Logstash is a free and open server-side data processing pipeline that ingests data from a multitude of sources, transforms it, and then sends it to your favorite "stash." In our case we send the logs to Elasticsearch, our preferred store for real-time logs because it is fast both to write to and to query.

The paid Elasticsearch tier includes alerting that can send an e-mail when a log matches a condition; the free tier does not. To be alerted the moment a matching event appears we need a small trick: we use Logstash itself as the alerter, through its email output plugin.

In this article we show how to configure Logstash to send alert e-mails when a log matches a specific pattern. This is a good fit for small-scale monitoring where a full alerting system is not needed.

Steps to configure email alerts in Logstash:

  1. Add an email { ... } block to the output section of the Logstash config
  2. Set up an SMTP relay or a local sendmail that Logstash can deliver through
  3. Add a conditional (and, if needed, filters) so that only critical logs reach the email output
  4. Restart Logstash and test the alert with a matching log line

In the following snippet Logstash inspects every event about to be stored in Elasticsearch and sends an e-mail alert when the event matches our condition. The conditional and the email output go inside the output block of the Logstash config, next to the elasticsearch output, not in the filter block.

    # Substring match on the event's Message field. The field names used here
    # ([Message], [Host]) must exist in your events; the Logstash/Beats
    # defaults are [message] and [host], so adjust them to your log source.
    if "password for user" in [Message] {
        email {
            from    => "from_email_address"
            subject => "Login Alert"
            to      => "destination_email_address"
            via     => "smtp"
            body    => "%{Message} generated on host %{Host}"
            address => "smtp_mail_server"      # hostname of the SMTP relay
            port    => 587                     # submission port, upgraded with STARTTLS below
            username => "from_email_address"
            password => "from_email_password"  # better: "${SMTP_PASSWORD}" resolved from the Logstash keystore
            authentication => "LOGIN"
            use_tls => true
            debug   => true                    # logs the whole SMTP session; turn off once delivery works
        }
    }
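Putting the four steps together, here is a complete pipeline as an added example; it is not the post's own configuration. It tails the sshd auth log, parses failed logins with grok instead of a substring match, throttles per source IP so a brute-force attempt does not flood the inbox, indexes everything into Elasticsearch and e-mails only the first few failures per source. The log path, hostnames, index name, addresses and the keystore entry names (SMTP_USER, SMTP_PASSWORD) are assumptions; the event fields (user_name, src_ip, host_name) are defined by the grok pattern in the filter section.

```logstash
# Added example (not from the original post): Logstash pipeline that e-mails
# on failed SSH logins. Assumed: sshd writes to /var/log/auth.log, Elasticsearch
# listens on localhost:9200, and the SMTP credentials were stored with
#   bin/logstash-keystore add SMTP_USER SMTP_PASSWORD

input {
  file {
    path => "/var/log/auth.log"
    start_position => "beginning"
  }
}

filter {
  # Step 3: parse the sshd "Failed password" line into fields. Lines that do
  # not match stay untagged (tag_on_failure emptied) and are still indexed.
  grok {
    match => {
      "message" => "%{SYSLOGTIMESTAMP:ts} %{SYSLOGHOST:host_name} sshd\[%{POSINT:pid}\]: Failed password for (invalid user )?%{USERNAME:user_name} from %{IP:src_ip} port %{POSINT:src_port}"
    }
    add_tag        => [ "ssh_failed_login" ]
    tag_on_failure => []
  }

  # One e-mail per event floods the inbox during a brute-force attempt.
  # Everything beyond the 5th failure per source IP in a 5-minute window is
  # tagged "throttled"; those events are indexed but not e-mailed.
  if "ssh_failed_login" in [tags] {
    throttle {
      key         => "%{src_ip}"
      after_count => 5
      period      => 300
      max_age     => 600
      add_tag     => "throttled"
    }
  }
}

output {
  # All events still go to Elasticsearch.
  elasticsearch {
    hosts => ["http://localhost:9200"]
    index => "auth-%{+YYYY.MM.dd}"
  }

  # Step 1: the email output, reached only by the first failures per source.
  # Step 2 (the relay at smtp.example.org) is set up outside Logstash; it must
  # accept STARTTLS on port 587 for the SMTP_USER account.
  if "ssh_failed_login" in [tags] and "throttled" not in [tags] {
    email {
      via            => "smtp"
      address        => "smtp.example.org"
      port           => 587
      use_tls        => true
      authentication => "plain"
      username       => "${SMTP_USER}"        # resolved from the keystore
      password       => "${SMTP_PASSWORD}"    # never a literal in the config file
      from           => "logstash@example.org"
      to             => "secops@example.org"
      subject        => "SSH login failure for %{user_name} from %{src_ip} on %{host_name}"
      body           => "%{message}"
    }
  }
}
```

For step 4, check the syntax with `bin/logstash -f pipeline.conf --config.test_and_exit`, restart Logstash, and append a constructed line such as `Mar  3 10:15:02 web1 sshd[1234]: Failed password for root from 203.0.113.7 port 51234 ssh2` to the log; the first five lines from that address within five minutes each produce a mail, the rest are only indexed.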

With this kind of alert we learn about matching server events as soon as Logstash processes them and can act on them quickly. Keep in mind that the email output sends one message per matching event, so a burst such as a brute-force attempt produces a burst of e-mails; a throttle filter in front of the conditional keeps that under control.

Looking for full-stack monitoring and alerting solutions?
→ Explore our Security Analytics Service
