Monday, April 20, 2026

Kibana Alert - 3rd

ElastAlert can be an alternative as well. Since it did not install cleanly with pip, I installed it on WSL Ubuntu with pipx, which automatically manages a virtual environment for it.
root@easyDATA:~# apt install pipx
root@easyDATA:~# pipx install elastalert2
  installed package elastalert2 2.29.0, installed using Python 3.12.3
  These apps are now globally available
    - elastalert
    - elastalert-create-index
    - elastalert-test-rule
⚠️  Note: '/root/.local/bin' is not on your PATH environment variable. These apps will not be globally accessible until your PATH is updated. Run pipx ensurepath to automatically add it, or manually modify your PATH in your shell's config file (i.e. ~/.bashrc).
done!
root@easyDATA:~# ls .local/bin/
elastalert  elastalert-create-index  elastalert-test-rule

Add the executables to PATH.
root@easyDATA:~# pipx ensurepath
Success! Added /root/.local/bin to the PATH environment variable.
Consider adding shell completions for pipx. Run 'pipx completions' for instructions.

You will need to open a new terminal or re-login for the PATH changes to take effect. Otherwise pipx is ready to go!
root@easyDATA:~# exec $SHELL

Next, the config.yaml settings for connecting to Elasticsearch.
rules_folder: /root/elastalert/rule
run_every:
  minutes: 1
buffer_time:
  minutes: 1

es_host: 192.168.56.1
es_port: 9200
use_ssl: True
es_username: elastic
es_password: password
ca_certs: /mnt/d/elk/v9/elasticsearch-9.3.3/config/certs/http_ca.crt

writeback_index: elastalert_status
alert_time_limit:
  minutes: 1

smtp_host: "smtp.gmail.com"
smtp_port: 465
smtp_ssl: true
from_addr: "mhkang589@gmail.com"
smtp_auth_file: "/root/elastalert/smtp_auth.yaml"

Create the indices ElastAlert uses.
root@easyDATA:~# elastalert-create-index --config elastalert/config.yaml
Reading Elastic 8 index mappings:
Reading index mapping 'es_mappings/8/silence.json'
Reading index mapping 'es_mappings/8/elastalert_status.json'
Reading index mapping 'es_mappings/8/elastalert.json'
Reading index mapping 'es_mappings/8/past_elastalert.json'
Reading index mapping 'es_mappings/8/elastalert_error.json'
New index elastalert_status created
Done!

Next, smtp_auth.yaml, used to send the email alerts,
user: "mhkang589@gmail.com"
password: "app password"

and the rule.yaml configuration.
name: TEST - sysmon occur
type: frequency
index: ubuntu

timestamp_field: "@timestamp"
num_events: 4
timeframe:
  minutes: 1

filter:
- query:
    query_string:
      query: "event.system.provider.name: Linux-Sysmon"

include: ["message"]

alert:
- "email"
email:
- "mhkang589@gmail.com"

Run ElastAlert.
root@easyDATA:~# elastalert --config elastalert/config.yaml --verbose
INFO:elastalert:1 rules loaded
INFO:elastalert:Starting up
INFO:elastalert:Disabled rules are: []
INFO:elastalert:Sleeping for 59.999885 seconds
INFO:elastalert:Queried rule TEST - sysmon occur from 2026-04-20 18:31 KST to 2026-04-20 18:32 KST: 8 / 8 hits
INFO:elastalert:Sent email to ['mhkang589@gmail.com']
INFO:elastalert:Ignoring match for silenced rule TEST - sysmon occur
INFO:elastalert:Ran TEST - sysmon occur from 2026-04-20 18:31 KST to 2026-04-20 18:32 KST: 8 query hits (0 already seen), 2 matches, 1 alerts sent
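The last log line is worth reading closely: 8 query hits became 2 matches, but only 1 alert was sent. That is the rule.yaml above at work (num_events: 4 within a one-minute timeframe, so 8 hits produce two matches) combined with ElastAlert's default realert window of one minute, which silences the second match ("Ignoring match for silenced rule"). The script below is an added example, not code from this post or from the ElastAlert project: it models that counting and silencing logic on constructed sample hits. It assumes the rule values from rule.yaml, simplifies the query_string filter to an exact field match, and uses the default realert value; the hit data is constructed here, not taken from the post.

```python
from collections import deque
from datetime import datetime, timedelta

# Rule settings copied from the post's rule.yaml. The filter is simplified to an
# exact field match; real ElastAlert sends it to Elasticsearch as a query_string.
# realert is ElastAlert's default (1 minute): after an alert, further matches of
# the same rule are silenced for this long. Assumed here, not set in the post.
RULE = {
    "name": "TEST - sysmon occur",
    "num_events": 4,
    "timeframe": {"minutes": 1},
    "realert": {"minutes": 1},
    "filter_field": "event.system.provider.name",
    "filter_value": "Linux-Sysmon",
}


def parse_ts(value: str) -> datetime:
    """Parse an ISO-8601 @timestamp such as 2026-04-20T18:31:05+09:00."""
    return datetime.fromisoformat(value)


def run_frequency_rule(rule: dict, hits: list[dict]) -> dict:
    """Replay hits through a frequency rule and report matches vs. alerts sent.

    A match fires when num_events hits fall inside one timeframe; the window is
    reset after each match. An alert is only sent if the rule is not silenced by
    the realert window started by the previous alert.
    """
    timeframe = timedelta(**rule["timeframe"])
    realert = timedelta(**rule["realert"])
    window: deque[datetime] = deque()
    silenced_until = None
    matches = 0
    alerts = []

    for hit in sorted(hits, key=lambda h: parse_ts(h["@timestamp"])):
        if hit.get(rule["filter_field"]) != rule["filter_value"]:
            continue  # filtered out, as the query_string would do server-side
        ts = parse_ts(hit["@timestamp"])
        window.append(ts)
        # Drop hits older than the timeframe relative to the newest hit.
        while ts - window[0] > timeframe:
            window.popleft()
        if len(window) < rule["num_events"]:
            continue
        matches += 1
        window.clear()  # counting starts over after a match
        if silenced_until is not None and ts < silenced_until:
            continue  # "Ignoring match for silenced rule"
        silenced_until = ts + realert
        alerts.append(ts)

    return {"matches": matches, "alerts_sent": len(alerts), "alert_times": alerts}


# Constructed sample hits (not from the post): 8 Sysmon events five seconds
# apart inside one minute, plus one non-Sysmon event the filter must drop.
SAMPLE_HITS = [
    {
        "@timestamp": f"2026-04-20T18:31:{5 * i:02d}+09:00",
        "event.system.provider.name": "Linux-Sysmon",
        "message": f"constructed sysmon event {i}",
    }
    for i in range(8)
] + [
    {
        "@timestamp": "2026-04-20T18:31:12+09:00",
        "event.system.provider.name": "systemd",
        "message": "constructed non-sysmon event",
    }
]

if __name__ == "__main__":
    result = run_frequency_rule(RULE, SAMPLE_HITS)
    print(f"{result['matches']} matches, {result['alerts_sent']} alerts sent")
```

Running it reproduces the shape of the log line above: two matches, one alert. Spreading the same hits out so that fewer than four ever share a one-minute window yields no match at all, which is the knob to turn (num_events, timeframe, realert) when a rule is too noisy or too quiet.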


Creative Commons License