{"id":15021278,"url":"https://github.com/akagi201/esalert","last_synced_at":"2025-10-27T21:31:52.719Z","repository":{"id":46595863,"uuid":"98487076","full_name":"Akagi201/esalert","owner":"Akagi201","description":"A simple watcher, provides real-time alerts for data in elasticsearch as a replacement for X-Pack","archived":false,"fork":false,"pushed_at":"2021-11-02T09:43:55.000Z","size":3279,"stargazers_count":19,"open_issues_count":0,"forks_count":9,"subscribers_count":5,"default_branch":"master","last_synced_at":"2024-10-11T14:22:58.413Z","etag":null,"topics":["alert","elasticsearch","http","log","monitor","slack","watcher"],"latest_commit_sha":null,"homepage":"https://godoc.org/github.com/Akagi201/esalert","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Akagi201.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2017-07-27T02:52:37.000Z","updated_at":"2023-11-23T09:41:48.000Z","dependencies_parsed_at":"2022-07-20T06:32:14.553Z","dependency_job_id":null,"html_url":"https://github.com/Akagi201/esalert","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Akagi201%2Fesalert","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Akagi201%2Fesalert/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Akagi201%2Fesalert/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Akagi201%2Fesalert/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Akagi201","download_url":"https://codeload.github.co
m/Akagi201/esalert/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":219860665,"owners_count":16556016,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["alert","elasticsearch","http","log","monitor","slack","watcher"],"created_at":"2024-09-24T19:56:23.498Z","updated_at":"2025-10-27T21:31:52.384Z","avatar_url":"https://github.com/Akagi201.png","language":"Go","readme":"# esalert\n\n[![Build Status](https://travis-ci.org/Akagi201/esalert.svg)](https://travis-ci.org/Akagi201/esalert) [![Coverage Status](https://coveralls.io/repos/github/Akagi201/esalert/badge.svg?branch=master)](https://coveralls.io/github/Akagi201/esalert?branch=master) [![Go Report Card](https://goreportcard.com/badge/github.com/Akagi201/esalert)](https://goreportcard.com/report/github.com/Akagi201/esalert) [![GoDoc](https://godoc.org/github.com/Akagi201/esalert?status.svg)](https://godoc.org/github.com/Akagi201/esalert)\n\nPackage esalert is a simple framework for real-time alerts on data in Elasticsearch.\n\n## Runtime config\n* Esalert's runtime configs.\n* Configs can be passed from command-line, environment or config file.\n\n## Alert config\n* Alert configs contain all the data processing which should be performed.\n* Esalert runs with one or more alerts defined in its configuration, each one operating independent of the others.\n* Alert configs can be in one file or a directory of files.\n* Alert configs use yaml format. 
Each file contains an array of alerts.\n\n### Alert rule file(s)\n\n```\n# esalert.yml\n- name: alert_foo\n  # other alert parameters\n\n- name: alert_bar\n  # other alert parameters\n```\n\nOR\n\n```\n# esalert.d/foo.yml\n- name: alert_foo\n  # other alert parameters\n\n- name: alert_foo2\n  # other alert parameters\n```\n\nand\n\n```\n# esalert.d/bar.yml\n- name: alert_bar\n  # other alert parameters\n\n- name: alert_bar2\n  # other alert parameters\n```\n\n### Alert document\n\nA single alert has the following fields in its document (all are required):\n\n```\n- name: something_unique\n  interval: \"*/5 * * * * *\"\n  search_index: # see the search subsection\n  search_type:  # see the search subsection\n  search:       # see the search subsection\n  process:      # see the process subsection\n```\n\n#### name\n\nThis is an arbitrary string to identify the alert. It must be unique amongst all of the defined alerts.\n\n#### interval\n\nA [jobber-style](https://github.com/Akagi201/utilgo/tree/master/jobber) interval string describing when the search should be run and have the process run on the results.\n\n#### search\n\nThe search which should be performed against elasticsearch. 
The results are simply held onto for the process step, nothing else is done with them at this point.\n\n```\nsearch_index: filebeat-{{.Format \"2006.01.02\"}}\nsearch_type: logs\n# conveniently, json is valid yaml\nsearch: {\n        \"query\": {\n            \"query_string\": {\n                \"query\":\"severity:fatal\"\n            }\n        }\n}\n```\n\n* See [query dsl](https://www.elastic.co/guide/en/elasticsearch/reference/current/query-dsl.html) docs for more on how to formulate query objects.\n* See [query string](https://www.elastic.co/guide/en/elasticsearch/reference/current/query-dsl-query-string-query.html#query-string-syntax) docs for more on how to formulate query strings.\n* All three fields (`search_index`, `search_type` and `search`) can have Go templating applied.\n* See the alert context subsection for more information on what fields/methods are available to use.\n\n#### process\n\nOnce the search is performed the results are kept in the context, which is then passed into this step. The process Lua script then checks these results against whatever conditions are desired, and may optionally return a list of actions to take. See the alert context section for all available fields in ctx.\n\n```\nprocess:\n    lua_file: ./foo-process.yml\n```\n\nOR\n\n```\nprocess:\n    lua_inline: |\n        if ctx.HitCount \u003e 10 then\n            return {\n                {\n                    type = \"log\",\n                    message = \"got \" .. ctx.HitCount .. \" hits\",\n                }\n            }\n        end\n        -- To indicate no actions, you can return an empty table, nil, or simply\n        -- don't return at all\n        return {}\n```\n\n##### actions\n\nThe table returned by process is a list of actions which should be taken. Each action has a type and subsequent fields based on that type.\n\n##### log\n\nSimply logs an INFO message to the console. 
Useful if you're testing an alert and don't want to set up any real actions yet.\n\n```\n{\n    type = \"log\",\n    message = \"Performing action for alert \" .. ctx.Name,\n}\n```\n\n##### http\n\nCreate and execute an http command. A warning is logged if anything except a 2xx response code is returned.\n\n```\n{\n    type = \"http\",\n    method = \"POST\", -- optional, defaults to GET\n    url = \"http://example.com/some/endpoint?ARG1=foo\",\n    headers = { -- optional\n        \"X-FOO\" = \"something\",\n    },\n    body = \"some body for \" .. ctx.Name, -- optional\n}\n```\n\n##### slack\n\nTriggers an event in slack. The --slack-key param must be set in the runtime configuration in order to use this action type.\n\n```\n{\n    type = \"slack\",\n    text = \"some text\"\n}\n```\n\n## Alert context\n\nThrough its lifecycle each alert has a context object attached to it. The results from the search step are included in it, as well as other data. Here is a description of the available data in the context, as well as how to use it.\n\nNOTE THAT THE CONTEXT IS READ-ONLY IN ALL CASES\n\n### Context fields\n\n```\n{\n    Name      string // The alert's name\n    StartedTS uint64 // The timestamp the alert started at\n\n    // The following are filled in by the search step\n    TookMS      uint64  // Time search took to complete, in milliseconds\n    HitCount    uint64  // The total number of documents matched\n    HitMaxScore float64 // The maximum score of all the documents matched\n\n    // Array of actual documents matched. Keep in mind that unless you manually\n    // define a limit in your search query this will be capped at 10 by\n    // elasticsearch. 
Usually HitCount is the important data point anyway\n    Hits []{\n        Index  string  // The index the hit came from\n        Type   string  // The type the document is\n        ID     string  // The unique id of the document\n        Score  float64 // The document's score relative to the query\n        Source object  // The actual document\n    }\n\n    // If an aggregation was defined in the search query, the results will be\n    // set here\n    Aggregations object\n}\n```\n\n### In lua\n\nWithin Lua scripts the context is made available as a global variable called `ctx`. Fields on it are directly addressable using the above names, for example `ctx.HitCount` and `ctx.Hits[1].ID`.\n\n### In go template\n\nIn some areas Go templates, provided by Go's text/template package, are used to add some dynamic capabilities to otherwise static configuration fields. In these places the context is made available as the root object. For example, {{.HitCount}}.\n\nIn addition to the fields defined above, the root template object also has some methods on it which may be helpful for working with dates. All methods defined on Go's time.Time object are available. For example, to format a string into the filebeat index for the current day:\n\n```\nfilebeat-{{.Format \"2006.01.02\"}}\n```\n\nAnd to do the same, but for yesterday:\n\n```\nfilebeat-{{(.AddDate 0 0 -1).Format \"2006.01.02\"}}\n```\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fakagi201%2Fesalert","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fakagi201%2Fesalert","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fakagi201%2Fesalert/lists"}