Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/dmdhrumilmistry/elk-alerts
ELK slack integration alternative for alerting
blue-team-tool elk elk-alerts slack-bot slack-webhook
- Host: GitHub
- URL: https://github.com/dmdhrumilmistry/elk-alerts
- Owner: dmdhrumilmistry
- Created: 2023-08-22T16:52:31.000Z (over 1 year ago)
- Default Branch: master
- Last Pushed: 2023-08-23T12:09:17.000Z (over 1 year ago)
- Last Synced: 2024-05-01T16:30:52.516Z (8 months ago)
- Topics: blue-team-tool, elk, elk-alerts, slack-bot, slack-webhook
- Language: Go
- Homepage:
- Size: 14.6 KB
- Stars: 2
- Watchers: 2
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
README
# ELK alerts
Simple alerting tool that queries Elasticsearch, filters the aggregated results against a threshold and an IP whitelist, and posts alerts to Slack.
## Installation
### Using GO Install
```bash
go install github.com/dmdhrumilmistry/elk-alerts@latest
```
### Using git clone
```bash
git clone https://github.com/dmdhrumilmistry/elk-alerts.git
cd elk-alerts
go install
```
## Usage
- Basic usage
```bash
elk-alerts -f config.yaml
```
- Periodic alerts: run the tool from cron at the same interval as the query's time window (the example config below uses `now-5m`), so consecutive runs neither overlap nor leave gaps in the data they inspect.
## Example Config file
```yaml
# This example can help to detect directory bruteforcing: it counts
# HTTP 404 responses per client IP over the last five minutes and alerts
# on any IP whose count reaches elk_threshold.
elk_host: http://localhost:9200
elk_username: elk_alerts
elk_password: 'your_super_secure_password'
elk_index: 'your-index-*'
elk_threshold: 100
# Paste the query from the Kibana Dev Tools console. The JSON must be
# indented under the `|` block scalar, and aggs must contain aggs_data.
elk_query: |
  {
    "query": {
      "bool": {
        "filter": [
          {
            "range": {
              "@timestamp": {
                "gte": "now-5m"
              }
            }
          },
          {
            "term": {
              "response.keyword": {
                "value": 404
              }
            }
          }
        ]
      }
    },
    "size": 0,
    "aggs": {
      "aggs_data": {
        "terms": {
          "field": "client_ip.keyword"
        }
      }
    }
  }
# IPs that never trigger an alert
whitelist: ['1.1.1.1','1.0.0.1']
# slack webhook configs
slack_webhook: https://hooks.slack.com/services/your/slack/webhook
slack_message_title: "*Test Message* :bomb:"
```
- The `elk_alerts` user only needs read permission on the queried index; do not grant it write or cluster-level privileges.
- Replace the `elk_query` value with the query from the Kibana Dev Tools console, keeping it indented under the `|` block scalar.
- The tool can whitelist IPs so that they never trigger alerts.
- `aggs` must contain an `aggs_data` key, because that is the aggregation the tool reads.
- The config file holds the Elasticsearch password and the Slack webhook URL in plaintext, so restrict its file permissions to the user that runs the tool.
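To make the threshold and whitelist semantics concrete, the following Go program is an added example, not the project's own code. It parses a constructed Elasticsearch terms-aggregation response of the shape the query above produces (`aggregations.aggs_data.buckets`, keyed by client IP), drops whitelisted keys, keeps buckets whose `doc_count` reaches the threshold, and builds the JSON body a Slack incoming webhook accepts. The IPs and counts in the sample are made up, and the "at or above threshold" rule is an assumption, since the README does not say whether the comparison is strict.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// sampleResponse is a constructed Elasticsearch response in the shape the
// README's query returns: a terms aggregation named aggs_data bucketed by
// client_ip.keyword. Addresses and counts are invented for this example.
const sampleResponse = `{
  "hits": {"total": {"value": 412, "relation": "eq"}},
  "aggregations": {
    "aggs_data": {
      "doc_count_error_upper_bound": 0,
      "sum_other_doc_count": 0,
      "buckets": [
        {"key": "203.0.113.7",  "doc_count": 250},
        {"key": "1.1.1.1",      "doc_count": 130},
        {"key": "198.51.100.3", "doc_count": 32}
      ]
    }
  }
}`

// esResponse models only the fields the alert logic needs; everything else
// in the response is ignored by encoding/json.
type esResponse struct {
	Aggregations struct {
		AggsData struct {
			Buckets []bucket `json:"buckets"`
		} `json:"aggs_data"`
	} `json:"aggregations"`
}

type bucket struct {
	Key      string `json:"key"`
	DocCount int    `json:"doc_count"`
}

// Alert is one aggregation bucket that crossed the threshold and is not whitelisted.
type Alert struct {
	Key   string
	Count int
}

// Evaluate decodes a terms-aggregation response and returns the buckets whose
// doc_count is at or above threshold, skipping whitelisted keys.
// Assumption: the comparison is >=; the README does not specify strictness.
func Evaluate(raw []byte, threshold int, whitelist []string) ([]Alert, error) {
	var resp esResponse
	if err := json.Unmarshal(raw, &resp); err != nil {
		return nil, fmt.Errorf("decode response: %w", err)
	}
	allowed := make(map[string]struct{}, len(whitelist))
	for _, w := range whitelist {
		allowed[w] = struct{}{}
	}
	var alerts []Alert
	for _, b := range resp.Aggregations.AggsData.Buckets {
		if _, ok := allowed[b.Key]; ok {
			continue // whitelisted: never alert on this key
		}
		if b.DocCount >= threshold {
			alerts = append(alerts, Alert{Key: b.Key, Count: b.DocCount})
		}
	}
	return alerts, nil
}

// SlackPayload builds the JSON body for a POST to a Slack incoming webhook.
// Only the "text" field is used, which every incoming webhook accepts.
func SlackPayload(title string, alerts []Alert) ([]byte, error) {
	text := title
	for _, a := range alerts {
		text += fmt.Sprintf("\n%s: %d hits", a.Key, a.Count)
	}
	return json.Marshal(map[string]string{"text": text})
}

func main() {
	// Same threshold and whitelist as the example config above.
	alerts, err := Evaluate([]byte(sampleResponse), 100, []string{"1.1.1.1", "1.0.0.1"})
	if err != nil {
		panic(err)
	}
	body, err := SlackPayload("*Test Message* :bomb:", alerts)
	if err != nil {
		panic(err)
	}
	fmt.Println(string(body))
}
```

With the example config's threshold of 100, only `203.0.113.7` fires: `1.1.1.1` exceeds the threshold but is whitelisted, and `198.51.100.3` is below it. Sending the payload is a plain HTTPS POST of `body` to `slack_webhook`, omitted here so the example runs offline.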