update elastalert

awx/README.md

@@ -5,5 +5,31 @@ awx
 on top of Ansible. It is the upstream project for [Tower][2], a commercial
 derivative of AWX.
 
+## directory tree
+
+```
+data
+├── projects
+│   └── example
+│       └── playbook.yml
+└── settings
+    ├── SECRET_KEY
+    ├── credentials.py
+    └── environment.sh
+```
+
+## up and running
+
+```
+$ docker-compose up -d
+$ docker-compose exec web bash
+>>> awx-manage inventory_import --inventory-name=xxx --source=/path/to/inventory.ini
+INFO     Reading Ansible inventory source: /path/to/inventory.ini
+INFO     Loaded 1 groups, 30 hosts
+INFO     Inventory import completed for  (xxx - 13) in 1.0s
+>>> exit
+$ curl http://127.0.0.1:8052
+```
+
 [1]: https://github.com/ansible/awx
 [2]: https://www.ansible.com/tower

awx/data/projects/example/playbook.yml

@@ -0,0 +1,7 @@
+- name: example playbook
+  hosts: 127.0.0.1
+  connection: local
+  gather_facts: false
+  tasks:
+  - debug:
+      msg: hello world

awx/docker-compose.yml

@@ -14,10 +14,10 @@ services:
     ports:
       - "8052:8052"
     volumes:
-      - ./data/etc/SECRET_KEY:/etc/tower/SECRET_KEY
-      - ./data/etc/environment.sh:/etc/tower/conf.d/environment.sh
-      - ./data/etc/credentials.py:/etc/tower/conf.d/credentials.py
-      - ./data/awx:/var/lib/awx/projects
+      - ./data/settings/SECRET_KEY:/etc/tower/SECRET_KEY
+      - ./data/settings/environment.sh:/etc/tower/conf.d/environment.sh
+      - ./data/settings/credentials.py:/etc/tower/conf.d/credentials.py
+      - ./data/projects:/var/lib/awx/projects
     depends_on:
       - rabbitmq
       - memcached
@@ -30,10 +30,10 @@ services:
     hostname: awx
     user: root
     volumes:
-      - ./data/etc/SECRET_KEY:/etc/tower/SECRET_KEY
-      - ./data/etc/environment.sh:/etc/tower/conf.d/environment.sh
-      - ./data/etc/credentials.py:/etc/tower/conf.d/credentials.py
-      - ./data/awx:/var/lib/awx/projects
+      - ./data/settings/SECRET_KEY:/etc/tower/SECRET_KEY
+      - ./data/settings/environment.sh:/etc/tower/conf.d/environment.sh
+      - ./data/settings/credentials.py:/etc/tower/conf.d/credentials.py
+      - ./data/projects:/var/lib/awx/projects
     depends_on:
       - rabbitmq
       - memcached

elastalert/Dockerfile

@@ -0,0 +1,29 @@
+#
+# Dockerfile for elastalert
+#
+
+FROM python:3.6-alpine
+
+ENV ELASTALERT_VERSION=v0.2.1
+ENV ELASTALERT_HOME=/opt/elastalert
+
+WORKDIR ${ELASTALERT_HOME}
+
+RUN set -xe \
+    && apk add --no-cache -t .build-deps \
+        build-base \
+        curl \
+        libffi-dev \
+        libmagic \
+        musl-dev \
+        openssl-dev \
+        python-dev \
+        tzdata \
+    && pip install elastalert==${ELASTALERT_VERSION} \
+    && mkdir -p rules \
+    && curl -sSL https://github.com/Yelp/elastalert/raw/${ELASTALERT_VERSION}/config.yaml.example > config.yaml \
+    && apk del .build-deps
+
+VOLUME ${ELASTALERT_HOME}
+
+CMD ["elastalert", "--config", "config.yaml"]

elastalert/README.md

@@ -10,7 +10,7 @@ patterns of interest from data in Elasticsearch.
 $ docker-compose up -d
 $ docker-compose exec elastalert sh
 >>> cd /opt/elastalert/rules
->>> elastalert-test-rule xxx.yaml
+>>> elastalert-test-rule example.yaml
 >>> exit
 ```
 

elastalert/data/config.yaml

@@ -12,7 +12,7 @@ rules_folder: rules
 # How often ElastAlert will query elasticsearch
 # The unit can be anything from weeks to seconds
 run_every:
-  seconds: 60
+  minutes: 1
 
 # ElastAlert will buffer results from the most recent
 # period of time, in case some log sources are not in real time

elastalert/data/rules/example.yaml

@@ -0,0 +1,25 @@
+name: Example rule
+
+es_host: elasticsearch
+es_port: 9200
+
+type: frequency
+
+index: logstash-*
+
+num_events: 10
+
+timeframe:
+  hours: 1
+
+filter:
+- query:
+    query_string:
+      query: 'response:[500 TO *]'
+
+alert:
+- command
+
+command:
+- echo
+- "{match[@timestamp]} {match[message]}"

elastalert/docker-compose.yml

@@ -1,13 +1,13 @@
-elastalert:
-  image: bitsensor/elastalert:2.0.0
-  ports:
-    - "3030:3030"
-    - "3333:3333"
-  volumes:
-    - ./data/config.yaml:/opt/elastalert/config.yaml
-    - ./data/rules:/opt/elastalert/rules
-  external_links:
-    - elk_elasticsearch_1:elasticsearch
-# extra_hosts:
-#   - elasticsearch:1.2.3.4
-  restart: always
+version: "3.7"
+
+services:
+  elastalert:
+    image: vimagick/elastalert
+    volumes:
+      - ./data:/opt/elastalert
+    restart: unless-stopped
+
+networks:
+  default:
+    external:
+      name: elk_default