Hadoop Tutorials.CO.IN
Big Data - Hadoop - Hadoop Ecosystem - NoSQL - Spark

Real Time Alerting using ElasticSearch Watcher

by Tanmay Deshpande

In earlier articles we saw how to install ElasticSearch, Logstash and Kibana to perform instant log analytics. In this article, we are going to talk about a newly released(beta2) plugin by elastic.co To follow this tutorial you need to have ElasticSearch installed on your machine. In case you haven't done that here is an article to do so

In this tutorial, we would try to address a very common use case many of us might be trying to solve is generating real time alerts as soon as a certain event occurs. E.g. Consider we are indexing all security events being generated on ElasticSearch and we want to get an email alert for every CRITICAL event being indexed. To solve this and simillar types of needs, here is what we need do.

Installing Watcher Plugin

Unlike many other ElasticSearch plugins, Watcher is NOT free of cost, you need to get license for the same As its in beta test mode, we can get beta license for the same. To know more about it, please contact elastic.co Here I am using ElasticSearch v1.5.2. To install Watcher Plugin execute following command.

bin/plugin -i elasticsearch/watcher/< your-watcher URL>
You also need to install ElasticSearch License Plugin. As shown below.
bin/plugin -i elasticsearch/license/latest

Please make sure, you are connected to internet while installing plugins as it downloads the installers from the internet first and then installs.

To verify that the Watcher plugin is installed, you can check via following API. In order to invoke APIs, you can POSTMAN REST Client

GET http://localhost:9200/_watcher/stats?pretty
Response : 
			"watcher_state": "started",
			"watch_count": 0,
			"execution_queue": {
				"size": 0,
				"max_size": 0

Creating an Index

As per our usecase, we would be creating a index which would save all security events occuring. To do so let's first create an index called 'events' as shown below.

    "settings" : {
        "number_of_shards" : 1
    "mappings" :{
    "event": {
        "properties": {
            "eventId": {
                "type": "integer"
			"eventName": {
                "type": "string"
			"eventDescription": {
                "type": "string"
			"eventCategory": {
                "type": "string"
			"eventType": {
                "type": "string"

    "acknowledged": true

Creating a Watcher

Once the index is created, it's time to create the watcher, here we would be creating a Watcher which would send an email notification everytime it gets a CRITICAL event on 'event' index. Here is an API create the watcher

PUT http://localhost:9200/_watcher/watch/event_critical_watch
    "trigger": {
        "schedule": {
            "interval": "60s"
    "input": {
        "search": {
            "request": {
                "indices": [
                "body": {
                    "query": {
                        "match": {
                            "eventCategory": "CRITICAL"
    "condition": {
        "compare": {
            "ctx.payload.hits.total": {
                "gt": 0
    "actions": {
        "email_admin": {
            "email": {
                "to": "'Tanmay Deshpande < tanmay.avinash.deshpande@gmail.com >'",
                "subject": "{{ctx.watch_id}} executed",
                "body": "{{ctx.watch_id}} executed with {{ctx.payload.hits.total}} hits"

Here we have created a watcher which will get executed every 60 seconds. You can modify the interval as per you convience.

Configuring SNMP Settings

To enable Email notifications, we need to configure ElasticSearch settings and need to provide an account from which the mails woudl be sent. Here I will be using Gmail account settings. To enable that please updated conf/elasticsearch.yml file as shown below.

        profile: gmail
            auth: true
            starttls.enable: true
            host: smtp.gmail.com
            port: 587
            user: your-email@gmail.com
            password: your-password

Once the configuration is done, restart the elasticsearch and get ready to see alerting in action.

Now we will put an event document with eventCategory as CRITICAL you should see the email getting triggered with details in your account

Here is a sample event.

PUT	http://localhost:9200/event/event/1
	"eventId" : 1,
	"eventName" : "3 failed login attempts",
	"eventDescription" : "System has detected 3 failed login attempts",
	"eventCategory" : "CRITICAL",
	"eventType" : "LOG"

Everything goes Ok, you should see an email like this

Now you can keep playing with it and let us know your feedback on this article.


Follow us on Twitter

Recommended for you