Elasticsearch Watcher Integration

Elasticsearch Watcher is the alerting and notification product for Elasticsearch that lets you take action based on changes in your data. OpsGenie is an alert and notification management solution that is highly complementary to Elasticsearch Watcher.

What does OpsGenie offer to Elasticsearch Watcher users?

By using the OpsGenie Elasticsearch Watcher Integration, you can forward Elasticsearch Watcher alerts to OpsGenie. OpsGenie determines the right people to notify based on on-call schedules, notifies them by email, text message (SMS), phone call and iOS & Android push notification, and escalates the alert until it is acknowledged or closed.

Functionality of the integration

  • When an alert is fired by Elasticsearch Watcher, an alert is created in OpsGenie automatically through the integration.
  • When the alert is acknowledged in OpsGenie, the alert will be acknowledged in Elasticsearch Watcher.

Add Elasticsearch Watcher Integration in OpsGenie

  1. Create an OpsGenie account if you haven't done so already.
  2. Go to the OpsGenie Elasticsearch Watcher Integration page.
  3. Specify who should be notified of Elasticsearch Watcher alerts using the "Teams" field. Auto-complete suggestions are provided as you type.
  4. Copy the code in the "Configuration in Elasticsearch Watcher" section of this document.
  5. Click on "Save Integration".

Configuration in Elasticsearch Watcher

  1. Paste the code below into Elasticsearch.
  2. Configure your alert settings in Elasticsearch Watcher.
  3. For more information about Elasticsearch Watcher, refer to the Elasticsearch Watcher Documentation.
  4. Replace "[YOUR API KEY]" with the API Key of the integration.

PUT _watcher/watch/[WATCH ID]
{
    [OTHER CONFIGURATIONS OF YOUR ELASTICSEARCH WATCHER ALERT]
    .
    .
    .
    .
    .

    "actions" : {
        "opsgenie" : {
            "webhook" : {
                "scheme" : "https",
                "method" : "POST",
                "host" : "api.opsgenie.com",
                "port" : 443,
                "path" : "/v1/json/eswatcher",
                "headers" : {
                    "Content-Type" : "application/json"
                },
                "params": {
                    "apiKey": "[YOUR API KEY]"
                },
                "body" : "{{#toJson}}ctx{{/toJson}}"
            }
        }
    }
}

Acknowledging Alerts in Elasticsearch Watcher (Optional)

  • You can set the integration to automatically acknowledge an alert in Elasticsearch Watcher when you acknowledge the alert in OpsGenie.
  • To do this, select the "Acknowledge Alerts in Elasticsearch Watcher" option in the integration settings.
  • After enabling this option, two additional fields appear that need to be filled.
  • Fill the "Elasticsearch Watcher Action Id" field with your Action Id.
  • Fill the "Elasticsearch Watcher Host URL" field with the URL of your server.
  • Specify the full URL as [protocol]://yourserveraddr:[port] (e.g. http://yourserver.com:9200).

Sample Payload

{
  "id": "event_critical_watch_249-2016-09-28T11:31:05.955Z",
  "vars": {},
  "trigger": {
    "triggered_time": "2016-09-28T11:31:05.955Z",
    "scheduled_time": "2016-09-28T11:31:05.511Z"
  },
  "execution_time": "2016-09-28T11:31:05.955Z",
  "watch_id": "event_critical_watch",
  "payload": {
    "hits": {
      "total": 1,
      "hits": [
        {
          "_type": "event",
          "_source": {
            "eventDescription": "System has detected 3 failed login attempts",
            "eventId": 1,
            "eventName": "3 failed login attempts",
            "eventType": "LOG",
            "eventCategory": "CRITICAL"
          },
          "_id": 1,
          "_index": "event",
          "_score": 0.30685282
        }
      ],
      "max_score": 0.30685282
    },
    "_shards": {
      "total": 1,
      "failed": 0,
      "successful": 1
    },
    "timed_out": false,
    "took": 1
  },
  "metadata": "null"
}
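As an added example, not code from OpsGenie or Elasticsearch, the Python below checks a watch's webhook action against the configuration shown earlier on this page (https, the api.opsgenie.com eswatcher endpoint, the placeholder key replaced, the whole ctx as body) and reduces a ctx payload like the Sample Payload above to the fields an alert needs. SAMPLE_CTX and SAMPLE_ACTION are constructed from the page's own samples; summarize_ctx and check_webhook_action are assumed helper names.

```python
import json

# Constructed sample ctx (trimmed from the Sample Payload above): this is the
# body "{{#toJson}}ctx{{/toJson}}" posts to OpsGenie when the watch fires.
SAMPLE_CTX = json.dumps({
    "id": "event_critical_watch_249-2016-09-28T11:31:05.955Z",
    "watch_id": "event_critical_watch",
    "trigger": {"triggered_time": "2016-09-28T11:31:05.955Z"},
    "payload": {"hits": {"total": 1, "hits": [{"_id": 1, "_index": "event",
        "_source": {"eventName": "3 failed login attempts",
                    "eventCategory": "CRITICAL"}}]}, "timed_out": False},
})

# Constructed watch action: the page's action with the placeholder still in
# place, so the check below reports it.
SAMPLE_ACTION = {"webhook": {
    "scheme": "https", "method": "POST", "host": "api.opsgenie.com",
    "port": 443, "path": "/v1/json/eswatcher",
    "headers": {"Content-Type": "application/json"},
    "params": {"apiKey": "[YOUR API KEY]"},
    "body": "{{#toJson}}ctx{{/toJson}}"}}

def summarize_ctx(raw):
    """Reduce a Watcher ctx document to the fields an alert needs."""
    ctx = json.loads(raw)
    hits = ctx.get("payload", {}).get("hits", {})
    sources = [h.get("_source", {}) for h in hits.get("hits", [])]
    return {
        "watch_id": ctx["watch_id"],
        "triggered_time": ctx["trigger"]["triggered_time"],
        "hit_count": hits.get("total", 0),
        "message": "; ".join(s.get("eventName", "?") for s in sources) or "no hits",
        "categories": sorted({s["eventCategory"] for s in sources if "eventCategory" in s}),
    }

def check_webhook_action(action):
    """List configuration problems in a Watcher webhook action aimed at OpsGenie."""
    wh = action.get("webhook", {})
    problems = []
    if wh.get("scheme") != "https" or wh.get("port") != 443:
        problems.append("webhook must use https on port 443")
    if wh.get("host") != "api.opsgenie.com" or wh.get("path") != "/v1/json/eswatcher":
        problems.append("host/path is not the OpsGenie eswatcher endpoint")
    key = wh.get("params", {}).get("apiKey", "")
    if not key or key.startswith("["):
        problems.append("apiKey missing or [YOUR API KEY] placeholder not replaced")
    if wh.get("body") != "{{#toJson}}ctx{{/toJson}}":
        problems.append("body must send the whole ctx: {{#toJson}}ctx{{/toJson}}")
    return problems
```

Run check_webhook_action over each watch's "opsgenie" action before you PUT it, so a watch that would post in clear text or with the placeholder key never reaches the cluster.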

Sample alert