docker-compose

  
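version: '3.3'

services:
  # Elasticsearch 1.7, built from elasticsearch/Dockerfile. That release has
  # no built-in authentication or TLS: anything that can reach 9200/9300 has
  # full read/write access to the data.
  elasticsearch:
    build:
      context: elasticsearch/
    volumes:
      # Data is kept in the named volume `alldata` (declared at the bottom)
      # so it survives container recreation; the bind-mount alternatives are
      # kept commented for reference.
      #- ./elasticsearch/esdata:/usr/share/elasticsearch/data:rw
      - alldata:/usr/share/elasticsearch/data:rw
      #- ./elasticsearch/config/elasticsearch.yml:/usr/share/elasticsearch/config/elasticsearch.yml:ro
    ports:
      # Published on all host interfaces. The other services reach
      # Elasticsearch by service name over the `fastdev` network, so if the
      # host port is only needed locally, "127.0.0.1:9200:9200" limits the
      # exposure; 9300 (node transport) usually does not need publishing.
      - "9200:9200"
      - "9300:9300"
    environment:
      # NOTE(review): bootstrap.memory_lock is the 5.x spelling of the
      # setting, and whether this image's entrypoint turns environment
      # variables into settings is not visible here — confirm in
      # docker-entrypoint.sh; otherwise this line is a no-op.
      - bootstrap.memory_lock=true
      - "ES_JAVA_OPTS=-Xms512m -Xmx512m"
    ulimits:
      # Unlimited memlock lets the JVM pin its heap; nofile is raised for
      # Elasticsearch's open-file needs.
      memlock:
        soft: -1
        hard: -1
      nofile:
        soft: 65536
        hard: 65536
    networks:
      - fastdev

  logstash:
    build:
      context: logstash/
    volumes:
      # Config and pipeline are mounted read-only inside the container.
      - ./logstash/config/logstash.yml:/etc/logstash/logstash.yml:ro
      - ./logstash/pipeline:/etc/logstash/conf.d:ro
    ports:
      # Inputs on 5000 and 5044 are published on all host interfaces and
      # carry no authentication of their own, so any host that can reach
      # them can inject log events; bind them to the interfaces that need
      # them (e.g. "127.0.0.1:5044:5044") where possible.
      - "5000:5000"
      - "5044:5044"
    environment:
      LS_JAVA_OPTS: "-Xmx256m -Xms256m"
    networks:
      - fastdev
    depends_on:
      - elasticsearch

  kibana:
    build:
      context: kibana/
    volumes:
      - ./kibana/config/:/usr/share/kibana/config:ro
    ports:
      # Kibana UI. Nothing in this file puts a login in front of it, so
      # whoever can reach 5601 can read everything in Elasticsearch.
      - "5601:5601"
    networks:
      - fastdev
    depends_on:
      - elasticsearch

  # Presumably generates sample log files into ./fakelog/logs on the host
  # (the container writes to /ethereum-etl/output/).
  fakelog:
    build:
      context: fakelog/
    volumes:
      - ./fakelog/logs:/ethereum-etl/output/:rw
    networks:
      - fastdev

  # ElastAlert plus the elastalert-server API (port 3030, see
  # elastalert/config/config.json).
  elastalert:
    build:
      context: elastalert/
    volumes:
      - ./elastalert/config/config.json:/opt/elastalert-server/config/config.json:ro
      - ./elastalert/config/elastalert.yaml:/opt/elastalert/config.yaml:ro
      # rules is the only writable mount (presumably so the server API can
      # manage rules — confirm); everything else is read-only.
      - ./elastalert/rules:/opt/elastalert/rules:rw
      - ./elastalert/rule_templates:/opt/elastalert/rule_templates:ro
    ports:
      # 3030 is the elastalert-server API port; 3333 (its wsport in
      # config.json) stays unpublished.
      - "3030:3030"
    #  - "3333:3333"
    environment:
      # NOTE(review): the purpose of this variable is not visible in this
      # file — confirm the image reads it, otherwise it can be dropped.
      - net=elasticsearch
    networks:
      - fastdev

volumes:
  # Persistent Elasticsearch data. Explicit empty mapping rather than a bare
  # key (which parses as null) so the intent — default driver — is clear.
  alldata: {}

networks:
  fastdev:
    driver: bridge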

Only elasticsearch/Dockerfile needed changes, because of errors caused by the Debian mirror. For the other YAML files, see the earlier blog posts.

  
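# Elasticsearch 1.7 image on top of java:8-jre (Debian jessie). Both the
# base image and Elasticsearch 1.7 are end-of-life; the apt workarounds
# below exist only to make the archived jessie repositories installable.
FROM java:8-jre

# grab gosu for easy step-down from root
ENV GOSU_VERSION 1.7
# Fetch the gosu binary and its detached signature and verify the signature
# against the release key before trusting the binary. The SKS keyserver
# pool named here has since been retired, so --recv-keys needs a keyserver
# that still serves this fingerprint — TODO confirm one that jessie's gpg
# can talk to.
RUN set -x \
 && wget -O /usr/local/bin/gosu "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$(dpkg --print-architecture)" \
 && wget -O /usr/local/bin/gosu.asc "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$(dpkg --print-architecture).asc" \
 && export GNUPGHOME="$(mktemp -d)" \
 && gpg --keyserver ha.pool.sks-keyservers.net --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4 \
 && gpg --batch --verify /usr/local/bin/gosu.asc /usr/local/bin/gosu \
 && rm -r "$GNUPGHOME" /usr/local/bin/gosu.asc \
 && chmod +x /usr/local/bin/gosu \
 && gosu nobody true

# https://www.elastic.co/guide/en/elasticsearch/reference/current/setup-repositories.html
# https://packages.elasticsearch.org/GPG-KEY-elasticsearch
#RUN apt-key adv --keyserver ha.pool.sks-keyservers.net --recv-keys 46095ACC8548582C1A2699A9D27D666CD88E42B4

#ENV ELASTICSEARCH_MAJOR 1.7
#ENV ELASTICSEARCH_VERSION 1.7.5
#ENV ELASTICSEARCH_REPO_BASE http://packages.elasticsearch.org/elasticsearch/1.7/debian

#RUN echo "deb $ELASTICSEARCH_REPO_BASE stable main" > /etc/apt/sources.list.d/elasticsearch.list

#RUN set -x \
# && apt-get clean && apt-get update \
# && apt-get install -y --no-install-recommends elasticsearch=$ELASTICSEARCH_VERSION \
# && rm -rf /var/lib/apt/lists/*

# Elastic's signing key is fetched over HTTPS; the repository itself is
# plain HTTP, so package integrity rests on apt verifying signatures made
# with that key.
RUN wget -qO - https://packages.elastic.co/GPG-KEY-elasticsearch | apt-key add -
RUN echo "deb http://packages.elastic.co/elasticsearch/1.7/debian stable main" | tee -a /etc/apt/sources.list.d/elasticsearch-1.7.list
# jessie now lives on archive mirrors whose Release files are past their
# Valid-Until date, hence check-valid-until=no / Check-Valid-Until=false.
# That skips only the freshness check; Release signatures are still verified.
# (The earlier version of this file wrote jessie.list twice with `>`; the
# first write was overwritten, so only the effective one is kept.)
RUN echo "deb [check-valid-until=no] http://cdn-fastly.deb.debian.org/debian jessie main" > /etc/apt/sources.list.d/jessie.list
RUN echo "deb [check-valid-until=no] http://archive.debian.org/debian jessie-backports main" > /etc/apt/sources.list.d/jessie-backports.list
# Remove the jessie-updates entry, if the base image's sources.list has
# one, since that suite is no longer served.
RUN sed -i '/deb http:\/\/deb.debian.org\/debian jessie-updates main/d' /etc/apt/sources.list
# -y is required: docker build has no TTY, so apt's confirmation prompt
# would abort the install. The apt lists are removed afterwards to keep
# the layer small. Pinning a version (the commented block above used
# 1.7.5) would make the build reproducible.
RUN apt-get -o Acquire::Check-Valid-Until=false update \
 && apt-get install -y --no-install-recommends elasticsearch \
 && rm -rf /var/lib/apt/lists/*

ENV PATH /usr/share/elasticsearch/bin:$PATH

WORKDIR /usr/share/elasticsearch

# Create the runtime directories up front and hand them to the
# `elasticsearch` user (presumably created by the package; the entrypoint
# is expected to step down to it via gosu — confirm in docker-entrypoint.sh).
RUN set -ex \
 && for path in \
  ./data \
  ./logs \
  ./config \
  ./config/scripts \
 ; do \
  mkdir -p "$path"; \
  chown -R elasticsearch:elasticsearch "$path"; \
 done

COPY config ./config

#VOLUME /usr/share/elasticsearch/data

COPY docker-entrypoint.sh /
RUN chmod +x /docker-entrypoint.sh

EXPOSE 9200 9300
ENTRYPOINT ["/docker-entrypoint.sh"]
CMD ["elasticsearch"]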

ElastAlert/Dockerfile

  
# ElastAlert server image (its API listens on 3030, see config/config.json).
# `latest` is a moving tag: the build is not reproducible and any new
# upstream push silently changes what runs here. Pin a tested tag, or
# better a digest (`bitsensor/elastalert:<tag>@sha256:<digest>`).
FROM bitsensor/elastalert:latest

ElastAlert/config/config.json

  
{  
  "appName": "elastalert-server",  
  "port": 3030,  
  "wsport": 3333,  
  "elastalertPath": "/opt/elastalert",  
  "verbose": false,  
  "es_debug": false,  
  "debug": false,  
  "rulesPath": {  
    "relative": true,  
    "path": "/rules"  
  },  
  "templatesPath": {  
    "relative": true,  
    "path": "/rule_templates"  
  },  
  "es_host": "elasticsearch",  
  "es_port": 9200,  
  "writeback_index": "elastalert_status"  
}  

ElastAlert/config/elastalert.yaml

  
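# Global ElastAlert configuration (mounted at /opt/elastalert/config.yaml
# by docker-compose). The connection is plain HTTP with no credentials,
# which is all Elasticsearch 1.7 offers, so the `fastdev` network must be
# treated as trusted.
es_host: elasticsearch
es_port: 9200
# Absolute path so the rules are found regardless of the directory
# ElastAlert is started from; docker-compose mounts ./elastalert/rules at
# /opt/elastalert/rules, which is where the relative `rules` resolved when
# run from /opt/elastalert.
rules_folder: /opt/elastalert/rules

# How often ElastAlert will query elasticsearch
# The unit can be anything from weeks to seconds
run_every:
  seconds: 5
  #minutes: 1
# ElastAlert will buffer results from the most recent
# period of time, in case some log sources are not in real time
buffer_time:
  minutes: 15
# If an alert fails for some reason, ElastAlert will retry
# sending the alert until this time period has elapsed
alert_time_limit:
  minutes: 2
  #days: 2

writeback_index: elastalert_status

# Needed by the email alerter used in rules/test_metric.yaml. While this
# stays unset, email alerts presumably go nowhere useful (there is no mail
# server in the container) — set it before relying on email delivery.
#smtp_host: ""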

ElastAlert/config/rules/test_metric.yaml

  
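# Example ElastAlert rule: counts `project` values in filebeat-* and sends
# an email alert when the count leaves the [min_threshold, max_threshold]
# band. Belongs in /opt/elastalert/rules (mounted from ./elastalert/rules).
name: Example rule

# How often ElastAlert will query elasticsearch
# The unit can be anything from weeks to seconds
# NOTE(review): run_every, buffer_time and alert_time_limit are also set
# globally in config/elastalert.yaml; whether each of them is honoured at
# rule level is not verified here — confirm against the rule schema.
run_every:
  seconds: 5
  #minutes: 1
# ElastAlert will buffer results from the most recent
# period of time, in case some log sources are not in real time
buffer_time:
  minutes: 15
# If an alert fails for some reason, ElastAlert will retry
# sending the alert until this time period has elapsed
alert_time_limit:
  minutes: 2
  #days: 2

type: metric_aggregation

index: filebeat-*

metric_agg_key: project
metric_agg_type: value_count

#query_key: "name.keyword"
# NOTE(review): `_type` reads like Elasticsearch's meta-field name rather
# than a concrete document type — confirm it matches the indexed data.
doc_type: _type

# Presumably alerts when value_count(project) per window is above
# max_threshold or below min_threshold — see the metric_aggregation docs.
max_threshold: 32
min_threshold: 19

# Replace xxx.xxx.xxx.xxx with the real node address. The inner quotes are
# backslash-escaped because the whole query is a double-quoted YAML string.
filter:
  - query:
      query_string:
        query: "srctype: geth AND project: hr AND mined AND geth_ip: \"xxx.xxx.xxx.xxx\""

#alert_subject: "No data on dashboard"
# "|" is a literal block scalar: the text is taken exactly as written,
# line breaks included, so keep trailing spaces out of it.
alert_text: |
  test attach
alert_text_args: []

# Email delivery needs smtp_host in config/elastalert.yaml, which is
# currently commented out there.
alert:
  - "email"
email:
  - "1803110@narlabes.org.tw"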

ElastAlert/config/rule_templates

Copy the files from GitHub (link below), or skip this step.
https://github.com/Yelp/elastalert/tree/master/example_rules

Run ElastAlert, or test a rule with ElastAlert

  
cd /opt/elastalert  
  
a. elastalert  
  
b. elastalert-test-rule ./rules/test_metric.yaml --start 2019-04-10T08:40:00.000  
  
# When the command is run from /opt/elastalert, it automatically loads the config.yaml in that directory (check with "ls config.yaml").

Rules (here test_metric.yaml) go in /opt/elastalert/rules.

elastalert.yml and config.json go in /opt/elastalert**-server**/config.

`