Yelp / elastalert

Easy & Flexible Alerting With ElasticSearch
https://elastalert.readthedocs.org
Apache License 2.0

ElastAlert as a systemd service #1566

Open sonfrau opened 6 years ago

sonfrau commented 6 years ago

One year ago, we installed your 0.1.12 version following this procedure:

apt-get install git python-pip python-setuptools build-essential libssl-dev libffi-dev python-dev
pip install --upgrade pip
git clone https://github.com/Yelp/elastalert.git
cd elastalert
sudo python setup.py install
sudo pip install -r requirements.txt
sudo pip install "requests-oauthlib==0.5.0"
sudo pip install "requests==2.2.1"
sudo pip install "cryptography==1.7"
sudo pip install "elasticsearch>=5.0.0"

We were using ElastAlert successfully set as a systemd service with these settings:

# Service definition for ElastAlert
#
[Unit]
Description=ElastAlert - Easy & Flexible Alerting With Elasticsearch
Documentation=https://elastalert.readthedocs.io
Wants=network-online.target
After=network-online.target

[Service]
Type=simple
User=xtg
Group=xtg
#Restart=on-failure
WorkingDirectory=/home/xtg/elastalert/
ExecStart=/usr/local/bin/elastalert
#ExecStart=/usr/local/bin/elastalert --rule example_rules/squid_allowed_url.yaml

[Install]
WantedBy=multi-user.target

We've upgraded our ElasticSearch from 5.4x to 6.1.1 and then our ElastAlert to 0.1.29.

To upgrade ElastAlert we have applied this command: sudo -H pip install -U elastalert

Since then we cannot start our elastalert.service; we get this error:

-- Logs begin at Thu 2018-02-22 10:08:07 UTC. --
Feb 22 11:06:28 cerebropci elastalert[107421]: **ImportError: No module named elastalert.elastalert**
Feb 22 11:06:28 cerebropci systemd[1]: elastalert.service: Main process exited, code=exited, status=1/FAILURE
Feb 22 11:06:28 cerebropci systemd[1]: elastalert.service: Unit entered failed state.
Feb 22 11:06:28 cerebropci systemd[1]: elastalert.service: Failed with result 'exit-code'.

However, if we use the root user on the systemd service definition, the service starts.

Could you give me any clue about this change in behaviour? We'd like to keep using our regular user.

Thanks and kind regards
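
The failure above (the unit works as root but not as the regular user) is most quickly narrowed down by running the import the way systemd will: as the service user, with the interpreter named in ExecStart, and then checking whether the package files that the import resolves to are readable by a non-root account. The script below is an added example, not part of ElastAlert or of the original report. It assumes a service user named `xtg`, the module `elastalert.elastalert` from the log line, and that the interpreter passed on the command line is the one `/usr/local/bin/elastalert` actually uses; the permission check is the usual suspect when a package installed via `sudo -H pip` imports fine for root only.

```shell
#!/bin/sh
# Diagnose "ImportError: No module named X" for a service that runs as an
# unprivileged user. Added example (not ElastAlert's own code).
# Assumed for this example: service user "xtg", module "elastalert.elastalert",
# and the interpreter given as the first argument is the one ExecStart uses.
#
# Run it the way systemd would, i.e. as the service user:
#   sudo -u xtg -H sh diag.sh /usr/bin/python elastalert.elastalert

# module_importable PYTHON MODULE -> exit 0 if PYTHON can import MODULE
module_importable() {
    "$1" -c "import $2" >/dev/null 2>&1
}

# module_origin PYTHON MODULE -> prints the file the import resolves to
module_origin() {
    "$1" -c 'import importlib, sys
m = importlib.import_module(sys.argv[1])
print(m.__file__)' "$2" 2>/dev/null
}

# unreadable_for_others DIR -> lists directories under DIR that are not
# world read+search (o=rx) and files that are not world-readable (o=r).
# Uses octal -perm so it stays POSIX; bits, not ACLs, are what is checked.
unreadable_for_others() {
    find "$1" \( -type d ! -perm -005 \) -o \( -type f ! -perm -004 \)
}

# count_unreadable_for_others DIR -> number of such entries, for scripting
count_unreadable_for_others() {
    unreadable_for_others "$1" | wc -l | tr -d ' '
}

# Only run the diagnostics when called with <python> <module>; sourcing the
# file just defines the functions.
if [ "$#" -ge 2 ]; then
    PYTHON=$1
    MODULE=$2
    echo "user: $(id -un)  interpreter: $PYTHON"
    if module_importable "$PYTHON" "$MODULE"; then
        echo "OK: $MODULE resolves to $(module_origin "$PYTHON" "$MODULE")"
    else
        echo "FAIL: $MODULE not importable as $(id -un)"
        echo "sys.path entries containing files the service user cannot read:"
        "$PYTHON" -c 'import sys; print("\n".join(p for p in sys.path if p))' \
        | while read -r p; do
            [ -d "$p" ] && unreadable_for_others "$p"
        done
    fi
fi
```

If the import succeeds as root but the run as `xtg` prints FAIL and lists paths under `/usr/local/lib/python*/dist-packages` or under `/root`, the package was installed where the service user cannot read it; fixing the mode bits (or reinstalling without a restrictive umask) is a better answer than switching the unit to `User=root`.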

zozo6015 commented 6 years ago

This works for me like a charm

[Unit]
Description=Severe_logalerts
After=elasticsearch.service

[Service]
Type=simple
WorkingDirectory=/opt/elastalert
ExecStart=/usr/local/bin/elastalert --verbose --config /opt/elastalert/config.yaml

[Install]
WantedBy=multi-user.target

q2dg commented 5 years ago

Could a sample .service file be part of the official ElastAlert distribution? Thanks!