elastalert這並不是官方的插件，官方是Alerting，是在x-pack底下的功能，詳細如以下連結

https://www.elastic.co/subscriptions

sudo yum -y install epel-release
sudo yum -y install python-pip
pip install "setuptools>=11.3"
git clone https://github.com/Yelp/elastalert.git
cd elastalert

用以下指令安裝

python setup.py install

完成後產生config.yaml，如果沒有cp config.yaml.example config.yaml
config.yaml要修改讀取目錄(輪巡資料夾內的rule)

rules_folder: /usr/share/example_rules 

example_rules內都是範例

建立一個新rule，在收到level是警告訊息發送email

es_host: x.x.x.x
index: winlogbeat-*

filter:
- query:
 query_string:
 query: "level:警告"
alert:
- "email"
email:
- "test@abc.com"
smtp_host: x.x.x.x
smtp_port: 25
email_reply_to: test@abc.com
from_addr: test1@abc.com

假設剛建立的檔名為abc.yaml，指定執行該rule

python -m elastalert.elastalert --verbose --rule abc.yaml

不指定會輪巡rules_folder內的rule執行

python -m elastalert.elastalert

範例流程圖
啟動elastalert使用config.yaml設定檔=>輪巡資料夾內rule=> filter搜尋elasticsearch，match後觸發rule的alert，發送email or command(bash => SNS)

補充
設定成systemctl 開機啟動
https://github.com/Yelp/elastalert/issues/194

vi /lib/systemd/system/elastalert.service

WorkingDirectory檔案路徑
ExecStart指令

[Unit]
Description=elastalert
Wants=network.target
After=elasticsearch.service
[Service]
Environment="CONFFILE=/usr/share/elastalert/config.yaml"
Restart=on-failure
PIDFile=/run/zabbix/zabbix_server.pid
KillMode=control-group
ExecStart=/usr/bin/python /usr/share/elastalert/elastalert/elastalert.py --verbose --config $CONFFILE
ExecStop=/bin/kill -SIGTERM $MAINPID
RestartSec=10s
TimeoutSec=0

[Install]
WantedBy=multi-user.target

#ln -s /lib/systemd/system/elastalert.service /etc/systemd/system/elastalert.service
systemctl daemon-reload
systemctl enable elastalert.service
systemctl start elastalert.service
systemctl status elastalert.service