Search Guard Integration

Connect Search Guard Signals alerts to ilert to forward watch-triggered events – like log‑based auth failures or node issues – to on‑call responders quickly.

By integrating Search Guard Signals with ilert, you can route custom-defined alerts – such as detected failed authentications, TLS certificate expirations, or node disconnects – from Elasticsearch logs or metrics into your on-call workflows. These technical alerts trigger ilert’s escalation policies and ensure that responders are notified promptly, enhancing the security and operational stability of your cluster.

In ilert: Create a Search Guard alert source

  1. Go to Alert sources --> Alert sources and click on Create new alert source

  2. Search for Search Guard in the search field, click on the Search Guard tile and click on Next.

  3. Give your alert source a name, optionally assign teams and click Next.

  4. Select an escalation policy by creating a new one or assigning an existing one.

  5. Select your Alert grouping preference and click Continue setup. You may click Do not group alerts for now and change it later.

  6. The next page shows additional settings such as custom alert templates or notification priority. Click on Finish setup for now.

  7. On the final page, an API key and / or webhook URL will be generated that you will need later in this guide.

In Search Guard: Create watch

  1. Go to Search Guard to open the main menu and choose Search Guard -> Signals

  2. On the next page click on the New button to create a new watch

  3. On the next view name the watch, e.g. My Watch, scroll down and configure the watch to your liking.

  4. Scroll down to Actions and add the Webhook action

  5. Name the action, e.g. iLert, paste the Webhook URL that you generated in ilert, change headers as required and paste the following JSON as the body template:

     {
       "incidentKey": "{{watch.id}}",
       "summary": "SearchGuard alert: {{watch.id}}",
       "details": "Problem occurred at {{execution_time}}",
       "serverUrl": "https://my-server.com"
     }

  6. Click on Create to save the watch.

  7. Finished! Your Search Guard alerts will now create alerts in ilert.
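Before letting the watch fire against production, it is worth previewing what the webhook action will actually send. The following added example (not ilert's or Search Guard's own code) renders the body template from step 5 with a constructed watch context using the same {{dotted.path}} substitution style Signals applies, checks that the result is valid JSON, and offers a dry-run POST to the alert source webhook URL (the URL and the sample watch id are placeholders).

```python
import json
import re
import urllib.request

# Body template exactly as configured in the Signals webhook action above.
BODY_TEMPLATE = """{
  "incidentKey": "{{watch.id}}",
  "summary": "SearchGuard alert: {{watch.id}}",
  "details": "Problem occurred at {{execution_time}}",
  "serverUrl": "https://my-server.com"
}"""

# Constructed stand-in for the context Signals exposes to the template.
SAMPLE_CONTEXT = {
    "watch": {"id": "failed-auth-spike"},
    "execution_time": "2024-01-01T00:00:00Z",
}

_PLACEHOLDER = re.compile(r"\{\{\s*([\w.]+)\s*\}\}")


def lookup(context, dotted_path):
    """Resolve a path such as 'watch.id' against nested dicts; missing keys render empty."""
    value = context
    for part in dotted_path.split("."):
        if not isinstance(value, dict) or part not in value:
            return ""
        value = value[part]
    return str(value)


def render_body(template, context):
    """Substitute placeholders and parse the result as JSON.

    Raises ValueError when the rendered text is not valid JSON, e.g. because a
    substituted value contains an unescaped double quote. Catch that here
    rather than after the watch has fired and ilert has rejected the payload.
    """
    rendered = _PLACEHOLDER.sub(lambda m: lookup(context, m.group(1)), template)
    return json.loads(rendered)


def post_to_ilert(webhook_url, payload):
    """Dry run: POST the rendered body to the ilert alert source webhook URL."""
    req = urllib.request.Request(
        webhook_url, data=json.dumps(payload).encode(),
        headers={"Content-Type": "application/json"}, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status


if __name__ == "__main__":
    print(json.dumps(render_body(BODY_TEMPLATE, SAMPLE_CONTEXT), indent=2))
```

Keep watch ids free of characters that need JSON escaping, since the template inserts them verbatim.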

FAQ

Will alerts in ilert be resolved automatically?

No, unfortunately Search Guard watch(es) will not fire resolve events for alerts.

Can I connect Search Guard with multiple alert sources from ilert?

Yes, simply create more watches in Search Guard.
