Skip to content
Elasticsearch alerting made simple.
Branch: master
Clone or download
Latest commit fa34a42 May 21, 2019
Type Name Latest commit message Commit time
Failed to load latest commit information.
config Add username/password options for ES auth Feb 13, 2019
nginx_config Unit testing (#113) Mar 18, 2019
public Fix issue with cron schedule; different simpler UI for setting schedule. Dec 18, 2018
rules Add support for timestamps as date field. Fix various bugs. Oct 30, 2018
src Fix issue pasting rich text into subject/body. May 10, 2019
tests Bump timeout for unit test May 8, 2019
.browserslistrc init Sep 10, 2018
.dockerignore Add Dockerfile for running app in prod. Update README with instructions. Sep 20, 2018
.drone.yml Bump timeout for unit test May 8, 2019
.eslintrc.js Unit testing (#113) Mar 18, 2019
.gitignore Use docker compose Oct 22, 2018
CREDITS.TXT Update docs. Dont allow test to be run until local validation passes. Oct 19, 2018
Dockerfile Unit testing (#113) Mar 18, 2019
LICENSE Create LICENSE Sep 28, 2018 0.3.7 May 21, 2019 Update Apr 2, 2019 Update May 3, 2019
babel.config.js Setup unit tests + tests for alertText and lucene syntax funcs + fix … Oct 22, 2018
cypress.json init Sep 10, 2018
docker-compose.yml Don't use PWD in docker-compose Oct 23, 2018
package-lock.json Update unit test run method for faster performance. Update element-ui… May 7, 2019
package.json 0.3.7 May 21, 2019
postcss.config.js init Sep 10, 2018 Update unit tests (+6 squashed commits) Mar 21, 2019
vue.config.js Unit testing (#113) Mar 18, 2019

Praeco is an alerting tool for Elasticsearch – a GUI for ElastAlert, using the ElastAlert API.

  • Interactively build alerts for your Elasticsearch data using a query builder
  • Preview results in an interactive chart
  • Test your alerts against historical data
  • Send notifications to Slack, Email or an HTTP POST endpoint
  • Supports the Any, Blacklist, Whitelist, Change, Frequency, Flatline, Spike and Metric Aggregation rule types
  • View logs of when your alerts check, fire and fail


Run the app using Docker compose. Praeco includes everything you need to get started. Just provide it the IP address of your Elasticsearch instance.

export PRAECO_ELASTICSEARCH=<your elasticsearch ip>
docker-compose up

ℹ️ Don't use for PRAECO_ELASTICSEARCH. See first item under the Troubleshooting section.

ℹ️ To set up Slack and Email notifications, edit rules/BaseRule.config.

Praeco should now be available on

A walkthrough article is available to guide you through creating your first rule.


docker pull servercentral/praeco; docker pull servercentral/elastalert
docker-compose up --force-recreate --build; docker image prune -f

You may need to update your config files when a new version comes out. Please see for version-specific instructions.


Edit rules/BaseRule.config, config/api.config.json, config/elastalert.yaml, and/or public/praeco.config.json for advanced configuration options. See the api docs and the example elastalert config for more information.

Any Elastalert option you put into rules/BaseRule.config will be applied to every rule.

The following config settings are available in praeco.config.json:

// Link back to your praeco instance, used in Slack alerts
"appUrl": "http://praeco-app-url:8080",

// A recordatus ( instance for javascript error reporting
"errorLoggerUrl": "",

// Hide these fields when editing rules, if they are already filled in template
"hidePreconfiguredFields": []


How do I connect to elasticsearch using SSL?

Edit config/api.config.json and set/add "es_ssl": true.

How do I connect to elasticsearch with a username and password?

Edit es_username and es_password in config/api.config.json and config/elastalert.yaml.

How do I serve the praeco UI over https?

The praeco UI is served by an included nginx server (see Dockerfile). Configure it as you would any nginx project by editing the files in nginx_config. Then update your docker-compose.yml and add your certificate files (under webapp volumes). Another option is using a reverse proxy.

How do I change the writeback index?

Edit config/elastalert.yaml and config/api.config.json and change the writeback_index values.

How do I change elastalert options, like SSL, user/pass, etc?

Edit config/elastalert.yaml and uncomment the appropriate lines.

How do I run this on Windows?

First, install docker and docker-compose.

Then, using powershell, run these commands:

docker-compose.exe up

Replace with your Elasticsearch IP.

Can I import my current elastalert rules into praeco?

Unfortunately this is not a possibility for two reasons. First, praeco only supports a subset of elastalert features, so only certain rules would work. Second, praeco cannot automatically create the query builder ui from an arbitrary elastalert filter entry, due to the potential complexity and combinations of filters someone can put in their rule file.

Can I export my praeco rules into another elastalert instance?

Yes, the praeco rule files are 100% compatible with other elastalert servers.


I am using for PRAECO_ELASTICSEARCH and it isn't working

Praeco, running within a docker container, cannot communicate with your ES bound to localhost. You need to change your ES setting to something different. The value of _site_ is suggested, that will bind to a local network IP on your machine. Then use that IP address for PRAECO_ELASTICSEARCH. Here's a working example:

elasticsearch -E
docker-compose up

Replace with the IP address your ES binds to (look for bound_addresses in the elasticsearch launch log).

I am getting high CPU usage on some of my rules

When editing a rule, click "WITH OPTIONS" and try using the "Use count query" option. This can dramatically speed up processing time for large amounts of data (tens of thousands of results).

I'm not receiving alerts even though I expect them

First of all, try to test your alert with varying time frames and see if that is returning any results.

If the test is returning results, but you are not receiving any alerts, check the error log. There may be a problem with your slack or email settings. Make sure you edited rules/BaseRule.config and have correct values in there.

If the test is not returning results, even though you think it should, try reading the elastalert docs for your rule type. Compare the yaml from praeco with the options from the docs to make sure the rule is being created as expected. If praeco is generating the wrong yaml, please file an issue.

Failed to establish a new connection: [Errno 111] Connection refused

You will see this error when launching if praeco cannot find elasticsearch at the IP address you specified at $PRAECO_ELASTICSEARCH. Please make sure you can communicate with this IP address by issuing the following command: curl http://$PRAECO_ELASTICSEARCH:9200. If the connection is refused, your machine cannot communicate with Elasticsearch, it may be a networking problem.

404 error in error log for slack webhook

Make sure the channel/username you are trying to post to exists.

Architecture details

Praeco is a vue.js app (hosted in an nginx docker container) that communicates with the elastalert api (running in another docker container) to view/edit rules. The elastalert api interacts with the included elastalert python daemon directly for various tasks including testing and silencing rules, and indirectly by modifying or creating rule files in the rules/ directory.

When you run praeco using the quickstart instructions, it runs these two docker containers, per the docker-compose.yml file.

Praeco uses a fork of the elastalert api server, which is why the docker image source is servercentral/elastalert.

NOTE: Only the api server is a fork, the elastalert daemon itself is built from the master branch whenever a new version of the servercentral/elastalert docker image is created.

Please see the development section below if you're interested in running these services separately.


First, you need a local copy of the elastalert api server running, which itself needs elastalert. Start by cloning the neccessary repos

git clone
git clone
git clone

Setting up elastalert

Configure the elastalert config.yaml with:

  • Your es_host
  • A unique writeback_index
  • Change the rules_folder to rules
cd ~/elastalert
mkdir rules rule_templates
pip install -r requirements-dev.txt
cp config.yaml.example config.yaml
vi config.yaml

Setting up the API server

Configure the api server config.json with:

  • An absolute path to your elastalert folder for elastalertPath
  • The address of your elasticsearch instance for es_host
  • The same writeback_index from the config.yaml
cd ~/elastalert-server
vi config/config.json
npm install
npm run start

You should see this line if it started successfully:

INFO elastalert-server: Server:  Server started

Setting up praeco

Finally, run praeco:

cd ~/praeco
npm install
export PRAECO_ELASTICSEARCH=<your elasticsearch ip>
npm run serve

You should now see the UI running at http://localhost:8080.

If you have any difficulties please open a github issue with your problem.

Sponsored by

You can’t perform that action at this time.