Multiple Elastic instances through single Praeco Container

[btvmunoz]

I may be misunderstanding how the configuration for Praeco works but so far everything takes me to believe that it only works on an individual basis, needing additional containers to connect through other instances.

Would this assumption be right and if so would it be feasible/possible to have one Praeco instance monitor different Elasticsearch instances to trigger alarms?

To clarify, we have a number of Elasticsearch instances but we want to alert from specific indices that are available on all of these instances.

[nsano-rururu]

I don't think I can. Even if ElastAlert supports it, it seems that ElastAlertServer only supports one connection.

[btvmunoz]

@nsano-rururu that makes sense, I would assume that the intent of ElastAlert is to only check on one specific instance and not separate ones. Would clustering work or is it the same answer though, just curious.

[nsano-rururu]

I can't say anything because I haven't tried it, but if the connection destination is specified as a representative (like a load balancer), it seems that the cluster ring will work.
Sorry for the vague answer.

[btvmunoz]

@nsano-rururu do not worry, I understand that this is a very specific question and only wanted to confirm if there was a possibility of having this working by calling multiple ES instances.

I'll see if I can figure out if a cluster works out and I'll let you know.

[nsano-rururu]

The following pull request for ElastAlert seems to be for multiple instances.
feat: suport for multi es instances #3109
Statsd and multi imports #3095

[nsano-rururu]

Yelp/elastalert#2526 (comment)

simple solution is to install a lightweight load balancer (like nginx or haproxy) and redirect your requests to your elasticsearch nodes. Just be sure your index settings are correctly spreading replicas of your shards accross your nodes because if the LB query a elastic node but doesn't contain all the data you needs, you will not see everything if the datas are spreads between the nodes

Yelp/elastalert#1402 (comment)

No, you don't need to install it multiple places, nor do you need to declare all the node names. All you need is direct connectivity to a SINGLE node.

Yelp/elastalert#1364 (comment)

Please use haproxy in front of elasticsearch . This helps to accomplish ha mode for elastalert.

Yelp/elastalert#614 (comment)

I recommend haproxy. It's super simple to set up a reverse proxy for Elasticsearch to do load balancing.

[btvmunoz]

@nsano-rururu now that's definitely something to look at, I'll have to figure it out from the info you have provided me so far since these nodes are located in different places and currently don't have load balancing.

[nsano-rururu]

The same is true for praeco, as elastalert-server only considers connections for one instance. For elastalert alone, let's look at past issues. I remember seeing it specified by separating it with ",".

[nsano-rururu]

@btvmunoz

It seems unlikely that you will specify multiple es_hosts. This completes the research I can do.