I have never used ElastAlert nor Docker before, so I am completely lost on how to troubleshoot this. I would appreciate any help!
I followed the documentation to install on my development Elastic server running Ubuntu (Elasticsearch, Kibana, and Logstash are on the same host). The Kibana plug-in seems to have installed properly, as I can see the ElastAlert icon on the navigation bar. Clicking on it gives me a 502 error saying it cannot connect to 127.0.0.1:3030. I tried to curl the localhost on port 3030, and there was no response. Since I have never used Docker before, it took a while to figure out how to even see what was happening when I try to start the container (--interactive). When trying to run with the --interactive flag, here is what I get:
me@devserver:/opt/elastalert# docker run -d -p 3030:3030 -p 3333:3333 \
> -v `pwd`/config/elastalert.yaml:/opt/elastalert/config.yaml \
> -v `pwd`/config/elastalert-test.yaml:/opt/elastalert/config-test.yaml \
> -v `pwd`/config/config.json:/opt/elastalert-server/config/config.json \
> -v `pwd`/rules:/opt/elastalert/rules \
> -v `pwd`/rule_templates:/opt/elastalert/rule_templates \
> --net="host" \
> --name elastalert bitsensor/elastalert:latest
Unable to find image 'bitsensor/elastalert:latest' locally
latest: Pulling from bitsensor/elastalert
e7c96db7181b: Pull complete
a9b145f64bbe: Pull complete
3bcb5e14be53: Pull complete
c7eba4f91c52: Pull complete
f404eba5b52b: Pull complete
ba2471f84d98: Pull complete
c94b7abcf496: Pull complete
80048254d1c2: Pull complete
b31aaa1e4bc4: Pull complete
4dda5b4cc83c: Pull complete
7bbb929b0d36: Pull complete
44fec82996d4: Pull complete
ff8f4a3d434f: Pull complete
553cf29ddc41: Pull complete
0f4503324961: Pull complete
Digest: sha256:c80f54a6743778908a08876e157bea8013a92e5dabfdf4fca0737d3e7d105b97
Status: Downloaded newer image for bitsensor/elastalert:latest
WARNING: Published ports are discarded when using host network mode
063bf0d3facaa3c7ad5357f7a11c8c238dee7a2c12980eb28e18f0a57a2db0dd
me@devserver:/opt/elastalert# docker start --interactive elastalert
> @bitsensor/[email protected] start /opt/elastalert-server
> sh ./scripts/start.sh
21:44:07.371Z INFO elastalert-server: Config: No config.dev.json file was found in /opt/elastalert-server/config/config.dev.json.
21:44:07.373Z INFO elastalert-server: Config: Proceeding to look for normal config file.
21:44:07.374Z INFO elastalert-server: Config: A config file was found in /opt/elastalert-server/config/config.json. Using that config.
21:44:07.385Z INFO elastalert-server: Router: Listening for GET request on /.
21:44:07.385Z INFO elastalert-server: Router: Listening for GET request on /status.
21:44:07.385Z INFO elastalert-server: Router: Listening for GET request on /status/control/:action.
21:44:07.385Z INFO elastalert-server: Router: Listening for GET request on /status/errors.
21:44:07.385Z INFO elastalert-server: Router: Listening for GET request on /rules.
21:44:07.388Z INFO elastalert-server: Router: Listening for GET request on /rules/:id.
21:44:07.388Z INFO elastalert-server: Router: Listening for POST request on /rules/:id.
21:44:07.388Z INFO elastalert-server: Router: Listening for DELETE request on /rules/:id.
21:44:07.389Z INFO elastalert-server: Router: Listening for GET request on /templates.
21:44:07.389Z INFO elastalert-server: Router: Listening for GET request on /templates/:id.
21:44:07.389Z INFO elastalert-server: Router: Listening for POST request on /templates/:id.
21:44:07.389Z INFO elastalert-server: Router: Listening for DELETE request on /templates/:id.
21:44:07.389Z INFO elastalert-server: Router: Listening for POST request on /test.
21:44:07.390Z INFO elastalert-server: Router: Listening for GET request on /config.
21:44:07.390Z INFO elastalert-server: Router: Listening for POST request on /config.
21:44:07.390Z INFO elastalert-server: Router: Listening for POST request on /download.
21:44:07.390Z INFO elastalert-server: Router: Listening for GET request on /metadata/:type.
21:44:07.391Z INFO elastalert-server: Router: Listening for GET request on /mapping/:index.
21:44:07.391Z INFO elastalert-server: Router: Listening for POST request on /search/:index.
21:44:07.401Z INFO elastalert-server: ProcessController: Starting ElastAlert
21:44:07.401Z INFO elastalert-server: ProcessController: Creating index
21:44:07.835Z INFO elastalert-server:
ProcessController: Elastic Version:7
Mapping used for string:{'type': 'keyword'}
Index elastalert_status already exists. Skipping index creation.
21:44:07.835Z INFO elastalert-server: ProcessController: Index create exited with code 0
21:44:07.836Z INFO elastalert-server: ProcessController: Starting elastalert with arguments [none]
21:44:07.843Z INFO elastalert-server: ProcessController: Started Elastalert (PID: 36)
21:44:07.844Z INFO elastalert-server: Server: Server listening on port 3030
21:44:07.845Z INFO elastalert-server: Server: Websocket listening on port 3333
21:44:07.846Z INFO elastalert-server: Server: Server started
21:44:08.542Z ERROR elastalert-server:
ProcessController: Traceback (most recent call last):
File "/usr/lib/python2.7/runpy.py", line 174, in _run_module_as_main
21:44:08.543Z ERROR elastalert-server:
ProcessController: "__main__", fname, loader, pkg_name)
File "/usr/lib/python2.7/runpy.py", line 72, in _run_code
exec code in run_globals
File "/opt/elastalert/elastalert/elastalert.py", line 1929, in <module>
sys.exit(main(sys.argv[1:]))
File "/opt/elastalert/elastalert/elastalert.py", line 1925, in main
21:44:08.543Z ERROR elastalert-server:
ProcessController: client.start()
File "/opt/elastalert/elastalert/elastalert.py", line 1106, in start
21:44:08.543Z ERROR elastalert-server: ProcessController:
21:44:08.543Z ERROR elastalert-server:
ProcessController: self.run_all_rules()
File "/opt/elastalert/elastalert/elastalert.py", line 1158, in run_all_rules
21:44:08.544Z ERROR elastalert-server: ProcessController:
21:44:08.544Z ERROR elastalert-server:
ProcessController: self.send_pending_alerts()
File "/opt/elastalert/elastalert/elastalert.py", line 1534, in send_pending_alerts
21:44:08.545Z ERROR elastalert-server:
ProcessController: pending_alerts = self.find_recent_pending_alerts(self.alert_time_limit)
File "/opt/elastalert/elastalert/elastalert.py", line 1526, in find_recent_pending_alerts
21:44:08.545Z ERROR elastalert-server:
ProcessController: size=1000)
File "/usr/lib/python2.7/site-packages/elasticsearch-7.0.1-py2.7.egg/elasticsearch/client/utils.py", line 84, in _wrapped
21:44:08.545Z ERROR elastalert-server:
ProcessController: return func(*args, params=params, **kwargs)
TypeError: search() got an unexpected keyword argument 'doc_type'
21:44:08.572Z ERROR elastalert-server: ProcessController: ElastAlert exited with code 1
21:44:08.572Z INFO elastalert-server: Server: Stopping server
21:44:08.572Z INFO elastalert-server: ProcessController: ElastAlert is not running
21:44:08.573Z INFO elastalert-server: Server: Server stopped. Bye!
me@devserver:/opt/elastalert#
Since everything is running on the localhost, I am guessing the default installation should work out of the box, no? What am I missing here? Why am I getting all these errors?
Again, I would appreciate any help in getting this to work.
Thank you,
Mako
Looks like an elasticsearch version mismatch (7 seems to be used, with an
older ElastAlert version)
On Thu, 12 Sep 2019 at 06:24, Supaman <[email protected]> wrote:
any update ?
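An added example, not part of the original thread and not ElastAlert's own code: a small Python triage script that strips the elastalert-server prefixes from a log like the one posted above and extracts the fields relevant to the version-mismatch diagnosis. The sample log is a constructed excerpt of lines from the issue; the function and field names are hypothetical.

```python
import re

# Constructed excerpt of the log posted in the issue (not a full capture).
SAMPLE_LOG = """\
21:44:07.835Z INFO elastalert-server:
ProcessController: Elastic Version:7
Mapping used for string:{'type': 'keyword'}
21:44:08.543Z ERROR elastalert-server: ProcessController:
21:44:08.545Z ERROR elastalert-server:
ProcessController: size=1000)
File "/usr/lib/python2.7/site-packages/elasticsearch-7.0.1-py2.7.egg/elasticsearch/client/utils.py", line 84, in _wrapped
21:44:08.545Z ERROR elastalert-server:
ProcessController: return func(*args, params=params, **kwargs)
TypeError: search() got an unexpected keyword argument 'doc_type'
21:44:08.572Z ERROR elastalert-server: ProcessController: ElastAlert exited with code 1
"""

# Timestamp/level prefix the server wrapper puts in front of child output.
PREFIX = re.compile(r"^\d{2}:\d{2}:\d{2}\.\d{3}Z\s+(?:INFO|ERROR)\s+elastalert-server:\s*")
TAG = re.compile(r"^ProcessController:\s*")

# One capture group per field; the first match in the log wins.
PATTERNS = {
    "server_major": re.compile(r"^Elastic Version:\s*(\d+)"),
    "client_version": re.compile(r"site-packages/elasticsearch-(\d+(?:\.\d+)*)-py"),
    "exception": re.compile(r"^(\w+(?:Error|Exception): .+)$"),
    "rejected_kwarg": re.compile(r"unexpected keyword argument '(\w+)'"),
    "exit_code": re.compile(r"ElastAlert exited with code (\d+)"),
}

def clean_lines(log):
    """Yield log lines with the wrapper prefix and tag removed, skipping empties."""
    for raw in log.splitlines():
        line = TAG.sub("", PREFIX.sub("", raw.strip()))
        if line:
            yield line

def diagnose(log):
    """Return the Elasticsearch version, client library version and failure details."""
    found = dict.fromkeys(PATTERNS)
    for line in clean_lines(log):
        for key, pattern in PATTERNS.items():
            match = pattern.search(line)
            if match and found[key] is None:
                found[key] = match.group(1)
    return found

if __name__ == "__main__":
    for key, value in diagnose(SAMPLE_LOG).items():
        print("%-15s %s" % (key, value))
```

The Elasticsearch major version, the Python client version from the egg path, and the rejected keyword argument appear side by side, which is the information needed to check the version-mismatch explanation given in the reply.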