
Connecting ElastAlert2 Alerts to Redmine and Slack

Posted at 2025-11-03

Introduction

This Qiita entry explains how to integrate ElastAlert 2 with Redmine and Slack so that alerts are sent automatically when specific log conditions are detected in Elasticsearch.

Each platform serves a different purpose in the alerting workflow:

ElastAlert 2:

An open-source alerting framework for Elasticsearch. It continuously monitors log data and triggers alerts when conditions such as spikes, flatlines, or keyword matches occur.

Redmine:

A web-based project management and issue-tracking tool. By connecting ElastAlert to Redmine, alerts can be automatically registered as tickets, allowing teams to manage and track incidents efficiently.

Slack:

A team communication platform. Integrating Slack with ElastAlert allows immediate notification delivery to specific channels, helping monitoring teams respond quickly to system anomalies.

Required Environment

Software requirements and versions

Component         Version
VM Nodes          1
Elasticsearch     8.13.4
ElastAlert2       2.11.1
Python            3.12.3
Redmine           5.1.2
Slack Workspace   Integration enabled (via Webhook URL)

Library Versions

Library           Version
PyYAML            6.0.2
elasticsearch-py  8.18.1

ESXi Node Configuration

Resource   Specification
vCPU       4 cores
Memory     8 GB
Storage    40 GB

1.0 ElastAlert Setup

In this section, we will set up ElastAlert2 to connect with Slack and Redmine using their respective API keys and Webhook URLs.
These integrations allow ElastAlert to automatically send alerts to both Slack channels and Redmine issue trackers whenever a rule is triggered.

1.1 Getting Slack Webhook

To allow ElastAlert to send alerts to your Slack workspace, you must create an Incoming Webhook:

  1. Visit the official Slack API page: https://api.slack.com/apps
  2. Click “Create New App”
  3. Select “From scratch”
  4. Choose your Slack workspace
  5. In the left sidebar, go to Incoming Webhooks
  6. Enable Activate Incoming Webhooks
  7. Click “Add New Webhook to Workspace” and select a target channel (e.g., #alerts)
  8. Copy the generated Webhook URL — you will use it inside your ElastAlert rule YAML file.

Example Slack Webhook URL (private parts hidden):

https://hooks.slack.com/services/T********/B**********/f**********************

1.2 Getting Redmine API Key

To integrate ElastAlert with Redmine, we will use the Redmine REST API key, which can be found in your Redmine user account settings.

  1. Log in to your Redmine dashboard
  2. Go to the “My account” section
  3. Click “Show” under API access key
  4. Copy the key — you will use it in your ElastAlert YAML configuration.

[Image: Redmine "My account" page with the API access key shown]

Example Redmine API key (private parts hidden):

540bdfb7ccd14b9aeaeeed1ef767b82b3**********

2.0 ElastAlert YAML File Configuration

In this section, we will configure ElastAlert 2 YAML rule files so that alerts are sent to Slack and Redmine. The top part of the YAML defines what to detect (index, type, filter, threshold). The alert section defines where to send the alert. For Slack, we use the built-in slack alerter and provide the webhook URL. For Redmine, we use the HTTP POST alerter (post2) to call Redmine’s REST API and create an issue automatically.

2.1 ElastAlert Rule File

index: syslog-*                      # search the syslog indices
name: Dynamic Threshold for Warning Logs
type: frequency                      # fire when num_events matches occur inside timeframe
num_events: 727
timeframe:
  minutes: 60
filter:
  - term:
      log.syslog.severity.name.keyword: Warning          # only Warning severity
  - term:
      host.hostname.keyword: lily.a910.tak-cslab.org     # only this host

The rule above uses the log.syslog.severity.name field to select Warning logs from a single host. The threshold (num_events) was set from that host's past behaviour, and the rule counts the number of Warning syslog entries within one hour.
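To make the frequency semantics concrete, here is an added example (not code from the article or from ElastAlert) that applies the rule's two term filters and its 727-per-60-minute threshold to constructed syslog-style documents, using a sliding window that is cleared once an alert fires; the documents, their timestamps and the make_docs helper are constructed for this illustration.

```python
from collections import deque
from datetime import datetime, timedelta

# Rule parameters copied from the frequency rule above.
NUM_EVENTS = 727
TIMEFRAME = timedelta(minutes=60)
SEVERITY = "Warning"
HOSTNAME = "lily.a910.tak-cslab.org"

def matches_filter(doc):
    """Apply the rule's two term filters (severity name and hostname) to one document."""
    sev = doc.get("log", {}).get("syslog", {}).get("severity", {}).get("name")
    return sev == SEVERITY and doc.get("host", {}).get("hostname") == HOSTNAME

def frequency_alerts(docs, num_events=NUM_EVENTS, timeframe=TIMEFRAME):
    """Return the timestamps at which the frequency rule would fire.

    Matching documents are kept in a sliding window of length `timeframe`; when
    the window holds `num_events` documents the rule fires and the window is
    cleared, so a sustained burst yields one alert per num_events matches."""
    window, fired = deque(), []
    for doc in sorted(docs, key=lambda d: d["@timestamp"]):
        if not matches_filter(doc):
            continue
        ts = doc["@timestamp"]
        window.append(ts)
        while ts - window[0] > timeframe:  # expire documents older than the timeframe
            window.popleft()
        if len(window) >= num_events:
            fired.append(ts)
            window.clear()
    return fired

def make_docs(count, spacing_sec, start=datetime(2025, 11, 3), hostname=HOSTNAME, severity=SEVERITY):
    """Constructed syslog-style documents for an offline run (not real log data)."""
    return [{"@timestamp": start + timedelta(seconds=i * spacing_sec),
             "host": {"hostname": hostname},
             "log": {"syslog": {"severity": {"name": severity}}},
             "message": "constructed warning %d" % i} for i in range(count)]
```

With 727 Warning documents four seconds apart the rule fires once; spaced five seconds apart the oldest ones age out of the hour before the count is reached, so it never fires.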

2.2 Slack Configuration

Below is the alert section of the ElastAlert rule file for Slack:

alert:
  - slack
slack_webhook_url: "https://hooks.slack.com/services/T********/B**********/f**********************"
slack_username_override: ElastAlert
slack_title: "⚠️ Dynamic Threshold Exceeded"
# ElastAlert substitutes {0}, {1}, ... in alert_text from alert_text_args (str.format syntax);
# alert_text_only keeps the message to this text instead of appending the whole match.
alert_text: "*{0}* exceeded the dynamic log threshold in the last hour."
alert_text_type: alert_text_only
alert_text_args:
  - host.hostname

Explanation:

  • index: search the syslog indices
  • type: frequency → alert when the number of matching logs reaches num_events inside timeframe
  • filter: only Warning logs AND only from lily.a910.tak-cslab.org
  • alert: - slack → use the Slack alerter
  • slack_webhook_url: the Incoming Webhook URL created in Slack
  • slack_title / alert_text: customize the message
  • alert_text_args: pass the host name into the message

2.3 Redmine Configuration

Below is the alert section of the ElastAlert rule file for Redmine:

alert:
  - post2
# Redmine's issue creation endpoint. Plain http:// sends the API key in clear text, so use
# https:// where the Redmine host offers it, and keep this rule file readable only by the
# ElastAlert user because it embeds the key.
http_post2_url: "http://monitoring-master-ml:32300/issues.json"
http_post2_headers:
  X-Redmine-API-Key: "540bdfb7ccd14b9aeaeeed1ef767b82b3**********"
  Content-Type: "application/json"
jinja_root_name: _data        # the matched document is exposed to the Jinja template as _data
http_post2_payload:
  issue:
    project_id: 2
    tracker_id: 28
    priority_id: 2
    status_id: 1
    subject: "Alertmanager High Error Log Rate"
    description: |
      Generated by ElastAlert.

      Matched message: {{ _data.get('message','') }}

      ---
      このアラートは自動的にElastAlertにより生成されました。
      Please confirm: 正常なアラートですか?誤検知ですか?
      (Real alert? or False alert? チェックしてください)

Explanation:

  • alert: - post2 → send HTTP POST to Redmine
  • http_post2_url → Redmine issue creation API
  • http_post2_headers → include API key and JSON header
  • http_post2_payload → actual issue body in Redmine (project, tracker, priority, status)
  • jinja_root_name + {{ _data.get(...) }} → insert matched log message into the ticket
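The issue-creation call that post2 makes, as an added example rather than code from the article or from ElastAlert: it builds the same issue body (plain Python formatting standing in for the Jinja template), sends it with the X-Redmine-API-Key header, and exercises it against a small local stand-in for Redmine so the request shape and the 401/422 error paths can be checked before the rule goes live. The mock endpoint, the sample match, and the PLACEHOLDER_API_KEY value are constructed here; the project/tracker/priority/status defaults are the ids from the rule above.

```python
import json
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.error import HTTPError
from urllib.request import Request, urlopen

SAMPLE_MATCH = {"host": {"hostname": "lily.a910.tak-cslab.org"},  # constructed sample match
                "message": "sshd[2231]: pam_unix(sshd:auth): authentication failure (constructed)"}

def build_issue_payload(match, project_id=2, tracker_id=28, priority_id=2, status_id=1):
    # Same shape as http_post2_payload; plain %-formatting stands in for the Jinja template.
    host = match.get("host", {}).get("hostname", "unknown")
    desc = "Generated by ElastAlert.\n\nMatched message: %s" % match.get("message", "")
    return {"issue": {"project_id": project_id, "tracker_id": tracker_id, "priority_id": priority_id,
                      "status_id": status_id, "description": desc,
                      "subject": "Warning log threshold exceeded on " + host}}

def create_issue(base_url, api_key, payload):
    # POST /issues.json with the key header; returns (status, body) instead of raising on 4xx.
    req = Request(base_url + "/issues.json", data=json.dumps(payload).encode(), method="POST",
                  headers={"X-Redmine-API-Key": api_key, "Content-Type": "application/json"})
    try:
        with urlopen(req, timeout=5) as resp:
            return resp.status, json.loads(resp.read())
    except HTTPError as err:  # Redmine answers 401/422 with a JSON "errors" list
        return err.code, json.loads(err.read() or b"{}")

class MockRedmine(BaseHTTPRequestHandler):
    """Minimal stand-in for Redmine: enforces the API key and validates the issue body."""
    expected_key = "PLACEHOLDER_API_KEY"  # placeholder, not the article's real key
    def do_POST(self):
        body = json.loads(self.rfile.read(int(self.headers.get("Content-Length", 0))) or b"{}")
        if self.headers.get("X-Redmine-API-Key") != self.expected_key:
            code, reply = 401, {"errors": ["Unauthorized"]}
        elif self.path != "/issues.json" or not body.get("issue", {}).get("subject"):
            code, reply = 422, {"errors": ["Subject cannot be blank"]}
        else:  # a real Redmine assigns the new issue id; the mock echoes the issue back
            code, reply = 201, {"issue": dict(body["issue"], id=1)}
        data = json.dumps(reply).encode()
        self.send_response(code)
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

def start_mock_redmine():
    # Serve the mock on an ephemeral localhost port and return its base URL.
    server = ThreadingHTTPServer(("127.0.0.1", 0), MockRedmine)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return "http://127.0.0.1:%d" % server.server_address[1]
```

Call start_mock_redmine(), then create_issue(url, MockRedmine.expected_key, build_issue_payload(SAMPLE_MATCH)): a 201 with the echoed issue means the payload shape is right, a 401 means the key header was rejected, and a 422 means Redmine would refuse the issue body.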

3.0 ElastAlert Execution

After saving the updated YAML files, start ElastAlert with nohup so that it keeps running after the terminal is closed:

nohup elastalert --config config.yaml --verbose --es_debug > elastalert.log 2>&1 &

Example run, with confirmation that the process is alive:

c0a22173@elast:~/elastalert2$ nohup elastalert --config config.yaml --verbose --es_debug > elastalert.log 2>&1 &
[1] 1599
c0a22173@elast:~/elastalert2$ tail -f elastalert.log
nohup: ignoring input
INFO:elastalert:7 rules loaded
INFO:elastalert:Starting up
INFO:elastalert:Disabled rules are: []
INFO:elastalert:Sleeping for 59.999961 seconds
c0a22173@elast:~/elastalert2$ ps aux | grep elastalert
c0a22173   1599  7.2  0.8 228316  66264 pts/0    Sl   00:35   0:00 /home/c0a22173/elast2/bin/python3 /home/c0a22173/elast2/bin/elastalert --config config.yaml --verbose --es_debug
c0a22173   1605  0.0  0.0   6544   2304 pts/0    S+   00:35   0:00 grep --color=auto elastalert
c0a22173@elast:~/elastalert2$

3.1 Alert Confirmation

Now we can check that the alert has been delivered to Redmine and Slack.

3.1.1 Slack Alert

The alert sent to Slack is shown like this:

[Image: Slack message posted by ElastAlert to the alerts channel]

3.1.2 Redmine Alert

The alert sent to Redmine is shown like this:

[Image: Redmine issue created by ElastAlert]

4.0 Reference

  • ElastAlert 2 (https://github.com/jertel/elastalert2): official GitHub repository for ElastAlert 2, with setup instructions, rule examples, and alert configurations.
  • ElastAlert 2 Documentation (https://elastalert2.readthedocs.io/): full documentation with installation guide, configuration details, and alert type references.
  • ElastAlert 2 Rule Examples (https://github.com/jertel/elastalert2/tree/master/examples): example rule YAML files demonstrating common use cases such as frequency, spike, and flatline alerts.
  • Redmine API (https://www.redmine.org/projects/redmine/wiki/Rest_api): official Redmine REST API documentation; explains how to create, update, and query issues programmatically.
  • Redmine Python Integration (https://python-redmine.com/): Python library for interacting with the Redmine REST API; useful for automation and alert integration.
  • Slack Webhook (https://api.slack.com/messaging/webhooks): official Slack guide on creating and using Incoming Webhooks for automated message posting.
  • Slack API Overview (https://api.slack.com/): main Slack API documentation; includes guides for apps, tokens, and authentication.