Getting Started

This getting started guide walks you through installing Watcher and creating your first watches, and introduces the building blocks you’ll use to create custom watches. You must run the version of Watcher that matches the version of Elasticsearch you are running.

To install and run Watcher:

  1. Run bin/plugin install from ES_HOME to install the License plugin:

    bin/plugin install license

    You need to install the License and Watcher plugins on each node in your cluster.

  2. Run bin/plugin install to install the Watcher plugin.

    bin/plugin install watcher

    If you are using a DEB/RPM distribution of Elasticsearch, run the installation with superuser permissions. To perform an offline installation, download the Watcher binaries.

  3. Confirm that you want to grant Watcher additional permissions. Watcher needs these permissions to set the thread context loader during install so it can send email notifications.

    @     WARNING: plugin requires additional permissions     @
    * java.lang.RuntimePermission getClassLoader
    * java.lang.RuntimePermission setContextClassLoader
    * java.lang.RuntimePermission setFactory
    for descriptions of what these permissions allow and the associated risks.
    Continue with installation? [y/N]y

    Specify the --batch option when running the install command to automatically grant these permissions and bypass this install prompt.

  4. If you have disabled automatic index creation in Elasticsearch, configure action.auto_create_index in elasticsearch.yml to allow Watcher to create the .watches, .triggered_watches, and .watcher-history* indices:

    action.auto_create_index: .watches,.triggered_watches,.watcher-history*

    If you have Shield installed, you must also allow Shield to create the .security index.

  5. Start Elasticsearch.

  6. To verify that Watcher is set up, call the Watcher _stats API:

    curl -XGET 'http://localhost:9200/_watcher/stats?pretty'

    You haven’t set up any watches yet, so the watch_count is zero and the execution_thread_pool queue is empty:

      "watcher_state": "started",
      "watch_count": 0,
      "execution_thread_pool": {
        "queue_size": 0,
        "max_size": 0
      }
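
An added check script for steps 4 and 6 (it is not part of the Watcher documentation): it decides whether an action.auto_create_index value lets Watcher create each index it needs, implementing the general matching rules Elasticsearch applies to that setting (comma-separated patterns, optional + or - prefix, first match wins, no match means deny) rather than only the one value shown above, and it tells whether a _watcher/stats body reports "started". The .watcher-history-2016.01.01 name and the JSON strings are constructed samples.

```shell
#!/bin/sh
# Matching rules assumed here, as Elasticsearch documents them for
# action.auto_create_index: comma-separated patterns, optional "+" (allow) or
# "-" (deny) prefix, no prefix means allow, first matching pattern wins,
# no match means deny, and "true"/"false" allow or deny everything.

# auto_create_allowed SETTING INDEX -> exit 0 if INDEX may be auto-created
auto_create_allowed() {
  _index=$2
  case "$1" in
    ''|true) return 0 ;;          # unset or true: everything may be created
    false)   return 1 ;;
  esac
  set -f                          # no pathname expansion while splitting
  _ifs=$IFS; IFS=,
  set -- $1                       # one positional parameter per pattern
  IFS=$_ifs; set +f
  for _pat in "$@"; do
    _verdict=allow
    case "$_pat" in
      +*) _pat=${_pat#+} ;;
      -*) _pat=${_pat#-}; _verdict=deny ;;
    esac
    case "$_index" in             # shell globs use the same wildcard syntax
      $_pat) [ "$_verdict" = allow ] && return 0; return 1 ;;
    esac
  done
  return 1                        # nothing matched: creation is refused
}

# watcher_indices_blocked SETTING [with_shield] -> prints each required index
# the setting would refuse, one per line; exit 1 if any is refused
watcher_indices_blocked() {
  _required='.watches .triggered_watches .watcher-history-2016.01.01'  # constructed history name
  [ "${2:-}" = with_shield ] && _required="$_required .security"
  _rc=0
  for _idx in $_required; do
    auto_create_allowed "$1" "$_idx" || { echo "$_idx"; _rc=1; }
  done
  return $_rc
}

# watcher_ready STATS_JSON -> exit 0 when the _watcher/stats body says "started"
watcher_ready() {
  printf '%s\n' "$1" | grep -Eq '"watcher_state"[[:space:]]*:[[:space:]]*"started"'
}

# Offline demonstration with the setting from step 4, with Shield installed:
watcher_indices_blocked '.watches,.triggered_watches,.watcher-history*' with_shield \
  || echo 'the indices above are refused; extend action.auto_create_index'
```

With a running node, the stats check is `watcher_ready "$(curl -s http://localhost:9200/_watcher/stats)"`.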

Ready to start building watches? Choose one of the following scenarios: