This is a brief post on how to configure Elasticsearch Watcher alerts to be sent to Microsoft Teams. We will use the webhook action in Elasticsearch and a corresponding incoming webhook in Microsoft Teams. Documentation on these is rather sparse, so I think it will be useful to detail the steps.
WHY
Elasticsearch Watcher is a powerful and highly configurable alerting system that can send notifications to many platforms. Most people will be happy for alerts to arrive in their inbox, but what about something different, like Microsoft Teams? It is one of the better communication platforms out there, yet the instructions for integrating Elasticsearch Watcher alerts with it are on the cryptic side. Hence this post.
HOW
Configuring Microsoft Teams
First you have to go to Microsoft Teams and create a team.
Then add a channel to it. I am using the app, but you can also log in to Microsoft Teams in a browser. Make sure that you have permission to create a team.
In the app, click on the Teams icon and then, at the bottom of the screen, click on "Join or create a team".
NOTE: The screenshots might not remain accurate as new versions of Microsoft Teams are rolled out.
(Screenshot: Icon to click to start creating a Microsoft team.)
(Screenshot: Welcome screen for creating a Microsoft team.)
I chose "From scratch" for this demo.
Now you have to create a Channel.
Once the channel is created, you have to configure an incoming webhook. To do that, click on the "Apps" icon at the bottom left of the app, search for "incoming webhook" in the search bar, and click on the card shown.
Then you have to search for the Channel you created, not the Team.
Give your connector a name. Once that is done, click on "Setup a connector".
Once you are done it will generate a URL, which you have to copy. This URL is important, as you will soon see. Treat it like a password: anyone who holds it can post messages into the channel, so keep it out of tickets, chat and version control.
Configuring Elasticsearch
In the Elasticsearch Watcher section, create a watcher. I will be creating an advanced watch. I will assume that you are familiar with the various actions that can be configured in Watcher; if not, give me a shout and I might write a blog post on that.
Remember the URL we got?
Suppose the URL is:
`https://starkindustries.webhook.office.com/webhookb2/9589h9d-85396hfascgfydhjhhjdhkkljiopfg8=-980783/IncomingWebhook/g789035ureg780/97234`
You will get three things from this:
- `https`, which goes as the value of the `scheme` field in the Elasticsearch action;
- `starkindustries.webhook.office.com`, which goes as the value of `host`; and
- `/webhookb2/9589h9d-85396hfascgfydhjhhjdhkkljiopfg8=-980783/IncomingWebhook/g789035ureg780/97234`, which goes as the value of `path`.
The `port` is 443, the default for `https`, since the URL carries no explicit port.
Here is the action for sending the alert to Microsoft Teams. (Note that this is just a snippet of the watcher; you will need to write the other parts.) The triple-quoted `"""..."""` body is Kibana Dev Tools console syntax; if you submit the watch as plain JSON (for example with curl against the `_watcher/watch` API), the body must be a single JSON string with its inner quotes escaped.

```json
"actions": {
  "msteams_webhook": {
    "throttle_period_in_millis": 300000,
    "webhook": {
      "scheme": "https",
      "host": "starkindustries.webhook.office.com",
      "port": 443,
      "method": "post",
      "path": "/webhookb2/9589h9d-85396hfascgfydhjhhjdhkkljiopfg8=-980783/IncomingWebhook/g789035ureg780/97234",
      "params": {},
      "headers": {},
      "body": """{ "type": "TextBlock", "text": "This is a test. And you can use incoming data from watcher too like this: {{ctx.payload.hits.total}}" }"""
    }
  }
}
```
NOTES:
Check connectivity first !!
It is always a good idea to check that there is connectivity between your Elasticsearch instance and Microsoft Teams before writing the watch. You can use the URL you got to test this.
Go to Kibana -> Stack Management -> Rules and Connectors -> Connectors
Create a connector of type Microsoft Teams, give it a name, and paste in the whole URL you got. Save and test: in the test window, type a message and run the test. The result should be a success, and you will also see the message in the Microsoft Teams app.
Mind that body !!
Another area where most people trip up is the message body.
Microsoft Teams expects the incoming message in a certain format, and if yours does not match you will get the infamous "Bad payload received by generic incoming webhook" error.
The fields and the format in the body section of this watcher action are dictated by Microsoft Teams, not by Elastic.
You can get more information on the format expectation from Microsoft Teams here.
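To tie the URL breakdown and the action snippet from the HOW section together with the body note above, here is an added Python example (not code from this post, from Elastic or from Microsoft). It splits a webhook URL into the `scheme`, `host`, `port` and `path` fields, builds the action as plain JSON-compatible data (the escaped-string form rather than the console triple quotes), checks that the body is the simple `{"text": ...}` form Teams accepts, and previews what Teams would receive once Watcher fills in a `{{ctx.payload.hits.total}}` placeholder. `SAMPLE_URL`, the 7-hit context and the function names are constructed for the example; the body check deliberately covers only the plain-text form used in the post, not connector or adaptive cards.

```python
"""Turn a Teams incoming-webhook URL into a Watcher webhook action and sanity-check the body.

Added example for this post; it is not code from the post, from Elastic or from Microsoft.
SAMPLE_URL is a constructed value in the shape the post shows, not a live webhook.
"""
import json
import re
from urllib.parse import urlsplit

# Constructed sample URL (same shape as the post's example; not a real webhook).
# Treat a real one as a secret: anyone holding it can post into the channel.
SAMPLE_URL = (
    "https://starkindustries.webhook.office.com/webhookb2/"
    "9589h9d-85396hfascgfydhjhhjdhkkljiopfg8=-980783/IncomingWebhook/g789035ureg780/97234"
)

# Simplified Mustache: only {{dotted.name}} substitutions, enough for ctx.payload lookups.
PLACEHOLDER = re.compile(r"\{\{\s*([A-Za-z0-9_.]+)\s*\}\}")


def split_webhook_url(url):
    """Split the URL into the scheme/host/port/path fields the webhook action needs."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        # Teams webhooks are https only; never send the secret path over plain http.
        raise ValueError("webhook URL must use https")
    if not parts.hostname or not parts.path:
        raise ValueError("webhook URL needs a host and a path")
    return {
        "scheme": parts.scheme,
        "host": parts.hostname,
        "port": parts.port or 443,  # https default when the URL carries no explicit port
        "path": parts.path,
    }


def teams_body_problem(body):
    """Return None if body is the simple text form Teams accepts, else a reason string.

    Assumption: this checks only the plain {"text": ...} form used in the post, not
    connector or adaptive cards. A body failing it is the kind that triggers Teams'
    'Bad payload received by generic incoming webhook' error.
    """
    try:
        msg = json.loads(body)
    except json.JSONDecodeError as exc:
        return f"body is not valid JSON: {exc}"
    if not isinstance(msg, dict):
        return "body must be a JSON object"
    if not isinstance(msg.get("text"), str) or not msg["text"].strip():
        return "body needs a non-empty 'text' string"
    return None


def build_webhook_action(url, text, throttle_ms=300000, name="msteams_webhook"):
    """Build the 'actions' entry as plain JSON-compatible data (no console triple quotes)."""
    body = json.dumps({"text": text})  # inner quotes get escaped when the watch is serialised
    problem = teams_body_problem(body)
    if problem:
        raise ValueError(problem)
    return {
        name: {
            "throttle_period_in_millis": throttle_ms,
            "webhook": {
                **split_webhook_url(url),
                "method": "post",
                "params": {},
                "headers": {},
                "body": body,
            },
        }
    }


def render_preview(body, ctx):
    """Show what Teams would receive once Watcher fills in {{ctx...}} placeholders."""
    scope = {"ctx": ctx}

    def lookup(match):
        node = scope
        for key in match.group(1).split("."):
            if not isinstance(node, dict) or key not in node:
                return ""  # Mustache renders a missing value as an empty string
            node = node[key]
        return str(node)

    return PLACEHOLDER.sub(lookup, body)


if __name__ == "__main__":
    action = build_webhook_action(SAMPLE_URL, "Test: {{ctx.payload.hits.total}} hits")
    print(json.dumps({"actions": action}, indent=2))
    # Constructed ctx, as Watcher would expose it for a search input that found 7 hits.
    print(render_preview(action["msteams_webhook"]["webhook"]["body"],
                         {"payload": {"hits": {"total": 7}}}))
```

Running the script prints the action in the escaped-string form that the `_watcher/watch` API accepts as plain JSON, followed by the rendered message; `teams_body_problem` lets you catch a malformed body locally instead of waiting for the "Bad payload" response from Teams.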
Nostalgia: Once emails were a big thing. Now automated systems send alerts to chat channels. Progress is good.