Canary supports outgoing Webhooks from your Console to an endpoint of your choice. This event-driven approach ensures that alerts are sent to you as they happen!
In this guide, we'll send data to your Elastic Stack instance, using a Thinkst Canary Generic Webhook.
1. Create Agent Policy in Elastic Fleet.
- Go to Assets.
- Click Fleet > Policies.
- Click Create Agent Policy.
- Name it something like FleetOps.
- Ensure "Collect system logs and metrics" is enabled.
- Click Create agent policy.
2. Set Up the HTTP Integration.
- Inside FleetOps, click Add integration.
- Search for HTTP.
- Choose Custom HTTP Endpoint Logs.
- Name your integration (e.g. http_endpoint-2).
- Under Change defaults, set the following:
- Listen address: 127.0.0.1.
- Listen port: 8080 (or your preferred port).
- Save and continue, then Save integration.
3. Enrol the Elastic Agent.
You can install the Elastic Agent on any supported operating system, but the example below covers installation and enrollment on a Linux-based EC2 instance.
1. In Kibana, go to Fleet > Agents and click Add agent.
2. Copy the curl and install commands shown for Linux x86_64.
3. SSH into your EC2 instance and run:
    curl -L -O https://artifacts.elastic.co/downloads/beats/elastic-agent/elastic-agent-9.0.0-linux-x86_64.tar.gz
    tar xzvf elastic-agent-9.0.0-linux-x86_64.tar.gz
    cd elastic-agent-9.0.0-linux-x86_64
    sudo ./elastic-agent install --url=<fleet-url> --enrollment-token=<your-token>
4. After installation, your agent should appear as healthy in the Elastic UI under the FleetOps policy.
4. Enable SSL.
Follow the next steps to enable SSL and to terminate the TLS connection on a reverse proxy.
4.1 Obtain a certificate.
You will need a valid domain name. Obtain a certificate for your domain using your preferred method (Let’s Encrypt, a commercial CA, or your organisation’s internal PKI).
4.2 Configure a reverse proxy or web server for TLS termination.
Example of Nginx configuration (replace alerts.example.com and paths as required):
server {
    listen 80;
    server_name alerts.example.com;
    return 301 https://$host$request_uri;
}
server {
    listen 443 ssl http2;
    server_name alerts.example.com;
    ssl_certificate /etc/letsencrypt/live/alerts.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/alerts.example.com/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    location /canary {
        proxy_pass http://192.168.10.50:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        # Optional: shared-secret header for extra authentication
        proxy_set_header X-Canary-Shared-Secret "<your-secret>";
    }
}
5. Configure Elastic SIEM Webhook Secret.
- Go to Fleet → Agent Policies.
- Open the policy that your Elastic Agent is using.
- Under your integration, scroll to the Secret Header and Secret Value fields.
- Set:
    - Secret Header to the header name used in your reverse proxy (for example: X-Canary-Shared-Secret).
    - Secret Value to the same value you defined in Nginx.
Elastic will now include this header with every webhook request. Your reverse proxy will check that the header matches before forwarding traffic to the Elastic Agent.
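For the reverse proxy to check the header before forwarding, the location block needs an explicit comparison; the proxy_set_header line in the Nginx example above only sets the header on the forwarded request. The following is an added example, not part of the original guide, of a server block that performs the check. It reuses the guide's placeholders (alerts.example.com, the certificate paths, the upstream address and <your-secret>).

```nginx
# Added example (not from the original guide). Hostname, certificate paths,
# upstream address and <your-secret> are the guide's own placeholders.
server {
    listen 443 ssl http2;
    server_name alerts.example.com;

    ssl_certificate     /etc/letsencrypt/live/alerts.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/alerts.example.com/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;

    location /canary {
        # $http_x_canary_shared_secret is the value of the
        # X-Canary-Shared-Secret header on the incoming request.
        # Requests without the header, or with a different value,
        # are refused here and never reach the Elastic Agent.
        if ($http_x_canary_shared_secret != "<your-secret>") {
            return 403;
        }

        # Upstream address as in the guide; it must match the Listen
        # address and port configured for the HTTP integration in step 2.
        proxy_pass http://192.168.10.50:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # No proxy_set_header for X-Canary-Shared-Secret: the header sent
        # by the client is passed through unchanged, so the Secret Header /
        # Secret Value pair on the Elastic integration is compared against
        # what the sender supplied, not against a value added by the proxy.
    }
}
```

Run nginx -t before reloading. A request to /canary without the header should then return 403 from the proxy.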
In your Canary Console, add a new Generic Webhook that points to your HTTPS endpoint.
- Webhook URL: Enter your HTTPS URL.
- Enable custom request headers.
- Header Name: Add the same header name used in Elastic and your reverse proxy (for example: X-Canary-Shared-Secret).
- Header Value: Enter the same secret value you configured in Elastic and Nginx.
- Save: Click Save to finalise the webhook.
You're done! ;)