環境部署
安裝其它的必需包
yum install -y zlib-devel bzip2-devel openssl-devel ncurses-devel sqlite-devel
1,下載、編譯和安裝 Python 2.7.13
wget https://www.python.org/ftp/python/2.7.13/Python-2.7.13.tgz
tar zxf Python-2.7.13.tgz
cd Python-2.7.13
./configure
make && make install
2,為新版 Python 安裝 setuptools
wget https://bootstrap.pypa.io/ez_setup.py -O - | python
setuptools 正確安裝完成后,easy_install 命令就會被安裝在 /usr/local/bin 目錄下了。
為新版 Python 安裝 pip
easy_install pip
pip list --format=legacy
pip (9.0.1)
setuptools (33.1.1)
創建軟連接
mv /usr/bin/python /usr/bin/python2.6.6
ln -s /usr/local/bin/python2.7 /usr/bin/python
更新python導致yum源無法使用就解辦法:
vim /usr/bin/yum
#!/usr/bin/python
改為:
#!/usr/bin/python2.6
3,下載最新elastalert並安裝模塊
git clone https://github.com/Yelp/elastalert.git
yum -y install libffi-devel
cd elastalert
python setup.py install
PS:報錯
wget http://peak.telecommunity.com/dist/ez_setup.py
python ez_setup.py
pip install setuptools==34.3.3
pip install -r requirements.txt
pip install "elasticsearch==5.0.0" 選擇自己的版本
查看pip list
pip list --format=legacy
安裝完后,會在 /usr/local/bin/ 下生成4個elastalert命令
ls /usr/local/bin/elastalert*
/usr/local/bin/elastalert
/usr/local/bin/elastalert-rule-from-kibana
/usr/local/bin/elastalert-create-index
/usr/local/bin/elastalert-test-rule
###創建索引
elastalert-create-index
New index name (Default elastalert_status)
Name of existing index to copy (Default None)
New index elastalert_status created
Done!
################下邊是測試的配置############################
#####修改配置文件
cd /opt/soft/elastalert
cp config.yaml.example config.yaml
vim config.yaml
rules_folder: example_rules #這是包含規則yaml文件的文件夾,(.yaml都作為規則加載)
run_every:
minutes: 1 #elastalert查詢es的頻率
buffer_time:
minutes: 15 #elastalert緩存時間段
es_host: 172.26.11.77 #es主機
es_port: 9200 #es端口
writeback_index: elastalert_status #elastalert設置的索引
alert_time_limit:
days: 1 #報警失敗,最晚1天之內會再次報警,直到這個時間段過去
###配置郵箱用戶名密碼
vim /home/elastalert/elastalert/example_rules/smtp_auth_file.yaml
user: zhaishaominceshi@cm-inv.com
password: 1zxpfqBF-ibTw#gG ##這里的密碼不是web頁面登錄的密碼。而是機器碼
cd example_rules
vim example_frequency.yaml
es_host: elk01
es_host: elk02
es_host: elk03
es_port: 9200
name: Example frequency rule
type: frequency
index: eas-172.25.11.112-server1-apusic.log.0-*
num_events: 1
timeframe:
minutes: 1 #出現的時間段
filter: #規則
- query:
query_string:
query: "field: value"
filter:
- query_string:
query: "message: 測試一下下"
######配置報警信息##########
alert_text: "jira服務出現問題"
#alert_text_type: alert_text_only
include: ["type", "ua", "log_time"] ###允許字段
#alert_text_type: exclude_fields
exclude: ["@timestamp", "_id", "_index", "_type"] ###排除字段
#attach_related: true
#top_count_keys: ["client_ip", "status"]
#############配置友好別名######
alert_text_type: alert_text_only (exclude_fields ##這個參數會顯示默認報警注釋)
alert_text: |
jira服務出現問題
主機: {}
請求URL: {}
HTTP狀態碼: {}
遠程IP地址: {}
日志時間戳: {}
總查詢次數: {}
總異常次數: {}
原始日志信息: {}
alert_text_args:
- client_ip
- ua
- status
- host
- log_time
- num_hits
- num_matches
- source
########配置郵件報警###############
smtp_host: cm-inv.com #SMTP協議的郵件服務器相關配置
smtp_port: 25
#郵箱用戶認證
smtp_auth_file: /home/elastalert/elastalert/example_rules/smtp_auth_file.yaml
#回復給哪個郵箱
email_reply_to: zhaishaominceshi@qq.com
#從哪個郵箱發送
from_addr:
zhaishaominceshi@qq.com
alert:
- "email"
#接收報警的郵箱
- "11780911006@qq.com"
測試:
cd /opt/soft/elastalert/
python -m elastalert.elastalert --verbose --rule example_frequency.yaml
curl -X POST "http://172.26.11.79:9200/eas-172.25.11.112-server1-apusic.log.0-2017-07-25/test" -d '{ "@timestamp": "2017-07-25T11:43:30.000Z", "field": "value" }'
#############以下是服務的配置#################################
mkdir /etc/elastalert
cd /etc/elastalert
復制配置文件
cp /opt/soft/elastalert/config.yaml ./
mkdir rules
復制規則文件
cp /opt/soft/elastalert/example_rules/example_frequency.yaml rules/
####修改配置文件
修改 config.yaml 中
vim config.yaml
rules_folder: /etc/elastalert/rules
##################配置微信報警#################################
cd /opt/soft/elastalert
wget -P elastalert_modules/ https://raw.githubusercontent.com/anjia0532/elastalert-wechat-plugin/master/wechat_qiye_alert.py
touch elastalert_modules/__init__.py
cd example_rules/
vim example_frequency.yaml
####配置微信報警######
alert:
- "elastalert_modules.wechat_qiye_alert.WeChatAlerter"
#設置微信企業號的appid
corp_id: wxc27a71b135ab
#設置微信企業號的Secret
secret: MQp6r1DYJ0wPCF-xRPYVvDWBJddgAnFBzHwJyVM
#后台登陸后【應用中心】->【選擇應用】->【應用id】
##設置微信企業號應用id
agent_id: 100
##部門id
party_id: 1
##用戶微信號
user_id: 10515480
## 標簽id
tag_id: admin
######測試#######
python -m elastalert.elastalert
curl -X POST 'http://172.26.11.77:9200/eas-172.25.11.112-server1-apusic.log.0-'$(date +%Y.%m.%d)'/test' -d '{"@timestamp": "'$(date +%Y-%m-%d'T'%T%z)'","field": "value"}'
######報錯#######
ERROR:root:Error while running alert WeChatAlerter: send message has error: ("bad handshake: Error([('SSL routines', 'SSL3_GET_SERVER_CERTIFICATE', 'certificate verify failed')],)",)
pip uninstall -y certifi && sudo pip install certifi==2015.04.28
pip install certifi==2015.04.28
啟動服務
python -m elastalert.elastalert &
python -m elastalert.elastalert --config ./config.yaml
python elastalert/elastalert.py
安裝完成,可以借鑒的文檔
ElastAlert 基於Elasticsearch的監控告警 | 家的博客
ELK中利用elastalert監控日志中的異常,發送郵件警告 - pujiaolin的專欄 - CSDN博客 http://blog.csdn.net/pujiaolin/article/details/52252950?locationNum=3
Elasticsearch+ElastAlert微信報警 - 簡書