流程:
elastalert讀取指定elasticsearch索引,根據規則匹配,如果匹配到就發郵件報警
安裝elastalert
python必須得2.7以上
$ cd /alidata1
$ git clone https://github.com/Yelp/elastalert.git
$ sudo python setup.py install
$ sudo pip install -r requirements.txt
設置elastalert索引
$ elastalert-create-index
New index name (Default elastalert_status)
Name of existing index to copy (Default None)
New index elastalert_status created
Done!
設置配置文件
cp /alidata1/elastalert/config.yaml.example /alidata1/elastalert/config.yaml
vim /alidata1/elastalert/config.yaml
rules_folder: example_rules
run_every:
minutes: 1
buffer_time:
minutes: 15
es_host: 127.0.0.1
es_port: 9200
writeback_index: elastalert_status
alert_time_limit:
days: 2
設置規則
[root@elk-node-1 elastalert]# cat example_rules/api3_err_rule.yaml | grep -v "#"| grep -v "^;"|grep -v "^$"
name: api3_error
type: frequency
index: api3_error* #監控這個索引
num_events: 3 #限定時間內,發生時間次數
timeframe: #下定時間 ,跟上邊的合起來就是一分鍾有三個錯誤日志寫進es的話,就發送郵件
minutes: 1
filter:
- regexp: #以正則方式匹配,".*"就是一有日志寫進es就算
message: ".*"
smtp_host: smtp.163.com
smtp_port: 25
smtp_auth_file: /alidata1/elastalert/smtp_auth_file.yaml #這個文件里寫發送郵件的賬戶密碼
email_reply_to: xxxxx@163.com
from_addr: xxxxx@163.com
alert:
- "email"
email:
- "zhai.junming@xxxxx.cn"
smtp_auth_file.yaml
user: "xxxxx@163.com"
password: "123456"
啟動elastalert
$ cd /alidata1
$ python -m elastalert.elastalert --config /alidata1/elastalert/config.yaml --verbose --rule /alidata1/elastalert/example_rules/api3_err_rule.yaml
INFO:elastalert:Queried rule api3_error from 2017-12-01 18:00 CST to 2017-12-01 18:02 CST: 4 / 4 hits
INFO:elastalert:Sent email to ['zhai.junming@xxx.cn']