1.官方http://elastalert.readthedocs.io/en/latest/
2.報警規則示例
http://elastalert.readthedocs.io/en/latest/elastalert.html#rule-types
admin_asdsa.yaml: |
name: admin_asdsa
type: frequency
owner: admin
description: "2018-06-13 17:54:55"
index: logstash-*
num_events: 1
is_enabled: false
timeframe:
minutes: 60
filter:
- query:
query_string:
query: 'kubernetes.labels.name: test'
- query:
query_string:
query: 'kubernetes.namespace_name: admin'
- query:
wildcard:
log: '*Listening*'
regex: '*Listening*'
alert:
- email
smtp_host: smtp.exmail.qq.com
smtp_port: 465
smtp_ssl: true
from_addr: tester@tenxcloud.com
smtp_auth_file: /opt/config/email_config.yaml
email:
- gaoyawei@xxxx.com
alert_subject: '[xxx]告警提醒'
alert_text_type: alert_text_only
alert_text: "親愛的++用戶:\n\n 根據您在【管理與日志】- [告警設置] 設置的 {} 策略,您的服務 {} 日志告警已觸發,日志正則
{} 已出現 {} 次! \n\n\n以上問題請請盡快處理,謝謝!"
alert_text_args:
- name
- kubernetes.labels.name
- regex
- num_hits
3.配置文件
http://elastalert.readthedocs.io/en/latest/elastalert.html#configuration
elastalert_config: |-
---
rules_folder: /opt/rules
scan_subdirectories: false
run_every:
minutes: 1
buffer_time:
minutes: 15
es_host: elasticsearch-logging
es_port: 9200
writeback_index: elastalert_status
use_ssl: false
alert_time_limit:
days: 2
email_config: |-
---
user: tester@xxx.com
password: xxxx
4.具體規則類型,以及告警的方式查看官方文檔