注:我的elk sentinl版本都是6.5.1
前期知識 es的查詢語法、es watcher使用方法。
https://www.cnblogs.com/pilihaotian/p/5830754.html
https://www.cnblogs.com/ghj1976/p/5293250.html
https://www.cnblogs.com/wihainan/p/7064943.html
釘釘告警設置
1、釘釘里先建一個群,然后群內添加一個機器人,最后登錄電腦版釘釘獲取釘釘地址
2、安裝sentinl
可以在線安裝 ./kibana-plugin install https://github.com/sirensolutions/sentinl/releases/download/tag-6.5.0-0/sentinl-v6.5.1.zip
也可以離線安裝 ./kibana-plugin install file:../../sentinl-v6.5.1.zip file 關鍵字不能漏掉
3、安裝好重啟kinaba,然后在打開頁面就可以看到sentinl了
4、配置sentinl
在sentinl添加一個watcher,我使用的高級配置
配置如下:
1 { 2 "actions": { 3 "Webhook_683bd385-86b3-46ba-8e1b-f89cccccbbec": { 4 "name": "Tomcat異常告警", 5 "throttle_period": "1m", 6 "webhook": { 7 "priority": "high", 8 "stateless": false, 9 "method": "POST", 10 "host": "oapi.dingtalk.com", 11 "port": "443", 12 "path": "/robot/send?access_token=*********", #寫你自己的釘釘機器人地址 13 "body": " {\"msgtype\": \"text\",\r\n \"text\": {\r\n \"content\":\" 異常發生,請處理~ \r\n 主機:{{payload.hits.hits.0._index}} \r\n IP:{{payload.hits.hits.0._source.type}} \r\n 告警內容:{{payload.hits.hits.0._source.message}} \r\n 最近一分鍾發生次數:{{payload.hits.total}}\"\r\n } \r\n }", 14 "params": { 15 "watcher": "{{watcher.title}}", 16 "payload_count": "{{payload.hits.total}}" 17 }, 18 "headers": { 19 "Content-Type": "application/json" 20 }, 21 "auth": "釘釘賬號:釘釘密碼", #這個驗證可以不要,刪掉也沒事 22 "message": "業務功能告警", 23 "use_https": true 24 } 25 } 26 }, 27 "input": { 28 "search": { 29 "request": { 30 "index": [ 31 "*-tomcat" 32 ], 33 "body": { 34 "query": { 35 "bool": { 36 "must": [ 37 { 38 "match": { 39 "level": "ERROR" 40 } 41 }, 42 { 43 "range": { 44 "@timestamp": { 45 "gte": "now-1m", 46 "lte": "now", 47 "format": "epoch_millis" 48 } 49 } 50 } 51 ], 52 "must_not": [] 53 } 54 } 55 } 56 } 57 } 58 }, 59 "condition": { 60 "script": { 61 "script": "payload.hits.total >=1" 62 } 63 }, 64 "trigger": { 65 "schedule": { 66 "later": "every 1 minutes" 67 } 68 }, 69 "disable": true, 70 "report": false, 71 "title": "釘釘告警", 72 "save_payload": false, 73 "spy": true, 74 "impersonate": false 75 }
其中actions是發生觸發報警時的動作用什么告警,我這里用的是釘釘,也可以郵件報警
釘釘報警內容里參數可以按照elk里參數獲取。
payload.hits.hits.0._index
payload.hits.hits 是查詢的到所有報警信息,0表示第一條報警信息
input就是去es里查詢數據,相關使用方法參數文章前的鏈接,下面只是簡單說明。
index是需要去哪個es索引里查詢數據,可以用正則 .文中配置是查詢最近一分鍾內level等級是ERROR的所有數據。
condition 是對查詢結果進行計算,payload.hits.total >=1是查詢結果條數如果大於等於1則報警。
trigger是查詢頻率 , "later": "every 1 minutes" 表示每隔一分鍾則查詢一次。
spy表示是否在關閉網頁后仍然監控運行.默認情況只有在打開網頁的情況下才能周期報警。
5、驗證
如果有數據,則顯示watcher executed,否則顯示no data。
顯示watcher executed,則釘釘會收到報警信息
如果顯示watcher executed但釘釘沒有收到信息,可以查看日志報什么錯。其中no transform found表示actions里body內語法錯誤,可以檢查下語法。
郵箱告警設置
前提是要設置服務器能發送郵件,可參考https://www.cnblogs.com/abkn/p/9720143.html
1、配置kibana.yml后重啟kibana
sentinl: settings: email: active: true user: ****@****.com password: ******* host: smtp.exmail.qq.com port: 465 ssl: true #根據實際情況添加 report: active: true
2、配置sentinl
{ "actions": { "email_html_alarm_9c8f6d7f-55c7-49f0-863d-ad3363726978": { "name": "api tomcat異常", "throttle_period": "1m", "email_html": { "from": "*****@tan66.com", "to": [ "*****@tan66.com", "*****@tan66.com" ], "stateless": false, "subject": "api tomcat異常", "priority": "high", "html": "<p>異常發生,請處理~ </p> <br> 主機:{{payload.hits.hits.0._index}} <br> IP:{{payload.hits.hits.0._source.type}} <br> 告警內容:{{payload.hits.hits.0._source.message}} <br> 最近一分鍾發生次數:{{payload.hits.total}}" } } }, "input": { "search": { "request": { "index": [ "kyb-api-tomcat" ], "body": { "query": { "bool": { "must": [ { "match": { "level": "ERROR" } }, { "range": { "@timestamp": { "gte": "now-1m", "lte": "now", "format": "epoch_millis" } } } ], "must_not": [] } } } } } }, "condition": { "script": { "script": "payload.hits.total >= 1" } }, "trigger": { "schedule": { "later": "every 30 seconds" } }, "disable": false, "report": false, "title": "api tomcat異常", "save_payload": false, "spy": false, "impersonate": false }
3、告警結果顯示
