ELK log alerting plugin ElastAlert, with DingTalk alert configuration


ELK log alerting plugin ElastAlert

ElastAlert works by combining Elasticsearch with two kinds of components: rule types and alerts. It queries Elasticsearch periodically and passes the data to a rule type, which decides when a match has been found. When a match occurs it is handed to one or more alerts, which act on that match.
All of this is configured by a set of rules; each rule defines a query, a rule type and a set of alerts.

ElastAlert ships with several rule types covering common monitoring patterns:
	match where there are at least X events in Y time (frequency type)
	match when the rate of events increases or decreases (spike type)
	match when there are fewer than X events in Y time (flatline type)
	match when a certain field matches a blacklist/whitelist (blacklist and whitelist types)
	match any event matching a given filter (any type)
	match when a field has two different values within some time (change type)
	match when a never-before-seen term appears in a field (new_term type)
	match when the number of unique values for a field is above or below a threshold (cardinality type)

Alerts can be sent by email, DingTalk, WeChat, custom alerters and more, and the content queried from ES can be used flexibly in the alert text.

Install Python 3.6

tar xf Python-3.6.8.tar.xz
yum -y install wget sqlite-devel xz gcc automake zlib-devel openssl-devel epel-release
cd Python-3.6.8/
./configure && make && make install

mkdir -p /app/elastalert/rule

Install elastalert

cd /app/elastalert && git clone https://github.com/Yelp/elastalert.git

cd /app/elastalert/elastalert && pip3 install -r requirements.txt 

pip3 uninstall elasticsearch
pip3 install "elasticsearch>=5.0.0"
# Watch the elasticsearch client version here: with Elasticsearch 6 the newest elasticsearch package from pip may not work. Uninstall the latest one and run pip3 install "elasticsearch>=5.0.0", or edit the elasticsearch version in requirements.txt before installing.

python3 setup.py install

Configure elastalert

cp /app/elastalert/elastalert/config.yaml.example /app/elastalert/elastalert/config.yaml

Adjust the following as needed:

# This is the folder that contains the rule yaml files
# Any .yaml file will be loaded as a rule
rules_folder: /app/elastalert/rule

# How often ElastAlert will query Elasticsearch
# The unit can be anything from weeks to seconds
run_every:
  minutes: 1

# ElastAlert will buffer results from the most recent
# period of time, in case some log sources are not in real time
buffer_time:
  minutes: 1

# The Elasticsearch hostname for metadata writeback
# Note that every rule can have its own Elasticsearch host
es_host: <IP of one Elasticsearch node>

# The Elasticsearch port
es_port: 9200

# The AWS region to use. Set this when using AWS-managed elasticsearch
#aws_region: us-east-1

# The AWS profile to use. Use this if you are using an aws-cli profile.
# See http://docs.aws.amazon.com/cli/latest/userguide/cli-chap-getting-started.html
# for details
#profile: test

# Optional URL prefix for Elasticsearch
#es_url_prefix: elasticsearch

# Connect with TLS to Elasticsearch
#use_ssl: True

# Verify TLS certificates
#verify_certs: True

# GET request with body is the default option for Elasticsearch.
# If it fails for some reason, you can pass 'GET', 'POST' or 'source'.
# See http://elasticsearch-py.readthedocs.io/en/master/connection.html?highlight=send_get_body_as#transport
# for details
#es_send_get_body_as: GET

# Optional basic-auth username and password for Elasticsearch
#es_username: someusername
#es_password: somepassword

# Use SSL authentication with client certificates. client_cert must be
# a pem file containing both cert and key for the client
#verify_certs: True
#ca_certs: /path/to/cacert.pem
#client_cert: /path/to/client_cert.pem
#client_key: /path/to/client_key.key

# The index on es_host which is used for metadata storage
# This can be an unmapped index, but it is recommended that you run
# elastalert-create-index to set a mapping
writeback_index: elastalert_status
writeback_alias: elastalert_alerts

# If an alert fails for some reason, ElastAlert will retry
# sending the alert until this time period has elapsed
alert_time_limit:
  days: 1

# Custom logging configuration
# If you want to setup your own logging configuration to log into
# files as well or to Logstash and/or modify log levels, use
# the configuration below and adjust to your needs.
# Note: if you run ElastAlert with --verbose/--debug, the log level of
# the "elastalert" logger is changed to INFO, if not already INFO/DEBUG.
# (indentation corrected: handlers and loggers sit directly under logging,
# and the root logger's handlers list sits at the same level as its level)
#logging:
#  version: 1
#  incremental: false
#  disable_existing_loggers: false
#  formatters:
#    logline:
#      format: '%(asctime)s %(levelname)+8s %(name)+20s %(message)s'
#
#  handlers:
#    console:
#      class: logging.StreamHandler
#      formatter: logline
#      level: DEBUG
#      stream: ext://sys.stderr
#
#    file:
#      class: logging.FileHandler
#      formatter: logline
#      level: DEBUG
#      filename: elastalert.log
#
#  loggers:
#    elastalert:
#      level: WARN
#      handlers: []
#      propagate: true
#
#    elasticsearch:
#      level: WARN
#      handlers: []
#      propagate: true
#
#    elasticsearch.trace:
#      level: WARN
#      handlers: []
#      propagate: true
#
#    '':  # root logger
#      level: WARN
#      handlers:
#        - console
#        - file
#      propagate: false

# Field explanations
rules_folder:	where ElastAlert loads rule configuration files from. It tries to load every .yaml file in the folder; without any valid rule ElastAlert will not start. As files in this folder change, ElastAlert also loads new rules, stops rules whose files have been removed and restarts rules that were modified
run_every:	how often ElastAlert queries Elasticsearch
buffer_time:	sets the range of the time field in each request; the default is 45 minutes
es_host:	the Elasticsearch host address
es_port:	the Elasticsearch port
writeback_index:	the name of the index in which ElastAlert stores its own data
writeback_alias:	alias for that index
alert_time_limit:	the retry window for failed alerts

Once the configuration is done, run elastalert-create-index --config config.yaml

Install the DingTalk alert plugin

wget -O elastalert-dingtalk-plugin-master.zip https://github.com/xuyaoqiang/elastalert-dingtalk-plugin/archive/master.zip
unzip elastalert-dingtalk-plugin-master.zip
cd elastalert-dingtalk-plugin-master
pip3 install pyOpenSSL==16.2.0
pip3 install setuptools==46.1.3

cp -r elastalert_modules /app/elastalert/

Rule examples

# Examples of the different rule types can be found in example_rules/.
example_spike.yaml
is an example of the "spike" rule type, which lets you alert when the average rate of events over a period increases by a given factor. This example sends an email alert when the number of events matching the filter in the last 2 hours is 3 times the number in the 2 hours before that.

example_frequency.yaml
is an example of the "frequency" rule type, which alerts when a given number of events occur within a time period. This example sends an email when 50 documents matching the given filter appear within 4 hours.

example_change.yaml
is an example of the "change" rule type, which alerts when a field changes between two documents. In this example, an alert email is sent when two documents within 24 hours have the same "username" field but different values for the "country_name" field.

example_new_term.yaml
is an example of the "new_term" rule type, which alerts when one or more new values appear in one or more fields. In this example, an email is sent when a new ("username", "computer") value is encountered in the sample login logs.

Configure an alert rule

Check nginx 5XX responses and send a DingTalk alert when more than 5 occur within one minute

cat /app/elastalert/rule/nginx.yaml

name: the count of nginx log entries whose response status code is 5xx is greater than 5 in a 1 minute period

index: nginx-*
type: frequency
num_events: 5
timeframe: {minutes: 1}

filter:
- range:
    status:
       from: 500
       to: 599


alert_text: "
域    名: {}\n
調用方式: {}\n
請求鏈接: {}\n
狀 態 碼: {}\n
后端服務器: {}\n
數      量: {}
"

alert_text_type: alert_text_only

alert_text_args:
- host
- method
- request
- status
- upstream
- num_hits

alert: 
- "elastalert_modules.dingtalk_alert.DingTalkAlerter"
dingtalk_webhook: "XXXXXX"
dingtalk_msgtype: "text"

# Field explanations
name:	a unique name for this rule. If two rules share the same name, ElastAlert will not start
type:	each rule has a type, and different types take different parameters. The frequency type means "alert when num_events events occur within timeframe"
index:	the name of the index to query
num_events:	specific to the frequency type; the threshold at which an alert is triggered.
timeframe:	the period within which num_events must occur.
filter:	a list of Elasticsearch filters used to narrow the results
alert_text: custom content to send in the alert
alert_text_args: the values substituted into alert_text, in order
# For details see
https://elastalert.readthedocs.io/en/latest/recipes/writing_filters.html#writingfilters

alert:	the list of alerts run each time the rule matches
# For details see
https://elastalert.readthedocs.io/en/latest/ruletypes.html#alerts
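
As an added illustration (not code from the post or from ElastAlert itself), the following Python script simulates what the frequency rule type from the list above and the nginx.yaml rule do: it applies the range filter on status 500..599 to a set of constructed nginx documents, looks for num_events matches inside the one-minute timeframe, and renders the rule's alert_text from alert_text_args the way alert_text_only would. Field names, sample values and the datetime @timestamp are assumptions for the simulation; it lets you check the threshold logic and the alert wording before pointing the rule at Elasticsearch.

```python
from datetime import datetime, timedelta

# Values taken from the nginx.yaml rule on the page.
NUM_EVENTS = 5
TIMEFRAME = timedelta(minutes=1)
RANGE_FILTER = {"field": "status", "from": 500, "to": 599}
# Same text as the page's alert_text, written as one Python string.
ALERT_TEXT = ("域    名: {}\n調用方式: {}\n請求鏈接: {}\n"
              "狀 態 碼: {}\n后端服務器: {}\n數      量: {}")
ALERT_TEXT_ARGS = ["host", "method", "request", "status", "upstream", "num_hits"]


def matches_filter(doc):
    """Emulate the rule's `range` filter: inclusive bounds, absent field never matches."""
    value = doc.get(RANGE_FILTER["field"])
    return value is not None and RANGE_FILTER["from"] <= value <= RANGE_FILTER["to"]


def frequency_matches(docs):
    """Return the first NUM_EVENTS filtered docs that fall inside TIMEFRAME, else None.
    The frequency rule type fires once num_events matches occur within timeframe."""
    hits = sorted((d for d in docs if matches_filter(d)), key=lambda d: d["@timestamp"])
    for i in range(len(hits) - NUM_EVENTS + 1):
        window = hits[i:i + NUM_EVENTS]
        if window[-1]["@timestamp"] - window[0]["@timestamp"] <= TIMEFRAME:
            return window
    return None


def render_alert(window):
    """Fill alert_text from alert_text_args (alert_text_type: alert_text_only).
    Field values come from the matching document; num_hits is the match count.
    ElastAlert substitutes '<MISSING VALUE>' for an argument the document lacks."""
    match = dict(window[-1], num_hits=len(window))
    return ALERT_TEXT.format(*(match.get(k, "<MISSING VALUE>") for k in ALERT_TEXT_ARGS))


def sample_docs(spacing_seconds=10):
    """Constructed nginx documents (not real log data): five 502s spacing_seconds
    apart plus one 200, all carrying the fields named in alert_text_args."""
    t0 = datetime(2020, 6, 1, 12, 0, 0)  # @timestamp kept as a datetime for the simulation
    base = {"host": "www.example.com", "method": "GET", "upstream": "10.0.0.8:8080"}
    docs = [dict(base, request="/api/orders", status=502,
                 **{"@timestamp": t0 + timedelta(seconds=spacing_seconds * i)}) for i in range(5)]
    docs.append(dict(base, request="/", status=200, **{"@timestamp": t0 + timedelta(seconds=5)}))
    return docs


if __name__ == "__main__":
    window = frequency_matches(sample_docs())
    print(render_alert(window) if window else "no match")
```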

Test the rule

elastalert-test-rule example_rules/my_rule.yaml

Debug run

/app/elastalert/bin/python3 -m elastalert.elastalert --verbose --rule /app/elastalert/rule/nginx.yaml

Production run

The official recommendation is to start it under supervise, but during testing it kept failing to read the configuration, so I gave up on that

nohup /app/elastalert/bin/python3 -m elastalert.elastalert --config /app/elastalert/elastalert/config.yaml --verbose >>/app/elastalert/nohup.out 2>&1 &

Reference blog

https://www.cnblogs.com/opesn/p/12994199.html

