ElastAlert DingTalk alerts


1. Preface

ElastAlert is a simple framework for alerting on anomalies, spikes, or other patterns of interest in data stored in Elasticsearch. Its documentation is at https://elastalert.readthedocs.io/en/latest/elastalert.html. This tutorial walks step by step through setting up the environment and sending notifications from Elasticsearch to DingTalk.

2. Architecture diagram

[architecture diagram image not reproduced]

3. Install ElastAlert

1. Install Python 3.8

Search for Python installation instructions yourself; not covered here.

2. Download the elastalert source:

yum -y install git
git clone https://github.com/Yelp/elastalert.git
Install the modules (from inside the cloned directory, since setup.py lives there):
cd elastalert
pip3 install "setuptools>=11.3"
python3 setup.py install
pip3 install -U PyYAML

Depending on your Elasticsearch version you may need to install the matching version of elasticsearch-py by hand:
pip3 install "elasticsearch>=5.0.0"

That completes the installation. setup.py also installs the elastalert-create-index and elastalert-test-rule commands, which are used further down.

4. Install elastalert-dingtalk-plugin

Download it (the path below assumes elastalert was cloned under /usr/local; a GitHub master.zip unpacks into a directory with a -master suffix):
cd /usr/local/elastalert
wget https://github.com/xuyaoqiang/elastalert-dingtalk-plugin/archive/master.zip
unzip master.zip
cd elastalert-dingtalk-plugin-master/

Two files need editing: config.yaml and rules/api_error.yaml. Both hold secrets (the Elasticsearch password and the DingTalk robot access_token, which is all a caller needs to post into the group), so restrict their file permissions and keep them out of version control.

cat  config.yaml

# This is the folder that contains the rule yaml files
# Any .yaml file will be loaded as a rule
rules_folder: rules

# How often ElastAlert will query Elasticsearch
# The unit can be anything from weeks to seconds
# how often to query ES
run_every:
  minutes: 5

# ElastAlert will buffer results from the most recent
# period of time, in case some log sources are not in real time
buffer_time:
  minutes: 5

# The Elasticsearch hostname for metadata writeback
# Note that every rule can have its own Elasticsearch host
es_host: 10.52.38.168

# The Elasticsearch port
es_port: 9200

# The AWS region to use. Set this when using AWS-managed elasticsearch
#aws_region: us-east-1

# The AWS profile to use. Use this if you are using an aws-cli profile.
# See http://docs.aws.amazon.com/cli/latest/userguide/cli-chap-getting-started.html
# for details
#profile: test

# Optional URL prefix for Elasticsearch
#es_url_prefix: elasticsearch

# Connect with TLS to Elasticsearch. With es_username/es_password set below,
# leaving this off sends the credentials in clear text on every query.
#use_ssl: True

# Verify TLS certificates
#verify_certs: True

# GET request with body is the default option for Elasticsearch.
# If it fails for some reason, you can pass 'GET', 'POST' or 'source'.
# See http://elasticsearch-py.readthedocs.io/en/master/connection.html?highlight=send_get_body_as#transport
# for details
#es_send_get_body_as: GET

# Optional basic-auth username and password for Elasticsearch
es_username: "elastic"
es_password: "haZZS*XGz"

# The index on es_host which is used for metadata storage
# This can be a unmapped index, but it is recommended that you run
# elastalert-create-index to set a mapping
writeback_index: elastalert_status

# If an alert fails for some reason, ElastAlert will retry
# sending the alert until this time period has elapsed
alert_time_limit:
  days: 2

cat rules/api_error.yaml

The original rule listed query_string twice under the same query mapping; YAML keeps only the last duplicate key, so the rule silently matched "Exception" alone and never "ERROR". A single query_string with "ERROR OR Exception" gives the intended match. Note also that timeframe is the window in which num_events matches must occur, not the interval between alerts; repeat alerts are governed by realert (default one minute).

name: 'prod: log entries containing the keywords "ERROR" or "Exception"; log in to Kibana and check: http://152.32.142.164:5601/'
type: frequency
index: erp-cod-prod_zooqeer-service-log*
# alert when this many documents matching the query occur within timeframe
num_events: 1
# the window in which num_events matches must fall
timeframe:
  minutes: 5
filter:
- query:
    query_string:
      query: "ERROR OR Exception"

# only these fields are included in the alert: https://elastalert.readthedocs.io/en/latest/ruletypes.html#include
include: ["method", "url_path", "url_args", "status", "request_time"]
alert:
- "elastalert_modules.dingtalk_alert.DingTalkAlerter"

#dingtalk_webhook: "https://oapi.dingtalk.com/robot/send?access_token=11dd40a2482d889c45a2c16ee3cefea5c1fa7368f8841fdf98bf95d571c98dc9"
dingtalk_webhook: "https://oapi.dingtalk.com/robot/send?access_token=3c7a159c14cf39f0b8e9bd26806d3a96831e4b843c2d5123ccc5eeb232520f11"
dingtalk_msgtype: "text"
# keyword configured in the DingTalk robot's security settings; the robot drops messages that contain none of its keywords
content: elk
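To make the num_events / timeframe semantics concrete, here is an added example, written for this edit rather than taken from the post or from ElastAlert, that re-implements the frequency rule's sliding window over constructed log documents. It assumes documents carry an ISO 8601 @timestamp and a message field, approximates the query_string filter with a case-sensitive substring test (Elasticsearch would run the field analyzer instead), and does not model realert. It also shows how many documents the original duplicate-key filter (effectively "Exception" alone) would have matched compared with "ERROR OR Exception".

```python
"""Added example: minimal re-implementation of ElastAlert's `frequency` rule
semantics from rules/api_error.yaml, run over constructed log documents.
Not code from the original post or from ElastAlert itself."""
from collections import deque
from datetime import datetime, timedelta

# Values taken from the rule on the page.
NUM_EVENTS = 1
TIMEFRAME_MINUTES = 5
QUERY_TERMS = ("ERROR", "Exception")          # query: "ERROR OR Exception"
INCLUDE = ["method", "url_path", "url_args", "status", "request_time"]

# Constructed sample documents (not real production logs); url_args is
# deliberately absent to show how `include` copes with missing fields.
SAMPLE_DOCS = [
    {"@timestamp": "2024-05-01T10:00:00", "message": "GET /api/orders 200 12ms",
     "method": "GET", "url_path": "/api/orders", "status": 200, "request_time": 0.012},
    {"@timestamp": "2024-05-01T10:01:30", "message": "ERROR order service timeout",
     "method": "POST", "url_path": "/api/orders", "status": 504, "request_time": 30.0},
    {"@timestamp": "2024-05-01T10:02:00", "message": "java.lang.NullPointerException at OrderMapper.java:88",
     "method": "POST", "url_path": "/api/orders", "status": 500, "request_time": 0.4},
    {"@timestamp": "2024-05-01T10:09:00", "message": "health check ok",
     "method": "GET", "url_path": "/healthz", "status": 200, "request_time": 0.001},
    {"@timestamp": "2024-05-01T10:10:00", "message": "WARN slow query 2.1s",
     "method": "GET", "url_path": "/api/report", "status": 200, "request_time": 2.1},
    {"@timestamp": "2024-05-01T10:12:00", "message": "ERROR payment gateway returned 502",
     "method": "POST", "url_path": "/api/pay", "status": 502, "request_time": 1.3},
    {"@timestamp": "2024-05-01T10:15:00", "message": "Exception in thread main: connection reset",
     "method": "POST", "url_path": "/api/pay", "status": 500, "request_time": 0.2},
]


def matches_filter(doc, terms=QUERY_TERMS):
    """Approximates the rule's query_string filter: any term present in message."""
    return any(term in doc.get("message", "") for term in terms)


def count_matches(docs, terms=QUERY_TERMS):
    """How many documents the filter would return for a given term set."""
    return sum(1 for d in docs if matches_filter(d, terms))


def frequency_alerts(docs, num_events=NUM_EVENTS, timeframe_minutes=TIMEFRAME_MINUTES):
    """Sliding-window frequency check. Returns one dict per alert fired, holding
    the time it fired and the matched documents reduced to the `include` fields.
    The window is cleared after an alert, as ElastAlert's FrequencyRule does."""
    timeframe = timedelta(minutes=timeframe_minutes)
    window = deque()            # (timestamp, doc) of recent matches, oldest first
    alerts = []
    for doc in sorted(docs, key=lambda d: d["@timestamp"]):
        if not matches_filter(doc):
            continue
        ts = datetime.fromisoformat(doc["@timestamp"])
        window.append((ts, doc))
        # Expire matches that fell outside the timeframe relative to the newest one.
        while window and ts - window[0][0] > timeframe:
            window.popleft()
        if len(window) >= num_events:
            alerts.append({
                "fired_at": ts.isoformat(),
                "matches": [{k: d[k] for k in INCLUDE if k in d} for _, d in window],
            })
            window.clear()
    return alerts


if __name__ == "__main__":
    for n in (1, 2, 3):
        print(f"num_events={n}, timeframe={TIMEFRAME_MINUTES}m: "
              f"{len(frequency_alerts(SAMPLE_DOCS, num_events=n))} alert(s)")
    # The duplicate YAML key in the original rule left only "Exception" in effect:
    print("Exception only:", count_matches(SAMPLE_DOCS, ("Exception",)),
          "| ERROR OR Exception:", count_matches(SAMPLE_DOCS))
```

With num_events: 1 every matching document raises its own alert; raising num_events to 2 or 3 shows how the five-minute window drops older matches, which is the knob to turn when a noisy service would otherwise flood the DingTalk group.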

Once configured, create the writeback index if it does not exist yet (elastalert-create-index reads config.yaml from the current directory), optionally dry-run the rule against the last 24 hours without sending alerts, then start ElastAlert:

elastalert-create-index
elastalert-test-rule rules/api_error.yaml
nohup python3 -m elastalert.elastalert --verbose --rule rules/api_error.yaml &

--rule restricts the run to this one file; without it every .yaml under rules_folder is loaded. Run it from the plugin directory so that elastalert_modules is importable and config.yaml is found.
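The DingTalk side can be checked independently of ElastAlert. The following is an added example, not code from the post or from elastalert-dingtalk-plugin, that builds the robot's text payload, pre-checks the keyword requirement, and signs the webhook URL with the HMAC-SHA256 scheme DingTalk documents for robots that have the "sign" security setting enabled (sign = urlencode(base64(HMAC-SHA256(key=secret, msg="<timestamp_ms>\n<secret>")))). WEBHOOK and SECRET are placeholders to replace with your own robot's values, the sample fields are constructed, and KEYWORDS mirrors the robot's custom-keyword setting (content: elk above). Whether the plugin itself can use a signed webhook is not covered by the page; this is a stand-alone check of the robot.

```python
"""Added example: DingTalk custom-robot payload, keyword pre-check and signed
webhook URL. Not code from the original post or from elastalert-dingtalk-plugin."""
import base64
import hashlib
import hmac
import json
import time
import urllib.parse
import urllib.request

WEBHOOK = "https://oapi.dingtalk.com/robot/send?access_token=REPLACE_WITH_TOKEN"  # placeholder
SECRET = "SECxxxxxxxxREPLACE_ME"   # placeholder; only needed if "sign" is enabled on the robot
KEYWORDS = ("elk",)                # the robot's custom keywords


def build_text_payload(rule_name, fields, keywords=KEYWORDS):
    """DingTalk `text` message. The first keyword is put in front so the message
    passes the robot's keyword filter whatever the rule name contains."""
    body = "\n".join(f"{k}: {v}" for k, v in fields.items())
    content = f"[{keywords[0]}] {rule_name}\n{body}"
    return {"msgtype": "text", "text": {"content": content}}


def passes_keyword_filter(payload, keywords=KEYWORDS):
    """Local pre-check of the rule DingTalk applies server-side: at least one
    configured keyword must appear in the message text."""
    return any(k in payload["text"]["content"] for k in keywords)


def sign_webhook(webhook, secret, timestamp_ms=None):
    """Append the timestamp and HMAC-SHA256 signature DingTalk expects."""
    if timestamp_ms is None:
        timestamp_ms = int(time.time() * 1000)
    string_to_sign = f"{timestamp_ms}\n{secret}".encode("utf-8")
    digest = hmac.new(secret.encode("utf-8"), string_to_sign, hashlib.sha256).digest()
    sign = urllib.parse.quote_plus(base64.b64encode(digest).decode("ascii"))
    return f"{webhook}&timestamp={timestamp_ms}&sign={sign}"


def verify_signed_url(url, secret):
    """Recompute the signature from the URL's own timestamp, the way the
    receiving side does; False if timestamp or sign is missing or wrong."""
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    try:
        timestamp_ms = int(query["timestamp"][0])
        presented = query["sign"][0]          # parse_qs has already URL-decoded it
    except (KeyError, ValueError):
        return False
    string_to_sign = f"{timestamp_ms}\n{secret}".encode("utf-8")
    expected = base64.b64encode(
        hmac.new(secret.encode("utf-8"), string_to_sign, hashlib.sha256).digest()
    ).decode("ascii")
    return hmac.compare_digest(presented, expected)


def send(url, payload, timeout=10):
    """POST the payload; DingTalk answers {"errcode": 0, "errmsg": "ok"} on success."""
    req = urllib.request.Request(
        url, data=json.dumps(payload).encode("utf-8"),
        headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.loads(resp.read().decode("utf-8"))


if __name__ == "__main__":
    payload = build_text_payload(
        "prod: log entries containing ERROR/Exception, check Kibana",
        {"method": "POST", "url_path": "/api/pay", "status": 502, "request_time": 1.3})
    assert passes_keyword_filter(payload)
    url = sign_webhook(WEBHOOK, SECRET)      # use WEBHOOK alone if "sign" is not enabled
    print(json.dumps(payload, ensure_ascii=False))
    print(send(url, payload))                 # network call; needs a real token/secret
```

The access_token in the webhook is a bearer secret: anyone holding it can post into the group, and a robot with only the keyword setting accepts any message containing "elk". Enabling the sign setting (or the IP allow-list) on the robot limits that to holders of the signing secret.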

