1. How ElastAlert works
ElastAlert periodically queries Elasticsearch and hands the results to a rule type; the rule type defines which data is queried and what counts as a match.
When a rule matches and fires, it produces one or more alerts. Which channel each alert goes to is decided by the rule's configuration, that is, the alerter: for example email, DingTalk, Telegram, Slack, WeCom (Enterprise WeChat) and so on.
ElastAlert manual
2. Deploying ElastAlert
I. Environment
ELK version: 7.3.0
elastalert version: 3.0.0-beta.1
Note: the GitHub page requires Python 3.6 for the install environment, but a Docker install is not subject to that restriction and can be done directly.
II. Installation steps
1. Clone the project from git and enter the directory:
```shell
git clone https://github.com/bitsensor/elastalert.git; cd elastalert;
```
2. Write docker-compose.yaml
```yaml
version: '3'
services:
  elastalert:
    restart: always
    ports:
      - "3030:3030"
    volumes:
      - /home/unionstrong/elastalert/elastalert/config/elastalert.yaml:/opt/elastalert/config.yaml
      - /home/unionstrong/elastalert/elastalert/config/config.json:/opt/elastalert-server/config/config.json
      - /home/unionstrong/elastalert/elastalert/rules:/opt/elastalert/rules
      - /home/unionstrong/elastalert/elastalert/rule_templates:/opt/elastalert/rule_templates
      - /usr/share/zoneinfo:/usr/share/zoneinfo
    image: bitsensor/elastalert:3.0.0-beta.1
```
Note: do not write latest as the elastalert version on the last line, or it will fail. latest is version 2.4, and the structure it expects from ES query results is different, which causes errors. If you already tried latest and the install failed, make sure to delete the elastalert-related indices it created in ES, otherwise you will keep getting errors.
3. Configure ElastAlert
1. Edit the configuration file in the config directory: change the ES IP and port in it; if access control is enabled on the cluster, also set the ES username and password.
```yaml
# The elasticsearch hostname for metadata writeback
# Note that every rule can have its own elasticsearch host
es_host: 172.16.103.5
# The elasticsearch port
es_port: 9200
# This is the folder that contains the rule yaml files
# Any .yaml file will be loaded as a rule
rules_folder: rules
# How often ElastAlert will query elasticsearch
# The unit can be anything from weeks to seconds
run_every:
  seconds: 60
# ElastAlert will buffer results from the most recent
# period of time, in case some log sources are not in real time
buffer_time:
  minutes: 1
# Optional URL prefix for elasticsearch
#es_url_prefix: elasticsearch
# Connect with TLS to elasticsearch
#use_ssl: True
# Verify TLS certificates
#verify_certs: True
# GET request with body is the default option for Elasticsearch.
# If it fails for some reason, you can pass 'GET', 'POST' or 'source'.
# See http://elasticsearch-py.readthedocs.io/en/master/connection.html?highlight=send_get_body_as#transport
# for details
#es_send_get_body_as: GET
# Optional basic-auth username and password for elasticsearch
#es_username: someusername
#es_password: somepassword
# The index on es_host which is used for metadata storage
# This can be an unmapped index, but it is recommended that you run
# elastalert-create-index to set a mapping
writeback_index: elastalert_status
# If an alert fails for some reason, ElastAlert will retry
# sending the alert until this time period has elapsed
alert_time_limit:
  days: 2
```
2. Email alert rule configuration; the file goes in the rules directory
```yaml
es_host: 127.0.0.0
es_port: 9200
name: FCE-api
type: frequency
index: fcd-api*
num_events: 1 # trigger threshold
timeframe:
  hours: 24 # time window within which events are counted
realert:
  minutes: 0 # minimum interval before re-alerting; in short, any match within 24 hours fires an alert
jinja_variable_start: '{%'
jinja_variable_end: '%}'
filter:
  - bool:
      should:
        - query_string:
            query: "log.response_status: (400|401|500|501)" # match condition: log.response_status = 400|401|500|501 all trigger an alert
        - term:
            log.level_name: "error" # or log.level_name=error also triggers an alert
alert:
  - "email" # alert type
alert_subject: "[ELK] 生产基金会后台日志报错\U0001F525 \U0001F692 \U0001F9EF" # email subject
#alert_subject: "基金会后台日志报错 {}"
#alert_text: |
#  【告警主题】: {{alert_subject}}
#  【告警环境】: 【production】
#  【告警模块】: {{filetype}}
#  【业务索引】: {{_index}}
#  【时间戳】: {{@timestamp}}
#  【日志级别】: {{log.level_name}}
#  【响应结果】: {{log.response_result}}
#  【message】: {{message}}
alert_text_type: alert_text_only
alert_text: |
  【告警主题】: {}
  【告警次数】: {}
  【状态码】: {}
  【告警模块】: {}
  【日志级别】: {}
  【业务索引】: {}
  【日志时间】: {}
  【请求类型】: {}
  【机器地址】: {}
  【响应结果】: {}
  【message】: {}
alert_text_args:
  - alert_subject
  - num_hits
  - log.response_status
  - filetype
  - log.level_name
  - _index
  - log.create_time
  - log.method
  - host.hostname
  - log.response_result
  - message
email:
  - "beidaiku@163.com"
smtp_host: smtp.qiye.aliyun.com
smtp_port: 25
smtp_auth_file: /opt/elastalert/rule_templates/email_auth.yaml # file holding the mailbox account and password
from_addr: beidaiku@163.com
```
3. Sender mailbox account configuration: because the rule references the path of email_auth.yaml, and /opt/elastalert/rule_templates was mapped into the container when starting Docker, add an email_auth.yaml file in the local rule_templates directory with the following content:
```
root@knode2:/home/unionstrong/elastalert/elastalert/rule_templates# cat email_auth.yaml
user: notification@163.com
password: za
```
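A small check for the rule above, added here as an example (it is not code from the original post or from the ElastAlert project): it counts the `{}` placeholders in alert_text against alert_text_args, since fewer args than placeholders only surfaces as an IndexError when the alert actually fires, and renders the text against a constructed match the way ElastAlert fills it (match field first, then a top-level rule field such as alert_subject, then `<MISSING VALUE>`). The RULE and MATCH dicts, the function names and the sample field values are constructed for this example; only the field names come from the rule.

```python
import re

MISSING = "<MISSING VALUE>"

# Constructed copy of the rule above: only the live alert_text and its argument list.
RULE = {
    "alert_subject": "[ELK] 生产基金会后台日志报错",
    "alert_text": (
        "【告警主题】: {}\n【告警次数】: {}\n【状态码】: {}\n【告警模块】: {}\n"
        "【日志级别】: {}\n【业务索引】: {}\n【日志时间】: {}\n【请求类型】: {}\n"
        "【机器地址】: {}\n【响应结果】: {}\n【message】: {}\n"
    ),
    "alert_text_args": [
        "alert_subject", "num_hits", "log.response_status", "filetype",
        "log.level_name", "_index", "log.create_time", "log.method",
        "host.hostname", "log.response_result", "message",
    ],
}

# Constructed sample match (one hit of the rule's filter plus ElastAlert's num_hits).
# "filetype" is deliberately absent to exercise the missing-value fallback.
MATCH = {
    "_index": "fcd-api-2024.01.01", "num_hits": 1, "message": "upstream timed out",
    "host": {"hostname": "knode2"},
    "log": {"response_status": 500, "level_name": "error", "method": "POST",
            "create_time": "2024-01-01T00:00:00", "response_result": "timeout"},
}

def lookup_es_key(match, key):
    """Resolve a dotted key such as log.level_name; None if any step is absent."""
    if key in match:  # flat field whose name itself contains dots
        return match[key]
    node = match
    for part in key.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node

def placeholder_balance(rule):
    """Return (count of '{}' in alert_text, count of args); fewer args than '{}' raises at alert time."""
    return len(re.findall(r"\{\}", rule["alert_text"])), len(rule.get("alert_text_args", []))

def render_alert_text(rule, match):
    """Fill alert_text as ElastAlert does: match field, else rule field, else MISSING."""
    values = []
    for arg in rule["alert_text_args"]:
        value = lookup_es_key(match, arg)
        values.append(rule.get(arg, MISSING) if value is None else value)
    return rule["alert_text"].format(*values)
```

Run placeholder_balance on every rule file before loading it; a (placeholders, args) pair that differs means the alert body will break at the first match rather than at startup.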
Originally published on the WeChat official account 背带裤的云原生: 信息无所遁形:ElastAlert 打破日志监控的边界
Compiled by 极客之音; article link: https://www.bmabk.com/index.php/post/219112.html