Installing ElastAlert
1. Preparation
1. Environment
CentOS 7.6
ELK 5.6
Python 3.6
2. Set up Python 3.6.9
Build Python 3.6.9 from source. Install the build dependencies first (gcc, make, openssl-devel, zlib-devel) so that the ssl and zlib modules get built; without the ssl module pip cannot download packages over HTTPS. Note that --with-openssl was introduced in Python 3.7; the 3.6 configure script ignores it with an "unrecognized option" warning and finds OpenSSL through the openssl-devel headers instead.
wget https://www.python.org/ftp/python/3.6.9/Python-3.6.9.tgz
tar xf Python-3.6.9.tgz
cd Python-3.6.9
./configure --prefix=/usr/local/python --with-openssl
make && make install
Point /usr/bin/python and /usr/bin/pip at the new interpreter. Be aware that on CentOS 7 yum and urlgrabber are Python 2 scripts whose shebang is /usr/bin/python, so after the symlink changes they break until their shebangs are pinned to python2.7 (that is what the two sed lines do). The less invasive alternative is to leave /usr/bin/python untouched and call /usr/local/python/bin/python3 and pip3 directly, or to install ElastAlert into a virtualenv.
mv /usr/bin/python /usr/bin/python_old
ln -s /usr/local/python/bin/python3 /usr/bin/python
ln -s /usr/local/python/bin/pip3 /usr/bin/pip
pip install --upgrade pip
sed -i '1s/python/python2.7/g' /usr/bin/yum
sed -i '1s/python/python2.7/g' /usr/libexec/urlgrabber-ext-down
Verify the versions:
python -V
pip -V
3. Install ElastAlert
1. Download
git clone https://github.com/Yelp/elastalert.git
2. Install
cd elastalert/
pip install "elasticsearch>=5.0.0"
pip install -r requirements.txt
python setup.py install
ln -s /usr/local/python/bin/elastalert* /usr/bin
Note that requirements.txt specifies its own elasticsearch client version and may upgrade or replace the one installed by the first pip command. After installing, check `pip show elasticsearch` and make sure the client's major version is compatible with the cluster (here ELK 5.6); a mismatched client can fail at query time.
3. After installation, four commands are available:
elastalert: the main program.
elastalert-create-index: creates the index in which ElastAlert stores its own execution records; by default the index is named elastalert_status.
elastalert-rule-from-kibana: reads the Filtering settings of a saved Kibana 3 dashboard and helps generate the filter section of a rule. Note that it only reads filtering, not queries.
elastalert-test-rule: tests the rule settings in a rule file without sending alerts.
4. Using ElastAlert
1. Main configuration file config.yaml
# Directory to load rules from; the default is example_rules
rules_folder: rules
# How often ElastAlert queries Elasticsearch, i.e. how often alerts are evaluated
run_every:
  seconds: 30
# Size of the time window used for the query's time-field range
buffer_time:
  seconds: 30
# Elasticsearch host and port
es_host: 10.2.13.3
es_port: 9200
# Index ElastAlert creates in Elasticsearch for its own status records
writeback_index: elastalert_status
writeback_alias: elastalert_alerts
# How long ElastAlert keeps retrying an alert that failed to send
alert_time_limit:
  days: 2
This example connects over plain HTTP without credentials. For a cluster behind TLS or authentication, also set use_ssl, verify_certs, es_username and es_password here.
2. Create the writeback index
elastalert-create-index
3. Check the indices in Elasticsearch (run this on the Elasticsearch node, or replace 127.0.0.1 with es_host)
curl 127.0.0.1:9200/_cat/indices?v
4. Create an alert rule
cd example_rules/
cp example_frequency.yaml my_rule.yaml
The rule below fires when five requests whose upstream_time exceeds 5 seconds, excluding four back-end hosts, occur within one minute. Three things to check before relying on it: es_host and es_port set in a rule override the values in config.yaml for that rule (here the rule points at 192.168.1.100 while config.yaml points at 10.2.13.3); upstream_time must be mapped as a number in the nginxlog* indices, otherwise >5 is a string comparison; and a single | is not an operator in query_string syntax, so whether the NOT clause excludes all four hosts depends on how http_host is analyzed. The unambiguous form is NOT http_host:(back.zhen.com OR back.zhen.net OR supplier.zhen.net OR supplier.zhen.com). With smtp_port 25 the password from smtp_auth_file is only protected in transit if the mail server offers STARTTLS; smtp_ssl: true selects an SSL-wrapped port instead.
es_host: 192.168.1.100
es_port: 9200
name: nginx
type: frequency
index: nginxlog*
num_events: 5
timeframe:
  minutes: 1
filter:
- query:
    query_string:
      query: "upstream_time: >5 AND NOT (http_host: back.zhen.com|back.zhen.net|supplier.zhen.net|supplier.zhen.com)"
smtp_host: smtp.zhen.com
smtp_port: 25
smtp_auth_file: /data/elastalert/example_rules/smtp_auth_file.yaml
email_reply_to: yangjianbo@zhen.com
from_addr: yangjianbo@zhen.com
alert:
- "email"
email:
- "yangjianbo@zhen.com"
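To make concrete what num_events: 5 within timeframe: 1 minute means, here is a sliding-window model of the frequency rule run over constructed nginx events. This is an added example, not ElastAlert's own implementation and not code from the original page: the events, the hosts www.zhen.com and api.zhen.com, and the field values are made up, and matches_filter() is a Python translation of the rule's query_string (upstream_time above 5 seconds and http_host not one of the four excluded hosts). Like ElastAlert's frequency rule, it ages out matches older than the timeframe relative to the newest match and clears the window after firing, so one burst produces one alert.

```python
"""Sliding-window model of the frequency rule above, run over constructed
nginx events. Added example, not ElastAlert's own implementation: it keeps
a window of matching events, drops those older than `timeframe` relative
to the newest one, fires when the window holds `num_events`, and then
clears the window so one burst yields one alert."""
from collections import deque
from datetime import datetime, timedelta

# Thresholds copied from my_rule.yaml.
NUM_EVENTS = 5
TIMEFRAME = timedelta(minutes=1)
UPSTREAM_THRESHOLD = 5.0
EXCLUDED_HOSTS = {"back.zhen.com", "back.zhen.net",
                  "supplier.zhen.net", "supplier.zhen.com"}


def matches_filter(event):
    """Python translation of the rule's query_string:
    upstream_time > 5 AND http_host is not an excluded host.
    nginx logs "-" for upstream_time when no upstream was contacted,
    so a missing or non-numeric value counts as "no match"."""
    try:
        upstream = float(event.get("upstream_time"))
    except (TypeError, ValueError):
        return False
    return upstream > UPSTREAM_THRESHOLD and event.get("http_host") not in EXCLUDED_HOSTS


def frequency_alerts(events):
    """Return the timestamps at which the rule would fire for `events`
    (assumed to be in chronological order)."""
    window = deque()
    fired = []
    for event in events:
        if not matches_filter(event):
            continue
        ts = event["@timestamp"]
        window.append(ts)
        # Age out matches that are a full timeframe (or more) older than the newest.
        while ts - window[0] >= TIMEFRAME:
            window.popleft()
        if len(window) >= NUM_EVENTS:
            fired.append(ts)
            window.clear()
    return fired


def sample_events():
    """Constructed nginx access events (not real log data). Offsets are
    seconds after a fixed base time so the run is deterministic."""
    base = datetime(2020, 6, 22, 14, 30, 0)
    rows = [
        # (offset, http_host, upstream_time)
        (0,   "www.zhen.com",  "0.3"),   # fast request: no match
        (5,   "www.zhen.com",  "6.1"),   # slow: match 1
        (10,  "back.zhen.com", "9.0"),   # slow but on an excluded host
        (20,  "api.zhen.com",  "5.5"),   # match 2
        (30,  "api.zhen.com",  "7.2"),   # match 3
        (40,  "www.zhen.com",  "-"),     # no upstream: not numeric
        (45,  "www.zhen.com",  "12.0"),  # match 4
        (55,  "api.zhen.com",  "5.1"),   # match 5 within 50 s: alert fires
        (70,  "www.zhen.com",  "8.0"),   # first match of a fresh window
        (200, "www.zhen.com",  "8.0"),   # 130 s later: the +70 s match has aged out
    ]
    return [{"@timestamp": base + timedelta(seconds=off),
             "http_host": host, "upstream_time": upstream}
            for off, host, upstream in rows]


if __name__ == "__main__":
    for when in frequency_alerts(sample_events()):
        print("frequency alert would fire at", when)
```

Running it reports a single alert at 14:30:55, the fifth qualifying request; the excluded-host and "-" events never enter the window, and the two later matches are too far apart to accumulate.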
5. Create the SMTP credentials file
vi /data/elastalert/example_rules/smtp_auth_file.yaml
user: "*****@**********.com"
password: "********"
This file holds the SMTP password in cleartext, so restrict it to the account that runs ElastAlert (chmod 600) and keep it out of version control together with the rules directory.
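A pre-flight check for the credentials file, as an added example that is not part of ElastAlert or of the original page: it verifies that smtp_auth_file.yaml is not group- or world-readable, optionally that it is owned by the expected uid, and that both user and password are present and non-empty. The file content written by demo() is constructed with fake values, and the two-line key/value parser is a stand-in for PyYAML so that the example runs without extra packages.

```python
"""Pre-flight check for the SMTP credentials file (added example, not part
of ElastAlert). The file stores the password in cleartext, so it should be
owned by the account ElastAlert runs as and readable by nobody else.
check_smtp_auth_file() returns a list of findings; empty means it passes."""
import os
import re
import stat
import tempfile

# Minimal parser for the two-line file shown above (key: "value"). A real
# deployment would use PyYAML; it is omitted here to keep the example self-contained.
_LINE = re.compile(r'^\s*(user|password)\s*:\s*"?(.*?)"?\s*$')


def check_smtp_auth_file(path, expected_uid=None):
    """Check permissions, ownership and content of smtp_auth_file.yaml."""
    findings = []
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return [f"{path}: missing"]
    mode = stat.S_IMODE(st.st_mode)
    # Any group or other bit set means another account can read the password.
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"{path}: mode {mode:04o} is group/world accessible; chmod 600 it")
    if expected_uid is not None and st.st_uid != expected_uid:
        findings.append(f"{path}: owned by uid {st.st_uid}, expected {expected_uid}")
    values = {}
    with open(path, encoding="utf-8") as fh:
        for line in fh:
            m = _LINE.match(line)
            if m:
                values[m.group(1)] = m.group(2)
    for key in ("user", "password"):
        if not values.get(key):
            findings.append(f"{path}: '{key}' is missing or empty")
    return findings


def demo():
    """Write a constructed credentials file (fake values) into a temp dir and
    check it first with 0600 and then with 0644 permissions."""
    tmpdir = tempfile.mkdtemp()
    path = os.path.join(tmpdir, "smtp_auth_file.yaml")
    with open(path, "w", encoding="utf-8") as fh:
        fh.write('user: "alerts@example.com"\npassword: "not-a-real-password"\n')
    os.chmod(path, 0o600)
    strict = check_smtp_auth_file(path, expected_uid=os.getuid())
    os.chmod(path, 0o644)
    lax = check_smtp_auth_file(path, expected_uid=os.getuid())
    return strict, lax


if __name__ == "__main__":
    strict, lax = demo()
    print("0600:", strict or "ok")
    print("0644:", lax)
```

Run it as the account named in the service's User= line before starting the service; with the unit file shown later on this page that account is root, which is one more reason to switch to a dedicated unprivileged user.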
6. Test the rule
elastalert-test-rule --config ../config.yaml my_rule.yaml
INFO:elastalert:Note: In debug mode, alerts will be logged to console but NOT actually sent.
To send them but remain verbose, use --verbose instead.
Didn't get any results.
INFO:elastalert:Note: In debug mode, alerts will be logged to console but NOT actually sent.
To send them but remain verbose, use --verbose instead.
1 rules loaded
INFO:apscheduler.scheduler:Adding job tentatively -- it will be properly scheduled when the scheduler starts
INFO:elastalert:Queried rule nginx from 2020-06-22 14:30 CST to 2020-06-22 14:31 CST: 0 / 0 hits
Would have written the following documents to writeback index (default is elastalert_status):
elastalert_status - {'rule_name': 'nginx', 'endtime': datetime.datetime(2020, 6, 22, 6, 31, 15, 663450, tzinfo=tzutc()), 'starttime': datetime.datetime(2020, 6, 22, 6, 30, 15, 63450, tzinfo=tzutc()), 'matches': 0, 'hits': 0, '@timestamp': datetime.datetime(2020, 6, 22, 6, 31, 15, 802957, tzinfo=tzutc()), 'time_taken': 0.04896187782287598}
"Didn't get any results" and "0 / 0 hits" mean the query returned nothing in the test window, so this run only proves that the rule file parses and that Elasticsearch accepts the query; it does not show that the filter matches real slow requests. Re-run against a window that contains known slow requests (elastalert-test-rule accepts --days N to query the previous N days) and confirm a non-zero hit count before relying on the rule.
7. Starting ElastAlert
1. Run in the foreground
python -m elastalert.elastalert --verbose --config config.yaml --rule example_rules/my_rule.yaml
--rule restricts the run to that single rule file; omit it to load every rule in rules_folder.
2. Run with systemd
[root@docker-server system]# cat /usr/lib/systemd/system/elastalertd.service
[Unit]
Description=elastalertd
After=elasticsearch.service
[Service]
Type=simple
User=root
Group=root
Restart=on-failure
WorkingDirectory=/data/elastalert
ExecStart=/usr/bin/elastalert --config /data/elastalert/config.yaml --rule /data/elastalert/example_rules/my_rule.yaml
[Install]
WantedBy=multi-user.target
ElastAlert does not need root: it only reads its config and rule files and talks to Elasticsearch and the SMTP server over the network. Prefer a dedicated unprivileged user that owns /data/elastalert and set User= and Group= to it, so that a bug in a rule or alerter cannot affect the rest of the host. Run daemon-reload whenever the unit file is created or edited, then start or stop the service:
systemctl daemon-reload
systemctl restart elastalertd.service
systemctl stop elastalertd.service
8. Alert types
1. Email alerts: already configured in my_rule.yaml above
2. WeChat alerts
3. DingTalk alerts
