elastalert 安装及邮件、企业微信告警接收配置


安装python3.6,git 等
# Build prerequisites: the Python 3.6 interpreter and headers, git for the
# clone below, and gcc for any dependency that has to be built from source.
yum install -y python36 python36-devel gcc git
安装elastalert(注意:Yelp/elastalert 上游仓库已声明停止维护,社区维护版本为 elastalert2;生产环境建议检出固定的 release tag 而不是直接使用 master 最新提交,并在安装前审查代码)

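#!/usr/bin/env bash
# Install ElastAlert from source as root; the console scripts land in
# /usr/local/bin. Stop at the first failing step instead of continuing with a
# half-installed tree.
set -euo pipefail

git clone https://github.com/Yelp/elastalert.git
cd elastalert/
# Supply-chain note: this is the moving tip of master. For a reproducible,
# reviewable install check out a specific release tag or commit here
# (git checkout <tag>) and inspect it before installing.

# Upgrade the packaging tools first so the installs below use them.
pip3 install --upgrade pip "setuptools>=11.3"
pip3 install -r requirements-dev.txt
pip3 install -r requirements.txt
pip3 install cryptography
# `pip install .` replaces the deprecated `python3 setup.py install`; it
# installs the same console scripts and records the package in pip's
# metadata so it can be listed and uninstalled.
pip3 install .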

安装完后4个命令文件路径在/usr/local/bin
elastalert elastalert-create-index elastalert-rule-from-kibana elastalert-test-rule
做个软链接到系统环境变量目录
# Link the four console scripts into /usr/bin; the unit file later in this
# page starts the daemon as /usr/bin/elastalert, so this is what it relies on.
for tool in /usr/local/bin/elastalert*; do
  [[ -e "$tool" ]] || continue
  ln -s "$tool" /usr/bin/
done
创建目录,及相关yaml,脚本文件
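# Create the config tree. -p makes the command idempotent (no error on re-run).
mkdir -p /data/elastalert/{alert_rules,rule_modules}
# This tree will hold the SMTP authorization code and the WeChat application
# secret, so restrict it to the account that runs ElastAlert (root in this setup).
chmod 700 /data/elastalert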
/data/elastalert目录结构:
[root@xx-elk elastalert]# tree

├── alert_rules
│   ├── bk.yaml
│   └── wechat.yaml
├── config.yaml
├── email_auth.yaml
└── rule_modules
    ├── __init__.py 
    └── wechat_qiye_alert.py

================================================
cat config.yaml #主配置文件

# Directory whose rule files ElastAlert loads.
rules_folder: /data/elastalert/alert_rules
# How often Elasticsearch is queried.
run_every: {minutes: 1}
# How far back each query window reaches.
buffer_time: {minutes: 15}
# Elasticsearch endpoint. Plain HTTP without credentials is what is configured
# here; if the cluster has security enabled, add use_ssl/verify_certs and
# es_username/es_password so the poller does not send queries in the clear.
es_host: 172.22.0.10
es_port: 9200
# Index holding ElastAlert's own state (created by elastalert-create-index).
writeback_index: elastalert_status
# How long a failed alert stays eligible for retry.
alert_time_limit: {days: 2}

============================
cat email_auth.yaml #邮箱认证文件(含明文授权码,建议 chmod 600,且不要提交到代码仓库)

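# SMTP credentials referenced by smtp_auth_file in the email rule.
# Keep this file readable only by the ElastAlert user (chmod 600) and out of
# version control.
user: "monitor@hxxx.com.cn"
# The original line had the annotation 授权码 after the closing quote, which is
# not valid YAML and breaks parsing of this file; it now lives in this comment.
# The value is the mailbox authorization code (授权码), as the original note says.
password: "rK8PxxxxxCQpfH5NJ"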

=====================================

cat alert_rules/bk.yaml #邮件告警

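# Per-rule Elasticsearch endpoint (same cluster as config.yaml).
es_host: 172.22.0.10
es_port: 9200
name: filebeat_log_error
# Fixed: the original key was misspelled "use_strftine_index" and was silently
# accepted and ignored. The option only matters when `index` contains strftime
# placeholders such as %Y.%m.%d; with a plain wildcard pattern it is a no-op.
use_strftime_index: true
type: frequency
index: xx-filebeat-*  # index pattern to query
num_events: 1

timeframe:
  minutes: 1
filter:
- term:
    level.keyword: "ERROR"
# Minimum interval between two alerts from this rule (a suppression window,
# not an occurrence count); 1 minute is for testing, raise it in production.
realert:
  minutes: 1
alert:
    - "email"
email:
    - "接收邮件地址"
smtp_host: smtphm.qiye.163.com
smtp_port: 465
smtp_ssl: true
# Credentials are kept in a separate, permission-restricted file.
smtp_auth_file: /data/elastalert/email_auth.yaml
from_addr: monitor@hxxx.com.cn
alert_subject: "ElastAlert: filebeat_log_error"
alert_text_type: alert_text_only
# Each {} is filled, in order, from alert_text_args; the raw log `message`
# is mailed verbatim, so the mailbox receives whatever the application logged.
alert_text: |
  你好,服务器应用程序出现错误日志!!!!
  ## 截止发邮件前匹配到的请求数:{}
  详细日志: {}
alert_text_args:
  - num_hits
  - message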

================================================

cat alert_rules/wechat.yaml #企业微信告警(含企业微信应用 Secret,同样需限制文件权限,不要提交到代码仓库)

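# Per-rule Elasticsearch endpoint (same cluster as config.yaml).
es_host: 172.22.0.10
es_port: 9200
name: filebeat_wechat
# Fixed: the original key was misspelled "use_strftine_index" and was silently
# accepted and ignored. The option only matters when `index` contains strftime
# placeholders such as %Y.%m.%d; with a plain wildcard pattern it is a no-op.
use_strftime_index: true
type: frequency
index: xx-filebeat-*   # index pattern to query
num_events: 1

timeframe:
  minutes: 1
filter:
- term:
    level.keyword: "ERROR"  # select ERROR-level log lines
# Minimum interval between two alerts from this rule (a suppression window).
realert:
  minutes: 1
alert:
- "rule_modules.wechat_qiye_alert.WeChatAlerter"
# Corp id and application secret. The secret is enough to obtain an
# access_token and send messages on behalf of the application, so this file
# must stay permission-restricted and out of version control.
wechat_corp_id: "ww676b6ec1xxxxxxx"
wechat_secret: "EgWLlIf1nM3gZ-xxxx-xxxx"
wechat_agent_id: "1000xxxxi"    # application id
wechat_party_id: "77"   # department id
wechat_user_id: "41"  # recipient user id(s): "|"-separated, or @all for everyone
wechat_tag_id: ""

alert_text_type: alert_text_only
# Each {} is filled, in order, from alert_text_args.
alert_text: |
  发生了 {} 次告警
  详细日志: {}
alert_text_args:
  - num_hits
  - message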

企业微信告警脚本(rule_modules/wechat_qiye_alert.py)

`__init__.py` 为空文件(使 rule_modules 成为可导入的 Python 包,对应 alert 配置中的 rule_modules.wechat_qiye_alert.WeChatAlerter)

原项目地址:

https://github.com/anjia0532/elastalert-docker/blob/master/elastalert_modules/wechat_qiye_alert.py

以下版本修正了企业微信接收中文乱码的问题(json.dumps 使用 ensure_ascii=False,并以 UTF-8 编码发送)

#! /usr/bin/env python3
# -*- coding: utf-8 -*-

import json
import datetime
from elastalert.alerts import Alerter, BasicMatchString
from requests.exceptions import RequestException
from elastalert.util import elastalert_logger,EAException #[感谢minminmsn分享](https://github.com/anjia0532/elastalert-wechat-plugin/issues/2#issuecomment-311014492)
import requests

'''
#################################################################
# 微信企业号推送消息                                              #
#                                                               #
# 作者: AnJia <anjia0532@gmail.com>                              #
# 作者博客: https://anjia.ml/                                    #
# Github: https://github.com/anjia0532/elastalert-wechat-plugin #
#                                                               #
#################################################################
'''
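class WeChatAlerter(Alerter):
    """ElastAlert alerter that pushes the rendered alert text to a WeChat Work
    (企业微信) application through the ``message/send`` API.

    Rule options (the first three are mandatory, see ``required_options``):
      wechat_corp_id   - corp id
      wechat_secret    - application secret; it is sufficient to obtain tokens
                         and send messages, so protect the rule file
      wechat_agent_id  - application id
      wechat_party_id  - department id(s)
      wechat_user_id   - user id(s), "|"-separated, or "@all"
      wechat_tag_id    - tag id(s)
    Messages are sent as plain ``text`` with ``safe`` set to "0".
    """

    # Corp id, secret and application id are required for every rule.
    required_options = frozenset(['wechat_corp_id', 'wechat_secret', 'wechat_agent_id'])

    # Upper bound of the text body in UTF-8 bytes (the original comment cites a
    # 2048 limit on the WeChat side); longer content is truncated before sending.
    MAX_CONTENT_BYTES = 2048
    # Socket timeout for both API calls. Without one a stalled connection would
    # block the whole ElastAlert run loop.
    REQUEST_TIMEOUT = 10
    # Refresh the cached token this many seconds before WeChat says it expires.
    TOKEN_REFRESH_MARGIN = 60

    def __init__(self, *args):
        super(WeChatAlerter, self).__init__(*args)
        self.corp_id = self.rule.get('wechat_corp_id', '')     # corp id
        self.secret = self.rule.get('wechat_secret', '')       # application secret
        self.agent_id = self.rule.get('wechat_agent_id', '')   # application id

        self.party_id = self.rule.get('wechat_party_id')       # department id
        self.user_id = self.rule.get('wechat_user_id', '')     # user id(s), "|"-separated, or "@all"
        self.tag_id = self.rule.get('wechat_tag_id', '')       # tag id
        # Cached access_token and the instant after which it must be re-fetched.
        # Starts in the past so the first alert always fetches a token.
        self.access_token = ''
        self.expires_in = datetime.datetime.now() - datetime.timedelta(seconds=60)

    def create_default_title(self, matches):
        """Subject used when the rule does not set alert_subject."""
        return 'ElastAlert: %s' % (self.rule['name'])

    def alert(self, matches):
        """Entry point called by ElastAlert with the list of matching documents."""
        if not self.party_id and not self.user_id and not self.tag_id:
            # Nothing addresses the message; WeChat will reject it server-side.
            elastalert_logger.warning("All touser & toparty & totag invalid")

        # create_alert_body() renders alert_text/alert_text_args to a string
        # (see elastalert/alerts.py); `matches` itself is a list of dicts.
        body = self.create_alert_body(matches)

        # Token docs: http://qydev.weixin.qq.com/wiki/index.php?title=AccessToken
        self.get_token()

        self.senddata(body)

        elastalert_logger.info("send message to %s" % (self.corp_id))

    def get_token(self):
        """Return a valid access_token, fetching a new one only when the cached
        one is missing or about to expire (the gettoken API is rate limited).

        Raises EAException on transport errors or when WeChat returns no token.
        """
        now = datetime.datetime.now()
        if self.access_token and self.expires_in >= now:
            return self.access_token

        # corpid/corpsecret are passed via params= rather than a format string.
        # The API still takes the secret as a query parameter, so this call must
        # stay on HTTPS and the URL must never be logged.
        try:
            response = requests.get(
                'https://qyapi.weixin.qq.com/cgi-bin/gettoken',
                params={'corpid': self.corp_id, 'corpsecret': self.secret},
                timeout=self.REQUEST_TIMEOUT)
            response.raise_for_status()
        except RequestException as e:
            # Do not embed str(e): requests puts the full request URL, including
            # corpsecret, into its exception text.
            raise EAException("get access_token failed: %s" % type(e).__name__)

        try:
            token_json = response.json()
        except ValueError:
            raise EAException("get access_token failed, non-JSON response (HTTP %s)"
                              % response.status_code)

        if 'access_token' not in token_json:
            # Fixed: the original called response.text() (a property), which
            # raised TypeError instead of reporting the API error.
            raise EAException("get access_token failed, the response is: errcode=%s errmsg=%s"
                              % (token_json.get('errcode'), token_json.get('errmsg')))

        self.access_token = token_json['access_token']
        # Treat the token as expired slightly early so a send never races its expiry.
        ttl = int(token_json.get('expires_in', 0)) - self.TOKEN_REFRESH_MARGIN
        self.expires_in = now + datetime.timedelta(seconds=max(ttl, 0))

        return self.access_token

    @staticmethod
    def _truncate_utf8(content, limit):
        """Cut `content` to at most `limit` UTF-8 bytes without splitting a
        multi-byte character; appends '...' when something was dropped.

        The original compared len() in characters, so Chinese text (3 bytes
        per character in UTF-8) could still exceed the byte limit.
        """
        raw = content.encode('utf-8')
        if len(raw) <= limit:
            return content
        # errors='ignore' drops the partial code point left at the cut.
        return raw[:limit - 3].decode('utf-8', 'ignore') + "..."

    @staticmethod
    def _as_str(value):
        """Recipient field as the string WeChat's validation expects ('' when unset)."""
        return str(value) if value else ''

    def senddata(self, content):
        """POST `content` as a text message to the configured recipients.

        Raises EAException on transport errors and when WeChat answers with
        errcode != 0, so ElastAlert records the failure and retries instead of
        silently dropping the alert.
        """
        # Message docs:
        # http://qydev.weixin.qq.com/wiki/index.php?title=%E6%B6%88%E6%81%AF%E7%B1%BB%E5%9E%8B%E5%8F%8A%E6%95%B0%E6%8D%AE%E6%A0%BC%E5%BC%8F
        content = self._truncate_utf8(content, self.MAX_CONTENT_BYTES)

        send_url = 'https://qyapi.weixin.qq.com/cgi-bin/message/send'
        headers = {'content-type': 'application/json'}

        # touser/toparty/totag must be strings; numbers are rejected by WeChat.
        payload = {
            "touser": self._as_str(self.user_id),
            "toparty": self._as_str(self.party_id),
            "totag": self._as_str(self.tag_id),
            'msgtype': "text",
            "agentid": self.agent_id,
            "text": {
                "content": content
            },
            "safe": "0"
        }

        # ensure_ascii=False keeps Chinese text as UTF-8 instead of \uXXXX
        # escapes (this is the 中文乱码 fix). A proxy could be passed to
        # requests.post(proxies=...) if one is needed.
        datass = json.dumps(payload, ensure_ascii=False).encode('utf-8')
        try:
            response = requests.post(send_url,
                                     params={'access_token': self.access_token},
                                     data=datass, headers=headers,
                                     timeout=self.REQUEST_TIMEOUT)
            response.raise_for_status()
        except RequestException as e:
            # Exception text embeds the request URL, i.e. the access_token; log the type only.
            raise EAException("send message has error: %s" % type(e).__name__)

        try:
            result = response.json()
        except ValueError:
            raise EAException("send message failed, non-JSON response (HTTP %s)"
                              % response.status_code)

        # The API answers HTTP 200 even when delivery fails; errcode != 0 is the
        # real failure signal. Drop the cached token so the next run re-fetches it
        # (an invalid or expired token is the usual cause).
        if result.get('errcode', 0) != 0:
            self.access_token = ''
            raise EAException("send message failed: errcode=%s errmsg=%s"
                              % (result.get('errcode'), result.get('errmsg')))

        elastalert_logger.info("send msg and response: %s" % response.text)

    def get_info(self):
        """Alerter identity recorded by ElastAlert alongside each alert."""
        return {'type': 'WeChatAlerter'}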

创建告警相关索引

[root@yzy-elk elastalert]# elastalert-create-index --config /data/elastalert/config.yaml

Elastic Version: 7.9.3

Reading Elastic 6 index mappings:

Reading index mapping ‘es_mappings/6/silence.json’

Reading index mapping ‘es_mappings/6/elastalert_status.json’

Reading index mapping ‘es_mappings/6/elastalert.json’

Reading index mapping ‘es_mappings/6/past_elastalert.json’

Reading index mapping ‘es_mappings/6/elastalert_error.json’

New index elastalert_status created

Done!


测试rule,正常如图

# Dry-run the rule against Elasticsearch; run from /data/elastalert because the
# rule path is relative. NOTE(review): elastalert-test-rule prints the matches
# and the rendered alert rather than delivering it unless --alert is given, so
# a clean run here does not by itself prove the SMTP/WeChat path works.
elastalert-test-rule alert_rules/bk.yaml


使用systemd管理

vim /usr/lib/systemd/system/elastalert.service

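[Unit]
Description=elastalert
# After= alone does not pull network-online.target in; Wants= is what makes the
# wait for a configured network actually happen.
Wants=network-online.target
After=network.target network-online.target

[Service]
Type=simple
# Kept as root to match the original setup. The daemon only needs read access to
# /data/elastalert and outbound network access (Elasticsearch, SMTP, WeChat), so a
# dedicated unprivileged user that owns /data/elastalert is the recommended
# replacement; the config tree holds the SMTP code and the WeChat secret.
User=root
Group=root
WorkingDirectory=/data/elastalert
ExecStart=/usr/bin/elastalert --verbose --config /data/elastalert/config.yaml
Restart=on-failure
RestartSec=5s
# Baseline sandboxing; the daemon writes nothing under /usr, /etc, /boot or /tmp
# that it needs to keep, so these should not affect normal operation.
NoNewPrivileges=true
PrivateTmp=true
ProtectSystem=full
ProtectHome=read-only

[Install]
WantedBy=multi-user.target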

服务启动
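# Pick up the new unit file, enable it so it also starts at boot, then start it.
# (enable and start are separate calls because `enable --now` is not available
# on older systemd releases such as the one shipped with CentOS 7.)
systemctl daemon-reload
systemctl enable elastalert.service
systemctl start elastalert.service
systemctl status elastalert.service --no-pager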
