告警规则示例
name: cpu
type: frequency
index: metricbeat-*
#匹配到关键字次数超过2次才告警
num_events: 2
timeframe:
minutes: 5
#5分钟内相同的告警的不会发送
realert:
minutes: 5
filter:
- query:
query_string:
query: “system.cpu.cores: > 2”
alert: - “post”
http_post_url: “http://192.168.90.11:8000/v1”
http_post_static_payload:
rule_name: any_rule
rule_level: medium
name: any
type: any
index: metricbeat-*
timeframe:
minutes: 1
filter:
- range:
system.cpu.cores:
gte: 5
lte: 7
#post接口推送数据
alert: - “post”
http_post_url: “http://192.168.90.11:8000/v1”
#post定义输出的内容,对应elasticsearch的索引的k,v
http_post_payload:
ip: clinet
name: cpu
type: frequency
index: metricbeat-*
num_events: 2
timeframe:
minutes: 5
filter:
- query:
query_string:
query: “system.cpu.cores: > 2”
alert: - “post”
http_post_url: “http://192.168.90.11:8000/v1”
name: blacklist_rule
type: blacklist
index: .monitoring-es-*
监控时间1分钟内
timeframe:
minutes: 1
compare_key: cluster_state.status
blacklist:
- “green”
- “red”
- “yellow”
alert: post
http_post_url: “http://192.168.90.11:8000/v1”
http_post_static_payload:
rule_name: blacklist_rule
rule_level: medium
http_post_payload:
ip: source_node.ip
cluster.status: cluster_state.status
time: timestamp
#elastcalert配置文件
rules_folder: /opt/elastalert/rules
#每2分钟查询一次elasticsearch
run_every:
minutes: 2
查询时间范围45分钟
buffer_time:
minutes: 45
#根据timestamp时间
timestamp_field: timestamp
es_host: 192.168.90.11
es_port: 9200
use_ssl: False
verify_certs: False
writeback_index: elastalert_status
##失败重试的时间限制
alert_time_limit:
minutes: 5
disable_rules_on_error: True
match_enhancements: []
run_enhancements_first: False
#启动命令
#指定告警规则启动
python -m elastalert.elastalert --verbose --config config.yaml --rule rules/es.yml
#默认加载全部
python -m elastalert.elastalert --verbose --config config.yaml
docker启动的命令
docker run -d -e"ELASTICSEARCH_HOST=192.168.90.11" -e"CONTAINER_TIMEZONE=Asia/Shanghai"
告警推送的数据格式
“IP”: “10.100.249.19”
“告警时间”: “2022-06-25T01:38:18.938Z”
“告警级别”: “medium”
“告警规则”: “any_rule”
“告警内容”: “cluster_state.status not is green”
“指标当前值”: “green”