After a while spent studying it, elastalert can meet the following needs:
1. filtering on keywords
2. alerting
The next step is deploying it to the test environment and formally starting a short-to-medium-term trial. We deploy it under supervisord.
supervisord configuration
[program:elastalert]
priority=1
command=/usr/local/scripts/deploy/fabenv/bin/python -m elastalert.elastalert --config /opt/xx/elk/aaa/config.yaml --verbose --rule /opt/xx/elk/aaa/example_rules/rule.yaml
autostart=false
autorestart=false
startretries=100
stopsignal=TERM
stopasgroup=true ; whether to send the stop signal to the whole UNIX process group (default false)
killasgroup=true ; SIGKILL the UNIX process group
elastalert configuration files
config.yaml
rules_folder: example_rules
run_every:
  #minutes: 1
  seconds: 3
buffer_time:
  minutes: 15
es_host: 192.168.0.231
es_port: 9200
writeback_index: elastalert_status
alert_time_limit:
  days: 2
example_rules/rule.yaml
#id: 5.1.1
(fabenv) [root@t228 aaa]# cat example_rules/rule.yaml
es_host: 192.168.0.231
es_port: 9200
name: For A TEST
use_strftime_index: true   # the original read "use_strftine_index", a misspelling of this option
type: frequency
index: filebeat-*
num_events: 1
timeframe:
  hours: 1
filter:
- query_string:
    # several "query" keys inside one query_string mapping; see the finding at the end of the post
    query: "message: \"测试一下下\""
    query: "message: \"ABC\""
    query: "message: \"closing socket connection and attempting reconnect\""
    query: "message: \"服务器下线: null\""
alert:
- "email"
email:
- "123@xx"
smtp_host: smtp.vip.126.com
from_addr: myalter@vip.126.com
email_reply_to: myalter@vip.126.com
smtp_auth_file: /opt/xx/elk/aaa/example_rules/auth
We log a line containing ABC to test it.
It turns out not to work. The reason is that I wrote several query entries and apparently only the last query takes effect. Fine, I will leave this here as an open issue.
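As an added example (not code from the post or from the ElastAlert project), the following Python script explains the finding above: a YAML mapping cannot hold the same key twice, and PyYAML, which ElastAlert uses to read rule files, silently keeps only the last `query`. It shows the collapse on a constructed copy of the post's filter, a strict loader that rejects such a rule before it is deployed, and the corrected single-clause filter that ORs all phrases; an installed PyYAML is the only assumption.

```python
import yaml

# Constructed sample that mirrors the post's rule: two "query" keys inside one
# query_string mapping. YAML mappings cannot repeat a key, and PyYAML resolves
# the clash by keeping the LAST value, so only one pattern reaches Elasticsearch.
RULE_FILTER_ORIGINAL = """\
filter:
- query_string:
    query: 'message: "ABC"'
    query: 'message: "closing socket connection and attempting reconnect"'
"""

class StrictLoader(yaml.SafeLoader):
    """SafeLoader that rejects repeated keys instead of silently dropping them."""
    def construct_mapping(self, node, deep=False):
        seen = set()
        for key_node, _ in node.value:
            key = self.construct_object(key_node, deep=deep)
            if key in seen:
                raise ValueError(
                    f"duplicate key {key!r} at line {key_node.start_mark.line + 1}")
            seen.add(key)
        return super().construct_mapping(node, deep=deep)

def effective_queries(rule_text):
    """The query strings that survive a default (lenient) load of the rule."""
    rule = yaml.safe_load(rule_text)
    return [clause["query_string"]["query"] for clause in rule["filter"]]

def has_duplicate_keys(rule_text):
    """Pre-deployment check: True if loading the rule would discard a pattern."""
    try:
        yaml.load(rule_text, Loader=StrictLoader)
    except ValueError:
        return True
    return False

def build_or_filter(field, phrases):
    """Corrected filter: one query_string clause OR-ing every phrase.
    Each phrase is escaped and double-quoted so it matches as a whole phrase."""
    escaped = [p.replace("\\", "\\\\").replace('"', '\\"') for p in phrases]
    query = " OR ".join(f'{field}:"{p}"' for p in escaped)
    return [{"query_string": {"query": query}}]

if __name__ == "__main__":
    print(effective_queries(RULE_FILTER_ORIGINAL))   # only the last query survives
    print(has_duplicate_keys(RULE_FILTER_ORIGINAL))  # True: catch it before deploying
    print(yaml.safe_dump(build_or_filter("message", ["ABC", "服务器下线: null"]),
                         allow_unicode=True))
```

Splitting the phrases into separate items of the filter list would not help either, since ElastAlert ANDs the entries of filter together; one OR-ed query_string is the form that matches any of them.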