I. Installing ES
Download ES from the official site. ElastAlert does not seem to support version 7 or later yet, so I used 6.8.0. Change into the bin directory of the install location, for example:
cd /usr/local/Cellar/elasticsearch-6.8.0/bin/
Start ES
./elasticsearch
Verify: once it is up, open http://localhost:9200/ in a browser; if the following page appears, ES started successfully.
Insert a test document. This step can also be done after ElastAlert has been started; it can be inserted directly. Note that timestamps such as 2019-10-11T10:54:41.000Z are UTC; add 8 hours to get Beijing time. Also note that the index name in the command below carries the date 2019.10.11 while the document's @timestamp is 2019-10-12; the rule later searches index: logstash-*, so this still works for the experiment, but in practice the daily index should match the event's UTC date.
curl -X POST "http://127.0.0.1:9200/logstash-2019.10.11/test" -H 'Content-Type: application/json' -d '{
"@timestamp": "2019-10-12T10:01:41.000Z",
"status": "500"
}'
You can of course insert it with Postman instead.
For this simple experiment, that is all the ES side needs.
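The same test document the curl command above sends, built in Python so the index name is derived from the event's UTC date and the Beijing-to-UTC conversion is explicit. This is an added example, not code from the original post or from ElastAlert; the ES URL and the "test" document type are the post's own values, and post_event() assumes an Elasticsearch 6.x HTTP endpoint with no authentication (as in the post).

```python
# Added example (not from the original post): build the test event the curl
# command sends, derive the logstash-YYYY.MM.DD index from the event's UTC
# timestamp, and convert a Beijing local time to the UTC @timestamp.
import json
import urllib.request
from datetime import datetime, timedelta, timezone

ES_URL = "http://127.0.0.1:9200"      # same local ES as in the post
BEIJING = timezone(timedelta(hours=8))  # UTC+8, as the post notes


def beijing_to_utc(local: str) -> datetime:
    """Interpret 'YYYY-MM-DD HH:MM:SS' as Beijing time and return the
    equivalent aware UTC datetime (i.e. subtract 8 hours)."""
    naive = datetime.strptime(local, "%Y-%m-%d %H:%M:%S")
    return naive.replace(tzinfo=BEIJING).astimezone(timezone.utc)


def build_event(ts_utc: datetime, status: int):
    """Return (index_name, document) for one event.

    The daily index is taken from the UTC date of the event so that the
    index name always agrees with the @timestamp stored in the document
    (the curl command in the post puts a 2019-10-12 timestamp into the
    2019.10.11 index, which works only because the rule uses logstash-*)."""
    if ts_utc.tzinfo is None or ts_utc.utcoffset() != timedelta(0):
        raise ValueError("ts_utc must be an aware UTC datetime")
    index = "logstash-" + ts_utc.strftime("%Y.%m.%d")
    doc = {
        "@timestamp": ts_utc.strftime("%Y-%m-%dT%H:%M:%S.000Z"),
        "status": str(status),  # the post stores status as a string
    }
    return index, doc


def post_event(index: str, doc: dict, es_url: str = ES_URL, doc_type: str = "test") -> int:
    """Index one document through the ES 6.x REST API (document type kept
    as in the post). Returns the HTTP status. This is the only network call;
    run it only against the local test cluster."""
    req = urllib.request.Request(
        f"{es_url}/{index}/{doc_type}",
        data=json.dumps(doc).encode(),
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.status


if __name__ == "__main__":
    # 18:01:41 Beijing time on 2019-10-12 is 2019-10-12T10:01:41.000Z in UTC
    ts = beijing_to_utc("2019-10-12 18:01:41")
    index, doc = build_event(ts, 500)
    print(index, json.dumps(doc))
    # post_event(index, doc)  # uncomment with a running local ES
```

A Beijing time shortly after midnight lands on the previous UTC day, which is exactly the case where a hand-typed index name and the @timestamp drift apart; build_event() computes both from the same UTC value so that cannot happen.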
II. The Python version problem
Installing ElastAlert should be a very simple matter, but it had long depended on Python 2, and last month it switched to requiring Python 3.6. The articles I referred to all said Python 2.6 was required, which led to a number of baffling version conflicts. See https://github.com/Yelp/elastalert.
The first line of the README says: "Recent changes: As of Elastalert 0.2.0, you must use Python 3.6. Python 2 will not longer be supported." I was bitten badly by this, though it was my own fault: I kept pulling with git clone without looking at the official notice, and hadn't even read README.md. Let this be a reminder to always read the official documentation; other people's write-ups are only for reference.
Also: a Mac ships with Python 2.7 by default. I originally wanted to uninstall 2.7 and install 3.6 directly, but many people online ran into problems after removing 2.7, probably because macOS itself depends on it. You can read my other article:
Replacing Python 2.7 with 3.6 on a Mac so that it persists after a reboot
III. Installing ElastAlert
1. Clone the project
git clone https://github.com/Yelp/elastalert.git && cd elastalert
2. Install the dependencies (run both commands with the Python 3.6 interpreter; on a Mac where `python` still points at 2.7, use `python3` for the first command as well)
python setup.py install
pip3 install -r requirements.txt
Note: as of 0.2.0 the whole package, elastalert-create-index included, runs on Python 3.6, so install requirements.txt exactly as pinned and do not edit its version constraints.
3. Create the writeback index
elastalert-create-index
If the index was created successfully, congratulations: you are very close.
4. Edit the configuration files
Edit config.yaml
cp config.yaml.example config.yaml
vi config.yaml
(1) config.yaml (indentation matters in YAML: the nested minutes/days keys must be indented under their parent key). Nothing here authenticates to ES, which is fine for a test bound to 127.0.0.1 but not for a cluster reachable from other hosts.
# This is the folder that contains the rule yaml files
# Any .yaml file will be loaded as a rule
rules_folder: example_rules
# How often ElastAlert will query Elasticsearch
# The unit can be anything from weeks to seconds
run_every:
  # how often ElastAlert polls ES for new data once it is running
  minutes: 1
# ElastAlert will buffer results from the most recent
# period of time, in case some log sources are not in real time
buffer_time:
  minutes: 15
# The Elasticsearch hostname for metadata writeback
# Note that every rule can have its own Elasticsearch host
es_host: 127.0.0.1
# The Elasticsearch port
es_port: 9200
writeback_index: elastalert_status
#writeback_alias: elastalert_alerts
# If an alert fails for some reason, ElastAlert will retry
# sending the alert until this time period has elapsed
alert_time_limit:
  days: 1
(2) Configure the sending mailbox
vi example_rules/smtp_auth_file.yaml
user: XXXXX@163.com
# not the mailbox login password, but the SMTP password you set up
# after logging in to 163 mail, go to Settings > POP3/SMTP/IMAP, enable it, then set a "client authorization password"
password: XXXX
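smtp_auth_file holds a plaintext SMTP credential, so before starting ElastAlert it is worth checking that the file is readable only by the user running it and that it actually contains the two keys ElastAlert expects. This preflight check is an added example, not part of the original post or of ElastAlert; the "key: value" parser in it is a deliberate simplification for this flat two-line file, not a YAML implementation, and write_fixture() only exists to create a constructed test file.

```python
# Added example (not from the original post): preflight check for the
# smtp_auth_file used by the email alerter.
import os
import stat
import tempfile


def parse_flat_yaml(text: str) -> dict:
    """Parse 'key: value' lines of a flat file, ignoring blanks and # comments.
    Assumption: the auth file is flat (user/password only), so no YAML library."""
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if sep:
            out[key.strip()] = value.strip().strip("'\"")
    return out


def check_auth_file(path: str) -> list:
    """Return a list of findings; an empty list means the file is acceptable."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    # any group/other bit exposes the SMTP password to other local users
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"mode {mode:o} lets group/others read the SMTP password; use chmod 600")
    with open(path) as f:
        data = parse_flat_yaml(f.read())
    for key in ("user", "password"):
        if not data.get(key):
            findings.append(f"missing or empty '{key}'")
    if data.get("password") in ("XXXX", "changeme"):  # placeholders from the post/template
        findings.append("password is still a placeholder")
    return findings


def write_fixture(mode: int, body: str = "user: XXXXX@163.com\npassword: s3cret\n") -> str:
    """Write a constructed smtp_auth_file with the given permission bits and
    return its path (test helper only; the password is made up)."""
    fd, path = tempfile.mkstemp(suffix=".yaml")
    with os.fdopen(fd, "w") as f:
        f.write(body)
    os.chmod(path, mode)
    return path


if __name__ == "__main__":
    for mode in (0o600, 0o644):
        print(oct(mode), check_auth_file(write_fixture(mode)))
```

Run it against the real path from the rule's smtp_auth_file setting; a 0644 file (the default umask result on many systems) is reported, a 0600 file passes.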
(3) Monitoring rule
vi example_rules/example_frequency.yaml
name: My Example rule
# (Required)
# Type of alert.
# the frequency rule type alerts when num_events events occur with timeframe time
type: frequency
# (Required)
# Index to search, wildcard supported
index: logstash-*
# (Required, frequency specific)
# Alert when this many documents matching the query occur within a timeframe
num_events: 1
# (Required, frequency specific)
# num_events must occur within this amount of time to trigger an alert
timeframe:
  minutes: 1
  #hours: 4
# (Required)
# A list of Elasticsearch filters used for find events
# These filters are joined with AND and nested in a filtered query
# For more info: http://www.elasticsearch.org/guide/en/elasticsearch/reference/current/query-dsl.html
# Note: "field: value" is the template placeholder; it only matches documents
# whose field named "field" equals "value". To catch the status=500 documents
# inserted in section I, the query has to target the status field instead.
filter:
- query:
    query_string:
      query: "field: value"
# Email settings
# smtp.163.com is the SMTP server of NetEase 163 mail
# after logging in to 163 mail, go to Settings > POP3/SMTP/IMAP, enable it, then set a "client authorization password"
# port 25 sends the credential in the clear unless the server negotiates STARTTLS;
# ElastAlert also supports smtp_ssl: true together with the provider's SSL port
smtp_host: smtp.163.com
smtp_port: 25
smtp_auth_file: /usr/local/Cellar/elastalert/example_rules/smtp_auth_file.yaml
# address that replies go to
email_reply_to: XXXXXX@163.com
# address the alert is sent from
from_addr: XXXX@163.com
# (Required)
# The alert is use when a match is found
alert:
- "email"
# (required, email specific)
# a list of email addresses to send alerts to
email:
- "target@qq.com"
OK, all done; now we can test.
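To make the rule's semantics concrete, here is a small model of the frequency rule run over constructed events: it counts events that match the query_string filter inside a trailing window of timeframe and fires once num_events of them have accumulated, then resets the window (ElastAlert's FrequencyRule pops its bucket after alerting). This is an added example, not ElastAlert's code; it supports only the single "field: value" form of query_string, which is an assumption made for the example, and the events in SAMPLE_EVENTS are made up. It also shows why the template filter "field: value" never fires for the status=500 documents from section I.

```python
# Added example (not ElastAlert's own code): a simplified model of the
# frequency rule applied to constructed events.
from collections import deque
from datetime import datetime, timedelta


def parse_ts(s: str) -> datetime:
    """Parse the @timestamp format used in the post, e.g. 2019-10-12T10:01:41.000Z."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S.%fZ")


def match_query_string(query: str, doc: dict) -> bool:
    """Evaluate a 'field: value' query_string against one document
    (assumption: only this simple form is supported here)."""
    field, _, value = query.partition(":")
    field, value = field.strip(), value.strip().strip('"')
    return str(doc.get(field)) == value


def frequency_rule(events, query, num_events, timeframe_seconds):
    """Return the @timestamp of each alert the rule would raise.

    Events are processed in time order; only matches enter the window,
    matches older than timeframe are dropped, and once num_events matches
    sit in the window an alert is recorded and the window is cleared."""
    timeframe = timedelta(seconds=timeframe_seconds)
    window = deque()
    alerts = []
    for doc in sorted(events, key=lambda d: parse_ts(d["@timestamp"])):
        if not match_query_string(query, doc):
            continue
        ts = parse_ts(doc["@timestamp"])
        window.append(ts)
        while window and ts - window[0] > timeframe:  # expire old matches
            window.popleft()
        if len(window) >= num_events:
            alerts.append(doc["@timestamp"])
            window.clear()  # mirrors the bucket reset after an alert
    return alerts


# Constructed sample: two 500s within a minute, a 200, and a 500 much later.
SAMPLE_EVENTS = [
    {"@timestamp": "2019-10-12T10:01:41.000Z", "status": "500"},
    {"@timestamp": "2019-10-12T10:02:10.000Z", "status": "500"},
    {"@timestamp": "2019-10-12T10:02:30.000Z", "status": "200"},
    {"@timestamp": "2019-10-12T10:30:00.000Z", "status": "500"},
]

if __name__ == "__main__":
    print(frequency_rule(SAMPLE_EVENTS, "field: value", 1, 60))  # template filter: nothing fires
    print(frequency_rule(SAMPLE_EVENTS, "status: 500", 1, 60))   # every 500 fires (num_events: 1)
    print(frequency_rule(SAMPLE_EVENTS, "status: 500", 2, 60))   # only the pair 29 s apart fires
```

With num_events: 1, as in the rule above, every matching document is an alert on its own, so the timeframe hardly matters; raising num_events is what turns the rule into a rate detector, and a timeframe shorter than the gap between the two 500s makes it stay silent.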
IV. Test
1. Start ES
2. Start ElastAlert
python -m elastalert.elastalert --verbose --rule example_frequency.yaml
At the 15:44 and 15:45 polls, no anomaly was found.
Add one anomalous document.
At the 15:47 poll, the anomalous document was picked up,
and the email arrived at the same time.
V. References
https://anjia0532.github.io/2017/02/14/elasticsearch-elastalert/
https://blog.csdn.net/qq_25934401/article/details/83993034
https://blog.csdn.net/qq_38369069/article/details/80842432