在已经部署好 ELK 环境的前提下,
elastalert 读取指定的 elasticsearch 索引,按规则进行匹配,一旦匹配成功就发送邮件报警。
关闭防火墙
配置nginx过滤文件
50 location /wg {
51 return 222;
52 }
53 location /yd {
54 return 333;
55 }
[root@localhost ~]# systemctl stop firewalld
[root@localhost ~]# setenforce 0 #临时将SELinux切换为permissive,重启后恢复原状
1,安装python3
elastalert是基于Python3版本的
[root@localhost ~]# yum -y install wget openssl openssl-devel gcc gcc-c++ #安装环境
[root@localhost ~] wget -c https://www.python.org/ftp/python/3.6.2/Python-3.6.2.tgz #下载Python3
[root@localhost ~] tar -zxf Python-3.6.2.tgz #解压
[root@localhost ~] cd Python-3.6.2
[root@localhost Python-3.6.2] ./configure --prefix=/usr/local/python --with-openssl #检测环境
[root@localhost Python-3.6.2] make && make install #编译 安装
2,设置python:让yum继续使用python2,并为python3做软链接
[root@localhost ~] which python
/usr/bin/python
[root@localhost ~] rm -rf /usr/bin/python
[root@localhost ~] vim /usr/bin/yum
[root@localhost ~] cat /usr/bin/yum|sed -n '1p'
#!/usr/bin/python2
[root@localhost ~] vim /usr/libexec/urlgrabber-ext-down
[root@localhost ~] cat /usr/libexec/urlgrabber-ext-down |sed -n '1p'
#! /usr/bin/python2
[root@localhost ~] ln -s /usr/local/python/bin/python3 /usr/bin/python
[root@localhost ~] ln -s /usr/local/python/bin/pip3 /usr/bin/pip
#做好以上操作后,yum 才能继续正常执行(yum 依赖 python2)
3,安装 elastalert
[root@localhost ~] tar -zxf v0.2.1_elasticalert.tar.gz
[root@localhost ~] mv elastalert-0.2.1 /usr/local/elastalert #转移至/usr/local下
[root@localhost ~] cd /usr/local/elastalert/
[root@localhost elastalert] pip install "elasticsearch<7,>6"
[root@localhost elastalert] pip install --upgrade pip
[root@localhost elastalert] pip install -r requirements.txt
[root@localhost elastalert] python setup.py install
安装之后会自带三个命令
(1)elastalert-create-index:ElastAlert会把执行记录存放到一个ES索引中,该命令就是用来创建这个索引的。默认情况下,索引名叫elastalert_status,其中有4个_type,都有自己的@timestamp字段,所以同样也可以用kibana来查看这个索引的日志记录情况。
(2)elastalert-rule-from-kibana:从Kibana3已保存的仪表盘中读取Filtering设置,帮助生成config.yaml里的配置。不过注意,它只会读取filtering,不包括queries。
(3)elastalert-test-rule:测试自定义配置中的rule设置。
4,设置elastalert索引
[root@localhost elastalert] cd /usr/local/python/bin/
[root@localhost bin] ./elastalert-create-index
Enter Elasticsearch host: 192.168.88.8 #elasticsearch主机ip
Enter Elasticsearch port: 9200 #elasticsearch端口号
Use SSL? t/f: f #否
Enter optional basic-auth username (or leave blank): #回车
Enter optional basic-auth password (or leave blank): #回车
Enter optional Elasticsearch URL prefix (prepends a string to the URL of every request): #回车
New index name? (Default elastalert_status) #回车
New alias name? (Default elastalert_alerts) #回车
Name of existing index to copy? (Default None) #回车
Elastic Version: 6.6.2
Reading Elastic 6 index mappings:
Reading index mapping 'es_mappings/6/silence.json'
Reading index mapping 'es_mappings/6/elastalert_status.json'
Reading index mapping 'es_mappings/6/elastalert.json'
Reading index mapping 'es_mappings/6/past_elastalert.json'
Reading index mapping 'es_mappings/6/elastalert_error.json'
New index elastalert_status created
Done!
5,修改配置文件
[root@localhost bin] cd /usr/local/elastalert/
[root@localhost elastalert] mv config.yaml.example config.yaml #重命名
[root@localhost elastalert] vim config.yaml
[root@localhost elastalert] cat config.yaml |grep -v "^#"|sed '/^$/d'
rules_folder: example_rules # 用来加载rule的目录,默认是example_rules
run_every: # 用来设置定时向elasticsearch发送请求,也就是告警执行的频率
minutes: 1
buffer_time: # 用来设置请求里时间字段的范围
minutes: 15
es_host: 192.168.88.8
es_port: 9200
writeback_index: elastalert_status # elastalert产生的日志在elasticsearch中创建的索引(注意#前要有空格,否则会被当作索引名的一部分)
writeback_alias: elastalert_alerts
alert_time_limit: # 失败重试的时间限制
days: 2
6,设置规则,配置邮件报警
[root@localhost elastalert] cd example_rules/
[root@localhost example_rules] mv example_frequency.yaml nginx_frequency.yaml #重命名
[root@localhost example_rules] vim nginx_frequency.yaml
[root@localhost example_rules] cat nginx_frequency.yaml |grep -v "^#"|sed '/^$/d'
es_host: 192.168.88.8
es_port: 9200
name: nginx rule #规则名字必须是唯一的
type: frequency
index: nginx_log-* # 监控的索引
num_events: 5 # 限定时间内,发生的次数
timeframe:
hours: 1 # 一小时内有5个错误日志写进ES的话就发送邮件
filter:
- term: # term 为精确匹配(不是正则);只要有 status 为 "222" 的日志写进 ES 就计入一次
status: "222" #nginx.conf 设置的location返回值
alert:
- "email"
email:
- "154766385@qq.com"
smtp_host: smtp.qq.com
smtp_port: 25
smtp_auth_file: /usr/local/elastalert/example_rules/email_auth.yaml
from_addr: 154766385@qq.com
[root@localhost example_rules] vim email_auth.yaml
[root@localhost example_rules] cat email_auth.yaml
user: "154766385@qq.com"
password: "*************" #这里是邮箱授权码(不是登录密码);该文件以明文保存授权码,建议 chmod 600 限制读取
7,启动elastalert,实时监控nginx日志
[root@localhost example_rules] cd ..
[root@localhost elastalert] /usr/local/python/bin/elastalert --config /usr/local/elastalert/config.yaml --rule /usr/local/elastalert/example_rules/nginx_frequency.yaml --verbose
*使用 ab 压测 nginx 以产生访问日志,用于验证告警