1. Alert rule configuration file
# (Optional)
# Elasticsearch host
# es_host: elasticsearch.example.com
es_host: 1.65.17.102
# (Optional)
# Elasticsearch port
# es_port: 14900
es_port: 9200
# (Optional) Connect with SSL to Elasticsearch
#use_ssl: True
# (Optional) basic-auth username and password for Elasticsearch
#es_username: someusername
#es_password: somepassword
# (Required)
# Rule name, must be unique
name: OSPF_LAST_NBR_DOWN(最近一次邻居down)
# (Required)
# Type of alert.
# the frequency rule type alerts when num_events events occur within the timeframe
#type: frequency
type: any
# (Required)
# Index to search, wildcard supported
index: logstash-switchlog*
# (Required, frequency specific)
# Alert when this many documents matching the query occur within a timeframe
num_events: 1
# (Required, frequency specific)
# num_events must occur within this amount of time to trigger an alert
timeframe:
  minutes: 1
# (Required)
# A list of Elasticsearch filters used to find events
# These filters are joined with AND and nested in a filtered query
# For more info: http://www.elasticsearch.org/guide/en/elasticsearch/reference/current/query-dsl.html
filter:
- query:
    query_string:
      query: "OSPF_LAST_NBR_DOWN"
# SMTP configuration
smtp_host: smtp.163.com
smtp_port: 25
#
# SMTP auth
smtp_auth_file: /etc/elastalert/rules/smtp_auth_file.yaml
email_reply_to: rrx_hostmonitor@163.com
from_addr: rrx_hostmonitor@163.com
#
# (Required)
# The alerters used when a match is found
alert:
- "email"
- "post"
http_post_url: "http://100.76.37.22/recevice_api/"
http_post_static_payload:
  rule_name: OSPF_LAST_NBR_DOWN(最近一次邻居down)
# (required, email specific)
# a list of email addresses to send alerts to
email:
- "magj@jiedaibao.com"
- "suohw@jiedaibao.com"
- "hanyu@jiedaibao.com"
2. Single-condition alert
A single-condition alert is based on a Query DSL field query: the query_string below matches documents containing "OSPF_LAST_NBR_DOWN".
filter:
- query:
    query_string:
      query: "OSPF_LAST_NBR_DOWN"
3. Combined alert
A combined alert is based on a Query DSL compound query. ES is searched for documents whose message contains terms from the string "100.66.11.201 100.66.11.202 LINK_UPDOWN PHY_UPDOWN LLDP_DELETE_NEIGHBOR OSPF_NBR_CHG", and an alert is raised when at least any two of those terms match ("minimum_should_match": "2"). The same logic extends to other values: with 3, any three matching terms raise the alert.
filter:
- query:
    match:
      "message": {
        "query": "100.66.11.201 100.66.11.202 LINK_UPDOWN PHY_UPDOWN LLDP_DELETE_NEIGHBOR OSPF_NBR_CHG",
        "minimum_should_match": "2"
      }
The test results are as follows:
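To make the behaviour of this minimum_should_match filter concrete, here is an added Python example (not code from the original post, from ElastAlert or from Elasticsearch) that emulates the match query over a few constructed switch-log lines. The query string and threshold are the ones from the filter above; the tokenizer is an approximation of Elasticsearch's standard analyzer and the log lines are made up for the demo. It also resolves the other forms minimum_should_match accepts (negative counts and percentages), which the page does not show.

```python
import re
from dataclasses import dataclass

# Query string and threshold copied from the combined-alert filter above.
QUERY = "100.66.11.201 100.66.11.202 LINK_UPDOWN PHY_UPDOWN LLDP_DELETE_NEIGHBOR OSPF_NBR_CHG"
MINIMUM_SHOULD_MATCH = "2"

# Constructed switch-syslog lines for the demo, not real captures.
SAMPLE_LOGS = [
    "%%01IFNET/4/LINK_UPDOWN(l): Interface GE0/0/1 has turned into DOWN state, peer 100.66.11.201",
    "%%01OSPF/4/OSPF_LAST_NBR_DOWN(l): neighbor 100.66.11.201 is down",
    "link between 100.66.11.201 and 100.66.11.202 verified, no change",
    "routine configuration backup finished",
]

# Token pattern: runs of word characters, optionally joined by dots, so that
# "100.66.11.201" and "LINK_UPDOWN" stay single tokens while "IFNET/4/LINK_UPDOWN(l)"
# splits apart. This approximates Elasticsearch's standard analyzer (assumption).
TOKEN = re.compile(r"\w+(?:\.\w+)*")


def analyze(text: str) -> list[str]:
    """Lowercase and tokenize, standing in for the index-side analyzer."""
    return TOKEN.findall(text.lower())


def required_clauses(spec: str, optional_clauses: int) -> int:
    """Resolve a minimum_should_match spec (N, -N, N%, -N%) to a clause count.

    Negative values mean "all but N"; percentages are taken of the clause count
    and rounded down. Clamping into [1, optional_clauses] is this emulation's
    choice for out-of-range specs.
    """
    m = re.fullmatch(r"\s*(-?)(\d+)(%?)\s*", spec)
    if not m:
        raise ValueError(f"unsupported minimum_should_match: {spec!r}")
    negative, number, percent = m.group(1) == "-", int(m.group(2)), m.group(3) == "%"
    if percent:
        number = optional_clauses * number // 100
    required = optional_clauses - number if negative else number
    return max(1, min(required, optional_clauses))


@dataclass
class MatchResult:
    message: str
    matched_terms: list[str]  # query terms found in the message, in query order
    required: int             # clauses the threshold demands

    @property
    def hit(self) -> bool:
        return len(self.matched_terms) >= self.required


def match_query(message: str, query: str = QUERY, msm: str = MINIMUM_SHOULD_MATCH) -> MatchResult:
    """Emulate a `match` query on one document: count query terms present in it."""
    terms = list(dict.fromkeys(analyze(query)))  # keep order, drop duplicate terms
    tokens = set(analyze(message))
    matched = [t for t in terms if t in tokens]
    return MatchResult(message, matched, required_clauses(msm, len(terms)))


def alerting_lines(lines: list[str], query: str = QUERY, msm: str = MINIMUM_SHOULD_MATCH) -> list[int]:
    """Indexes of the lines this filter would hand to ElastAlert as matches."""
    return [i for i, line in enumerate(lines) if match_query(line, query, msm).hit]


if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        r = match_query(line)
        verdict = "ALERT " if r.hit else "ignore"
        print(f"{verdict} {len(r.matched_terms)}/{r.required} {r.matched_terms} <- {line}")
    print("with minimum_should_match 3:", alerting_lines(SAMPLE_LOGS, msm="3"))
```

The third constructed line is the tuning point to watch: the two IP addresses are ordinary terms, so a benign message that names both neighbours reaches the threshold of 2 without any fault keyword. Raising minimum_should_match, or moving the addresses into a separate entry of the filter list (entries are joined with AND), narrows the rule to lines that carry both an address and an event keyword.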
4. Rule configuration file reference
ElastAlert rule settings
name: every rule needs its own unique name; if two rules share a name, the process will not start.
type: selects the kind of check run against the data.
index: the indices to read data from, e.g. index: logstash-switchlog*, which matches every index whose name begins with logstash-switchlog.
filter: the filter conditions sent in the request to ES.
timeframe: the length of time over which events accumulate before an alert is triggered.
alert: the alerting methods to run when an alert is triggered. Each type also has its own specific options. ElastAlert currently ships with the following built-in rule types:
any: alert whenever there is a match;
blacklist: the value of the compare_key field matches any entry in the blacklist array;
whitelist: the value of the compare_key field matches none of the entries in the whitelist array;
change: for the same query_key, the value of the compare_key field changes within the timeframe;
frequency: for the same query_key, num_events filtered events occur within the timeframe;
spike: for the same query_key, the event counts of two consecutive timeframes differ by a ratio exceeding spike_height. spike_type sets the direction to check: up, down or both. threshold_ref sets a lower bound on the previous period's event count and threshold_cur a lower bound on the current period's; if a count stays below its bound, the rule does not fire;
flatline: within the timeframe, the event count is below the threshold value;
new_term: values in fields that fall outside the top terms_size (default 50) terms seen during the preceding terms_window_size (default 30 days);
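The settings above translate directly into checks that can be run on rule files before ElastAlert loads them. The following Python validator is an added example, not code from the original post or from ElastAlert; it encodes only what this section and the comments in the section 1 rule file state (unique name, the required options, the per-type options, timeframe as a unit mapping, and the email and post alerters), not ElastAlert's full schema. The rule documents are constructed dicts standing in for the output of yaml.safe_load() on real rule files, and the placeholder recipient address is made up.

```python
from collections import Counter

# Options each built-in rule type needs, taken from the descriptions in this
# section and the comments in the section 1 rule file. This is the minimum the
# page describes, not ElastAlert's complete schema (assumption).
TYPE_REQUIREMENTS = {
    "any": [],
    "frequency": ["num_events", "timeframe"],
    "blacklist": ["compare_key", "blacklist"],
    "whitelist": ["compare_key", "whitelist"],
    "change": ["compare_key", "query_key"],
    "spike": ["spike_height", "spike_type", "timeframe"],
    "flatline": ["threshold", "timeframe"],
    "new_term": ["fields"],
}
# Alerters used on this page and the option each one needs.
ALERT_REQUIREMENTS = {"email": ["email"], "post": ["http_post_url"]}
# Time units a timeframe mapping may use (the commonly used subset; assumption).
TIME_UNITS = {"seconds", "minutes", "hours", "days", "weeks"}


def valid_timeframe(tf) -> bool:
    """timeframe must look like {minutes: 1}: a non-empty mapping of unit -> positive number."""
    return (isinstance(tf, dict) and bool(tf)
            and all(k in TIME_UNITS and isinstance(v, (int, float)) and v > 0 for k, v in tf.items()))


def validate_rule(rule: dict) -> tuple[list[str], list[str]]:
    """Return (errors, warnings) for a single parsed rule document."""
    errors, warnings = [], []
    for key in ("name", "type", "index", "filter", "alert"):
        if key not in rule:
            errors.append(f"missing required option {key!r}")
    rtype = rule.get("type")
    if rtype is not None and rtype not in TYPE_REQUIREMENTS:
        errors.append(f"unknown rule type {rtype!r}")
    for key in TYPE_REQUIREMENTS.get(rtype, []):
        if key not in rule:
            errors.append(f"type {rtype!r} requires {key!r}")
    if "timeframe" in rule and not valid_timeframe(rule["timeframe"]):
        errors.append("timeframe must be a mapping such as {minutes: 1}")
    if "filter" in rule and not isinstance(rule["filter"], list):
        errors.append("filter must be a list of Query DSL clauses (they are joined with AND)")
    alerts = rule.get("alert", [])
    for alert in [alerts] if isinstance(alerts, str) else alerts:
        for key in ALERT_REQUIREMENTS.get(alert, []):
            if key not in rule:
                errors.append(f"alert {alert!r} requires {key!r}")
    # Mismatches that do not stop ElastAlert but signal a misunderstanding or a weak setup.
    if rtype == "any" and "num_events" in rule:
        warnings.append("num_events is frequency-specific; type 'any' alerts on every match")
    if not rule.get("use_ssl"):
        warnings.append("use_ssl is not enabled, so the Elasticsearch connection is plaintext")
    return errors, warnings


def validate_rules(rules: list[dict]) -> list[dict]:
    """Validate rules together so the cross-file check (unique name) can run."""
    names = Counter(r.get("name") for r in rules)
    report = []
    for i, rule in enumerate(rules):
        errors, warnings = validate_rule(rule)
        if names[rule.get("name")] > 1:
            errors.append("duplicate name; ElastAlert will not start when two rules share a name")
        report.append({"name": rule.get("name", f"<rule {i}>"), "errors": errors, "warnings": warnings})
    return report


# Constructed rule documents standing in for yaml.safe_load() output.
# RULE_FROM_PAGE mirrors the section 1 rule (SMTP settings and mail addresses left out).
RULE_FROM_PAGE = {
    "es_host": "1.65.17.102", "es_port": 9200,
    "name": "OSPF_LAST_NBR_DOWN(最近一次邻居down)", "type": "any",
    "index": "logstash-switchlog*", "num_events": 1, "timeframe": {"minutes": 1},
    "filter": [{"query": {"query_string": {"query": "OSPF_LAST_NBR_DOWN"}}}],
    "alert": ["email", "post"], "http_post_url": "http://100.76.37.22/recevice_api/",
    "email": ["ops@example.invalid"],  # placeholder recipient
}
BROKEN_RULES = [
    {"name": "DUP", "type": "frequency", "index": "logstash-switchlog*", "filter": [],
     "alert": ["email"], "email": ["ops@example.invalid"], "timeframe": {"minutes": 5}},
    {"name": "DUP", "type": "spike", "index": "logstash-switchlog*", "filter": [], "alert": "post",
     "spike_height": 3, "spike_type": "up", "timeframe": {"hours": 1}, "use_ssl": True},
    {"name": "FLAT", "type": "flatline", "index": "logstash-switchlog*", "filter": [],
     "alert": ["email"], "email": ["ops@example.invalid"], "threshold": 1, "timeframe": "1 minute"},
]

if __name__ == "__main__":
    for entry in validate_rules([RULE_FROM_PAGE] + BROKEN_RULES):
        print(entry["name"], "errors:", entry["errors"], "warnings:", entry["warnings"])
```

Run against the section 1 rule, the validator reports no errors but two warnings: num_events and timeframe are set while type is any, so they have no effect and every OSPF_LAST_NBR_DOWN match alerts immediately, and use_ssl is left commented out. The constructed broken rules show the hard failures: a frequency rule without num_events, two rules sharing a name, a post alerter without http_post_url, and a timeframe written as a string instead of a unit mapping.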