2. ElastAlert安装部署

githup 安装手册

git clone https://github.com/Yelp/elastalert.git

https://elastalert.readthedocs.io/en/latest/running_elastalert.html

 

环境需求

• Elasticsearch
• ISO8601 or Unix timestamped data
• Python 2.7
• pip, see requirements.txt

pip 安装

sudo yum -y install epel-release #安装epel扩展源

sudo yum -y install python-pip #安装pip

安装依赖包

pip install --upgrade setuptools

python -m pip install --upgrade pip

yum install python-devel libxslt-devel libffi-devel openssl-devel gcc gcc-c++ kernel-devel

 

pip install -r requirements.txt

pip install "elasticsearch>=6.6.1”

 

修改elastalert/elastalert.py 为支持Elastalert6.6

 

def modify_rule_for_ES5(new_rule): # Get ES version per rule rule_es = elasticsearch_client(new_rule) - if rule_es.info()[‘version‘][‘number‘].startswith(‘5‘): + version = rule_es.info()[‘version‘][‘number‘][0:1] + if int(version) >= 5: new_rule[‘five‘] = True else: new_rule[‘five‘] = False

创建索引

python elastalert/create_index.py --host localhost --port 9200 --index elastalert

 

python elastalert/create_index.py --host l00.76.37.64 --port 9200 --index elastalert

 

启动运行

python -m elastalert.elastalert --verbose

解决方案

Centos/Fedora

sudo yum install python-devel

sudo yum install libevent-devel

easy_install gevent

或者

pip install gevent

把环境更新下

sudo yum install groupinstall 'development tools'

上链接供参考；https://www.cnblogs.com/gerrydeng/p/7159021.html

问题二

解决方案

try pip install boto3

上连接供参考 https://stackoverflow.com/questions/48377297/importerror-no-module-named-botocore-session#

 

elastaler 邮件告警配置

#在etc 下创建程序工作目录

mkdir -p /etc/elastalert/rules 

#进入工作目录复制刚刚创建好的配置文件

cd /etc/elastalert/ 

cp /opt/elastalert/config.yaml config.yaml

#进入rules 目录复制rule 文件及smtp 认证文件

cp /elastalert/example_rules/my_rule.yaml my_rule.yaml

cp /opt/elastalert/example_rules/smtp_auth_file.yaml smtp_auth_file.yaml

#接下来我们需要修改配置文件中涉及到相应配置文件目录了，

修改 config.yaml 中

rules_folder:/etc/elastalert/rules 

修改my_rules.yaml 中

smtp_auth_file: /etc/elastalert/rules/smtp_auth_file.yaml

#接下来就是创建systemd服务了

cd /etc/systemd/system/

vim elastalertd.service

 

elastaler 进程长期启动方式

[root@es-aleart system]# vim elastalertd.service

[Unit]

Description=elastalertd

After=elasticsearch.service

 

[Service]

Type=simple

User=root

Group=root

Restart=on-failure

WorkingDirectory=/opt/elastalert

ExecStart=/usr/bin/elastalert --config /etc/elastalert/config.yaml --rule --verbose /etc/elastalert/rules/

[Install]

WantedBy=multi-user.target