安装python3.6
# Python 3.6 interpreter and its pip, from the distro repositories, in one transaction
yum install -y python36 python36-pip
测试当前生效的python版本
# Show which interpreter each of the two names currently resolves to
for py in python python3; do
  "$py" --version
done
将默认python 修改为python3
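# Inspect the installed interpreters and the existing "python" symlink.
# The cd is guarded so ls never runs in some other directory if it fails,
# and -l shows where the current symlink points, which is the information
# needed before repointing it in the next step.
cd /usr/bin || exit 1
ls -l -- python*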
重新创建软链接指向python3.6
rm -f python && ln -s python3.6 python
测试版本
python --version
修改原来基于 python2 的程序配置
yum
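#######################################
# Point a script's "#!/usr/bin/python" shebang at python2 so it keeps working
# after /usr/bin/python was repointed at python3.6 above. Only an exact
# "#!/usr/bin/python" first line is rewritten, so re-running is a no-op and a
# script already on python2/python3 is left alone (the page did this by hand in vi).
# Arguments: $1 - path of the script to patch
# Returns:   0 on success, 1 if the file does not exist
#######################################
fix_shebang() {
  local script=$1
  [[ -f "$script" ]] || { printf 'fix_shebang: %s not found\n' "$script" >&2; return 1; }
  sed -i '1s|^#!/usr/bin/python$|#!/usr/bin/python2|' -- "$script"
}

# yum: change the first line "#!/usr/bin/python" to "#!/usr/bin/python2"
fix_shebang /usr/bin/yum
# urlgrabber-ext-down: same change
fix_shebang /usr/libexec/urlgrabber-ext-down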
安装依赖包
yum install gcc libffi-devel python3-devel openssl-devel4 -y
用 pip 安装 elastalert
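# Upgrade pip before installing: the install can fail on the pip shipped with
# python36-pip, and upgrading only after the failure (as the page did) leaves
# the install un-retried.
pip3 install --upgrade pip
# NOTE(review): unpinned install from PyPI, run as root — pin the version once
# it has been tested. The original Yelp "elastalert" project is archived; the
# maintained fork is published as "elastalert2".
pip3 install elastalert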
elastalert-create-index
elastalert-create-index
这个命令会在elasticsearch创建索引,便于ElastAlert将有关其查询及其警报的信息和元数据保存回Elasticsearch。这不是必须的步骤,但是强烈建议创建。因为对于审计,测试很有用,并且重启elastalert不影响计数和发送alert。默认情况下,创建的索引叫 elastalert_status。
elastalert-create-index
如下报错是依赖的ES版本未找到
解决
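# Pin the Python elasticsearch client to the 7.x line matching the server
# (the rule below queries filebeat-7.3.1-*). "elasticsearch=7.0.0" is not a
# valid pip requirement — the version operator is "==" — and -y keeps the
# uninstall from prompting.
pip3 uninstall -y elasticsearch
pip3 install 'elasticsearch==7.0.0'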
创建配置文件
文件目录:
/usr/local/elastalert
创建config.yaml文件
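# Directory holding the rule files. Relative paths resolve from the working
# directory, so run ElastAlert from /usr/local/elastalert (the systemd unit
# below sets WorkingDirectory accordingly).
rules_folder: ./rules
# How often ElastAlert runs its queries
run_every:
  minutes: 1
# Size of the query window (see upstream docs for how it relates to run_every)
buffer_time:
  minutes: 15
# Elasticsearch host — "ip" is a placeholder, set the real host name or address.
# NOTE(review): if Elasticsearch requires TLS or basic auth, set use_ssl,
# es_username and es_password here (they appear commented out in rule.yaml)
# so every rule inherits them.
es_host: ip
# The Elasticsearch port
es_port: 9200
# Index ElastAlert writes its own state and alert metadata to — the index
# elastalert-create-index created above
writeback_index: elastalert_status
alert_time_limit:
  days: 2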
创建规则文件
/usr/local/elastalert/rules
vi rule.yaml
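# Alert when the rate of events exceeds a threshold
# (Optional)
# Elasticsearch host
# es_host: elasticsearch.example.com
# (Optional)
# Elasticsearch port
# es_port: 9200
# (Optional) Connect with SSL to Elasticsearch
#use_ssl: True
# (Optional) basic-auth username and password for Elasticsearch
#es_username: someusername
#es_password: somepassword
# (Required)
# Rule name, must be unique
name: Email rule
# (Required)
# Type of alert.
# the frequency rule type alerts when num_events events occur with timeframe time
type: frequency
# (Required)
# Index to search, wildcard supported
index: filebeat-7.3.1-*
# (Required, frequency specific)
# Alert when this many documents matching the query occur within a timeframe
num_events: 1
# (Required, frequency specific)
# num_events must occur within this amount of time to trigger an alert
timeframe:
  minutes: 1
# (Required)
# A list of Elasticsearch filters used for find events
# These filters are joined with AND and nested in a filtered query
# For more info: http://www.elasticsearch.org/guide/en/elasticsearch/reference/current/query-dsl.html
# Matches documents whose field holds the given value; to alert on event
# volume without any filtering, write "filter: []" instead.
filter:
- query:
    query_string:
      query: "message: error"
# SMTP configuration
# NOTE(review): port 25 is plain SMTP; per upstream docs ElastAlert only
# upgrades opportunistically with STARTTLS. Setting smtp_ssl: true (with the
# provider's TLS port) keeps the authorization code off any unencrypted hop.
smtp_host: smtp.163.com
smtp_port: 25
# SMTP auth — the credentials live in this separate file, not in the rule;
# keep it readable only by the service user (mode 600)
smtp_auth_file: /usr/local/elastalert/smtp_auth_file.yaml
email_reply_to: wk18033672017@163.com
from_addr: wk18033672017@163.com
# (Required)
# The alert is use when a match is found
alert:
- "email"
# (required, email specific)
# a list of email addresses to send alerts to
email:
- "wk18033672017@163.com"
# Subject and body of the alert. Each "{}" in alert_text is filled, in order,
# from the fields listed in alert_text_args; with two args the body needs two
# placeholders, otherwise the timestamp is silently dropped.
alert_subject: "小打卡报错啦!!!"
alert_text: " 系统: 小打卡 \n 时间: {} \n 信息: {} \n "
# NOTE(review): Filebeat stores the event time as "@timestamp"; confirm the
# index really has a "timestamp" field, otherwise use "@timestamp" here.
alert_text_args:
- timestamp
- message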
/usr/local/elastalert 目录下创建邮件认证文件
vi smtp_auth_file.yaml
#邮箱用户名
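# Mail account used to authenticate to smtp.163.com
user: wk18033672017@163.com
# Not the mailbox password: the SMTP authorization code generated in the
# mailbox settings. Placeholder below — fill in your own code, never publish
# it, and rotate any code that has been shared. Keep this file owned by the
# service user with mode 600 (chmod 600 smtp_auth_file.yaml).
password: <SMTP_AUTH_CODE>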
启动
在/usr/local/elastalert 目录下执行
python -m elastalert.elastalert --config ./config.yaml --verbose --rule rules/rule.yaml
测试结果
开机启动
cd /usr/lib/systemd/system
vi elastalertd.service
[Unit]
Description=elastalertd
# After= only orders startup behind a local Elasticsearch unit; it does not
# pull it in (add Wants=elasticsearch.service for that) and has no effect when
# Elasticsearch runs on another host.
After=elasticsearch.service
[Service]
Type=simple
# NOTE(review): the process only reads this directory and talks to
# Elasticsearch and SMTP — a dedicated unprivileged user that owns
# /usr/local/elastalert (and can read smtp_auth_file.yaml) is sufficient;
# root is not needed.
User=root
Group=root
Restart=on-failure
# Relative paths in config.yaml (rules_folder) resolve from here.
WorkingDirectory=/usr/local/elastalert
# Presumably the console script installed by pip3; same entry point as the
# manual "python -m elastalert.elastalert" start above, but without --verbose.
ExecStart=/usr/local/bin/elastalert --config /usr/local/elastalert/config.yaml --rule /usr/local/elastalert/rules/rule.yaml
[Install]
WantedBy=multi-user.target
# Unit name used by every command below (systemctl appends .service itself
# when the suffix is omitted, so this matches the bare form too)
unit=elastalertd.service
# Reload unit files so systemd picks up the new service definition
systemctl daemon-reload
# Start at boot
systemctl enable "$unit"
# Start now
systemctl start "$unit"
# Stop
systemctl stop "$unit"
# Show status
systemctl status "$unit"