  • elastalert: using the import property to organize and pull in configuration

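    Settings shared by several rules can be placed in one or more include ("header") files, and the main rule YAML file simply imports them. The file name is arbitrary, but it is best not to use the .yaml extension, otherwise the file will be treated as a rule itself. Also, import can appear only once in a rule file. To use several include files, have one imported file import another.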

    Example:

    The main myrule.yaml:

    import: inc_es.inc
    name: hs_server_ahc_task system error
    
    type: frequency
    
    # (Required)
    # Index to search, wildcard supported
    index: hs_server_ahc_task*
    
    # (Required, frequency specific)
    # Alert when this many documents matching the query occur within a timeframe
    num_events: 1
    
    # (Required, frequency specific)
    # num_events must occur within this amount of time to trigger an alert
    timeframe:
      hours: 1
    
    #import: inc_time_field.inc
    
    filter:
    - terms:
        "Level": ["fatal", "error"]
    
    
    alert_subject: "Alert: System {0} occurred {1} times."
    alert_subject_args:
    - Level
    - "num_hits"

    The imported inc_es.inc file:

    es_host: 10.10.21.77
    
    # (Optional)
    # Elasticsearch port
    es_port: 9200
    
    attach_related: true
    use_kibana4_dashboard: https://nodejsgbl.italkbb.com/kibana/app/kibana#/dashboard/3bde48d0-9880-11e9-b5d5-2df46b09dea6
    
    email_format: html
    
    import: inc_mail.inc

    This in turn imports the mail include file, inc_mail.inc:

    alert:
    
    - "email"
    
    email:
    - "bin.zhi@net263.com"
    #- "zhibingoo@163.com"
    #- "fsha@net263.com"
    #- "tiezhou.wei@net263.com"
    
    smtp_host: smtp.263.net
    smtp_port: 25
    smtp_auth_file: ../smtp_auth_file.yaml
    email_reply_to: No.reply@net263.com
    from_addr: ElastAlert@net263.com
    #cc: bin.zhi@net263.com

    Run:

    elastalert --config ../config.yaml --rule hs_ahc_task.yaml  --verbose  --start 2019-06-27T08:45 --end 2019-06-27T09:55
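
To audit what a rule ends up with after the import chain above (which Elasticsearch host, which mail settings), the chain can be flattened into one effective rule. This is an added example, not code from the original post or from ElastAlert: `resolve` and `FILES` are hypothetical names, the file contents are constructed from the three files above as already-parsed dictionaries, and the merge order (the importing file wins, `filter` lists are combined) is an assumption about how imports are applied.

```python
# Added example: flatten an ElastAlert-style import chain into the effective rule.
# FILES stands in for parsed YAML; contents constructed from the files above, trimmed.
FILES = {
    "myrule.yaml": {
        "import": "inc_es.inc",
        "name": "hs_server_ahc_task system error",
        "type": "frequency",
        "filter": [{"terms": {"Level": ["fatal", "error"]}}],
    },
    "inc_es.inc": {
        "es_host": "10.10.21.77",
        "es_port": 9200,
        "import": "inc_mail.inc",
    },
    "inc_mail.inc": {
        "alert": ["email"],
        "email": ["bin.zhi@net263.com"],
        "smtp_host": "smtp.263.net",
        "smtp_port": 25,
    },
}


def resolve(filename, files=FILES):
    """Follow the import chain and return (effective_rule, chain_of_files)."""
    # Assumption: keys set in the importing file override imported ones,
    # and 'filter' lists from both files are combined.
    rule, chain = {}, []
    while filename is not None:
        if filename in chain:
            raise ValueError("import loop: " + " -> ".join(chain + [filename]))
        if filename not in files:
            raise FileNotFoundError(filename)
        chain.append(filename)
        loaded = dict(files[filename])
        if "filter" in rule and "filter" in loaded:
            rule["filter"] = loaded["filter"] + rule["filter"]
        nxt = loaded.pop("import", None)  # one import per file, so one next hop
        loaded.update(rule)               # values closer to the rule file win
        rule = loaded
        filename = nxt
    return rule, chain


if __name__ == "__main__":
    effective, chain = resolve("myrule.yaml")
    print(" -> ".join(chain))
    for key in sorted(effective):
        print(f"{key}: {effective[key]}")
```

Reviewing the flattened output shows at a glance which alert recipients and SMTP settings a rule inherits from include files it never mentions directly.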

  • Original article: https://www.cnblogs.com/bigben0123/p/11102874.html