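  • ElastAlert email alerting

    Workflow:

    ElastAlert reads the specified Elasticsearch index and matches documents against the rules; when a rule matches, it sends an email alert.

    Install ElastAlert

    Python 2.7 or later is required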

    $ cd /alidata1

    $ git clone https://github.com/Yelp/elastalert.git

    $ cd elastalert

    $ sudo python setup.py install

    $ sudo pip install -r requirements.txt

    Create the ElastAlert index

    $ elastalert-create-index
    New index name (Default elastalert_status)
    Name of existing index to copy (Default None)
    New index elastalert_status created
    Done!

    Set up the configuration file

    cp /alidata1/elastalert/config.yaml.example  /alidata1/elastalert/config.yaml
    vim    /alidata1/elastalert/config.yaml
    rules_folder: example_rules
    run_every:
      minutes: 1
    buffer_time:
      minutes: 15
    es_host: 127.0.0.1
    es_port: 9200
    writeback_index: elastalert_status
    alert_time_limit:
      days: 2

    Configure the rule

    
    [root@elk-node-1 elastalert]# cat example_rules/api3_err_rule.yaml | grep -v "#"| grep -v "^;"|grep -v "^$"
    name: api3_error
    type: frequency
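    index: api3_error*  # the index to monitor
    num_events: 3       # number of events that must occur within the time window
    timeframe:          # the time window; together with the line above: if three error logs are written to ES within one minute, send an email
      minutes: 1
    filter:
      - regexp:         # match by regular expression; ".*" means every log written to ES counts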
          message: ".*"
    smtp_host: smtp.163.com
    smtp_port: 25
    smtp_auth_file: /alidata1/elastalert/smtp_auth_file.yaml  # this file holds the account and password used to send mail
    email_reply_to: xxxxx@163.com
    from_addr: xxxxx@163.com
    alert:
    - "email"
    email:
    - "zhai.junming@xxxxx.cn"

    smtp_auth_file.yaml

    user: "xxxxx@163.com"
    password: "123456"

    Start ElastAlert

    $ cd /alidata1
    $ python -m elastalert.elastalert --config /alidata1/elastalert/config.yaml   --verbose --rule /alidata1/elastalert/example_rules/api3_err_rule.yaml

         INFO:elastalert:Queried rule api3_error from 2017-12-01 18:00 CST to 2017-12-01 18:02 CST: 4 / 4 hits
         INFO:elastalert:Sent email to ['zhai.junming@xxx.cn']
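
The threshold in the rule above (num_events: 3 within timeframe: minutes: 1) can be modelled as a sliding window, which helps when tuning the two values before deploying a rule. This is an added example, not code from the original post or from ElastAlert itself; the function names, the reset-after-match behaviour and the sample timestamps are assumptions constructed for illustration.

```python
from collections import deque
from datetime import datetime, timedelta


def frequency_matches(timestamps, num_events=3, timeframe=timedelta(minutes=1)):
    """Return the timestamps at which a frequency-style rule would match.

    Simplified model (assumption): keep only events that are less than
    `timeframe` older than the newest event; match once the window holds
    `num_events` events, then start a fresh window.
    """
    window = deque()
    matches = []
    for ts in sorted(timestamps):
        window.append(ts)
        # Drop events that fall outside the timeframe ending at `ts`.
        # The newest event is always in the window, so this terminates.
        while ts - window[0] >= timeframe:
            window.popleft()
        if len(window) >= num_events:
            matches.append(ts)
            window.clear()
    return matches


def parse(times, day="2017-12-01"):
    """Turn HH:MM:SS strings into datetimes on a fixed (constructed) day."""
    return [datetime.strptime(day + " " + t, "%Y-%m-%d %H:%M:%S") for t in times]


# Constructed sample data: write times of documents in api3_error*.
BURST = parse(["18:00:05", "18:00:20", "18:00:50", "18:01:10"])   # 3 within 60 s
SPREAD = parse(["18:00:00", "18:00:40", "18:01:20", "18:02:00"])  # never 3 within 60 s

if __name__ == "__main__":
    for name, sample in (("burst", BURST), ("spread", SPREAD)):
        hits = frequency_matches(sample)
        print(name, [h.strftime("%H:%M:%S") for h in hits] or "no alert")
```

Four hits spread evenly over two minutes do not cross the threshold in this model, while three hits inside one minute do.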



  • Original article: https://www.cnblogs.com/chadiandianwenrou/p/7943933.html