ElastAlert setup

ElastAlert setup procedure

Set up a Python 3.6 environment on the server

  • Build from source
# wget http://mirrors.sohu.com/python/3.6.0/Python-3.6.0.tgz
## The tarball comes from a mirror over plain HTTP: check it against the signature published on python.org before building it

## Install the build dependencies
# yum install zlib-devel bzip2-devel openssl-devel ncurses-devel sqlite-devel readline-devel tk-devel gcc make

## Build and install
# tar -zxvf  Python-3.6.0.tgz
# cd Python-3.6.0
# ./configure --prefix=/usr/local/python36      ## install under /usr/local/python36
# make && make install
  • Install with yum
## Add the EPEL and IUS repositories
# yum install epel-release -y
# yum install https://centos7.iuscommunity.org/ius-release.rpm -y

## Install Python 3.6
# yum install python36u -y
# yum install python36u-devel -y

## Create the python3 symlink
# ln -s /bin/python3.6 /bin/python3

## Install pip3
# yum install python36u-pip -y

## Create the pip3 symlink
# ln -s /bin/pip3.6 /bin/pip3

Installing modules on a host without internet access

  • Use the build-from-source steps above to install the same Python on both the internal host and a VM you control that has internet access, so that wheels downloaded on the VM match the interpreter on the host

  • Download the modules on the VM

## Download individual packages
## pip3 download package_name -d /path/file/ -i https://pypi.tuna.tsinghua.edu.cn/simple/
# pip3 download xlwt pymysql -d ./pip_package/ -i https://pypi.tuna.tsinghua.edu.cn/simple/

## Download the packages listed in requirements.txt
## pip3 download -r requirements.txt -d /path/file/ -i https://pypi.tuna.tsinghua.edu.cn/simple/
# pip3 download -r requirements.txt -d ./pip_package/ -i https://pypi.tuna.tsinghua.edu.cn/simple/
  • Install the modules on the internal host
## Install a single package
## pip3 install file:///path/filename
# pip3 install file:///tmp/pip_package/xlwt-1.3.0-py2.py3-none-any.whl

## Install the packages downloaded from requirements.txt
# pip3 install --no-index --find-links=/tmp/pip_package/ -r /data/filename/requirements.txt
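The offline procedure above copies package files by hand from the VM to the internal host, and nothing on the host checks that what arrives is what was downloaded. The script below is an added example (not from the original post and not part of pip) that closes that gap: run it on the VM over the directory that pip3 download filled, copy its output next to the packages, and install on the internal host with pip3 install --no-index --find-links=/tmp/pip_package/ --require-hashes -r requirements.txt. In hash-checking mode pip rejects any wheel or sdist whose SHA-256 differs from the recorded one, and because pip3 download also fetched every dependency, every file in the directory ends up pinned, which --require-hashes demands. The file names and contents that make_sample_dir() creates are constructed stand-ins, not real releases.

```python
#!/usr/bin/env python3
"""Produce a hash-pinned requirements file for an offline pip install.

Added example for this page, not from the original post or from pip itself.
The sample download directory built by make_sample_dir() holds placeholder
bytes under realistic file names; it is constructed test data only.
"""
import hashlib
import os
import re
import sys
import tempfile

# Wheel filename: {distribution}-{version}(-{build})?-{python}-{abi}-{platform}.whl
WHEEL_RE = re.compile(r"^(?P<name>[^-]+)-(?P<version>[^-]+)(-\d[^-]*)?-[^-]+-[^-]+-[^-]+\.whl$")
# Source distribution: {distribution}-{version}.tar.gz or .zip
SDIST_RE = re.compile(r"^(?P<name>.+?)-(?P<version>\d[^-]*)\.(tar\.gz|zip)$")


def parse_filename(filename):
    """Return (normalised name, version) for a wheel/sdist filename, else None."""
    m = WHEEL_RE.match(filename) or SDIST_RE.match(filename)
    if not m:
        return None
    # PEP 503 normalisation: fold runs of '-', '_', '.' to '-' and lower-case
    name = re.sub(r"[-_.]+", "-", m.group("name")).lower()
    return name, m.group("version")


def sha256_of(path):
    """Hex SHA-256 of a file, read in chunks so large wheels do not sit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def pinned_requirements(package_dir):
    """One line per name==version, carrying a --hash option for every file that
    provides it (a wheel plus an sdist give two hashes; pip accepts any one of
    them). Files that are not wheels or sdists are ignored."""
    digests = {}
    for fn in sorted(os.listdir(package_dir)):
        parsed = parse_filename(fn)
        if parsed is None:
            continue
        digests.setdefault(parsed, []).append(sha256_of(os.path.join(package_dir, fn)))
    return ["%s==%s %s" % (name, version, " ".join("--hash=sha256:" + d for d in ds))
            for (name, version), ds in sorted(digests.items())]


def make_sample_dir():
    """Constructed download directory: two wheels, one sdist and one stray file.
    The contents are placeholder bytes, not real packages."""
    d = tempfile.mkdtemp(prefix="pip_package_")
    samples = {
        "xlwt-1.3.0-py2.py3-none-any.whl": b"fake xlwt wheel",
        "PyMySQL-0.9.3-py2.py3-none-any.whl": b"fake pymysql wheel",
        "PyMySQL-0.9.3.tar.gz": b"fake pymysql sdist",
        "README.txt": b"not a package",
    }
    for fn, body in samples.items():
        with open(os.path.join(d, fn), "wb") as f:
            f.write(body)
    return d


if __name__ == "__main__":
    # Usage: pin_requirements.py /path/to/pip_package > requirements.txt
    target = sys.argv[1] if len(sys.argv) > 1 else make_sample_dir()
    print("\n".join(pinned_requirements(target)))
```

The name normalisation matters because pip matches the requirement name against the distribution name case-insensitively with '-', '_' and '.' treated alike; without it a wheel named PyMySQL-… would not be paired with the pymysql line.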

Download and install ElastAlert

Get the source from https://github.com/Yelp/elastalert

# cd /opt/
# git clone https://github.com/Yelp/elastalert.git
# cd elastalert/
# python3 ./setup.py install --dry-run  ## check whether the install would succeed before changing anything
# python3 ./setup.py install

Configuring ElastAlert

  • Configure config.yaml
# cp config.yaml.example config.yaml
# vim config.yaml
----------------------------------------------
rules_folder: /opt/elastalert/rules
run_every:
  seconds: 60
buffer_time:
  minutes: 3
es_host: 172.16.1.1
es_port: 9200
writeback_index: elastalert_status
writeback_alias: elastalert_alerts
alert_time_limit:
  days: 2
As written this talks to Elasticsearch over plain HTTP with no credentials; if the cluster has security enabled, also set use_ssl, verify_certs, es_username and es_password (all present, commented out, in config.yaml.example).
  • Configure a rule
# mkdir rules
# cp example_rules/example_frequency.yaml /opt/elastalert/rules/frequency.yaml
# vim /opt/elastalert/rules/frequency.yaml
-------------------------------------------------------------
name: API not 200
index: sg-access-*
type: frequency
num_events: 20
timeframe:
  minutes: 1
filter:
- query:
    query_string:
      query: "NOT statusCode: 200"
- query:
    query_string:
      query: "NOT statusCode: 302"
- query:
    query_string:
      query: "NOT directBackServer: 127.0.0.1"

alert:
  - command

command: ["python3", "/opt/elastalert/weixin.py", "Production alert:", "High rate of status {statusCode} on endpoint {orgPathName}!", "Service IP: {directBackServer}; service port: {port}"]

The three filter entries are ANDed, so a match is an event whose statusCode is neither 200 nor 302 and whose directBackServer is not 127.0.0.1. Keep command in list form as above: ElastAlert then runs it without a shell, whereas a single string is executed through the shell, and log fields substituted into it become a shell-injection path.
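To check the rule's thresholds before pointing it at live data, here is an added example that is not ElastAlert's code and does not touch Elasticsearch: a plain-Python model of the frequency rule above, run over constructed access-log events. It applies the three filters with AND, fires once when num_events matching events fall inside timeframe, clears the window after firing (a simplification of the real rule, which also does not re-fire on the same events), and fills the command's {field} placeholders from the triggering event, with a placeholder string for fields the event lacks. Field names are the ones the rule uses; the events, timestamps and IP addresses are made up.

```python
#!/usr/bin/env python3
"""Simplified model of the 'API not 200' frequency rule, for offline checking.

Added example for this page; it is not ElastAlert's implementation. The events
returned by sample_events() are constructed, not real logs.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

NUM_EVENTS = 20
TIMEFRAME = timedelta(minutes=1)

# The rule's command template (message text translated), argv list form.
COMMAND = ["python3", "/opt/elastalert/weixin.py",
           "Production alert:",
           "High rate of status {statusCode} on endpoint {orgPathName}!",
           "Service IP: {directBackServer}; service port: {port}"]


def matches_filter(event):
    """The rule's three query_string filters, ANDed. statusCode is compared as a
    string so numeric and string-typed log fields behave the same way."""
    return (str(event.get("statusCode")) not in ("200", "302")
            and event.get("directBackServer") != "127.0.0.1")


def frequency_alerts(events, num_events=NUM_EVENTS, timeframe=TIMEFRAME):
    """Return the triggering event each time num_events matching events fall
    within timeframe. The window is cleared after an alert, so a sustained
    burst yields one alert per num_events events rather than one per event."""
    window = deque()
    alerts = []
    for ev in sorted(events, key=lambda e: e["@timestamp"]):
        if not matches_filter(ev):
            continue
        window.append(ev)
        # drop events that have fallen out of the sliding window
        while ev["@timestamp"] - window[0]["@timestamp"] > timeframe:
            window.popleft()
        if len(window) >= num_events:
            alerts.append(ev)
            window.clear()
    return alerts


def format_command(match, command=COMMAND):
    """Fill {field} placeholders from the match. Unknown fields become
    '<MISSING VALUE>' instead of raising, so a slightly different log schema
    still produces an alert. The result stays an argv list, never a shell string."""
    fields = defaultdict(lambda: "<MISSING VALUE>", match)
    return [arg.format_map(fields) for arg in command]


def sample_events():
    """Constructed access-log events: a burst of 25 HTTP 500s on one endpoint
    within 40 seconds, plus noise that the filter must ignore."""
    t0 = datetime(2020, 6, 12, 10, 0, 0)
    events = []
    for i in range(25):                       # the burst that should alert
        events.append({"@timestamp": t0 + timedelta(seconds=i * 1.6),
                       "statusCode": 500, "orgPathName": "/api/order",
                       "directBackServer": "172.16.1.21", "port": 8080})
    for i in range(30):                       # healthy traffic: not a match
        events.append({"@timestamp": t0 + timedelta(seconds=i),
                       "statusCode": 200, "orgPathName": "/api/order",
                       "directBackServer": "172.16.1.21", "port": 8080})
    for i in range(30):                       # failing local health checks: excluded
        events.append({"@timestamp": t0 + timedelta(seconds=i),
                       "statusCode": 503, "orgPathName": "/health",
                       "directBackServer": "127.0.0.1", "port": 8080})
    return events


if __name__ == "__main__":
    for match in frequency_alerts(sample_events()):
        print(format_command(match))
```

Running it prints one command line, built from the twentieth matching 500 in the burst; the 60 noise events never enter the window. Changing num_events or the burst spacing shows directly how many alerts a given traffic pattern would produce.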

For other configuration options see the official docs: https://elastalert.readthedocs.io/en/latest/

Writing the alert script

#!/usr/bin/env python3
# -*- coding: utf-8 -*-
"""Send an ElastAlert notification to enterprise WeChat.

Invoked by the command alerter as: weixin.py <subject> <content> <server>
Two delivery paths are kept: an app message via gettoken + message/send,
and a group-robot webhook (the one enabled at the bottom).
"""

import json
import sys
import urllib.error
import urllib.parse
import urllib.request

# Enterprise WeChat credentials: placeholders, fill in your own. Keep this file
# readable only by the ElastAlert user; the secret must not reach elastalert.log.
CORPID = 'XXXXXXXXXXXXXXXXXXXXXXXX'                              # enterprise ID
CORPSECRET = 'YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY'   # app/admin secret
WEBHOOK_KEY = 'ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ'               # group robot key


def post_json(url, payload):
    """POST a JSON body and return the decoded JSON reply; exit on HTTP errors."""
    data = json.dumps(payload, ensure_ascii=False).encode('utf-8')
    req = urllib.request.Request(url, data, {'Content-Type': 'application/json'})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return json.loads(resp.read().decode('utf-8'))
    except urllib.error.HTTPError as e:
        print(e.code)
        print(e.read().decode('utf-8'))
        sys.exit(1)


def gettoken(corpid, corpsecret):
    """Fetch an access_token for the app-message API."""
    query = urllib.parse.urlencode({'corpid': corpid, 'corpsecret': corpsecret})
    gettoken_url = 'https://qyapi.weixin.qq.com/cgi-bin/gettoken?' + query
    # Never print gettoken_url: it carries the secret and would land in the log.
    try:
        with urllib.request.urlopen(gettoken_url, timeout=10) as resp:
            token_json = json.loads(resp.read().decode('utf-8'))
    except urllib.error.HTTPError as e:
        print(e.code)
        print(e.read().decode('utf-8'))
        sys.exit(1)
    if token_json.get('errcode', 0) != 0:
        print('gettoken failed: %s' % token_json.get('errmsg'))
        sys.exit(1)
    return token_json['access_token']


def senddata(access_token, subject, content, server):
    """Send a text message through the enterprise app (message/send)."""
    send_url = 'https://qyapi.weixin.qq.com/cgi-bin/message/send?access_token=' + access_token
    send_values = {
        "touser": "@all",          # recipient user IDs in the enterprise account; "@all" = everyone.
        "toparty": "ID",           # department ID; used when the user list does not resolve.
        "msgtype": "text",         # message type.
        "agentid": "1000001",      # application ID in the enterprise account.
        "text": {
            "content": subject + '\n\n' + content + '\n' + server
        },
        "safe": "0",
    }
    response = post_json(send_url, send_values)
    print(str(response))


def senddata_report(subject, content, server):
    """Send a text message through a group-robot webhook."""
    send_url = 'https://qyapi.weixin.qq.com/cgi-bin/webhook/send?key=' + WEBHOOK_KEY
    send_values = {
        "msgtype": "text",
        "text": {
            "content": subject + '\n\n' + content + '\n' + server
        }
    }
    response = post_json(send_url, send_values)
    print(str(response))


if __name__ == '__main__':
    try:
        subject = str(sys.argv[1])
        content = str(sys.argv[2])
        server = str(sys.argv[3])
    except IndexError:
        print('3 arguments are required: subject content server')
        sys.exit(2)
    else:
        # App-message path (needs CORPID/CORPSECRET); disabled, the webhook is used instead:
        # senddata(gettoken(CORPID, CORPSECRET), subject, content, server)
        senddata_report(subject, content, server)

Starting the service

  • Create the writeback index in ES (the elastalert_status index named in config.yaml)
# elastalert-create-index --config /opt/elastalert/config.yaml
  • Before starting, check that the rule configuration is valid
# elastalert-test-rule --config /opt/elastalert/config.yaml  /opt/elastalert/rules/frequency.yaml
  • Before starting, check that alerting works (this really sends the alert)
# elastalert-test-rule --config /opt/elastalert/config.yaml  /opt/elastalert/rules/frequency.yaml --alert
  • Start the service in the background
# nohup python3 -m elastalert.elastalert  --config /opt/elastalert/config.yaml --rule /opt/elastalert/rules/frequency.yaml >> /opt/elastalert/elastalert.log 2>&1 &
With --rule only that one rule is loaded; leave it out to run every rule in rules_folder.
Original post: https://www.cnblogs.com/evescn/p/13098343.html