  • python3.6-Yelp/elastalert0.2.1-elk7.2.0邮件加企业微信告警

    0.修改时区(前提条件已经安装好elk7.2)

    # Set the host time zone to Asia/Shanghai so ElastAlert's query windows and
    # alert timestamps line up with the (already installed) ELK 7.2 stack.
    tz=Asia/Shanghai
    # Remove whatever /etc/localtime currently is (regular file or symlink)
    # before copying, so cp does not write through an existing symlink into
    # /usr/share/zoneinfo.
    rm -f -- /etc/localtime
    cp -- "/usr/share/zoneinfo/${tz}" /etc/localtime
    # Also record the zone with systemd so both views of the setting agree.
    timedatectl set-timezone "${tz}"

    1.升级python

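    # Build dependencies for CPython (needed for the ssl, sqlite3, readline, ...
    # extension modules that ElastAlert's dependencies rely on).
    yum -y install zlib-devel bzip2-devel openssl-devel ncurses-devel sqlite-devel readline-devel tk-devel gdbm-devel db4-devel libpcap-devel xz-devel

    # Download and build CPython 3.6.9 into its own prefix so the system
    # interpreter is left untouched.
    py_ver=3.6.9
    py_prefix=/usr/local/python3
    mkdir -p -- "${py_prefix}"
    wget "https://www.python.org/ftp/python/${py_ver}/Python-${py_ver}.tgz"
    # Verify the release signature before building anything from the tarball.
    # The release manager's public key (listed on python.org/downloads) must be
    # imported first; do not continue unless gpg reports "Good signature".
    wget "https://www.python.org/ftp/python/${py_ver}/Python-${py_ver}.tgz.asc"
    gpg --verify "Python-${py_ver}.tgz.asc" "Python-${py_ver}.tgz"
    tar xf "Python-${py_ver}.tgz"
    cd "Python-${py_ver}"
    ./configure --prefix="${py_prefix}"
    make && make install
    # With --prefix=/usr/local/python3 the interpreter is installed directly as
    # ${py_prefix}/bin/python3.6; the earlier symlink target
    # (bin/python-3.6.9/bin/python3.6) does not exist and produced a dangling link.
    ln -s "${py_prefix}/bin/python3.6" /usr/bin/python3
    ln -s "${py_prefix}/bin/pip3" /usr/bin/pip3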

    2.安装virtualenv虚拟环境

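    pip3 install virtualenv
    # Directory that will hold the isolated interpreter for ElastAlert 0.2.1.
    venv_dir=/usr/local/venv_py3.6_elastalert-0.2.1
    mkdir -p -- "${venv_dir}"

    # Fetch ElastAlert. Check out the release this guide targets (v0.2.1)
    # rather than whatever master currently holds, so the install is
    # reproducible and later upstream changes cannot slip in unreviewed.
    cd /usr/local && git clone --branch v0.2.1 https://github.com/Yelp/elastalert.git
    cd /usr/local/elastalert

    # Create a clean virtualenv on the freshly built interpreter. Virtualenv has
    # excluded the system site-packages by default for years, and virtualenv 20
    # removed the --no-site-packages flag altogether, so the flag is dropped
    # rather than let an unpinned `pip3 install virtualenv` break this step.
    /usr/local/python3/bin/virtualenv --python=/usr/local/python3/bin/python3.6 "${venv_dir}"
    # Activate it; the prompt gains a "(venv_py3.6_elastalert-0.2.1)" prefix.
    source "${venv_dir}/bin/activate"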

    3.在虚拟的python3.6环境中安装elastalert

    # Run the following inside the activated virtualenv, from the clone directory.
    cd /usr/local/elastalert
    # Install the pinned requirements first. The index is named explicitly
    # because, per the author, resolving them through the default index
    # (presumably a local mirror) failed.
    pip install -r requirements.txt -i https://pypi.python.org/simple
    # Install ElastAlert itself; without this the elastalert-create-index
    # console script is not available.
    python setup.py install
    # Create the writeback index/alias in Elasticsearch (prompts interactively).
    elastalert-create-index

    4.elastalert的主配置

    [root@rbtnode1 elastalert]# cat config.yaml
    # ElastAlert main configuration (config.yaml).
    # Elasticsearch endpoint ElastAlert queries and writes its state to.
    es_host: 192.168.1.156
    es_port: 9200
    # NOTE(review): no use_ssl / es_username / es_password here, so ElastAlert
    # talks plain HTTP with no credentials -- acceptable only if the cluster is
    # reachable solely from a trusted network; confirm before relying on it.
    # Directory scanned for rule files.
    rules_folder: example_rules
    # Evaluation cadence and how far back each evaluation looks (presumably the
    # window queried on every run; verify against the ElastAlert docs).
    run_every:
      minutes: 1
    buffer_time:
      minutes: 15
    # Index and alias created by elastalert-create-index for ElastAlert's own
    # state and alert history.
    writeback_index: elastalert_status
    writeback_alias: elastalert_alerts
    # Presumably how long a failed alert keeps being retried; verify.
    alert_time_limit:
      days: 2

    5.用邮箱发告警的规则

    [root@rbtnode1 example_rules]# cat my_rule.yaml|egrep -v '^#'
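    # Email alert rule (example_rules/my_rule.yaml). The original listing had
    # `minutes: 1` at the same level as `timeframe:` (leaving timeframe empty)
    # and the remaining keys collapsed onto one line; this is the intended tree.
    es_host: 192.168.1.156
    es_port: 9200
    name: eus-log-elasticsearch-cluster-alert
    # Fire when num_events matching documents arrive within timeframe.
    type: frequency
    index: syslog*
    num_events: 5
    timeframe:
      # hours: use for a window measured in hours
      minutes: 1

    filter:
    - query_string:
        query: "message: hello"

    # Outbound mail. NOTE(review): port 25 is plaintext, so the credential in
    # smtp_auth.yaml crosses the network unencrypted; ElastAlert's email alerter
    # supports `smtp_ssl: true` (163.com offers an SSL SMTP port) -- confirm and
    # prefer that.
    smtp_host: smtp.163.com
    smtp_port: 25
    # Credentials live in a separate file so the rule itself carries no secret.
    smtp_auth_file: /opt/elastalert/smtp_auth.yaml
    email_reply_to: linux1634@163.com
    from_addr: linux1634@163.com
    alert:
    - "email"
    email:
    - "linux163@163.com"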

    邮箱账户密码:

    [root@rbtnode1 example_rules]# cat /opt/elastalert/smtp_auth.yaml        
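    user: "linux1634@163.com"
    # For 163.com this is the SMTP authorization code (授权码), not the mailbox
    # login password. The annotation has to be a comment: text following a
    # quoted scalar on the same line is a YAML syntax error.
    password: "hahahhahaha"
    # This file holds a credential: keep it readable only by the user running
    # ElastAlert (e.g. chmod 600) and out of version control.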
    参考:https://www.cnblogs.com/reblue520/p/11539956.html 

    7.用企业微信告警
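    # Drop the third-party WeChat Work alerter into ElastAlert's modules dir.
    cd /usr/local/elastalert/elastalert_modules/
    # This downloads executable code from a moving branch that ElastAlert then
    # runs as root. Review the file before enabling the rule, and record the
    # checksum so a changed upstream is noticed on the next reinstall.
    wget -O wechat_qiye_alert.py https://raw.githubusercontent.com/anjia0532/elastalert-wechat-plugin/master/elastalert_modules/wechat_qiye_alert.py
    sha256sum wechat_qiye_alert.py
    # Make elastalert_modules importable as a package.
    touch __init__.py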
    修改 wechat_qiye_alert.py（行号以撰写时的插件版本为准）：
    第 3 行增加：from MyEncoder import MyEncoder
    第 126 行改为（修改后）：
    response = requests.post(send_url, data=json.dumps(payload, cls=MyEncoder, indent=4, ensure_ascii=False), headers=headers)
    注意：ensure_ascii=False 会使 data 成为含非 ASCII 字符的 str；如果发送中文时遇到 http.client 抛出的 UnicodeEncodeError，可将该 str 先 .encode('utf-8') 再传给 requests。

    8.添加一个类,处理因python2,python3不兼容导致的:TypeError: Object of type 'bytes' is not JSON serializable

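    # MyEncoder.py must be importable by the plugin, so create it on the
    # virtualenv's sys.path (the path below was split across two lines before
    # and would not paste correctly).
    cd /usr/local/venv_py3.6_elastalert-0.2.1/lib/python3.6/site-packages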
    (venv_py3.6_elastalert-0.2.1) [root@rbtnode1 site-packages]# cat MyEncoder.py
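    import json


    class MyEncoder(json.JSONEncoder):
        """JSON encoder that decodes byte strings as UTF-8 text.

        On Python 3, ``json.dumps`` raises ``TypeError: Object of type 'bytes'
        is not JSON serializable`` for byte strings that the WeChat plugin
        (presumably written for Python 2) still produces in its payload; this
        encoder turns them into ``str`` so the payload can be sent.
        """

        def default(self, obj):
            """Return a JSON-serialisable form of ``obj``.

            ``bytes`` and ``bytearray`` are decoded as UTF-8 (an invalid byte
            sequence raises ``UnicodeDecodeError``, exactly as
            ``str(obj, encoding='utf-8')`` would). Anything else is delegated to
            the base class, which raises ``TypeError`` as usual.
            """
            if isinstance(obj, (bytes, bytearray)):
                return bytes(obj).decode("utf-8")
            return super().default(obj)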

    # Belt-and-braces copies onto the venv's other lib directories; the copy in
    # site-packages should already make MyEncoder importable on its own.
    venv_lib=/usr/local/venv_py3.6_elastalert-0.2.1/lib
    cp -- MyEncoder.py "${venv_lib}/"
    cp -- MyEncoder.py "${venv_lib}/python3.6/"

    9.企业微信告警规则

    (venv_py3.6_elastalert-0.2.1) [root@rbtnode1 example_rules]# cat my_rule.yaml|egrep -v '^$'
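    # WeChat Work (企业微信) alert rule (example_rules/my_rule.yaml).
    es_host: 192.168.1.156
    es_port: 9200
    name: "eus-log-elasticsearch-cluster-alert"
    # Plain HTTP to Elasticsearch. If the cluster has security enabled, set this
    # to True and supply ElastAlert's es_username / es_password (and
    # verify_certs) instead of sending queries in the clear.
    use_ssl: False
    type: frequency
    index: syslog*
    # A single matching document within the window triggers the alert.
    num_events: 1
    timeframe:
      hours: 4
    filter:
    - query_string:
        query: "message: hello"
    alert:
    - "elastalert_modules.wechat_qiye_alert.WeChatAlerter"
    # Fields interpolated into the alert text.
    alert_text_args:
      - message
    # WeChat Work application credentials. The secret presumably lets anyone
    # holding it message every member the app can reach, so keep this file
    # readable only by the ElastAlert user and never paste it into a post or
    # repository; a secret that has already been published must be regenerated
    # in the WeChat Work console. The published value is redacted here.
    corp_id: "wwwdbe2b483965af612"
    secret: "<corp-secret>"
    agent_id: 1000003
    party_id: "1"
    # "@all" presumably broadcasts to every member visible to the app; verify
    # this is intended before enabling the rule.
    user_id: "@all"
    #tag_id: ""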

     参考:

    https://blog.csdn.net/xiaohuo0930/article/details/90373181

    https://anjia0532.github.io/2017/02/16/elastalert-wechat-plugin/

    https://github.com/anjia0532/elastalert-wechat-plugin

    https://github.com/anjia0532/elastalert-wechat-plugin/issues/2

    http://www.appblog.cn/2019/11/23/ELK%207.x%20--%20elastalert%20%E4%BC%81%E4%B8%9A%E5%BE%AE%E4%BF%A1%E5%91%8A%E8%AD%A6/

     





