Introduction
I recently wanted to set up a temporary alerting system on top of ELK; this post covers installing and using elastalert.
Installation
Following the official installation instructions:
git clone https://github.com/bitsensor/elastalert.git; cd elastalert
docker run -d -p 3030:3030 \
-v `pwd`/config/elastalert.yaml:/opt/elastalert/config.yaml \
-v `pwd`/config/elastalert-test.yaml:/opt/elastalert/config-test.yaml \
-v `pwd`/config/config.json:/opt/elastalert-server/config/config.json \
-v `pwd`/rules:/opt/elastalert/rules \
-v `pwd`/rule_templates:/opt/elastalert/rule_templates \
--name elastalert bitsensor/elastalert:latest
Before running docker run, I changed the es_host setting in elastalert.yaml and config.json (the default is localhost).
Rules
Following the official rule documentation, add a test.yaml rule in the rules directory, as shown below:
# Rule name, must be unique
name: web request status
# Type of alert.
#type: spike
type: frequency
# num_events must occur within this amount of time to trigger an alert
# If more than 20 matching events are found within 5 minutes, an alert is triggered
timeframe:
  minutes: 5
num_events: 20
# Index to search, wildcard supported
# Index and timestamp field
index: edu.pd.log.access-*
timestamp_field: "@timestamp"
# Match condition
filter:
- query:
    query_string:
      query: "response_status: 200"
#- query:
#    term:
#      response_status:
#        value: 200
# Email subject
alert_subject: "Surge in attacks on {}"
alert_subject_args:
- http_host
# Email body
alert_text_type: alert_text_only
alert_text: "Surge in attacks on {}"
alert_text_args:
- host
# The alert is used when a match is found
alert:
- "email"
email:
- "290557551@qq.com"
smtp_host: smtp.qq.com
smtp_port: 465
smtp_ssl: true
smtp_auth_file: /opt/elastalert/rule_templates/email_auth.yaml
from_addr: 290557551@qq.com
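A small lint pass over the rule above, added here as an example and not part of the post or of elastalert itself: it flags missing required keys for a frequency rule, misspelled keys (the kind of slip, such as smtp_ort for smtp_port, that a loose loader would silently ignore and fall back to defaults), and {} placeholders in alert_subject/alert_text that have no matching *_args entry. The rule is a constructed Python dict mirroring test.yaml, and KNOWN_KEYS is a hand-picked subset of the elastalert schema assumed for this check.

```python
import difflib

# Rule keys used by the frequency rule and email alerter in this post
# (a hand-picked subset of elastalert's schema, assumed for this check).
KNOWN_KEYS = {
    "name", "type", "index", "timestamp_field", "timeframe", "num_events",
    "filter", "alert", "email", "smtp_host", "smtp_port", "smtp_ssl",
    "smtp_auth_file", "from_addr", "alert_subject", "alert_subject_args",
    "alert_text", "alert_text_type", "alert_text_args",
}
REQUIRED = {"name", "type", "index", "filter", "alert"}
REQUIRED_BY_TYPE = {"frequency": {"num_events", "timeframe"}}

def lint_rule(rule):
    """Return a list of problems in a rule dict; an empty list means clean."""
    problems = []
    for key in sorted(REQUIRED | REQUIRED_BY_TYPE.get(rule.get("type"), set())):
        if key not in rule:
            problems.append(f"missing required key: {key}")
    for key in rule:
        if key not in KNOWN_KEYS:  # a loose loader ignores these silently
            guess = difflib.get_close_matches(key, KNOWN_KEYS, n=1, cutoff=0.85)
            hint = f" (did you mean {guess[0]}?)" if guess else ""
            problems.append(f"unknown key: {key}{hint}")
    # Every {} placeholder in subject/text needs a matching *_args entry.
    for text_key, args_key in (("alert_subject", "alert_subject_args"),
                               ("alert_text", "alert_text_args")):
        if rule.get(text_key, "").count("{}") != len(rule.get(args_key, [])):
            problems.append(f"{text_key} placeholders do not match {args_key}")
    return problems

# Constructed rule dict mirroring the post's test.yaml, typo included.
RULE = {
    "name": "web request status", "type": "frequency",
    "timeframe": {"minutes": 5}, "num_events": 20,
    "index": "edu.pd.log.access-*", "timestamp_field": "@timestamp",
    "filter": [{"query": {"query_string": {"query": "response_status: 200"}}}],
    "alert_subject": "Surge in attacks on {}", "alert_subject_args": ["http_host"],
    "alert_text_type": "alert_text_only",
    "alert_text": "Surge in attacks on {}", "alert_text_args": ["host"],
    "alert": ["email"], "email": ["alerts@example.com"],  # placeholder address
    "smtp_host": "smtp.qq.com", "smtp_ort": 465, "smtp_ssl": True,
    "smtp_auth_file": "/opt/elastalert/rule_templates/email_auth.yaml",
    "from_addr": "alerts@example.com",
}

if __name__ == "__main__":
    print("\n".join(lint_rule(RULE)) or "rule looks clean")
```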
API
View version information
View the loaded rules
View a specific rule
Rules can also be added, deleted and modified dynamically through the API.
ELK
elastalert writes its own logs to the elastalert_status index in ES.
Create an elastalert index pattern in Kibana to browse this information graphically.
Email
Once the alert email is received successfully, the configuration can be adjusted to enrich the email content.
References
elastalert installation documentation
elastalert API documentation
elastalert official documentation
elastalert rule documentation