ElastAlert

   ElastAlert 是 Yelp 公司开源的一套用 Python2.6 写的报警框架。属于后来 Elastic.co 公司出品的 Watcher 同类产品。官网地址见:http://elastalert.readthedocs.org/

   当我们把ELK搭建好后,也顺利的收集到日志了,但是日志里发生了什么事,我们并不能第一时间知道日志里到底发生了什么,运维需要第一时间知道日志发生了什么事,所以就有了ElastAlert的邮件报警,如下是详细操作

环境

Centos 7.0

elasticsearch 5.2.2

logstash 5.2.2

kibana 5.2.2

依赖

参见 http://elastalert.readthedocs.io/en/latest/running_elastalert.html#requirements

  • Elasticsearch

  • ISO8601 or Unix timestamped data

  • Python 2.6 or 2.7

  • pip, see requirements.txt

1,下载最新elastalert并安装模块

# yum install python-setuptools

# git clone https://github.com/Yelp/elastalert.git

# cd elastalert

# pip install -U setuptools

# python setup.py install

# pip install -r requirements.txt  

2,设置配置文件和规则Rule

[root@localhost ~]# cd /usr/local/elastalert/

[root@localhost elastalert]# cp config.yaml.example config.yaml

[root@localhost elastalert]# vim config.yaml

# This is the folder that contains the rule yaml files

# Any .yaml file will be loaded as a rule

rules_folder: es_rules

# How often ElastAlert will query Elasticsearch

# The unit can be anything from weeks to seconds

run_every:

  minutes: 1

# ElastAlert will buffer results from the most recent

# period of time, in case some log sources are not in real time

buffer_time:

  minutes: 15

# The Elasticsearch hostname for metadata writeback

# Note that every rule can have its own Elasticsearch host

es_host: 192.168.0.33

# The Elasticsearch port

es_port: 9200

# The AWS region to use. Set this when using AWS-managed elasticsearch

#aws_region: us-east-1

# The AWS profile to use. Use this if you are using an aws-cli profile.

# See http://docs.aws.amazon.com/cli/latest/userguide/cli-chap-getting-started.html

# for details

#profile: test

# Optional URL prefix for Elasticsearch

#es_url_prefix: elasticsearch

# Connect with TLS to Elasticsearch

#use_ssl: True

# Verify TLS certificates

#verify_certs: True

# GET request with body is the default option for Elasticsearch.

# If it fails for some reason, you can pass 'GET', 'POST' or 'source'.

# See http://elasticsearch-py.readthedocs.io/en/master/connection.html?highlight=send_get_body_as#transport

# for details

#es_send_get_body_as: GET

# Option basic-auth username and password for Elasticsearch

#es_username: someusername

#es_password: somepassword

# The index on es_host which is used for metadata storage

# This can be a unmapped index, but it is recommended that you run

# elastalert-create-index to set a mapping

writeback_index: elastalert_status

# If an alert fails for some reason, ElastAlert will retry

# sending the alert until this time period has elapsed

alert_time_limit:

  days: 2

 

3,发送邮件的邮箱设置

[root@localhost elastalert]# vim example_rules/smtp_auth_file.yaml 

user: [email protected]

password: xxx

4,配置规则

 [root@iZ6232hr6ksZ elastalert]# vim example_rules/example_frequency.yaml

 # Alert when the rate of events exceeds a threshold

# (Optional)

# Elasticsearch host

# es_host: elasticsearch.example.com

# (Optional)

# Elasticsearch port

# es_port: 14900

# (OptionaL) Connect with SSL to Elasticsearch

#use_ssl: True

# (Optional) basic-auth username and password for Elasticsearch

#es_username: someusername

#es_password: somepassword

# (Required)

# Rule name, must be unique

name: Example rule

# (Required)

# Type of alert.

# the frequency rule type alerts when num_events events occur with timeframe time

type: frequency

# (Required)

# Index to search, wildcard supported

index: logstash-*

# (Required, frequency specific)

# Alert when this many documents matching the query occur within a timeframe

#限定时间内,发生事件次数

num_events: 1

# (Required, frequency specific)

# num_events must occur within this amount of time to trigger an alert

#限定时间刻度

timeframe:

 # hours: 4

 #1分钟

  minutes: 1

# (Required)

# A list of Elasticsearch filters used for find events

# These filters are joined with AND and nested in a filtered query

# For more info: http://www.elasticsearch.org/guide/en/elasticsearch/reference/current/query-dsl.html

filter:

#这条是发现日志中有ERROR的字段,就发邮件报警,这段很重要,如果写错了就会报错

- query:

    match:

      message:

        query: "ERROR"  

#SMTP协议的邮件服务器相关配置

smtp_host: smtp.exmail.qq.com

smtp_prot: 25

#用户认证文件,需要user和password两个属性

smtp_auth_file: /usr/local/elastalert/example_rules/smtp_auth_file.yaml

#回复给那个邮箱

email_reply_to: [email protected]

#从哪个邮箱发送

from_addr: [email protected]

# (Required)

# The alert is use when a match is found

alert:

- "email"

# (required, email specific)

# a list of email addresses to send alerts to

email:

#接收报警邮件的邮箱

- "[email protected]"

5,测试规则

[root@localhost elastalert]#nohup python -m elastalert.elastalert --verbose --rule example_rules/example_frequency.yaml

wKiom1jseHuyfkYCAAB7oelS_fg983.png-wh_50

6,检测邮件情况

Elasticsearch 基于ElastAlert发送邮件报警_第1张图片

邮件已收到 ,当日志中发现有ERROR都会发邮件报警!