ElastAlert
ElastAlert 是 Yelp 公司开源的一套用 Python2.6 写的报警框架。属于后来 Elastic.co 公司出品的 Watcher 同类产品。官网地址见:http://elastalert.readthedocs.org/。
当我们把ELK搭建好后,也顺利的收集到日志了,但是日志里发生了什么事,我们并不能第一时间知道日志里到底发生了什么,运维需要第一时间知道日志发生了什么事,所以就有了ElastAlert的邮件报警,如下是详细操作
环境
Centos 7.0
elasticsearch 5.2.2
logstash 5.2.2
kibana 5.2.2
依赖
参见 http://elastalert.readthedocs.io/en/latest/running_elastalert.html#requirements
Elasticsearch
ISO8601 or Unix timestamped data
Python 2.6 or 2.7
pip, see requirements.txt
1,下载最新elastalert并安装模块
# yum install python-setuptools
# git clone https://github.com/Yelp/elastalert.git
# cd elastalert
# pip install -U setuptools
# python setup.py install
# pip install -r requirements.txt
2,设置配置文件和规则Rule
[root@localhost ~]# cd /usr/local/elastalert/
[root@localhost elastalert]# cp config.yaml.example config.yaml
[root@localhost elastalert]# vim config.yaml
# This is the folder that contains the rule yaml files
# Any .yaml file will be loaded as a rule
rules_folder: es_rules
# How often ElastAlert will query Elasticsearch
# The unit can be anything from weeks to seconds
run_every:
minutes: 1
# ElastAlert will buffer results from the most recent
# period of time, in case some log sources are not in real time
buffer_time:
minutes: 15
# The Elasticsearch hostname for metadata writeback
# Note that every rule can have its own Elasticsearch host
es_host: 192.168.0.33
# The Elasticsearch port
es_port: 9200
# The AWS region to use. Set this when using AWS-managed elasticsearch
#aws_region: us-east-1
# The AWS profile to use. Use this if you are using an aws-cli profile.
# See http://docs.aws.amazon.com/cli/latest/userguide/cli-chap-getting-started.html
# for details
#profile: test
# Optional URL prefix for Elasticsearch
#es_url_prefix: elasticsearch
# Connect with TLS to Elasticsearch
#use_ssl: True
# Verify TLS certificates
#verify_certs: True
# GET request with body is the default option for Elasticsearch.
# If it fails for some reason, you can pass 'GET', 'POST' or 'source'.
# See http://elasticsearch-py.readthedocs.io/en/master/connection.html?highlight=send_get_body_as#transport
# for details
#es_send_get_body_as: GET
# Option basic-auth username and password for Elasticsearch
#es_username: someusername
#es_password: somepassword
# The index on es_host which is used for metadata storage
# This can be a unmapped index, but it is recommended that you run
# elastalert-create-index to set a mapping
writeback_index: elastalert_status
# If an alert fails for some reason, ElastAlert will retry
# sending the alert until this time period has elapsed
alert_time_limit:
days: 2
3,发送邮件的邮箱设置
[root@localhost elastalert]# vim example_rules/smtp_auth_file.yaml
user: [email protected]
password: xxx
4,配置规则
[root@iZ6232hr6ksZ elastalert]# vim example_rules/example_frequency.yaml
# Alert when the rate of events exceeds a threshold
# (Optional)
# Elasticsearch host
# es_host: elasticsearch.example.com
# (Optional)
# Elasticsearch port
# es_port: 14900
# (OptionaL) Connect with SSL to Elasticsearch
#use_ssl: True
# (Optional) basic-auth username and password for Elasticsearch
#es_username: someusername
#es_password: somepassword
# (Required)
# Rule name, must be unique
name: Example rule
# (Required)
# Type of alert.
# the frequency rule type alerts when num_events events occur with timeframe time
type: frequency
# (Required)
# Index to search, wildcard supported
index: logstash-*
# (Required, frequency specific)
# Alert when this many documents matching the query occur within a timeframe
#限定时间内,发生事件次数
num_events: 1
# (Required, frequency specific)
# num_events must occur within this amount of time to trigger an alert
#限定时间刻度
timeframe:
# hours: 4
#1分钟
minutes: 1
# (Required)
# A list of Elasticsearch filters used for find events
# These filters are joined with AND and nested in a filtered query
# For more info: http://www.elasticsearch.org/guide/en/elasticsearch/reference/current/query-dsl.html
filter:
#这条是发现日志中有ERROR的字段,就发邮件报警,这段很重要,如果写错了就会报错
- query:
match:
message:
query: "ERROR"
#SMTP协议的邮件服务器相关配置
smtp_host: smtp.exmail.qq.com
smtp_prot: 25
#用户认证文件,需要user和password两个属性
smtp_auth_file: /usr/local/elastalert/example_rules/smtp_auth_file.yaml
#回复给那个邮箱
email_reply_to: [email protected]
#从哪个邮箱发送
from_addr: [email protected]
# (Required)
# The alert is use when a match is found
alert:
- "email"
# (required, email specific)
# a list of email addresses to send alerts to
email:
#接收报警邮件的邮箱
5,测试规则
[root@localhost elastalert]#nohup python -m elastalert.elastalert --verbose --rule example_rules/example_frequency.yaml
6,检测邮件情况
邮件已收到 ,当日志中发现有ERROR都会发邮件报警!