python3.6-Yelp/elastalert0.2.1-elk7.2.0邮件加企业微信告警

0.修改时区(前提条件已经安装好elk7.2)

# Put the host on Asia/Shanghai: replace the zone file, then tell timedated the same zone.
zone=Asia/Shanghai
rm -f -- /etc/localtime
cp -- "/usr/share/zoneinfo/${zone}" /etc/localtime
timedatectl set-timezone "${zone}"

1.升级python

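# Build dependencies for CPython (ssl, sqlite, readline, zlib, bz2, xz, ...).
yum -y install zlib-devel bzip2-devel openssl-devel ncurses-devel sqlite-devel readline-devel tk-devel gdbm-devel db4-devel libpcap-devel xz-devel
# Fetch and build Python 3.6.9 into its own prefix so the system interpreter is left untouched.
mkdir -p /usr/local/python3
wget https://www.python.org/ftp/python/3.6.9/Python-3.6.9.tgz
# TODO(review): verify the tarball against the checksum / GPG signature published on python.org
# before building; the expected digest is not recorded in this guide.
tar xf Python-3.6.9.tgz
cd Python-3.6.9 || exit 1   # never run configure/make from whatever directory we happened to be in
./configure --prefix=/usr/local/python3
make && make install
# With --prefix=/usr/local/python3 the interpreter is installed directly as <prefix>/bin/python3.6;
# there is no python-3.6.9/bin/ subtree under the prefix, so link that path.
# ln -s (not -sf) fails loudly if /usr/bin/python3 already exists instead of silently replacing it.
ln -s /usr/local/python3/bin/python3.6 /usr/bin/python3
ln -s /usr/local/python3/bin/pip3 /usr/bin/pip3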

2.安装virtualenv虚拟环境

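# virtualenv is installed with the freshly built pip3 (/usr/bin/pip3 -> /usr/local/python3/bin/pip3).
pip3 install virtualenv
# Directory that will hold the isolated environment.
mkdir -p /usr/local/venv_py3.6_elastalert-0.2.1

# Fetch ElastAlert. Pin the checkout to the release this guide targets (0.2.1) instead of
# whatever the default branch contains at clone time, so the installed code is reproducible.
cd /usr/local || exit 1
git clone --branch v0.2.1 https://github.com/Yelp/elastalert.git
cd /usr/local/elastalert || exit 1

# Create a clean environment from the 3.6 interpreter built above.
# NOTE(review): --no-site-packages is accepted by older virtualenv releases only; newer
# releases reject the flag (isolation is already their default) — drop it if virtualenv errors.
/usr/local/python3/bin/virtualenv --no-site-packages --python=/usr/local/python3/bin/python3.6 /usr/local/venv_py3.6_elastalert-0.2.1
# Activate via the absolute path so this works from any directory; the prompt then carries
# the "(venv_py3.6_elastalert-0.2.1)" prefix.
source /usr/local/venv_py3.6_elastalert-0.2.1/bin/activate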

3.在虚拟的python3.6环境中安装elastalert

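# Run inside the activated virtualenv, with the ElastAlert checkout as the working directory.
cd /usr/local/elastalert || exit 1
# Install the dependencies from an explicitly named index; the original note says the
# install may fail without it.
# NOTE(review): requirements.txt as cloned is not hash-pinned, so what gets installed
# depends on the index contents at run time.
pip install -r requirements.txt -i https://pypi.python.org/simple
# Install ElastAlert itself; this is what provides the elastalert-create-index command.
python setup.py install
# Create the ElastAlert writeback index in Elasticsearch (interactive).
elastalert-create-index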

4.elastalert的主配置

[root@rbtnode1 elastalert]# cat config.yaml
# ElastAlert main configuration (config.yaml).
rules_folder: example_rules      # directory holding the rule files (my_rule.yaml below)
run_every:                       # interval between rule evaluations
  minutes: 1
buffer_time:                     # size of the query window per run
  minutes: 15
# Connection to the cluster. As written no TLS or credential options are set, i.e. plain
# HTTP without authentication. If the cluster enforces TLS/auth, ElastAlert also accepts
# use_ssl, verify_certs, es_username and es_password here.
es_host: 192.168.1.156
es_port: 9200
writeback_index: elastalert_status   # index ElastAlert writes its own status to
writeback_alias: elastalert_alerts
alert_time_limit:                # retry window for alerts that could not be delivered
  days: 2

6.用邮箱发告警的规则

[root@rbtnode1 example_rules]# cat my_rule.yaml|egrep -v '^#'
# Rule file (example_rules/my_rule.yaml, comments stripped) sending email alerts.
# Cluster connection repeated per rule; same host/port as config.yaml, same unauthenticated plain-HTTP caveat.
es_host: 192.168.1.156
es_port: 9200
name: eus-log-elasticsearch-cluster-alert
type: frequency                  # fire when num_events matches occur within timeframe
index: syslog*
num_events: 5
timeframe:
  hours: 4
filter:
- query_string:
    query: "message: hello"      # test filter; replace with the real condition
# Outbound mail. Port 25 is an unencrypted SMTP session unless the server upgrades it;
# ElastAlert also accepts smtp_ssl for an SSL-wrapped connection (commonly port 465).
smtp_host: smtp.163.com
smtp_port: 25
# Credentials live in a separate file, not in the rule. Keep that file readable only by
# the account running ElastAlert; it contains a live mail credential.
smtp_auth_file: /opt/elastalert/smtp_auth.yaml
email_reply_to: linux1634@163.com
from_addr: linux1634@163.com
alert:
- "email"
email:
- "linux163@163.com"             # recipient (note: differs from from_addr by one character)

邮箱账户密码:

[root@rbtnode1 example_rules]# cat /opt/elastalert/smtp_auth.yaml
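# SMTP credentials referenced by smtp_auth_file in the rule. Restrict this file to the
# account that runs ElastAlert (e.g. chmod 600); it holds a live credential.
user: "linux1634@163.com"
# 授权码: the mail provider's SMTP authorization code (often distinct from the mailbox login
# password). The annotation must stay in a comment — text after the quoted value is not valid YAML.
password: "hahahhahaha"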
参考:https://www.cnblogs.com/reblue520/p/11539956.html

