0.修改时区(前提条件已经安装好elk7.2)

rm -f /etc/localtime
cp /usr/share/zoneinfo/Asia/Shanghai /etc/localtime
timedatectl set-timezone Asia/Shanghai

1.升级python

# 安装依赖
yum -y install zlib-devel bzip2-devel openssl-devel ncurses-devel sqlite-devel readline-devel tk-devel gdbm-devel db4-devel libpcap-devel xz-devel
# 获取编译安装python3.6.9
mkdir -p /usr/local/python3
wget https://www.python.org/ftp/python/3.6.9/Python-3.6.9.tgz
tar xf Python-3.6.9.tgz
cd Python-3.6.9
./configure --prefix=/usr/local/python3
make && make install
ln -s /usr/local/python3/bin/python-3.6.9/bin/python3.6 /usr/bin/python3
ln -s /usr/local/python3/bin/pip3 /usr/bin/pip3

2.安装virtualenv虚拟环境

pip3 install virtualenv
# 创建存放虚拟环境的目录
mkdir -p  /usr/local/venv_py3.6_elastalert-0.2.1

# 创建纯净的虚拟环境
cd /usr/local
git clone https://github.com/Yelp/elastalert.git
cd /usr/local/elastalert

/usr/local/python3/bin/virtualenv --no-site-packages --python=/usr/local/python3/bin/python3.6 /usr/local/venv_py3.6_elastalert-0.2.1
[root@eus-kibana-elastalert-01:/usr/local/venv_py3.6_elastalert-0.2.1]# source bin/activate
(venv_py3.6_elastalert-0.2.1) [root@eus-kibana-elastalert-01:/usr/local/venv_py3.6_elastalert-0.2.1]#

3.在虚拟的python3.6环境中安装alasticalert

# 指定库，安装依赖，否则可能安装失败
(venv_py3.6_elastalert-0.2.1) [root@eus-kibana-elastalert-01:/usr/local/elastalert]# pip install -r requirements.txt -i https://pypi.python.org/simple
# 安装主程序，否则无法使用 elastalert-create-index 命令
(venv_py3.6_elastalert-0.2.1) [root@eus-kibana-elastalert-01:/usr/local/elastalert]# python setup.py install
# 运行 elastalert-create-index 配置
(venv_py3.6_elastalert-0.2.1) [root@eus-kibana-elastalert-01:/usr/local/elastalert]# elastalert-create-index

4.elastalert的主配置

[root@rbtnode1 elastalert]# cat config.yaml
rules_folder: example_rules
run_every:
  minutes: 1
buffer_time:
  minutes: 15
es_host: 192.168.1.156
es_port: 9200
writeback_index: elastalert_status
writeback_alias: elastalert_alerts
alert_time_limit:
  days: 2

6.用邮箱发告警的规则

[root@rbtnode1 example_rules]# cat my_rule.yaml|egrep -v '^#'
es_host: 192.168.1.156
es_port: 9200
name: eus-log-elasticsearch-cluster-alert
type: frequency
index: syslog*
num_events: 5
timeframe:
  hours: 4
filter:
- query_string:
    query: "message: hello"
smtp_host: smtp.163.com
smtp_port: 25
smtp_auth_file: /opt/elastalert/smtp_auth.yaml
email_reply_to: linux1634@163.com
from_addr: linux1634@163.com
alert:
- "email"
email:
- "linux163@163.com"

邮箱账户密码：

[root@rbtnode1 example_rules]# cat /opt/elastalert/smtp_auth.yaml
user: "linux1634@163.com"
password: "hahahhahaha"  授权码
参考：https://www.cnblogs.com/reblue520/p/11539956.html