ElastAlert告警搭建
ElastAlert钉钉告警
基础环境
服务器安装Python3.6.9
先查看机器的 Python 版本，如果是 3.6，则执行以下步骤
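# Build Python 3.6.9 from source and make it the default `python` on the host.
#
# These steps assume a yum-based host (CentOS/RHEL 7): the package names below
# are RPM names and the two `sed` calls at the end patch yum/urlgrabber, which
# only exist there. `make` is added because the build needs it.
yum -y install wget openssl openssl-devel gcc gcc-c++ make
# Debian/Ubuntu equivalent (different package names; the yum sed lines do not apply):
# apt -y install wget openssl libssl-dev gcc g++ make

wget https://www.python.org/ftp/python/3.6.9/Python-3.6.9.tgz
# Compare this digest with the checksum published for the 3.6.9 release on
# python.org before building: the tarball is compiled and installed as root.
sha256sum Python-3.6.9.tgz
tar xf Python-3.6.9.tgz
cd Python-3.6.9
# Install under its own prefix so the distro interpreter in /usr stays intact.
./configure --prefix=/usr/local/python --with-openssl
make && make install

# Point /usr/bin/python at the new build but keep the old binary around.
# yum and urlgrabber need python2.7, so their shebangs are rewritten below;
# without that, package management on the host breaks after this step.
mv /usr/bin/python /usr/bin/python_old
ln -s /usr/local/python/bin/python3 /usr/bin/python
ln -s /usr/local/python/bin/pip3 /usr/bin/pip
pip install --upgrade pip
sed -i '1s/python/python2.7/g' /usr/bin/yum
sed -i '1s/python/python2.7/g' /usr/libexec/urlgrabber-ext-down
# Expected output: Python 3.6.9
python -V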
应显示为 3.6.9
从GitHub上拉取源码至本地
进入opt文件夹创建Dingtalk_ElastAlert文件夹
# Working directory on the host; it later serves as the `docker build` context.
# Note the capitalised name: start.sh and the Dockerfile use /opt/dingtalk_elastalert
# *inside the image*, which is unrelated to this host path.
mkdir -p -- /opt/Dingtalk_ElastAlert
cd -- /opt/Dingtalk_ElastAlert
从GitHub上拉取源码至本地
# Upstream ElastAlert sources; the Dockerfile copies this checkout into the image.
# NOTE(review): Yelp/elastalert is no longer maintained upstream. Consider the
# maintained elastalert2 fork, or at least check out a fixed tag/commit after
# cloning so image builds are reproducible and auditable.
git clone -- https://github.com/Yelp/elastalert.git elastalert
下载钉钉报警模块至本地
# DingTalk alerter plugin archive; start.sh unpacks it and installs elastalert_modules/.
# NOTE(review): "master.zip" is an unpinned moving target that is baked into the
# image at build time. Pin a release tag or commit archive and verify its checksum
# so that what ends up in the image can be reviewed and reproduced.
wget --output-document=master.zip https://github.com/xuyaoqiang/elastalert-dingtalk-plugin/archive/master.zip
配置钉钉机器人,复制其webhook
钉钉告警模块为elastalert_modules
安装ElastAlert
进入 Dingtalk_ElastAlert 文件夹后
编写项目配置脚本start.sh
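#!/bin/bash
# Image build script: installs ElastAlert from the copied checkout and drops the
# DingTalk alerter module (elastalert_modules/) next to it, then creates the
# runtime rules/ directory and config.yaml from the shipped examples.
#
# The Dockerfile runs this with `sh`, i.e. dash on the python:3.6.9 image, so the
# script stays POSIX-sh compatible (no `pipefail`, no bashisms).
#
# Fail the image build on the first failed step instead of producing an image
# with a half-installed tree (the original script ignored errors).
set -eu

APP_DIR=/opt/dingtalk_elastalert
ELASTALERT_DIR="$APP_DIR/elastalert"
PIP_INDEX=https://pypi.tuna.tsinghua.edu.cn/simple

cd "$ELASTALERT_DIR"
python setup.py install
pip3 install --upgrade pip
pip3 install -r requirements.txt -i "$PIP_INDEX"

# Unpack the plugin archive that the Dockerfile copied alongside this script.
mkdir -p dingding
cd dingding
mv "$APP_DIR/master.zip" .
# The python base image ships without an apt package index: without `apt-get update`
# the install fails with "Unable to locate package", and without -y it aborts on
# the confirmation prompt because there is no TTY during `docker build`.
apt-get update && apt-get install -y --no-install-recommends unzip
unzip master.zip
cd elastalert-dingtalk-plugin-master
# NOTE(review): pyOpenSSL 16.2.0 (2016) and setuptools 46.1.3 are old pins kept
# for plugin compatibility; neither receives security fixes any more, so revisit
# them whenever the plugin is updated.
pip3 install pyOpenSSL==16.2.0 -i "$PIP_INDEX"
pip3 install setuptools==46.1.3 -i "$PIP_INDEX"

# Install the alerter module where ElastAlert imports it from
# (elastalert_modules.dingtalk_alert.DingTalkAlerter in the rule file).
cd "$ELASTALERT_DIR"
cp -r "$ELASTALERT_DIR/dingding/elastalert-dingtalk-plugin-master/elastalert_modules/" "$ELASTALERT_DIR/"
# Runtime rules and config; docker-compose bind-mounts the real ones over these.
cp -r example_rules rules
cp config.yaml.example config.yaml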
修改config配置文件
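---
# ElastAlert main configuration (created from config.yaml.example by start.sh and
# bind-mounted into the container by docker-compose).

# This is the folder that contains the rule yaml files
# Any .yaml file will be loaded as a rule
# Location of the alert rule files (relative to the working directory).
rules_folder: rules

# How often ElastAlert will query Elasticsearch
# The unit can be anything from weeks to seconds
# Interval between queries sent to Elasticsearch.
run_every:
  seconds: 5

# ElastAlert will buffer results from the most recent
# period of time, in case some log sources are not in real time
# Width of the time range used in each query; one minute here.
buffer_time:
  minutes: 1

# The Elasticsearch hostname for metadata writeback
# Note that every rule can have its own Elasticsearch host
# Replace the placeholder with the Elasticsearch host name or IP.
es_host: es_ip

# The Elasticsearch port
es_port: 9200

# The AWS region to use. Set this when using AWS-managed elasticsearch
#aws_region: us-east-1

# The AWS profile to use. Use this if you are using an aws-cli profile.
# See http://docs.aws.amazon.com/cli/latest/userguide/cli-chap-getting-started.html
# for details
#profile: test

# Optional URL prefix for Elasticsearch
#es_url_prefix: elasticsearch

# Connect with TLS to Elasticsearch
# NOTE(review): with use_ssl and verify_certs unset, queries, any basic-auth
# credentials and the writeback data travel to es_host in plaintext. Enable both
# whenever the cluster offers TLS; use_ssl without verify_certs still accepts any
# certificate presented on the way.
#use_ssl: true
# Verify TLS certificates
#verify_certs: true

# GET request with body is the default option for Elasticsearch.
# If it fails for some reason, you can pass 'GET', 'POST' or 'source'.
# See http://elasticsearch-py.readthedocs.io/en/master/connection.html?highlight=send_get_body_as#transport
# for details
#es_send_get_body_as: GET

# Option basic-auth username and password for Elasticsearch
# NOTE(review): this file lives on the host and is mounted into the container; do
# not put real credentials in it. ElastAlert also reads ES_USERNAME / ES_PASSWORD
# from the environment (check that your version supports it) — prefer that or a
# secrets mount over values committed here.
#es_username: someusername
#es_password: somepassword

# Use SSL authentication with client certificates client_cert must be
# a pem file containing both cert and key for client
#verify_certs: true
#ca_certs: /path/to/cacert.pem
#client_cert: /path/to/client_cert.pem
#client_key: /path/to/client_key.key

# The index on es_host which is used for metadata storage
# This can be a unmapped index, but it is recommended that you run
# elastalert-create-index to set a mapping
writeback_index: elastalert_status
writeback_alias: elastalert_alerts

# If an alert fails for some reason, ElastAlert will retry
# sending the alert until this time period has elapsed
alert_time_limit:
  days: 2

# Custom logging configuration
# If you want to setup your own logging configuration to log into
# files as well or to Logstash and/or modify log levels, use
# the configuration below and adjust to your needs.
# Note: if you run ElastAlert with --verbose/--debug, the log level of
# the "elastalert" logger is changed to INFO, if not already INFO/DEBUG.
#logging:
#  version: 1
#  incremental: false
#  disable_existing_loggers: false
#  formatters:
#    logline:
#      format: '%(asctime)s %(levelname)+8s %(name)+20s %(message)s'
#
#  handlers:
#    console:
#      class: logging.StreamHandler
#      formatter: logline
#      level: DEBUG
#      stream: ext://sys.stderr
#
#    file:
#      class : logging.FileHandler
#      formatter: logline
#      level: DEBUG
#      filename: elastalert.log
#
#  loggers:
#    elastalert:
#      level: WARN
#      handlers: []
#      propagate: true
#
#    elasticsearch:
#      level: WARN
#      handlers: []
#      propagate: true
#
#    elasticsearch.trace:
#      level: WARN
#      handlers: []
#      propagate: true
#
#    '':  # root logger
#      level: WARN
#      handlers:
#        - console
#        - file
#      propagate: false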
编写钉钉告警文件的告警规则
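---
# ElastAlert rule: send a DingTalk alert when "Message: 500.jsp" shows up in the logs.
# NOTE(review): the compose file starts ElastAlert with rules/api_error.yaml; save
# this rule under that name (or adjust the command) or it will never be loaded.

# Unique rule name; ElastAlert does not start if two rules share a name.
name: Message警报
# Rule type (how matches are validated).
type: frequency
# Index pattern to query (ElastAlert's default is logstash-*).
index: mimo-*
# frequency semantics: alert once num_events matching documents occur within
# timeframe, i.e. at least one hit in any 24-minute window.
num_events: 1
timeframe:
  minutes: 24
# query_string filter that selects the log lines to match.
filter:
  - query:
      query_string:
        query: "Message: 500.jsp"
# Alerters to run on every match.
alert:
  - "elastalert_modules.dingtalk_alert.DingTalkAlerter"
# DingTalk robot webhook URL (replace the placeholder).
# NOTE(review): the webhook URL carries the robot's access token; anyone holding it
# can post into the group. The rules directory is bind-mounted from the host, so keep
# this file out of version control and rotate the robot if the URL leaks.
dingtalk_webhook: "钉钉机器人webhoobk"
dingtalk_msgtype: text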
编写Dockerfile进行镜像封装
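# Package the ElastAlert checkout, the build script and the DingTalk plugin archive
# into a single image.
# NOTE(review): python:3.6.9 is an end-of-life interpreter on an old Debian base and
# no longer receives security updates. Pin the tag by digest
# (python:3.6.9@sha256:<digest-placeholder>) for reproducible builds and plan a move
# to a supported base image.
FROM python:3.6.9
COPY ./elastalert /opt/dingtalk_elastalert/elastalert
COPY ./start.sh /opt/dingtalk_elastalert/
COPY ./master.zip /opt/dingtalk_elastalert/
# start.sh declares #!/bin/bash; run it with bash rather than sh (dash on this image)
# so it executes under the shell it was written for.
RUN bash /opt/dingtalk_elastalert/start.sh
WORKDIR /opt/dingtalk_elastalert/elastalert/
# Nothing in this build starts a listener on 3030; EXPOSE is documentation only, and
# the compose file runs the container with network_mode: host anyway.
EXPOSE 3030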
docker镜像打包
# Build the image from the current directory (the Dingtalk_ElastAlert folder with
# elastalert/, start.sh and master.zip); compose references it as dingtalk_elastalert:latest.
docker build --tag dingtalk_elastalert .
编写docker-compose.yml文件启动dingtalk_elastalert容器
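---
# docker-compose definition for the dingtalk_elastalert container.
# The container runs on the host network, validates the DingTalk rule with
# elastalert-test-rule, then starts ElastAlert with ./config.yaml and
# ./rules/api_error.yaml. rules/ and config.yaml are bind-mounted from the host.
version: '3'
services:
  dingtalk_elastalert:
    image: dingtalk_elastalert:latest
    container_name: dingtalk_elastalert
    command:
      - sh
      - -c
      - |
        # tail -f /dev/null
        # NOTE(review): installing cryptography on every start needs outbound network
        # access at runtime and pulls an unpinned package into a running container;
        # bake it into the image (start.sh) instead.
        pip3 install cryptography
        # Fail fast: only start ElastAlert if the rule validates (the original ran
        # both commands unconditionally, so a broken rule still started the service).
        elastalert-test-rule rules/api_error.yaml &&
        python -m elastalert.elastalert --config ./config.yaml --rule ./rules/api_error.yaml
    volumes:
      # ElastAlert only reads rules and config; mount them read-only so a compromised
      # container cannot rewrite what it alerts on.
      - ./rules:/opt/dingtalk_elastalert/elastalert/rules:ro
      - ./config.yaml:/opt/dingtalk_elastalert/elastalert/config.yaml:ro
    # NOTE(review): host networking removes the container's network isolation (every
    # host interface and port is reachable from inside). It is used here so es_host
    # can point at a locally reachable Elasticsearch; a bridge network with an explicit
    # es_host is the safer default.
    network_mode: "host"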
启动容器
# Start the container in the background, then stream its logs to the terminal.
docker-compose up --detach && docker-compose logs --follow
观察输出，确认是否已采集到日志，以及是否有报错