I. Introduction
ElastAlert is a simple framework for alerting on anomalies, spikes, or other patterns of interest in data stored in Elasticsearch. Its documentation is at https://elastalert.readthedocs.io/en/latest/elastalert.html. In this tutorial I walk step by step through setting up the environment and sending notifications from Elasticsearch to DingTalk.
II. Architecture diagram
III. Installing ElastAlert
1. Install Python 3.8
Search for a Python installation guide yourself; that step is omitted here.
2. Download the elastalert source:
```shell
yum -y install git
git clone https://github.com/Yelp/elastalert.git
```
Install the modules (from inside the cloned directory):
```shell
cd elastalert
pip3 install "setuptools>=11.3"
python3 setup.py install
pip3 install -U PyYAML
```
Depending on your Elasticsearch version, you may need to install the matching elasticsearch-py manually:
```shell
pip3 install "elasticsearch>=5.0.0"
```
That completes the installation.
IV. Installing elastalert-dingtalk-plugin
Download it next to the ElastAlert checkout (a GitHub `master.zip` unpacks into a directory named `elastalert-dingtalk-plugin-master`):
```shell
cd /usr/local/elastalert
wget https://github.com/xuyaoqiang/elastalert-dingtalk-plugin/archive/master.zip
unzip master.zip
cd elastalert-dingtalk-plugin-master/
```
Two files need to be edited: config.yaml and rules/api_error.yaml.
cat config.yaml
```yaml
# This is the folder that contains the rule yaml files
# Any .yaml file will be loaded as a rule
rules_folder: rules

# How often ElastAlert will query Elasticsearch
# The unit can be anything from weeks to seconds
run_every:
  minutes: 5

# ElastAlert will buffer results from the most recent
# period of time, in case some log sources are not in real time
buffer_time:
  minutes: 5

# The Elasticsearch hostname for metadata writeback
# Note that every rule can have its own Elasticsearch host
es_host: 10.52.38.168

# The Elasticsearch port
es_port: 9200

# The AWS region to use. Set this when using AWS-managed elasticsearch
#aws_region: us-east-1

# The AWS profile to use. Use this if you are using an aws-cli profile.
# See http://docs.aws.amazon.com/cli/latest/userguide/cli-chap-getting-started.html
# for details
#profile: test

# Optional URL prefix for Elasticsearch
#es_url_prefix: elasticsearch

# Connect with TLS to Elasticsearch.
# With both options left commented out, the basic-auth password below travels
# to 10.52.38.168 over plain HTTP; enable them if the cluster offers TLS.
#use_ssl: True

# Verify TLS certificates
#verify_certs: True

# GET request with body is the default option for Elasticsearch.
# If it fails for some reason, you can pass 'GET', 'POST' or 'source'.
# See http://elasticsearch-py.readthedocs.io/en/master/connection.html?highlight=send_get_body_as#transport
# for details
#es_send_get_body_as: GET

# Option basic-auth username and password for Elasticsearch.
# These are stored in plaintext: keep this file readable only by the user that
# runs ElastAlert and out of version control.
es_username: "elastic"
es_password: "haZZS*XGz"

# The index on es_host which is used for metadata storage
# This can be a unmapped index, but it is recommended that you run
# elastalert-create-index to set a mapping
writeback_index: elastalert_status

# If an alert fails for some reason, ElastAlert will retry
# sending the alert until this time period has elapsed
alert_time_limit:
  days: 2
```
cat rules/api_error.yaml
```yaml
name: prod has "ERROR"/"Exception" keyword logs, log in to Kibana and check promptly: http://152.32.142.164:5601/
type: frequency
index: erp-cod-prod_zooqeer-service-log*

# Alert when this many documents matching the query appear within timeframe
num_events: 1
# timeframe is the window in which num_events matches must occur. How often the
# same rule may alert again is controlled by realert (default 1 minute), not by timeframe.
timeframe:
  minutes: 5

# Match either keyword. The original file listed query_string twice inside one
# mapping ("ERROR" and then "Exception"); YAML keeps only the last duplicate key,
# so the "ERROR" condition was silently dropped. One Lucene query expresses the OR.
filter:
- query:
    query_string:
      query: "ERROR OR Exception"

# Only the fields we need: https://elastalert.readthedocs.io/en/latest/ruletypes.html#include
include: ["method", "url_path", "url_args", "status", "request_time"]

alert:
- "elastalert_modules.dingtalk_alert.DingTalkAlerter"
#dingtalk_webhook: "https://oapi.dingtalk.com/robot/send?access_token=11dd40a2482d889c45a2c16ee3cefea5c1fa7368f8841fdf98bf95d571c98dc9"
# The access_token is the robot's only credential: anyone who holds it can post
# into the group, so treat this file like the password file above.
dingtalk_webhook: "https://oapi.dingtalk.com/robot/send?access_token=3c7a159c14cf39f0b8e9bd26806d3a96831e4b843c2d5123ccc5eeb232520f11"
dingtalk_msgtype: "text"
# Keyword configured in the DingTalk robot's security settings; messages that do not contain it are rejected
content: elk
```
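To see what the rule above actually does before pointing it at production, here is an added example that is not code from the original post, from ElastAlert or from elastalert-dingtalk-plugin. It replays the rule's filter and frequency logic over a few constructed hits, builds the DingTalk text payload with the `content: elk` keyword in front, and models the robot's keyword check. It also goes one step beyond the page and shows DingTalk's optional signed-webhook setting next to the keyword setting the page uses; the sample hits, the webhook token and the signing secret are constructed placeholders.

```python
"""Offline walk-through of rules/api_error.yaml (added example, not project code).
Sample hits, access_token and secret below are constructed placeholders."""
import base64
import hashlib
import hmac
import json
import re
import urllib.parse
from datetime import datetime, timedelta

# Parameters copied from rules/api_error.yaml.
NUM_EVENTS = 1
TIMEFRAME_MINUTES = 5
QUERY = "ERROR OR Exception"   # one query_string, not two duplicate keys
INCLUDE = ["method", "url_path", "url_args", "status", "request_time"]
KEYWORD = "elk"                # keyword configured on the DingTalk robot
RULE_NAME = 'prod has "ERROR"/"Exception" keyword logs, check Kibana'

# Constructed sample hits standing in for documents from erp-cod-prod_zooqeer-service-log*.
SAMPLE_HITS = [
    {"@timestamp": "2023-03-01T10:00:00Z", "method": "GET", "url_path": "/api/orders",
     "status": 200, "request_time": 0.12, "message": "order list served"},
    {"@timestamp": "2023-03-01T10:01:30Z", "method": "POST", "url_path": "/api/orders",
     "status": 500, "request_time": 1.80, "message": "ERROR saving order: duplicate key"},
    {"@timestamp": "2023-03-01T10:02:00Z", "method": "GET", "url_path": "/healthz",
     "status": 200, "request_time": 0.01, "message": "ok"},
    {"@timestamp": "2023-03-01T10:30:00Z", "method": "GET", "url_path": "/api/items",
     "status": 502, "request_time": 3.10, "message": "Exception while calling upstream: timeout"},
]


def matches_query(hit, query=QUERY):
    """Local stand-in for the Lucene query_string filter: OR-ed bare terms match when
    any term occurs as a whole word (case-insensitive, as the standard analyser sees
    it) in any string field. Elasticsearch does the real matching in production."""
    terms = [t.strip() for t in query.split(" OR ")]
    text = " ".join(v for v in hit.values() if isinstance(v, str))
    return any(re.search(r"\b%s\b" % re.escape(t), text, re.IGNORECASE) for t in terms)


def run_frequency_rule(hits, num_events=NUM_EVENTS, timeframe_minutes=TIMEFRAME_MINUTES):
    """Simplified ElastAlert frequency rule: walk matching hits in time order, keep
    those no older than the timeframe relative to the newest one, and fire once the
    window holds num_events hits. Returns one list of hits per alert. The window is
    cleared after firing; real ElastAlert relies on realert (default 1 minute)."""
    timeframe = timedelta(minutes=timeframe_minutes)
    window, alerts = [], []
    for hit in sorted(hits, key=lambda h: h["@timestamp"]):
        if not matches_query(hit):
            continue
        ts = datetime.fromisoformat(hit["@timestamp"].replace("Z", "+00:00"))
        window = [(t, h) for t, h in window if ts - t <= timeframe] + [(ts, hit)]
        if len(window) >= num_events:
            alerts.append([h for _, h in window])
            window = []
    return alerts


def dingtalk_text_payload(match_hits, rule_name=RULE_NAME, keyword=KEYWORD):
    """Build the DingTalk 'text' message for one alert: only the include fields are
    reported, and the robot keyword is placed first so the keyword check passes."""
    lines = [f"{keyword} {rule_name}"]
    for hit in match_hits:
        lines.append(json.dumps({k: hit[k] for k in INCLUDE if k in hit}, ensure_ascii=False))
    return {"msgtype": "text", "text": {"content": "\n".join(lines)}}


def robot_accepts(payload, keyword=KEYWORD):
    """Model the robot-side keyword check: a custom robot configured with a keyword
    drops any text message whose content does not contain it."""
    return keyword in payload.get("text", {}).get("content", "")


def _signature(secret, timestamp_ms):
    # DingTalk 'sign' setting: HMAC-SHA256 over "<timestamp>\n<secret>", keyed with the secret.
    msg = f"{timestamp_ms}\n{secret}".encode()
    return base64.b64encode(hmac.new(secret.encode(), msg, hashlib.sha256).digest()).decode()


def sign_webhook(webhook, secret, timestamp_ms):
    """Append timestamp= and sign= (URL-encoded base64 HMAC) to the webhook URL.
    This is the optional signed-robot setting, not used by the page's rule."""
    return f"{webhook}&timestamp={timestamp_ms}&sign={urllib.parse.quote_plus(_signature(secret, timestamp_ms))}"


def verify_signed_webhook(url, secret):
    """Robot-side check of a signed URL: recompute the signature from the timestamp
    parameter and compare in constant time (DingTalk also rejects stale timestamps)."""
    qs = urllib.parse.parse_qs(urllib.parse.urlparse(url).query)
    sign, ts = qs.get("sign", [""])[0], qs.get("timestamp", [""])[0]
    return hmac.compare_digest(sign, _signature(secret, ts))


if __name__ == "__main__":
    # Placeholder token and secret; real ones come from the robot's settings page.
    webhook = "https://oapi.dingtalk.com/robot/send?access_token=<access_token>"
    for hits in run_frequency_rule(SAMPLE_HITS):
        payload = dingtalk_text_payload(hits)
        assert robot_accepts(payload)
        print(sign_webhook(webhook, "SEC<secret>", 1677664800000))
        print(json.dumps(payload, ensure_ascii=False, indent=2))
        # The plugin POSTs `payload` as JSON to that URL; nothing is sent here.
```

With the page's settings (num_events: 1, timeframe 5 minutes) every matching hit fires its own alert; raising num_events to 2 shows why the timeframe matters, since two errors 28 minutes apart never share a 5-minute window.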
Once both files are in place, ElastAlert can be run. Before starting it for real, create the writeback index once with `elastalert-create-index` and dry-run the rule with `elastalert-test-rule rules/api_error.yaml`, which executes the query against Elasticsearch but does not send alerts unless `--alert` is given. Then start it in the background:
```shell
nohup python3 -m elastalert.elastalert --verbose --rule rules/api_error.yaml &
```