Elasticsearch----Elastalert

1. Official documentation

https://elastalert.readthedocs.io/en/latest/recipes/writing_filters.html


2. Installation

yum -y install gcc libffi-devel python-devel openssl-devel

echo 'export PATH=$PATH:/usr/local/python3/bin' >> /etc/profile

source /etc/profile

git clone https://github.com/Yelp/elastalert.git

cd elastalert

pip3 install setuptools

pip3 install -r requirements.txt

pip3 install -r requirements-dev.txt

python3 setup.py install

cd elastalert    # note: this is elastalert/elastalert/, the package directory inside the clone

python3 create_index.py --config ../config.yaml --host es_host --port es_port --username es_username --password es_password --no-ssl --no-verify-certs

create_index.py reads ../config.yaml, so copy config.yaml.example to config.yaml (section 3) before running it; es_host, es_port, es_username and es_password are placeholders for your own cluster. This step creates the writeback index (writeback_index in config.yaml, elastalert_status below) that ElastAlert uses to record its own status, silences and errors.

3. Edit the config file

cd ..

cp config.yaml.example config.yaml

Edit config.yaml:

rules_folder: /workspace/services/elastalert/rules
run_every:
  minutes: 1
buffer_time:
  minutes: 15
es_host: 127.0.0.1
es_port: 9200
use_ssl: False
verify_certs: False
es_send_get_body_as: GET
es_username: ${username}
es_password: ${password}
writeback_index: elastalert_status
alert_time_limit:
  days: 2

With use_ssl: False the es_username/es_password pair is sent to Elasticsearch in cleartext; that is tolerable here only because es_host is the loopback address. If Elasticsearch moves to another host, enable use_ssl and set verify_certs back to True (ElastAlert's default), otherwise the TLS connection can be intercepted and the credentials harvested.
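Two of the settings above, use_ssl: False and verify_certs: False, are the ones a reviewer would push back on. The Python below is an added example for this page, not ElastAlert code: it takes the page's config.yaml as a dict (what yaml.safe_load returns for it), flags the weak transport settings, shows the same config with them corrected, and checks that a credentials file such as the smtp_auth_file.yaml created in section 4 is readable by its owner only. The es_username/es_password values, the ca_certs bundle path and the throwaway smtp file contents are constructed placeholders; the same function applies to the per-rule es_* overrides shown in section 4.

```python
"""Audit an ElastAlert config for cleartext transport and exposed credentials.

Added example for this page, not ElastAlert code. It works on the config as a
dict (what yaml.safe_load would return for config.yaml); the keys are the real
ElastAlert option names, the es_username / es_password values are constructed
placeholders standing in for the page's ${username} / ${password}.
"""
import os
import stat
import tempfile

# Constructed input: the settings from this page's config.yaml.
PAGE_CONFIG = {
    "rules_folder": "/workspace/services/elastalert/rules",
    "run_every": {"minutes": 1},
    "buffer_time": {"minutes": 15},
    "es_host": "127.0.0.1",
    "es_port": 9200,
    "use_ssl": False,
    "verify_certs": False,
    "es_send_get_body_as": "GET",
    "es_username": "elastalert",      # placeholder
    "es_password": "example-only",    # placeholder, not a real secret
    "writeback_index": "elastalert_status",
    "alert_time_limit": {"days": 2},
}

# The same settings with transport security turned on. ca_certs is a real
# ElastAlert option; the bundle path is an assumption for a RHEL/CentOS host.
HARDENED_CONFIG = dict(
    PAGE_CONFIG,
    use_ssl=True,
    verify_certs=True,
    ca_certs="/etc/pki/tls/certs/ca-bundle.crt",
)


def audit(cfg, label="config.yaml"):
    """Return (key, finding) pairs for weak settings; [] means nothing to report."""
    findings = []
    host = f"{cfg.get('es_host')}:{cfg.get('es_port')}"
    loopback = cfg.get("es_host") in ("127.0.0.1", "::1", "localhost")
    if not cfg.get("use_ssl", False):
        scope = ("only exposed on the loopback interface" if loopback
                 else "visible to anyone on the network path")
        findings.append(("use_ssl",
                         f"{label}: es_username/es_password go to {host} in cleartext ({scope})"))
    # ElastAlert verifies server certificates by default; the page switches it off.
    if not cfg.get("verify_certs", True):
        findings.append(("verify_certs",
                         f"{label}: verify_certs is off, so even with use_ssl on a MITM can "
                         f"impersonate {host} and capture the credentials"))
    return findings


def auth_file_is_private(path):
    """True when the file has no group/other permission bits (mode 0600 or tighter).

    Meant for smtp_auth_file.yaml from section 4, which holds the mailbox password.
    """
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return mode & (stat.S_IRWXG | stat.S_IRWXO) == 0


def demo_auth_file_check():
    """Write a throwaway smtp_auth_file.yaml, check it at 0644 and again at 0600."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "smtp_auth_file.yaml")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write("user: alerts@example.com\npassword: example-only\n")  # constructed
        os.chmod(path, 0o644)
        world_readable = auth_file_is_private(path)
        os.chmod(path, 0o600)
        owner_only = auth_file_is_private(path)
    return world_readable, owner_only


if __name__ == "__main__":
    for key, msg in audit(PAGE_CONFIG):
        print(f"[{key}] {msg}")
    print("hardened config findings:", audit(HARDENED_CONFIG))
    print("smtp_auth_file private at 0644 / 0600:", demo_auth_file_check())
```

Running it prints the two findings for the page's config, an empty list for the hardened variant, and (False, True) for the permission check. The loopback distinction is deliberate: cleartext to 127.0.0.1 is a local-privilege problem, cleartext across a network is an eavesdropping problem, and the audit says which one you have.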


4. Create rules

cp -r example_rules/ rules/

cd rules/

cp example_frequency.yaml runtime_error.yaml

Edit runtime_error.yaml:

es_host: 127.0.0.1
es_port: 9200
es_username: ${username}
es_password: ${password}
use_ssl: False
name: ${name}
type: frequency
index: ${index_regex}
num_events: 10
timeframe:
  # minutes: 30
  hours: 1
filter:
- query:
    query_string:
      query: "level: INFO"
alert_text_args:
  - name
  - num_hits
  - message
smtp_host: "${smtp_domain}"
smtp_port: 465
smtp_ssl: true
smtp_auth_file: ${parent_directory}/elastalert/rules/smtp_auth_file.yaml
from_addr: "${email_addr}"
alert:
- "email"
email:
- "${email_addr}"

The es_* keys and use_ssl in a rule file override the global config for that rule only, so this rule also talks to Elasticsearch unencrypted. alert_text_args only takes effect together with an alert_text format string (positional placeholders {0}, {1}, {2}); without one, the three values listed above are never interpolated into the alert.

Create smtp_auth_file.yaml (it holds the mailbox password in cleartext, so restrict it to the user ElastAlert runs as, mode 0600):

user: ${email_addr}
password: ${email_passwd}
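What the rule above actually does is not obvious from the YAML alone. The Python below is an added example, not part of ElastAlert or of this post: it re-implements the frequency check (num_events: 10 within timeframe: 1 hour, filter level: INFO) over constructed log documents and shows how alert_text_args is interpolated once an alert_text format string is present. The timestamps, log lines and the alert_text string are assumptions made for the example, and the query_string filter is reduced to an exact field match.

```python
"""Simulate the frequency rule from runtime_error.yaml over constructed log events.

Added example; none of this is ElastAlert's own code. It reproduces what the
rule means: fire when at least num_events documents matching the filter fall
within a sliding window of length timeframe, then start counting again.
Timestamps, log lines and the alert_text format string are all constructed here.
"""
from collections import deque
from datetime import datetime, timedelta, timezone

# The relevant settings of the rule file, with this page's filter "level: INFO"
# reduced to an exact field match (a query_string is more flexible than this).
RULE = {
    "name": "runtime_error",
    "type": "frequency",
    "num_events": 10,
    "timeframe": timedelta(hours=1),
    "filter_field": "level",
    "filter_value": "INFO",
    "alert_text_args": ["name", "num_hits", "message"],
    # alert_text is not on the page; alert_text_args does nothing without one.
    "alert_text": "{0}: {1} matching events within one hour, latest: {2}",
}

T0 = datetime(2022, 5, 6, 11, 0, tzinfo=timezone.utc)


def make_docs():
    """Constructed Elasticsearch hits: a burst, some noise, and a slow trickle."""
    docs = []
    # burst: 12 INFO lines one minute apart from 11:00 -> 10th match at 11:09
    for i in range(12):
        docs.append({"@timestamp": T0 + timedelta(minutes=i), "level": "INFO",
                     "message": f"request {i} served"})
    # noise the filter must ignore
    docs.append({"@timestamp": T0 + timedelta(minutes=3), "level": "ERROR",
                 "message": "db timeout"})
    # trickle: 11 INFO lines twelve minutes apart from 13:00 -> never 10 in one hour
    for i in range(11):
        docs.append({"@timestamp": T0 + timedelta(hours=2, minutes=12 * i),
                     "level": "INFO", "message": f"heartbeat {i}"})
    return docs


def matches(rule, doc):
    """Stand-in for the rule's filter clause."""
    return doc.get(rule["filter_field"]) == rule["filter_value"]


def frequency_alerts(rule, docs):
    """Return one match dict per alert, in the order they would fire."""
    window = deque()          # timestamps of matching docs inside the timeframe
    alerts = []
    for doc in sorted(docs, key=lambda d: d["@timestamp"]):
        if not matches(rule, doc):
            continue
        now = doc["@timestamp"]
        window.append(now)
        # expire events that are timeframe or older (half-open window, this example's choice)
        while now - window[0] >= rule["timeframe"]:
            window.popleft()
        if len(window) >= rule["num_events"]:
            alerts.append({"num_hits": len(window), "first": window[0],
                           "last": now, "message": doc["message"]})
            window.clear()    # ElastAlert drops the counted events after a frequency match
    return alerts


def render_alert(rule, alert):
    """Fill alert_text from alert_text_args: match fields first, then rule keys."""
    values = []
    for arg in rule["alert_text_args"]:
        if arg in alert:
            values.append(alert[arg])
        else:
            values.append(rule.get(arg, "<MISSING VALUE>"))
    return rule["alert_text"].format(*values)


if __name__ == "__main__":
    for a in frequency_alerts(RULE, make_docs()):
        print(a["first"].strftime("%H:%M"), "->", a["last"].strftime("%H:%M"),
              render_alert(RULE, a))
```

Run it directly to see the single alert the burst produces at the tenth INFO line and why the slow trickle (at most six matches in any hour) never fires. Against a live cluster the equivalent dry run is elastalert-test-rule rules/runtime_error.yaml --config config.yaml, which queries recent data and prints the matches without sending mail. Note that with a filter on level: INFO any busy service reaches ten hits per hour almost immediately, so a rule named runtime_error would normally filter on error-level events instead.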


5. Start command

python3 -m elastalert.elastalert --verbose --config config.yaml --rule rules/runtime_error.yaml

Run this from the root of the clone, where config.yaml was created in section 3. --rule restricts the run to that one rule file (it must still live in rules_folder); drop it to run every rule in the folder.


posted @ 2022-05-06 11:25  ヾ(o◕∀◕)ノヾ