elast alert

参考文档:《elast alert》

 

假设报错的内容为:

ceph-rest-api service down

At least 1 events occurred between 2017-10-18 16:46 CST and 2017-10-18 17:46 CST

@timestamp: 2017-10-18T09:46:44.897Z
_id: AV8u4NMJlV0N0Gfm3nbE
_index: metricbeat-7.0.0-alpha1-2017.10.18
_type: doc
beat: {
    "hostname": "centos7gui", 
    "name": "centos7gui", 
    "version": "7.0.0-alpha1"
}
ceph: {
    "cluster_disk": {}
}
error: {
    "message": "error making http request: Get http://192.168.56.133:5000/api/v0.1/df: dial tcp 192.168.56.133:5000: getsockopt: no route to host"
}
metricset: {
    "host": "192.168.56.133:5000", 
    "module": "ceph", 
    "name": "cluster_disk", 
    "rtt": 2022944
}
num_hits: 382
num_matches: 30
View Code

[config]

config.yaml

rules_folder: example_rules
run_every:
  minutes: 1
buffer_time:
  minutes: 15
es_host: 192.168.56.162
es_port: 9200
writeback_index: elastalert_status
alert_time_limit:
  days: 2

 

[email alert]

smtp_auth_file.yaml

user: "leiba726@163.com"
password: "xxxxxx"
View Code

my_rule.yaml

# Alert when the rate of events exceeds a threshold

# (Optional)
# Elasticsearch host
# es_host: elasticsearch.example.com

# (Optional)
# Elasticsearch port
# es_port: 14900

# (OptionaL) Connect with SSL to Elasticsearch
#use_ssl: True

# (Optional) basic-auth username and password for Elasticsearch
#es_username: someusername
#es_password: somepassword

# (Required)
# Rule name, must be unique
name: ceph-rest-api service down

# (Required)
# Type of alert.
# the frequency rule type alerts when num_events events occur with timeframe time
type: frequency

# (Required)
# Index to search, wildcard supported
index: metricbeat-*

# (Required, frequency specific)
# Alert when this many documents matching the query occur within a timeframe
num_events: 1

# (Required, frequency specific)
# num_events must occur within this amount of time to trigger an alert
timeframe:
  hours: 1

# (Required)
# A list of Elasticsearch filters used for find events
# These filters are joined with AND and nested in a filtered query
# For more info: http://www.elasticsearch.org/guide/en/elasticsearch/reference/current/query-dsl.html
filter:
- query:
        query_string:
                query: 'error making http request'

# (Required)
# The alert is use when a match is found
smtp_host: smtp.163.com
smtp_port: 25
smtp_auth_file: smtp_auth_file.yaml
email_reply_to: leiba726@163.com
from_addr: leiba726@163.com

alert:
- "email"

# (required, email specific)
# a list of email addresses to send alerts to
email:
- "leiba726@163.com"
- "elaroff@163.com"
View Code

 

[command alert]

my_rule.yaml

# Alert when the rate of events exceeds a threshold

# (Optional)
# Elasticsearch host
# es_host: elasticsearch.example.com

# (Optional)
# Elasticsearch port
# es_port: 14900

# (OptionaL) Connect with SSL to Elasticsearch
#use_ssl: True

# (Optional) basic-auth username and password for Elasticsearch
#es_username: someusername
#es_password: somepassword

# (Required)
# Rule name, must be unique
name: ceph-rest-api service down

# (Required)
# Type of alert.
# the frequency rule type alerts when num_events events occur with timeframe time
type: frequency

# (Required)
# Index to search, wildcard supported
index: metricbeat-*

# (Required, frequency specific)
# Alert when this many documents matching the query occur within a timeframe
num_events: 1

# (Required, frequency specific)
# num_events must occur within this amount of time to trigger an alert
timeframe:
  hours: 1

# (Required)
# A list of Elasticsearch filters used for find events
# These filters are joined with AND and nested in a filtered query
# For more info: http://www.elasticsearch.org/guide/en/elasticsearch/reference/current/query-dsl.html
filter:
- query:
        query_string:
                query: 'error making http request'

# (Required)
# The alert is use when a match is found
smtp_host: smtp.163.com
smtp_port: 25
smtp_auth_file: smtp_auth_file.yaml
email_reply_to: leiba726@163.com
from_addr: leiba726@163.com

new_style_string_format: True
alert:
- "command"

# (required, email specific)
# a list of email addresses to send alerts to

command: ["/bin/bash", "/var/hello.sh", "{match[error]}"]
View Code

 

执行elast alert的命令为:

python -m elastalert.elastalert --verbose --rule example_rules/my_rule.yaml

posted @ 2017-10-19 14:09  elar  阅读(286)  评论(0编辑  收藏  举报