elast alert
参考文档:《elast alert》
假设报错的内容为:
ceph-rest-api service down
At least 1 events occurred between 2017-10-18 16:46 CST and 2017-10-18 17:46 CST
@timestamp: 2017-10-18T09:46:44.897Z
_id: AV8u4NMJlV0N0Gfm3nbE
_index: metricbeat-7.0.0-alpha1-2017.10.18
_type: doc
beat: {
"hostname": "centos7gui",
"name": "centos7gui",
"version": "7.0.0-alpha1"
}
ceph: {
"cluster_disk": {}
}
error: {
"message": "error making http request: Get http://192.168.56.133:5000/api/v0.1/df: dial tcp 192.168.56.133:5000: getsockopt: no route to host"
}
metricset: {
"host": "192.168.56.133:5000",
"module": "ceph",
"name": "cluster_disk",
"rtt": 2022944
}
num_hits: 382
num_matches: 30
[config]
config.yaml
rules_folder: example_rules
run_every:
minutes: 1
buffer_time:
minutes: 15
es_host: 192.168.56.162
es_port: 9200
writeback_index: elastalert_status
alert_time_limit:
days: 2
[email alert]
smtp_auth_file.yaml
user: "leiba726@163.com"
password: "xxxxxx"
my_rule.yaml
# Alert when the rate of events exceeds a threshold
# (Optional)
# Elasticsearch host
# es_host: elasticsearch.example.com
# (Optional)
# Elasticsearch port
# es_port: 14900
# (OptionaL) Connect with SSL to Elasticsearch
#use_ssl: True
# (Optional) basic-auth username and password for Elasticsearch
#es_username: someusername
#es_password: somepassword
# (Required)
# Rule name, must be unique
name: ceph-rest-api service down
# (Required)
# Type of alert.
# the frequency rule type alerts when num_events events occur with timeframe time
type: frequency
# (Required)
# Index to search, wildcard supported
index: metricbeat-*
# (Required, frequency specific)
# Alert when this many documents matching the query occur within a timeframe
num_events: 1
# (Required, frequency specific)
# num_events must occur within this amount of time to trigger an alert
timeframe:
hours: 1
# (Required)
# A list of Elasticsearch filters used for find events
# These filters are joined with AND and nested in a filtered query
# For more info: http://www.elasticsearch.org/guide/en/elasticsearch/reference/current/query-dsl.html
filter:
- query:
query_string:
query: 'error making http request'
# (Required)
# The alert is use when a match is found
smtp_host: smtp.163.com
smtp_port: 25
smtp_auth_file: smtp_auth_file.yaml
email_reply_to: leiba726@163.com
from_addr: leiba726@163.com
alert:
- "email"
# (required, email specific)
# a list of email addresses to send alerts to
email:
- "leiba726@163.com"
- "elaroff@163.com"
[command alert]
my_rule.yaml
# Alert when the rate of events exceeds a threshold
# (Optional)
# Elasticsearch host
# es_host: elasticsearch.example.com
# (Optional)
# Elasticsearch port
# es_port: 14900
# (OptionaL) Connect with SSL to Elasticsearch
#use_ssl: True
# (Optional) basic-auth username and password for Elasticsearch
#es_username: someusername
#es_password: somepassword
# (Required)
# Rule name, must be unique
name: ceph-rest-api service down
# (Required)
# Type of alert.
# the frequency rule type alerts when num_events events occur with timeframe time
type: frequency
# (Required)
# Index to search, wildcard supported
index: metricbeat-*
# (Required, frequency specific)
# Alert when this many documents matching the query occur within a timeframe
num_events: 1
# (Required, frequency specific)
# num_events must occur within this amount of time to trigger an alert
timeframe:
hours: 1
# (Required)
# A list of Elasticsearch filters used for find events
# These filters are joined with AND and nested in a filtered query
# For more info: http://www.elasticsearch.org/guide/en/elasticsearch/reference/current/query-dsl.html
filter:
- query:
query_string:
query: 'error making http request'
# (Required)
# The alert is use when a match is found
smtp_host: smtp.163.com
smtp_port: 25
smtp_auth_file: smtp_auth_file.yaml
email_reply_to: leiba726@163.com
from_addr: leiba726@163.com
new_style_string_format: True
alert:
- "command"
# (required, email specific)
# a list of email addresses to send alerts to
command: ["/bin/bash", "/var/hello.sh", "{match[error]}"]
执行elast alert的命令为:
python -m elastalert.elastalert --verbose --rule example_rules/my_rule.yaml