ElastAlert结合AlertManager 根据日志进行报警监控
首先,ElastAlert 既可以以 Python 包的方式运行,也可以以 Docker 容器的方式运行;
另外,ElastAlert 读取的数据来自 Elasticsearch,因此需要在配置中指定 ES 地址(若 ES 开启了认证或 TLS,还需补充相应的连接参数,本文示例未涉及)。
ElastAlert 的配置文件主要有两个:一个是服务(全局)配置 config.yaml,一个是规则配置(放在 rules 目录下)。
先看服务(全局)配置文件 config.yaml(规则配置文件见后文):
[root@node109 elastalert]# pwd
/home/elastic/elastalert
[root@node109 elastalert]# cat config.yaml | grep -v "#"
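# ElastAlert global (service) config.yaml.  The values are exactly those shown on
# the page; the nested time-unit keys had been flattened to column 0 by the
# paste, which would make run_every/buffer_time/alert_time_limit parse as empty
# top-level keys, so they are re-indented here as mappings.
rules_folder: rules          # directory containing the per-rule YAML files
run_every:                   # query interval (see ElastAlert docs)
  minutes: 1
buffer_time:                 # query window per run (see ElastAlert docs)
  minutes: 1
# Elasticsearch endpoint.  As written this is a plain, unauthenticated connection
# to an internal address; nothing on the page shows TLS or credentials.
# NOTE(review): outside a lab, add use_ssl/verify_certs and es_username/
# es_password (or a secrets-backed equivalent) rather than relying on the
# network segment being trusted — ElastAlert reads every index it is pointed at.
es_host: 192.168.46.9
es_port: 9200
writeback_index: elastalert_status   # index ElastAlert writes its own status into
alert_time_limit:            # retry window for alerts that failed to send
  days: 2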
下面是 ElastAlert 的规则配置文件(位于上面 rules_folder 指定的 rules 目录下),规则命中时将报警发送到 AlertManager:
[root@node109 rules]# more example_alertmanager.yaml
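# ElastAlert rule: raise an Alertmanager alert when at least one ERROR-level
# document shows up in app-search-* within a one-minute window.  Indentation is
# restored here; the flattened paste on the page would not parse as a valid rule.
es_host: 192.168.46.9        # same unauthenticated, plaintext ES endpoint as config.yaml
es_port: 9200
name: testrule
type: frequency
index: app-search-*
num_events: 1                # one match in `timeframe` is enough to fire
timeframe:
  minutes: 1
filter:
- bool:
    must:
    - match:
        level: "ERROR"
alert: alertmanager
# NOTE(review): plain http to Alertmanager, and Alertmanager's API has no
# authentication of its own — anyone who can reach :9093 can post or silence
# alerts.  Front it with TLS/auth or restrict it at the network layer.
alertmanager_hosts: ["http://192.168.46.9:9093"]
alertmanager_alertname: "Title"
alertmanager_annotations:
  severity: "error"
alertmanager_labels:
  source: "elastalert"
# Fields copied from the matched document into Alertmanager *labels*.
# NOTE(review): `msg` puts the raw, free-form log message into a label.  Labels
# feed grouping, routing matchers and the fingerprint (see the groupKey /
# fingerprint in the payload below), so every distinct message becomes its own
# alert group, and whatever an application echoes into its error text ends up
# steering alert routing.  The same message is already carried verbatim in the
# `description` annotation, so this label is redundant; consider dropping it.
# `log` rendered as the string "null" in the sample payload because the matched
# document had no @log_name field.
alertmanager_fields:
  msg: "message"
  log: "@log_name"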
报警经 AlertManager 分组后,由其 webhook 通知(receiver 为 web.hook)发给接收端的数据格式如下(即 Alertmanager 的 webhook payload,而非 ElastAlert 直接发出的内容)。注意 alertmanager_fields 中映射的字段是作为 label 带出的:msg 直接携带原始日志内容(同时也出现在 description 注解中,并参与 groupKey/fingerprint 的计算),而 log 因匹配文档中不存在 @log_name 字段而显示为字符串 "null":
{
"receiver": "web\\.hook",
"status": "firing",
"alerts": [
{
"status": "firing",
"labels": {
"alertname": "Title",
"elastalert_rule": "testrule",
"log": "null",
"msg": "NullPointException , something was wrong, please check the detail log",
"source": "elastalert"
},
"annotations": {
"description": "testrule\n\nAt least 1 events occurred between 2022-10-14 05:57 EDT and 2022-10-14 05:58 EDT\n\n@timestamp: 2022-10-14T09:58:00.095Z\n@version: 1\n_id: pyHt1YMBjckmaSOD4d85\n_index: app-search-log-collection-2022.10.14\n_type: _doc\nhost: 192.168.46.1\nlevel: ERROR\nlevel_value: 40000\nlogger_name: com.botao.webcrawler.controller.GetOption\nmessage: NullPointException , something was wrong, please check the detail log\nnum_hits: 1\nnum_matches: 1\nport: 61641\nthread_name: qtp1485485458-34\n",
"severity": "error",
"summary": "testrule"
},
"startsAt": "2022-10-14T05:58:40.814294659-04:00",
"endsAt": "0001-01-01T00:00:00Z",
"generatorURL": "",
"fingerprint": "431557357427d58a"
}
],
"groupLabels": {
"alertname": "Title"
},
"commonLabels": {
"alertname": "Title",
"elastalert_rule": "testrule",
"log": "null",
"msg": "NullPointException , something was wrong, please check the detail log",
"source": "elastalert"
},
"commonAnnotations": {
"description": "testrule\n\nAt least 1 events occurred between 2022-10-14 05:57 EDT and 2022-10-14 05:58 EDT\n\n@timestamp: 2022-10-14T09:58:00.095Z\n@version: 1\n_id: pyHt1YMBjckmaSOD4d85\n_index: app-search-log-collection-2022.10.14\n_type: _doc\nhost: 192.168.46.1\nlevel: ERROR\nlevel_value: 40000\nlogger_name: com.botao.webcrawler.controller.GetOption\nmessage: NullPointException , something was wrong, please check the detail log\nnum_hits: 1\nnum_matches: 1\nport: 61641\nthread_name: qtp1485485458-34\n",
"severity": "error",
"summary": "testrule"
},
"externalURL": "http://x.x.x.x:9093",
"version": "4",
"groupKey": "{}:{alertname=\"Title\"}",
"truncatedAlerts": 0
}
