
ELK关键字告警-elastalert2

作者: Kscoq | 来源:发表于2024-02-18 14:16 被阅读0次

    安装


    版本 2.14
    安装方式 As a Python package
    Requirements
    Elasticsearch 7.x or 8.x, or OpenSearch 1.x or 2.x
    Python 3.11, built against OpenSSL 1.1.1 or newer. Note that the OpenSSL 1.1.1 branch is end-of-life (no security fixes since September 2023); Python 3.11 also builds against OpenSSL 3.x, so prefer a supported 3.0 LTS release unless another component on the host requires 1.1.1.

    openssl安装

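    # Build OpenSSL from source. The guide pins 1.1.1; that branch is
    # end-of-life and no longer receives security fixes, so prefer a
    # supported 3.0 LTS release if nothing else on the host needs 1.1.1.
    #
    # Verify the tarball before building (compare the SHA-256 with the
    # value published on openssl.org and/or check the release signature),
    # so a tampered download does not become the host's TLS stack.
    sha256sum openssl-1.1.1.tar.gz   # compare with the published checksum
    tar xzf openssl-1.1.1.tar.gz && cd openssl-1.1.1
    ./config --prefix=/usr/local/openssl shared zlib
    make && make install

    # Make the shared libraries resolvable via ld.so rather than a global
    # LD_LIBRARY_PATH in /etc/profile: the original line affected every
    # process started from a login shell, and because LD_LIBRARY_PATH is
    # normally unset, "$LD_LIBRARY_PATH:/usr/local/openssl/lib" expanded to
    # ":/usr/local/openssl/lib" -- the empty leading entry makes the dynamic
    # loader search the current working directory first.
    echo "/usr/local/openssl/lib" > /etc/ld.so.conf.d/openssl-local.conf
    ldconfig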

    python3.11安装

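    # Build Python 3.11 against the OpenSSL installed above.
    yum install zlib zlib-devel openssl openssl-devel libffi-devel -y
    # Verify the tarball (SHA-256 / GPG signature from python.org) first.
    sha256sum Python-3.11.6.tgz      # compare with the published checksum
    tar xzf Python-3.11.6.tgz && cd Python-3.11.6
    # --with-openssl-rpath=auto embeds the OpenSSL library path in the
    # interpreter, so no LD_LIBRARY_PATH is needed at run time.
    ./configure --prefix=/usr/local/python3.11 --enable-optimizations \
        --with-openssl=/usr/local/openssl --with-openssl-rpath=auto
    make && make install

    # Do NOT point /usr/bin/python3 at the new interpreter: distro tooling
    # is built against the system python3 and breaks when it is swapped
    # (and `ln -s` fails with "File exists" where the distro already ships
    # one). Expose the new interpreter under /usr/local/bin instead, and
    # use it only through a dedicated virtualenv for ElastAlert.
    ln -s /usr/local/python3.11/bin/python3.11 /usr/local/bin/python3.11
    ln -s /usr/local/python3.11/bin/pip3.11 /usr/local/bin/pip3.11
    # Sanity check: the interpreter must link against the custom OpenSSL.
    /usr/local/bin/python3.11 -c 'import ssl; print(ssl.OPENSSL_VERSION)'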

    elastalert2安装

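    # As written in the original (`pip3 elastalert2`) this is not a valid
    # pip invocation: the `install` subcommand is missing.
    #
    # Install into a dedicated virtualenv so ElastAlert's dependencies do
    # not mix with the interpreter's site-packages, and pin the version the
    # guide was written against (2.14) so a later re-run cannot silently
    # pull a newer release.
    /usr/local/python3.11/bin/python3.11 -m venv /app/elastalert/venv
    /app/elastalert/venv/bin/pip install --upgrade pip
    /app/elastalert/venv/bin/pip install 'elastalert2==2.14.*'
    # Offline alternative from the downloaded sdist; verify its checksum
    # against the one published on PyPI before installing:
    #/app/elastalert/venv/bin/pip install ./elastalert2-2.14.tar.gz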

    全局配置


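    # ElastAlert2 global configuration (config.yaml).

    # Folder that contains the rule yaml files. May also be a list of
    # directories; every .yaml file found is loaded as a rule.
    rules_folder: test/

    # How often ElastAlert queries Elasticsearch (unit: weeks .. seconds).
    run_every:
      minutes: 5

    # Re-query this much of the recent past on each run, in case some log
    # sources are not real-time.
    buffer_time:
      minutes: 1

    # Elasticsearch host/port used for metadata writeback.
    # Every rule can point at its own Elasticsearch host.
    es_host: 11.11.11.11
    es_port: 9200

    # AWS-managed Elasticsearch only: region and aws-cli profile.
    # See http://docs.aws.amazon.com/cli/latest/userguide/cli-chap-getting-started.html
    #aws_region: us-east-1
    #profile: test

    # Optional URL prefix for Elasticsearch.
    #es_url_prefix: elasticsearch

    # Optional statsd metrics.
    #statsd_instance_tag: elastalert
    #statsd_host: dogstatsd

    # Transport security. The original left all three commented out while
    # sending basic-auth credentials (es_username/es_password below), so
    # the password crossed the network in clear text on every query and
    # nothing verified which host answered. Keep TLS on with certificate
    # verification; Elasticsearch 8.x serves HTTPS by default.
    use_ssl: true
    verify_certs: true
    ssl_show_warn: true

    # GET request with body is the default for Elasticsearch. If that
    # fails, pass 'GET', 'POST' or 'source'.
    # See https://elasticsearch-py.readthedocs.io/en/master/connection.html?highlight=send_get_body_as#transport
    #es_send_get_body_as: GET

    # Basic-auth credentials for Elasticsearch.
    # Do not keep the real password in this file: it is readable by anyone
    # who can read the ElastAlert working directory and tends to end up in
    # version control or in copy-pasted guides. ElastAlert2 also reads
    # ES_USERNAME / ES_PASSWORD from the environment, so supply the password
    # that way (e.g. a systemd EnvironmentFile with mode 0600) and leave the
    # key out of this file. If it must live here, chmod 600 the file and
    # quote the value: the original's unquoted `*******` placeholder is
    # parsed by YAML as an alias reference and makes the file fail to load.
    es_username: elastic
    #es_password: "change-me"

    # CA bundle that signed the Elasticsearch certificate (required with a
    # private CA). A client certificate is an alternative to the password;
    # client_cert must be a pem file containing both cert and key.
    #ca_certs: /path/to/cacert.pem
    #client_cert: /path/to/client_cert.pem
    #client_key: /path/to/client_key.key

    # Index on es_host used for metadata storage. It can be an unmapped
    # index, but run elastalert-create-index once to set a mapping.
    writeback_index: elastalert_status

    disable_rules_on_error: false

    # If sending an alert fails, ElastAlert retries until this period has
    # elapsed.
    alert_time_limit:
      days: 1

    # Timestamp format used in alert messages and log messages.
    #custom_pretty_ts_format: '%Y-%m-%d %H:%M'
    custom_pretty_ts_format: '%Y-%m-%d %H:%M:%S'

    #use_terms_query: true

    # Custom logging configuration: log to the console and to a file.
    # Adjust handlers/levels to taste (e.g. to ship to Logstash).
    # Note: running ElastAlert with --verbose/--debug raises the
    # "elastalert" logger to INFO if it is not already INFO/DEBUG.
    # The log file is written relative to the working directory and will
    # contain matched log lines; protect it like the logs it summarises.
    logging:
      version: 1
      incremental: false
      disable_existing_loggers: false
      formatters:
        logline:
          format: '%(asctime)s %(levelname)+8s %(name)+20s %(message)s'
      handlers:
        console:
          class: logging.StreamHandler
          formatter: logline
          level: DEBUG
          stream: ext://sys.stderr
        file:
          class: logging.FileHandler
          formatter: logline
          level: DEBUG
          filename: elastalert.log
      loggers:
        elastalert:
          level: WARN
          handlers: []
          propagate: true
        elasticsearch:
          level: WARN
          handlers: []
          propagate: true
        elasticsearch.trace:
          level: WARN
          handlers: []
          propagate: true
        '':  # root logger
          level: WARN
          handlers:
            - console
            - file
          propagate: false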
    
    

    规则配置


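    # Rule name, must be unique across all loaded rules.
    name: testrule1

    # (Required) Type of alert. The frequency rule type alerts when
    # num_events matching documents occur within timeframe.
    type: frequency

    # (Required) Index to search; wildcards are supported.
    index: app-aaa-*

    # (Required, frequency specific) Alert when this many matching
    # documents occur within timeframe. With num_events: 1 every single
    # matching line alerts, so the count threshold is effectively off.
    num_events: 1

    # Per-rule query interval (overrides the global run_every).
    run_every:
      minutes: 5

    # (Required, frequency specific) num_events must occur within this
    # window to trigger an alert.
    timeframe:
    #  hours: 4
      minutes: 5

    # Minimum time between two alerts for the same rule. 0 disables
    # deduplication: combined with num_events: 1, a source that logs
    # CRITICAL continuously produces one email and one command run per
    # match on every cycle -- a self-inflicted alert flood. Raise this
    # (e.g. minutes: 5) and/or set query_key to dedupe per host.
    realert:
      minutes: 0

    #query_delay:
    #  minutes: 5

    # (Required) Elasticsearch filters used to find events. They are joined
    # with AND and nested in a filtered query.
    # For more info: https://www.elastic.co/guide/en/elasticsearch/reference/current/query-dsl.html
    filter:
    #- term:
    #    some_field: "some_value"
    - query:
        query_string:
          query: 'message:"CRITICAL" AND app:"aaa"'

    # Fields returned with each match; the alert text, subject and command
    # below can only reference fields listed here.
    include:
      - "app"
      - "module"
      - "message"
      - "env"
      - "log.file.path"
      - "host.name"

    # (Required) Alerters run when a match is found.
    alert:
    - "email"
    - "command"

    email:
    - "111@qq.com"
    cc:
    - "111@qq.com"

    # Plain SMTP on port 25 with no authentication: alert contents (which
    # include raw log lines) are relayed in clear text. If the relay
    # supports it, use smtp_ssl: true (or port 587 with STARTTLS) and keep
    # credentials in smtp_auth_file rather than in this rule.
    smtp_host: "11.qq.com"
    smtp_port: 25
    from_addr: "11@qq.com"

    # The original sent the body as HTML with the raw `message` field
    # substituted in unescaped, so anything that can write to the monitored
    # log could inject markup (links, images, hidden text) into the alert
    # email. Send plain text instead; switch back to "html" only if the
    # substituted fields are known to be safe.
    #email_format: "html"

    alert_subject: "{} {}"
    alert_subject_args:
      - log.file.path
      - message

    alert_text_type: alert_text_only
    alert_text: |-
      hostname: {}
      logpath: {}
      message: {}
    alert_text_args:
      - host.name
      - log.file.path
      - message

    # The command alerter is given an argv list (not a string), so
    # ElastAlert runs it without a shell and the arguments are not subject
    # to shell parsing here. The log-controlled values (message,
    # log.file.path, host.name) are still passed verbatim: msend.sh must
    # treat "$3" etc. as data -- always double-quote them and never eval or
    # re-parse them through a shell -- otherwise a crafted log line becomes
    # command execution on the alerting host.
    command: ['/app/elastalert/scripts/msend.sh', "%(app)s", "%(env)s", "%(message)s", "%(host.name)s", "%(log.file.path)s", "CRITICAL"]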
    

    python3 -m elastalert.elastalert --verbose --config config.yaml &

    文档信息

    https://elastalert2.readthedocs.io/en/latest/elastalert.html

    https://github.com/jertel/elastalert2

    https://zhuanlan.zhihu.com/p/386723212
