本篇仅记录了在使用中接触到的，会在今后使用中不断更新。

Elastalert

ElastAlert是Yelp公司开源的一套用Python写的报警框架。

安装

pip install elastalert

命令

elastalert-create-index命令用来创建ES索引的，默认为elastalert_status

elastalert-test-rule测试自定义配置中的rule设置

elastalert-rule-from-kibana从Kibana3中直接导出Filters

Example Config

# 规则文件目录，建议使用全路径
rules_folder: example_rules

# 用来设置定时向ES发请求
run_every:
  minutes: 5

# 用来设置请求里时间字段的范围
buffer_time:
  minutes: 15

# Elasticsearch host
es_host: elasticsearch.example.com

# The Elasticsearch port
es_port: 9200

# Optional URL prefix for Elasticsearch
#es_url_prefix: elasticsearch

# Connect with TLS to Elasticsearch
#use_ssl: True

# Verify TLS certificates
#verify_certs: True

# GET request with body is the default option for Elasticsearch.
# If it fails for some reason, you can pass 'GET', 'POST' or 'source'.
# See http://elasticsearch-py.readthedocs.io/en/master/connection.html?highlight=send_get_body_as#transport
# for details
#es_send_get_body_as: GET

# Option basic-auth username and password for Elasticsearch
#es_username: someusername
#es_password: somepassword

# The index on es_host which is used for metadata storage
# This can be a unmapped index, but it is recommended that you run
# elastalert-create-index to set a mapping
writeback_index: elastalert_status

# If an alert fails for some reason, ElastAlert will retry
# sending the alert until this time period has elapsed
alert_time_limit:
  days: 2

# 当Alert需要Email时
# 以下使用QQSMTP服务
# smtp_auth_file为SMTP Email账号信息的配置文件路径（使用yaml，key为user和password），建议使用全路径
smtp_host: smtp.exmail.qq.com
smtp_port: 465
smtp_ssl: true
smtp_auth_file: ~/email_auth.yaml
from_addr: example@qq.com

Example Rule

es_host: host
es_port: port
name: rule_name
type: frequency
use_strftime_index: true
index: project-%Y.%m.%d

# 指定事件数，进行Alert
num_events: 5
timeframe:
  minutes: 1

# 查询条件
filter:
- query:
    query_string:
      query: "ERROR"

# Alert使用Email
alert:
- "email"

# 通知多个Email
email:
- "example1@example.com"
- "example2@example.com"