ELK关键字告警-elastalert2
安装
版本 2.14
安装方式 As a Python package
Requirements
Elasticsearch 7.x or 8.x, or OpenSearch 1.x or 2.x
Python 3.11. Requires OpenSSL 1.1.1 or newer.
openssl安装
openssl-1.1.1.tar.gz
./config --prefix=/usr/local/openssl shared zlib
make && make install
echo 'export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/usr/local/openssl/lib' >> /etc/profile
python3.11安装
yum install zlib zlib-devel openssl openssl-devel libffi-devel -y
python-3.11.6.tgz
./configure --prefix=/usr/local/python3.11 --enable-optimizations --with-openssl=/usr/local/openssl
make && make install
ln -s /usr/local/python3.11/bin/python3 /usr/bin/python3
ln -s /usr/local/python3.11/bin/pip3 /usr/bin/pip3
elastalert2安装
pip3 install elastalert2
elastalert2-2.14.tar.gz
全局配置
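---
# ElastAlert 2 global configuration (config.yaml).
# Indentation below is the structure the loader expects; the pasted original
# had lost it. All values are the original ones unless a comment says otherwise.

# This is the folder that contains the rule yaml files
# This can also be a list of directories
# Any .yaml file will be loaded as a rule
# NOTE(review): a relative path is resolved against the working directory of
# the process, not this file's location — confirm how the service is started.
rules_folder: test/

# How often ElastAlert will query Elasticsearch
# The unit can be anything from weeks to seconds
run_every:
  minutes: 5

# ElastAlert will buffer results from the most recent
# period of time, in case some log sources are not in real time
buffer_time:
  minutes: 1

# The Elasticsearch hostname for metadata writeback
# Note that every rule can have its own Elasticsearch host
es_host: 11.11.11.11

# The Elasticsearch port
es_port: 9200

# The AWS region to use. Set this when using AWS-managed elasticsearch
#aws_region: us-east-1

# The AWS profile to use. Use this if you are using an aws-cli profile.
# See http://docs.aws.amazon.com/cli/latest/userguide/cli-chap-getting-started.html
# for details
#profile: test

# Optional URL prefix for Elasticsearch
#es_url_prefix: elasticsearch

# Optional prefix for statsd metrics
#statsd_instance_tag: elastalert

# Optional statsd host
#statsd_host: dogstatsd

# Connect with TLS to Elasticsearch
# With these three left commented out, the basic-auth credentials below travel
# over plain HTTP to es_host. Enable use_ssl and verify_certs wherever the
# cluster offers TLS (booleans are written lowercase: true / false).
#use_ssl: true

# Verify TLS certificates
#verify_certs: true

# Show TLS or certificate related warnings
#ssl_show_warn: true

# GET request with body is the default option for Elasticsearch.
# If it fails for some reason, you can pass 'GET', 'POST' or 'source'.
# See https://elasticsearch-py.readthedocs.io/en/master/connection.html?highlight=send_get_body_as#transport
# for details
#es_send_get_body_as: GET

# Option basic-auth username and password for Elasticsearch
# The password is quoted: a plain scalar beginning with '*' is a YAML alias
# reference and fails to parse. Prefer supplying it through the ES_PASSWORD
# environment variable (ES_USERNAME for the user) rather than a file in VCS.
es_username: elastic
es_password: '*******'  # redacted placeholder

# Use SSL authentication with client certificates client_cert must be
# a pem file containing both cert and key for client
#ca_certs: /path/to/cacert.pem
#client_cert: /path/to/client_cert.pem
#client_key: /path/to/client_key.key

# The index on es_host which is used for metadata storage
# This can be a unmapped index, but it is recommended that you run
# elastalert-create-index to set a mapping
writeback_index: elastalert_status

# Keep running a rule after it raises an error (false = do not disable it)
disable_rules_on_error: false

# If an alert fails for some reason, ElastAlert will retry
# sending the alert until this time period has elapsed
alert_time_limit:
  days: 1

# Optional timestamp format.
# ElastAlert will print timestamps in alert messages and in log messages using this format.
#custom_pretty_ts_format: '%Y-%m-%d %H:%M'
custom_pretty_ts_format: '%Y-%m-%d %H:%M:%S'

#use_terms_query: true

# Custom logging configuration
# If you want to setup your own logging configuration to log into
# files as well or to Logstash and/or modify log levels, use
# the configuration below and adjust to your needs.
# Note: if you run ElastAlert with --verbose/--debug, the log level of
# the "elastalert" logger is changed to INFO, if not already INFO/DEBUG.
# The block is a Python logging.config.dictConfig schema (version 1).
logging:
  version: 1
  incremental: false
  disable_existing_loggers: false
  formatters:
    logline:
      format: '%(asctime)s %(levelname)+8s %(name)+20s %(message)s'
  handlers:
    console:
      class: logging.StreamHandler
      formatter: logline
      level: DEBUG
      stream: ext://sys.stderr
    file:
      class: logging.FileHandler
      formatter: logline
      level: DEBUG
      # Relative path: written into the process working directory.
      filename: elastalert.log
  loggers:
    elastalert:
      level: WARN
      handlers: []
      propagate: true
    elasticsearch:
      level: WARN
      handlers: []
      propagate: true
    elasticsearch.trace:
      level: WARN
      handlers: []
      propagate: true
    '':  # root logger — the only one with handlers; the named loggers propagate to it
      level: WARN
      handlers:
        - console
        - file
      propagate: false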
规则配置
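---
# ElastAlert 2 rule: e-mail plus a local script whenever a CRITICAL line from
# app "aaa" is indexed. Indentation restored; values unchanged unless noted.

# Rule name, must be unique
name: testrule1

# (Required)
# Type of alert.
# the frequency rule type alerts when num_events events occur with timeframe time
type: frequency

# (Required)
# Index to search, wildcard supported
# Quoted so the '*' cannot be read as a YAML alias sigil by any loader.
index: 'app-aaa-*'

# (Required, frequency specific)
# Alert when this many documents matching the query occur within a timeframe
num_events: 1

# (Required, frequency specific)
# num_events must occur within this amount of time to trigger an alert
# Per-rule query interval (overrides the global run_every for this rule)
run_every:
  minutes: 5

# Time window each query covers
timeframe:
  # hours: 4
  minutes: 5

# 0 disables alert suppression: every run with a match alerts again.
# A noisy source therefore produces one e-mail and one script run per run_every.
realert:
  minutes: 0

#query_delay:
#  minutes: 5

# (Required)
# A list of Elasticsearch filters used for find events
# These filters are joined with AND and nested in a filtered query
# For more info: https://www.elastic.co/guide/en/elasticsearch/reference/current/query-dsl.html
filter:
  #- term:
  #    some_field: "some_value"
  - query:
      query_string:
        query: 'message:"CRITICAL" AND app:"aaa"'

# Fields copied from the matching document into the match (used by the
# *_args lists and the command placeholders below)
include:
  - "app"
  - "module"
  - "message"
  - "env"
  - "log.file.path"
  - "host.name"

# (Required)
# The alert is use when a match is found
alert:
  - "email"
  - "command"

# --- email alerter -----------------------------------------------------------
email:
  - "111@qq.com"
cc:
  - "111@qq.com"
# Unauthenticated SMTP on port 25, i.e. cleartext. If the relay supports it,
# add smtp_ssl: true and/or smtp_auth_file so alert contents are not readable
# on the wire.
smtp_host: "11.qq.com"
smtp_port: 25
from_addr: "11@qq.com"
email_format: "html"
alert_subject: "{} {}"
alert_subject_args:
  - log.file.path
  - message
alert_text_type: alert_text_only
# alert_text_args are substituted into the '{}' slots of this HTML body.
# NOTE(review): message is raw log content and nothing in this rule escapes
# '<' or '&' before it lands in HTML mail — confirm whether the alerter does,
# or switch email_format to plain text if HTML is not needed.
alert_text: "<p>hostname: {} </p><p>logpath: {}</p><p>message: {} </p>"
alert_text_args:
  - host.name
  - log.file.path
  - message

# --- command alerter ---------------------------------------------------------
# Each element is a separate argv entry with %(field)s filled from the match.
# Keep the list form: a single-string command is executed through a shell, and
# message / log.file.path are log-derived content. msend.sh must treat its
# arguments as data as well.
command:
  - '/app/elastalert/scripts/msend.sh'
  - '%(app)s'
  - '%(env)s'
  - '%(message)s'
  - '%(host.name)s'
  - '%(log.file.path)s'
  - 'CRITICAL'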
# Start ElastAlert 2 in the background with the global config above; --verbose
# raises the "elastalert" logger to INFO (see the logging section of config.yaml).
# NOTE(review): a bare '&' leaves the process attached to this login shell —
# a service unit (or nohup/setsid) is the usual way to keep it alive; confirm
# how it is run in deployment.
python3 -m elastalert.elastalert --verbose --config config.yaml &
文档信息
https://elastalert2.readthedocs.io/en/latest/elastalert.html