elastalert: monitoring and email alerting at the Elasticsearch layer

With an ELK stack already deployed:

elastalert reads a specified Elasticsearch index, matches the documents against rules, and sends an email alert when a rule matches.
1. Install Python 3
elastalert 0.2.x runs on Python 3.

[root@localhost ~] yum -y install wget openssl openssl-devel gcc gcc-c++ #install build dependencies
[root@localhost ~] wget -c https://www.python.org/ftp/python/3.6.2/Python-3.6.2.tgz #download Python 3
[root@localhost ~] tar -zxf Python-3.6.2.tgz #unpack
[root@localhost ~] cd Python-3.6.2
[root@localhost Python-3.6.2] ./configure --prefix=/usr/local/python --with-openssl #check the build environment (3.6's configure does not know --with-openssl and ignores it; the ssl module is built because openssl-devel is installed)
[root@localhost Python-3.6.2] make && make install #compile and install

2. Point python at Python 3, keep yum working, and create the symlinks

[root@localhost ~] which python
/usr/bin/python
[root@localhost ~] rm -rf /usr/bin/python #removes the system python symlink; anything with a #!/usr/bin/python shebang now has to be repointed to python2 (yum and urlgrabber are the two that matter on this host)
[root@localhost ~] vim /usr/bin/yum #change the first line to #!/usr/bin/python2
[root@localhost ~] cat /usr/bin/yum|sed -n '1p'
#!/usr/bin/python2
[root@localhost ~] vim /usr/libexec/urlgrabber-ext-down #same change here
[root@localhost ~] cat /usr/libexec/urlgrabber-ext-down |sed -n '1p'
#! /usr/bin/python2
[root@localhost ~] ln -s /usr/local/python/bin/python3 /usr/bin/python
[root@localhost ~] ln -s /usr/local/python/bin/pip3 /usr/bin/pip
#after these changes yum works again. A less invasive alternative is to leave /usr/bin/python alone and call /usr/local/python/bin/python3 and pip3 by their full paths, as step 7 does for elastalert itself.

3. Install elastalert

[root@localhost ~] tar -zxf v0.2.1_elasticalert.tar.gz
[root@localhost ~] mv elastalert-0.2.1 /usr/local/elastalert #move it under /usr/local

[root@localhost ~] cd /usr/local/elastalert/
[root@localhost elastalert] pip install "elasticsearch<7,>6" #the client's major version must match the cluster (ES 6.6.2 here)

[root@localhost elastalert] pip install --upgrade pip

[root@localhost elastalert] pip install -r requirements.txt

[root@localhost elastalert] python setup.py install

Before going further, check that the elasticsearch client left behind by the last two commands still matches the cluster's major version (pip show elasticsearch; 6.x for the ES 6.6.2 used here): requirements.txt and setup.py can replace the version pinned above, and a mismatched client is a common cause of failures.

Installation also provides three commands:
(1) elastalert-create-index: ElastAlert stores its execution records in an ES index, and this command creates that index. By default it is named elastalert_status. It holds several document types (status, error, silence, past alerts), each with its own @timestamp field, so Kibana can be used to browse ElastAlert's own log as well.
(2) elastalert-rule-from-kibana: reads the Filtering settings of a saved Kibana 3 dashboard to help generate the filter section of a rule. Note that it only reads filtering, not queries.
(3) elastalert-test-rule: tests a rule file (its schema and its query) against the cluster before you run it for real.

4. Create the elastalert writeback index

[root@localhost elastalert] cd /usr/local/python/bin/ #the console scripts were installed under the Python 3 prefix
[root@localhost bin] ./elastalert-create-index 

Enter Elasticsearch host: 192.168.59.110 #Elasticsearch host IP

Enter Elasticsearch port: 9200 #Elasticsearch port
Use SSL? t/f: f #no TLS

Enter optional basic-auth username (or leave blank): #press Enter

Enter optional basic-auth password (or leave blank): #press Enter

Enter optional Elasticsearch URL prefix (prepends a string to the URL of every request): #press Enter

New index name? (Default elastalert_status) #press Enter

New alias name? (Default elastalert_alerts) #press Enter

Name of existing index to copy? (Default None)  #press Enter

Elastic Version: 6.6.2
Reading Elastic 6 index mappings:
Reading index mapping 'es_mappings/6/silence.json'
Reading index mapping 'es_mappings/6/elastalert_status.json'
Reading index mapping 'es_mappings/6/elastalert.json'
Reading index mapping 'es_mappings/6/past_elastalert.json'
Reading index mapping 'es_mappings/6/elastalert_error.json'
New index elastalert_status created
Done!

5. Edit the configuration file

[root@localhost bin] cd /usr/local/elastalert/
[root@localhost elastalert] mv config.yaml.example config.yaml #rename
[root@localhost elastalert] vim config.yaml 
[root@localhost elastalert] cat config.yaml |grep -v "^#"|sed '/^$/d'

rules_folder: example_rules # directory the rules are loaded from; default is example_rules. Every .yaml in it is loaded unless --rule is passed at start-up
run_every: # how often elastalert queries Elasticsearch, i.e. the polling interval of the alert checks
  minutes: 1
buffer_time: # width of the time range each query covers (the "from ... to ..." window in the start-up log)
  minutes: 15
es_host: 192.168.59.110
es_port: 9200
writeback_index: elastalert_status # index in which elastalert writes its own status records
writeback_alias: elastalert_alerts
alert_time_limit: # how long elastalert keeps retrying an alert that failed to send
  days: 2

6. Write a rule and configure email alerting

[root@localhost elastalert] cd example_rules/
[root@localhost example_rules] vim example_frequency.yaml 
[root@localhost example_rules] mv example_frequency.yaml nginx_frequency.yaml  #rename
[root@localhost example_rules] cat nginx_frequency.yaml |grep -v "^#"|sed '/^$/d'

es_host: 192.168.59.110
es_port: 9200
name: nginx rule # rule names must be unique
type: frequency
index: nginx_log-* # index pattern to monitor
num_events: 5 # number of matching events within the timeframe
timeframe:
  hours: 1 # five matching log entries written to ES within one hour trigger an email
filter:
- term: # exact match on the indexed value, not a regex: every document whose status field equals "404" counts. Check the field's mapping (keyword vs number) against the value written here, or the rule silently matches nothing
    status: "404"
alert:
- "email"
email:
- "[email protected]"
smtp_host: smtp.qq.com
smtp_port: 25 # elastalert attempts STARTTLS on this port, but many cloud providers block outbound 25 entirely; smtp_ssl: true with port 465 is the alternative QQ mail supports
smtp_auth_file: /usr/local/elastalert/example_rules/email_auth.yaml
from_addr: [email protected]

[root@localhost example_rules] vim email_auth.yaml
[root@localhost example_rules] cat email_auth.yaml 
user: "[email protected]" 
password: "zxvbnnggjfgd" #the QQ mail SMTP authorization code, not the account's login password. This file holds a live credential: keep it owned by the account that runs elastalert, with mode 600
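To see how the frequency rule above decides to fire, here is an added Python example (not ElastAlert's own code) that replays the rule's semantics, num_events matches of a term filter inside a sliding timeframe, over a handful of constructed nginx access-log lines. The log format, the `status` field name and type, and the timestamps are assumptions; ElastAlert itself reads hits from Elasticsearch rather than from files, and additionally applies `realert` suppression after an alert, which is not modelled here.

```python
import re
from collections import deque
from datetime import datetime, timedelta

# Added example, not ElastAlert's own code: replays the `frequency` rule
# above (num_events 5 within timeframe 1h, filter term status "404") over
# constructed nginx access-log lines so the trigger can be checked offline.

# nginx combined log format (assumed; match it to your Logstash grok pattern)
NGINX_RE = re.compile(
    r'(?P<remote>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)


def parse_line(line):
    """Turn one access-log line into the fields the rule looks at, or None."""
    m = NGINX_RE.match(line)
    if not m:
        return None
    return {
        "@timestamp": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "status": m.group("status"),  # indexed as a string here (assumption)
        "request": m.group("request"),
    }


class FrequencyRule:
    """Fires when num_events filter matches fall inside a sliding timeframe.

    Events must arrive in @timestamp order, which is how ElastAlert hands
    query hits to a rule. The counter is reset after an alert, as ElastAlert
    does; its separate `realert` suppression is not modelled here.
    """

    def __init__(self, num_events, timeframe, term=("status", "404")):
        self.num_events = num_events
        self.timeframe = timeframe
        self.field, self.value = term
        self.window = deque()   # timestamps of matching events still in the window
        self.alerts = []        # (window_start, window_end, count) per alert

    def matches(self, event):
        # `term` is an exact comparison of the indexed value, not a regex.
        return event.get(self.field) == self.value

    def add_event(self, event):
        """Feed one document; return True if this one triggered an alert."""
        if not self.matches(event):
            return False
        now = event["@timestamp"]
        self.window.append(now)
        # Like ElastAlert's EventWindow: hits spanning the full timeframe or
        # more drop out, so the window always covers less than `timeframe`.
        while now - self.window[0] >= self.timeframe:
            self.window.popleft()
        if len(self.window) >= self.num_events:
            self.alerts.append((self.window[0], now, len(self.window)))
            self.window.clear()
            return True
        return False


def run_rule(lines, num_events=5, timeframe_minutes=60, term=("status", "404")):
    """Replay log lines through a FrequencyRule and return the alerts raised."""
    rule = FrequencyRule(num_events, timedelta(minutes=timeframe_minutes), term)
    for line in lines:
        event = parse_line(line)
        if event is not None:
            rule.add_event(event)
    return rule.alerts


# Constructed sample, not captured from a real server: one client probing
# for common paths produces five 404s inside six minutes.
SAMPLE_LOG = [
    '10.0.0.1 - - [06/Apr/2020:21:40:01 +0800] "GET / HTTP/1.1" 200 612',
    '10.0.0.2 - - [06/Apr/2020:21:41:10 +0800] "GET /admin HTTP/1.1" 404 153',
    '10.0.0.2 - - [06/Apr/2020:21:42:15 +0800] "GET /wp-login.php HTTP/1.1" 404 153',
    '10.0.0.2 - - [06/Apr/2020:21:43:20 +0800] "GET /.env HTTP/1.1" 404 153',
    '10.0.0.3 - - [06/Apr/2020:21:44:25 +0800] "GET /index.html HTTP/1.1" 200 612',
    '10.0.0.2 - - [06/Apr/2020:21:45:30 +0800] "GET /phpmyadmin HTTP/1.1" 404 153',
    '10.0.0.2 - - [06/Apr/2020:21:46:35 +0800] "GET /.git/config HTTP/1.1" 404 153',
    '10.0.0.4 - - [06/Apr/2020:23:50:00 +0800] "GET /missing HTTP/1.1" 404 153',
]

if __name__ == "__main__":
    for start, end, count in run_rule(SAMPLE_LOG):
        print(f"ALERT: {count} x status 404 between {start:%H:%M:%S} and {end:%H:%M:%S}")
```

With the rule's own settings the fifth 404 at 21:46:35 fires one alert and resets the counter, so the lone 404 two hours later does not; raising num_events to 6 or shrinking the timeframe to 4 minutes yields no alert at all, which is the kind of check worth doing on real data with elastalert-test-rule before the rule goes live.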

7. Start elastalert and monitor nginx logs in real time

[root@localhost example_rules] cd ..
[root@localhost elastalert] /usr/local/python/bin/elastalert --config /usr/local/elastalert/config.yaml --rule /usr/local/elastalert/example_rules/nginx_frequency.yaml --verbose

INFO:elastalert:Starting up
INFO:elastalert:Disabled rules are: []
INFO:elastalert:Sleeping for 59.999896 seconds
INFO:elastalert:Queried rule nginx rule from 2020-04-06 21:42 CST to 2020-04-06 21:57 CST: 0 / 0 hits
......
......
......
#--rule restricts this run to the one rule file; without it every rule in rules_folder, including the other example_rules shipped in the tarball, is loaded. Each "Queried rule ..." line is one buffer_time window (15 minutes) queried every run_every (1 minute), and "0 / 0 hits" means nothing matched the filter in that window. Hits are accumulated across runs, and once five status-404 documents fall within one hour the email alert is sent.
Reprinted from blog.csdn.net/xiaohuai0444167/article/details/105353512