ElastAlert is a simple framework for alerting on anomalies, spikes, or other patterns of interest in data stored in Elasticsearch. We use Elasticsearch, Logstash and Kibana to manage our ever-growing volume of data and logs. Kibana is great for visualizing and querying data, but we quickly realized that it needs a companion tool to alert us about inconsistencies in that data. ElastAlert was created to fill that need. If your data is being written to Elasticsearch in near real time and you want to be alerted when it matches certain patterns, ElastAlert is a good tool for you.
Official installation guide: see details
I. Install and configure ElastAlert:
1. Prerequisites:
Elasticsearch
ISO8601 or Unix timestamped data
Python 2.7
pip, see requirements.txt
Packages on Ubuntu 14.x: python-pip python-dev libffi-dev libssl-dev
2. Installation steps:
There are two ways to obtain the code. Either install it with pip:

$ pip install elastalert

or clone the repository directly:

$ git clone https://github.com/Yelp/elastalert.git
Install the module:

$ cd elastalert
$ pip install "setuptools>=11.3"
$ python setup.py install
This step may fail with an error like the following:

warning: no files found matching 'blist.rst'
blist/_blist.c:38:20: 致命错误:Python.h:没有那个文件或目录 #include<Python.h>

It is caused by the missing Python development headers; install them:

$ yum install python-devel
Install the Elasticsearch client library matching your cluster version:

$ pip install "elasticsearch>=5.0.0" # Elasticsearch 5.0

or

$ pip install "elasticsearch<3.0.0" # Elasticsearch 2.X
3. Global configuration
In the project root, find the file config.yaml.example, copy it to config.yaml, and edit the settings inside it:
(1) Set the Elasticsearch address

# Elasticsearch server address
es_host: localhost
# Elasticsearch port
es_port: 9200
# If Elasticsearch requires a username and password, configure the following as well
#es_username: root
#es_password: 123456
(2) Set the parent directory of the alert rule files; how to write an alert rule is described later

rules_folder: /opt/tools/esalert/elastalert/alert_rules
(3) Set the alert check frequency; here I set it to run a check every 30 minutes

# How often ElastAlert will query Elasticsearch
# The unit can be anything from weeks to seconds
run_every:
  minutes: 30
(4) Configure how long failed alerts are retried

# If an alert fails for some reason, ElastAlert will retry
# sending the alert until this time period has elapsed
alert_time_limit:
  days: 2
(5) Create the Elasticsearch index that ElastAlert uses to store alert records

$ elastalert-create-index
4. Configure an alert rule; a frequency-type rule is used as the example here

$ mkdir alert_rules
$ touch alert_rules/example_frequency.yaml
$ vi alert_rules/example_frequency.yaml

Enter the following content:
# (Optional)
# Elasticsearch host
es_host: localhost

# (Optional)
# Elasticsearch port
es_port: 9200

# (Optional) Connect with SSL to Elasticsearch
#use_ssl: True

# (Optional) basic-auth username and password for Elasticsearch
#es_username: someusername
#es_password: somepassword

# (Required)
# Rule name, must be unique
name: TestErrorReport

# (Required)
# Type of alert.
# the frequency rule type alerts when num_events events occur with timeframe time
type: frequency

# (Required)
# Index name
index: test-log-*

# (Required, frequency specific)
# An alert is triggered when the number of matching records reaches this value
num_events: 1

# (Required, frequency specific)
# num_events must occur within this amount of time to trigger an alert
timeframe:
  seconds: 1800

# (Required)
# A list of Elasticsearch filters used for find events
# These filters are joined with AND and nested in a filtered query
# For more info: http://www.elasticsearch.org/guide/en/elasticsearch/reference/current/query-dsl.html
# Filter rule, Lucene syntax, similar to a Kibana query
filter:
- term:
    level.keyword: "ERROR"

# Adds a summary line to the e-mail body
alert_text: "Simo API 模块服务器内部异常,请及时处理!"

# (Required)
# Alert method; I chose e-mail notification here
alert:
- "email"

# Mail server settings; if you do not run your own mail server, a QQ Mail or 163 Mail account can be used to send the mail
smtp_host: smtp.test.com
smtp_port: 25
# Credentials file; it must contain the two keys user and password
smtp_auth_file: …/smtp_auth_file.yaml
# Mailbox the alerts are sent from
from_addr: [email protected]
# Replies to the alert mail go to this mailbox
email_reply_to: [email protected]

# (required, email specific)
# List of recipient mailboxes to notify, one "- address" entry per line
email:
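To make the two time-based settings above concrete, here is an added example (my own code, not ElastAlert's) that models how the interval dicts used in config.yaml (run_every, alert_time_limit) and in the rule (timeframe) map onto datetime.timedelta, and evaluates the frequency rule from step 4 over a handful of constructed log events: the rule fires when num_events matching events fall inside one timeframe window. The rule values mirror the YAML above; the event field names (@timestamp, level, message) and the events themselves are assumptions for the demonstration.

```python
"""Frequency-rule semantics in plain Python, evaluated over constructed log events.

Added example, not ElastAlert's own code. Interval dicts use the unit names the
post's config accepts ("from weeks to seconds"), which are exactly the keyword
arguments datetime.timedelta takes.
"""
from collections import deque
from datetime import datetime, timedelta

INTERVAL_UNITS = ("weeks", "days", "hours", "minutes", "seconds")


def interval(spec):
    """Convert a {"minutes": 30} style dict into a timedelta; reject unknown units."""
    bad = set(spec) - set(INTERVAL_UNITS)
    if bad:
        raise ValueError("unsupported time unit(s): %s" % ", ".join(sorted(bad)))
    return timedelta(**spec)


# Mirror of alert_rules/example_frequency.yaml from the post (same values, as a dict).
RULE = {
    "name": "TestErrorReport",
    "type": "frequency",
    "index": "test-log-*",
    "num_events": 1,
    "timeframe": {"seconds": 1800},
    "filter": [{"term": {"level.keyword": "ERROR"}}],
}


def field_value(doc, field):
    """Resolve a field name; '.keyword' is an Elasticsearch sub-field of the same value."""
    if field in doc:
        return doc[field]
    if field.endswith(".keyword"):
        return doc.get(field[: -len(".keyword")])
    return None


def matches(doc, filters):
    """All filters are ANDed, as in ElastAlert; only 'term' filters are modelled here."""
    for f in filters:
        if "term" not in f:
            raise ValueError("only term filters are supported in this example")
        (field, value), = f["term"].items()
        if field_value(doc, field) != value:
            return False
    return True


def frequency_matches(rule, docs, ts_field="@timestamp"):
    """Return the timestamps at which num_events matching docs fell within timeframe.

    Sliding window over matching events; after an alert fires the window is cleared
    so the same events are not counted again.
    """
    window = interval(rule["timeframe"])
    need = rule["num_events"]
    recent = deque()
    fired = []
    for doc in sorted(docs, key=lambda d: d[ts_field]):
        if not matches(doc, rule["filter"]):
            continue
        ts = doc[ts_field]
        recent.append(ts)
        while recent and ts - recent[0] > window:
            recent.popleft()
        if len(recent) >= need:
            fired.append(ts)
            recent.clear()
    return fired


# Constructed sample events (not real logs); two ERROR entries about two hours apart.
T0 = datetime(2019, 3, 8, 5, 52, 46)
SAMPLE = [
    {"@timestamp": T0, "level": "INFO", "message": "started"},
    {"@timestamp": T0 + timedelta(minutes=5), "level": "ERROR", "message": "db timeout"},
    {"@timestamp": T0 + timedelta(minutes=6), "level": "WARN", "message": "slow query"},
    {"@timestamp": T0 + timedelta(hours=2), "level": "ERROR", "message": "db timeout"},
]

if __name__ == "__main__":
    print("run_every        :", interval({"minutes": 30}))
    print("alert_time_limit :", interval({"days": 2}))
    for when in frequency_matches(RULE, SAMPLE):
        print("alert %s at %s" % (RULE["name"], when.isoformat()))
```

With num_events: 1 every ERROR entry fires on its own, which is why the post's rule alerts on the first error. Raising num_events to 2 with the same 1800-second timeframe gives no alert for the sample, because the two errors are further apart than the window; widening the timeframe to 4 hours makes them count together.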
5. Test whether the alert rule configuration works; --alert means the alert is actually sent

$ elastalert-test-rule --alert alert_rules/example_frequency.yaml

6. Run ElastAlert; --verbose prints detailed logs, and the settings are read from config.yaml by default

$ python -m elastalert.elastalert --verbose
II. Configure ElastAlert as a system service

$ cd /etc/systemd/system
$ touch elastalert.service
$ vi elastalert.service

Edit the file as follows:
[Unit]
Description=elastalert
After=elasticsearch.service

[Service]
Type=simple
User=root
Group=root
Restart=on-failure
WorkingDirectory=/opt/tools/esalert/elastalert
ExecStart=/usr/bin/elastalert --config /opt/tools/esalert/elastalert/config.yaml

[Install]
WantedBy=multi-user.target
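Before starting the service it is worth checking the unit for the mistakes that most often keep it from starting. The following added example (my own code, not part of the post or of ElastAlert; it assumes Python 3) parses a unit file with the standard library's configparser, verifies that the ExecStart binary, the file passed to --config and the WorkingDirectory exist, and flags a service that runs as root, as the unit above does. The sample unit embedded in it is a constructed copy of the unit from this section.

```python
"""Pre-flight check of an elastalert systemd unit before `systemctl start`.

Added example, not ElastAlert's code. Findings are returned as strings so the
check can be used from a script or a test; an empty list means nothing was found.
"""
import configparser
import os
import shlex


def parse_unit(text):
    """systemd units are INI-like. Keep key case (ExecStart != execstart), allow
    repeated keys as systemd does, and disable '%' interpolation so systemd
    specifiers such as %n are not misread."""
    cp = configparser.RawConfigParser(strict=False)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def check_unit(text, path_exists=os.path.exists):
    """Return a list of findings for the unit text. path_exists is injectable so
    the check can run against a constructed unit on a host without ElastAlert."""
    cp = parse_unit(text)
    findings = []
    for section in ("Unit", "Service", "Install"):
        if not cp.has_section(section):
            findings.append("missing [%s] section" % section)
    if not cp.has_section("Service"):
        return findings
    svc = cp["Service"]

    exec_start = svc.get("ExecStart", "")
    if not exec_start:
        findings.append("ExecStart is not set")
    else:
        argv = shlex.split(exec_start)
        if not os.path.isabs(argv[0]):
            findings.append("ExecStart must use an absolute path: %s" % argv[0])
        elif not path_exists(argv[0]):
            findings.append("ExecStart binary not found: %s" % argv[0])
        # The post starts elastalert with --config <file>; make sure that file exists.
        if "--config" in argv:
            i = argv.index("--config")
            cfg = argv[i + 1] if i + 1 < len(argv) else None
            if cfg is None or not path_exists(cfg):
                findings.append("--config file not found: %s" % cfg)

    wd = svc.get("WorkingDirectory", "").strip()
    if wd and not path_exists(wd):
        findings.append("WorkingDirectory not found: %s" % wd)

    # systemd runs a service as root when User= is absent, so treat that as root too.
    if svc.get("User", "root").strip() == "root":
        findings.append("service runs as root; a dedicated unprivileged user is preferable")
    return findings


def check_unit_file(path):
    """Convenience wrapper: check a unit file on disk, e.g. /etc/systemd/system/elastalert.service."""
    with open(path) as fh:
        return check_unit(fh.read())


# Constructed sample: a copy of the unit shown in the post.
SAMPLE_UNIT = """\
[Unit]
Description=elastalert
After=elasticsearch.service

[Service]
Type=simple
User=root
Group=root
Restart=on-failure
WorkingDirectory=/opt/tools/esalert/elastalert
ExecStart=/usr/bin/elastalert --config /opt/tools/esalert/elastalert/config.yaml

[Install]
WantedBy=multi-user.target
"""

if __name__ == "__main__":
    for finding in check_unit(SAMPLE_UNIT) or ["no problems found"]:
        print(finding)
```

Run it on the real file with check_unit_file("/etc/systemd/system/elastalert.service") after editing the unit; a missing /usr/bin/elastalert is the usual result when ElastAlert was installed into a virtualenv rather than system-wide, and the ExecStart path then needs to point at that environment's copy.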
Start the service:

$ systemctl start elastalert # or: service elastalert start

Stop the service:

$ systemctl stop elastalert # or: service elastalert stop

Check the service status:

$ systemctl status elastalert # or: service elastalert status

If you see output like the following, the service has been configured successfully:
Redirecting to /bin/systemctl status elastalert.service
● elastalert.service - elastalert
   Loaded: loaded (/etc/systemd/system/elastalert.service; disabled; vendor preset: disabled)
   Active: active (running) since Fri 2019-03-08 05:52:46 EST; 1h 12min ago
 Main PID: 3006 (elastalert)
    Tasks: 1
   Memory: 38.6M
   CGroup: /system.slice/elastalert.service
           └─3006 /usr/bin/python /usr/bin/elastalert --config /opt/tools/esalert/elastalert/config.yaml
Mar 08 05:52:46 simo systemd[1]: Started elastalert.
Mar 08 05:52:46 simo systemd[1]: Starting elastalert…
Mar 08 05:52:47 simo elastalert[3006]: /usr/lib/python2.7/site-packages/elastalert-0.1.38-py2.7.egg/elastalert/config.py:31: YAMLLoadWarning:
Mar 08 05:52:47 simo elastalert[3006]: *** Calling yaml.load() without Loader=… is deprecated.
Mar 08 05:52:47 simo elastalert[3006]: *** The default Loader is unsafe.
Mar 08 05:52:47 simo elastalert[3006]: *** Please read https://msg.pyyaml.org/load for full details.
Mar 08 05:52:47 simo elastalert[3006]: rule_schema = jsonschema.Draft4Validator(yaml.load(open(os.path.join(os.path.dirname(__file__), 'schema.yaml'))))
To test the error-log alert, have your application write a log entry with level=ERROR; you should then receive the alert notification by e-mail.