Elasticsearch's elastalert monitoring alarm notification

One, configuration rules

Rule types

  • any: alert whenever any document matches the filter;
  • blacklist: alert when the value of the compare_key field matches any entry in the blacklist array;
  • whitelist: alert when the value of the compare_key field matches none of the entries in the whitelist array;
  • change: alert when, for the same query_key value, the content of the compare_key field changes within the timeframe;
  • frequency: alert when, for the same query_key value, at least num_events events matching the filter occur within the timeframe;
  • spike: alert when, for the same query_key value, the ratio between the event counts of the current timeframe and the preceding one exceeds spike_height. spike_type sets the direction to watch: up, down or both. threshold_ref sets the minimum event count required in the previous window and threshold_cur the minimum required in the current window; if a count is below its lower limit, no alert is triggered;
  • flatline: alert when fewer than threshold events occur within the timeframe;
  • new_term: alert when a value of the fields field appears that was not seen during the preceding terms_window_size (default 30 days), judged against the top terms_size (default 50) terms of that period;
  • cardinality: alert when, for the same query_key value, the number of distinct values of cardinality_field within the timeframe exceeds max_cardinality or falls below min_cardinality.
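To make the frequency rule type concrete, here is an added example (not code from the page or from the ElastAlert project) that replays a handful of constructed nginx-style events through a sliding timeframe window, grouped by an assumed query_key of the host name, and reports each time the count of events matching the page's filter (status >= 500) reaches num_events. ElastAlert itself does this against Elasticsearch query results; the simulation below only shows the counting logic.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not real log data): (timestamp, host, HTTP status).
# The host plays the role of query_key; status is what the filter inspects.
SAMPLE_EVENTS = [
    ("2021-03-20T10:00:00", "web-1", 200),
    ("2021-03-20T10:00:30", "web-1", 502),
    ("2021-03-20T10:01:00", "web-2", 503),
    ("2021-03-20T10:02:00", "web-1", 500),
    ("2021-03-20T10:07:00", "web-1", 504),  # more than 4 minutes after the earlier errors
    ("2021-03-20T10:07:30", "web-1", 500),
]


def matches_filter(status):
    """Equivalent of the rule filter 'status: >=500'."""
    return status >= 500


def frequency_alerts(events, num_events, timeframe):
    """Replay events in time order and return (query_key value, timestamp) for each
    point at which the number of matching events for that key within the sliding
    timeframe reaches num_events. After an alert the key's window is cleared, so each
    alert is backed by a fresh set of events."""
    windows = defaultdict(deque)
    alerts = []
    for ts_str, key, status in sorted(events):
        if not matches_filter(status):
            continue
        ts = datetime.fromisoformat(ts_str)
        window = windows[key]
        window.append(ts)
        # discard events that fell out of the timeframe
        while window and ts - window[0] > timeframe:
            window.popleft()
        if len(window) >= num_events:
            alerts.append((key, ts_str))
            window.clear()
    return alerts


if __name__ == "__main__":
    for hit in frequency_alerts(SAMPLE_EVENTS, num_events=2, timeframe=timedelta(minutes=4)):
        print("alert:", hit)
```

With the page's own setting of num_events: 1, every single 5xx response triggers its own alert; raising num_events is how you require a burst of errors before anyone gets paged.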

Two, frequency type demonstration

1. Copy the frequency rule template

[root@k8s-slave1 example_rules]# cd /usr/local/elastalert/example_rules/
[root@k8s-slave1 example_rules]# cp example_frequency.yaml test.yaml

2. Edit the monitoring rule in test.yaml

[root@k8s-slave1 example_rules]# cat test.yaml | grep -v ^# | grep -v ^$
es_host: 10.3.153.200
es_port: 9200
name: frequency test rule
type: frequency
index: logstash-nginx-*
num_events: 1
timeframe:
  minutes: 4
filter:
- query_string:
    query: "status: >=500"
smtp_host: smtp.163.com
smtp_port: 465
smtp_auth_file: /usr/local/elastalert/smtp_auth_file.yaml
email_reply_to: [email protected]
from_addr: [email protected]
alert:
- "email"
email:
- "[email protected]"

3. Create the smtp_auth_file.yaml file

[root@k8s-slave1 ~]# cat /usr/local/elastalert/smtp_auth_file.yaml
# mailbox user name
user: [email protected]
## not the mailbox login password, but the SMTP authorization password that was set up
password: xxxxxx

Three, enable the rule

1. Start ElastAlert with the test rule

Note on enabling rules: the screenshot shows the output when ElastAlert is started in --verbose mode. Under normal circumstances it should be started in the background, and all rules in the rules folder can also be loaded at once.

elastalert --config /usr/local/elastalert/config.yaml --rule /usr/local/elastalert/example_rules/test.yaml &

2. Use code to insert data into the index (to generate error records)
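The screenshot for this step is not on the page, so here is an added example (not the author's script) of a small Python program that writes a few 5xx records into Elasticsearch so the rule above has something to match. It uses the es_host and es_port values from the rule on this page; the concrete index name logstash-nginx-test (chosen to match the rule's logstash-nginx-* pattern), the /_doc endpoint (Elasticsearch 6.x or later), and the @timestamp field (ElastAlert's default timestamp_field) are assumptions.

```python
import json
import urllib.request
from datetime import datetime, timezone

ES_HOST = "10.3.153.200"        # es_host from the rule on this page
ES_PORT = 9200                  # es_port from the rule on this page
INDEX = "logstash-nginx-test"   # assumed index name matching logstash-nginx-*


def build_document(status, path="/api/test", now=None):
    """Build a minimal nginx-style log document. @timestamp is the field ElastAlert
    reads by default; status is the field the rule's query_string filter inspects."""
    ts = now or datetime.now(timezone.utc)
    return {
        "@timestamp": ts.strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z",
        "status": status,
        "request": path,
        "message": f"constructed test record with HTTP {status}",
    }


def index_url(host, port, index):
    """URL of the _doc endpoint for a single-document index request (assumed ES 6+)."""
    return f"http://{host}:{port}/{index}/_doc"


def index_document(doc, url):
    """POST one document to Elasticsearch and return the parsed JSON reply."""
    data = json.dumps(doc).encode()
    req = urllib.request.Request(
        url, data=data, method="POST",
        headers={"Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read())


if __name__ == "__main__":
    url = index_url(ES_HOST, ES_PORT, INDEX)
    # three errors in quick succession: with num_events: 1 each one triggers an alert
    for status in (500, 502, 503):
        print(index_document(build_document(status), url))
```

The timestamp is written in UTC with a trailing Z; if the rule is run with a timeframe of minutes, records stamped in local time without a zone offset can fall outside the window and never match.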

3. Check for matching information

Note: during troubleshooting ElastAlert can be started in debug mode, which produces more log output, as follows:

4. Check the content of the alert email

Origin blog.51cto.com/12965094/2666368