1.1 Download and build elastalert
Pick a directory to hold the tarball and clone the repository with git:
[root@elk1 yunwei]# cd /home/yunwei/tools/
[root@elk1 tools]# git clone https://github.com/Yelp/elastalert.git
[root@elk1 tools]# cd elastalert/
[root@elk1 elastalert]# pip install cryptography
1.2 Note: this step may fail with bash: pip: command not found…
Download and install pip:
wget "https://pypi.python.org/packages/source/p/pip/pip-1.5.4.tar.gz#md5=834b2904f92d46aaa333267fb1c922bb" --no-check-certificate
tar -axf pip-1.5.4.tar.gz
cd pip-1.5.4/
python setup.py install

Python error: ImportError: No module named setuptools
This error literally means there is no setuptools module, i.e. Python is missing it; installing that module resolves the problem. From the command line:

Download the setuptools package:
shell# wget http://pypi.python.org/packages/source/s/setuptools/setuptools-0.6c11.tar.gz
Unpack the setuptools package:
shell# tar zxvf setuptools-0.6c11.tar.gz
shell# cd setuptools-0.6c11
Build setuptools:
shell# python setup.py build
Run the setuptools install:
shell# python setup.py install

Install again from the elastalert/ directory. Note that the directory differs from machine to machine; change it to your own:
[root@elk1 tools]# cd elastalert/
[root@elk1 elastalert]# pip install cryptography
[root@elk1 elastalert]# pip install -r requirements.txt
[root@elk1 elastalert]# cp config.yaml.example config.yaml
[root@elk1 elastalert]# pip install "setuptools>=11.3"   ## this assumes you have already run yum install python-pip and pointed the source at aliyun.
[root@elk1 elastalert]# python setup.py install
1.3 Configure the mailbox credentials
[root@elk1 elastalert]# vim /home/yunwei/tools/elastalert/example_rules/smtp_auth_file.yaml
user: 18501399u9 # your own mailbox user
password: zhangLLLLLLL # mailbox password; for 163 and similar providers this is the client authorization password
1.4 Edit the alert rule configuration file
• name: every rule needs its own unique name; if a name is duplicated, the process will not start.
• type: selects the data check method (rule type).
• index: which indices to read data from. The Ymd format is supported: first set use_strftime_index: true, then match the index with a setting such as index: logstash-es-test%Y.%m.%d, which matches indices whose names start with logstash-es-test and end with a year-month-day suffix.
• filter: the filter conditions sent with the request to ES.
• timeframe: the time span over which events accumulate before an alert is triggered.
• alert: which alert methods run when an alert is triggered. Each type also has its own specific options. Currently
[root@elk1 example_rules]# cat example_frequency.yaml
# Alert when the rate of events exceeds a threshold

# (Optional)
# Elasticsearch host
# es_host: elasticsearch.example.com

# (Optional)
# Elasticsearch port
# es_port: 14900

# (Optional) Connect with SSL to Elasticsearch
#use_ssl: True

# (Optional) basic-auth username and password for Elasticsearch
#es_username: someusername
#es_password: somepassword

# (Required)
# Rule name, must be unique
name: Example frequency rule

# (Required)
# Type of alert.
# the frequency rule type alerts when num_events events occur with timeframe time
type: frequency

# (Required)
# Index to search, wildcard supported
index: logstash-*

# (Required, frequency specific)
# Alert when this many documents matching the query occur within a timeframe
num_events: 1 # number of events that must occur within the time window

# (Required, frequency specific)
# num_events must occur within this amount of time to trigger an alert
timeframe:
  minutes: 1 # unit of the time window: hours or minutes

# (Required)
# A list of Elasticsearch filters used for find events
# These filters are joined with AND and nested in a filtered query
# For more info: http://www.elasticsearch.org/guide/en/elasticsearch/reference/current/query-dsl.html
filter:
#- term:
#  some_field: "some_value"
# ES query used as the filter: alert whenever the message field contains the text 测试一下.
- query_string:
    query: "message:测试一下"

# (Required)
# The alert is use when a match is found
alert:
- "email"

# (required, email specific)
# a list of email addresses to send alerts to
# mailbox that receives the alert mails
email:
- "18501ghg909@163.com"

smtp_host: smtp.163.com
smtp_port: 25
smtp_ssl: false
# path of smtp_auth_file.yaml; set it to your own location
smtp_auth_file: /home/yunwei/tools/elastalert/example_rules/smtp_auth_file.yaml
# mailbox the alert is sent from
from_addr: 18501dddd3909@163.com
1.5 config.yaml explained
• Rules_folder: the folder from which the rules of the next stage are loaded; the default is example_rules
• Run_every: how often ElastAlert sends a query to elasticsearch
• Buffer_time: the range of the time field in each request; the default is 45 minutes
• Es_host: the host address of elasticsearch
• Es_port: the port elasticsearch listens on
• Use_ssl: optional; whether to connect to es over SSL, true or false
• Verify_certs: optional; whether to verify TLS certificates, true or false, default true
• Es_username: username for es authentication
• Es_password: password for es authentication
• Es_url_prefix: optional; the URL prefix for es (as I understand it, https or http)
• Es_send_get_body_as: optional; the method used to query es, default GET
• Writeback_index: the index created in elasticsearch for the logs elastalert itself produces
• Alert_time_limit: time limit for retrying failed alerts
[root@elk1 elastalert]# cat config.yaml
# This is the folder that contains the rule yaml files
# Any .yaml file will be loaded as a rule
rules_folder: example_rules

# How often ElastAlert will query Elasticsearch
# The unit can be anything from weeks to seconds
run_every:
  minutes: 1

# ElastAlert will buffer results from the most recent
# period of time, in case some log sources are not in real time
buffer_time:
  minutes: 15

# The Elasticsearch hostname for metadata writeback
# Note that every rule can have its own Elasticsearch host
es_host: 172.16.1.20 # change to the address of your own es

# The Elasticsearch port
es_port: 9200

# The AWS region to use. Set this when using AWS-managed elasticsearch
#aws_region: us-east-1

# The AWS profile to use. Use this if you are using an aws-cli profile.
# See http://docs.aws.amazon.com/cli/latest/userguide/cli-chap-getting-started.html
# for details
#profile: test

# Optional URL prefix for Elasticsearch
#es_url_prefix: elasticsearch

# Connect with TLS to Elasticsearch
#use_ssl: True

# Verify TLS certificates
#verify_certs: True

# GET request with body is the default option for Elasticsearch.
# If it fails for some reason, you can pass 'GET', 'POST' or 'source'.
# See http://elasticsearch-py.readthedocs.io/en/master/connection.html?highlight=send_get_body_as#transport
# for details
#es_send_get_body_as: GET

# Option basic-auth username and password for Elasticsearch
#es_username: someusername
#es_password: somepassword

# Use SSL authentication with client certificates client_cert must be
# a pem file containing both cert and key for client
#verify_certs: True
#ca_certs: /path/to/cacert.pem
#client_cert: /path/to/client_cert.pem
#client_key: /path/to/client_key.key

# The index on es_host which is used for metadata storage
# This can be a unmapped index, but it is recommended that you run
# elastalert-create-index to set a mapping
writeback_index: elastalert_status

# If an alert fails for some reason, ElastAlert will retry
# sending the alert until this time period has elapsed
alert_time_limit:
  days: 2
1.6 Start
[root@elk1 elastalert]# python -m elastalert.elastalert --verbose --rule example_frequency.yaml
Test:
Based on the log you are monitoring, you can write a test log line by hand.
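To see what the frequency rule in 1.4 does with a hand-written test log line, here is an added example (not ElastAlert's own code) that replays constructed sample events through a minimal model of the rule: num_events: 1 and timeframe: minutes: 1 are the values from example_frequency.yaml, the filter is approximated as a substring match on message, and the event data is made up for the demonstration.

```python
from collections import deque
from datetime import datetime, timedelta

# Settings taken from example_frequency.yaml above; the timeframe dict
# mirrors the YAML "timeframe: minutes: 1" form.
RULE = {"num_events": 1, "timeframe": {"minutes": 1}, "needle": "测试一下"}

# Constructed sample events standing in for documents read from logstash-*;
# only @timestamp and message are used here.
SAMPLE_EVENTS = [
    {"@timestamp": "2024-05-01T10:00:00Z", "message": "service started"},
    {"@timestamp": "2024-05-01T10:00:30Z", "message": "op ran 测试一下 on elk1"},
    {"@timestamp": "2024-05-01T10:02:05Z", "message": "health check ok"},
    {"@timestamp": "2024-05-01T10:02:10Z", "message": "测试一下 again"},
]


def matches_filter(event, needle):
    """Stand-in for the query_string filter: substring match on message."""
    return needle in event.get("message", "")


def frequency_alerts(events, num_events, timeframe, needle):
    """Return the @timestamp of every event at which the rule would fire.

    A sliding window holds the times of matching events no older than
    `timeframe`; when it reaches `num_events` entries an alert fires and
    the window is reset so the same hits are not counted twice.
    """
    span = timedelta(**timeframe)          # e.g. {"minutes": 1}
    window = deque()
    fired = []
    for ev in sorted(events, key=lambda e: e["@timestamp"]):
        if not matches_filter(ev, needle):
            continue
        ts = datetime.strptime(ev["@timestamp"], "%Y-%m-%dT%H:%M:%SZ")
        window.append(ts)
        while ts - window[0] > span:       # drop hits outside the window
            window.popleft()
        if len(window) >= num_events:
            fired.append(ev["@timestamp"])
            window.clear()
    return fired


if __name__ == "__main__":
    # With num_events: 1 every matching message alerts on its own.
    print(frequency_alerts(SAMPLE_EVENTS, **RULE))
    # Raising num_events to 2 needs two hits inside one minute; none here.
    print(frequency_alerts(SAMPLE_EVENTS, 2, {"minutes": 1}, "测试一下"))
```

Raising num_events or widening timeframe in the YAML changes how many matching lines you must write before the mail is sent, which is what the second call illustrates.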