
ElastAlert ES报警工具

elastalert GitHub地址

Centos7安装与配置ElastAlert

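# Resolve the Python dependencies (EPEL provides python2-pip on CentOS 7).
# NOTE(review): this is a Python 2.7 toolchain, which is end-of-life and no
# longer receives security fixes; prefer a Python 3 build of ElastAlert where
# your ES version allows it.
yum install epel-release -y

yum install python2-pip.noarch -y

# Do NOT `pip install --upgrade pip` on the system interpreter: it overwrites the
# RPM-managed pip and breaks the distro `pip` command on CentOS 7. Only the
# virtualenv's pip is upgraded (below).
pip install virtualenv

# Create an isolated Python 2.7 environment. The directory must not be called
# "elastalert": the git clone below creates a directory of that name and
# refuses to clone into a non-empty virtualenv directory.
virtualenv elastalert-venv --python=python2.7

source elastalert-venv/bin/activate

# Upgrade pip/setuptools inside the virtualenv only
pip install --upgrade pip setuptools
pip install elasticsearch

# This clones the unpinned default branch; for a reproducible, reviewable
# install check out a released tag and inspect it before running setup.py,
# which executes the repository's own code.
git clone https://github.com/Yelp/elastalert.git && cd elastalert
pip install -r requirements.txt
python setup.py install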

ElastAlert使用

# Create ElastAlert's own status/metadata indices in Elasticsearch
# (connection details come from config.yaml / command-line options; see --help).
elastalert-create-index

# Dry-run one rule against existing data; alerts are printed, not sent,
# unless --alert is given.
elastalert-test-rule rule.yaml

# Start the alerter in the foreground with verbose logging, loading a single
# rule file. NOTE(review): example_rules/ in the upstream repo ships
# example_frequency.yaml, not rule.yaml — copy or rename it first, or pass the
# path of an existing rule.
python -m elastalert.elastalert --verbose --rule /root/elastalert/example_rules/rule.yaml

配置服务启动ElastAlert

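# Create the config directory and the runtime configuration
mkdir -p /etc/elastalert
cp /root/elastalert/config.yaml.example /etc/elastalert/config.yaml

# Create the rules directory and seed it with ONE copy of the example
# frequency rule, named rule.yaml. Keeping a second copy of the same file next
# to it gives two rules with the same `name:`, and ElastAlert rejects duplicate
# rule names when it loads rules_folder (only `--rule <file>` sidesteps that).
mkdir -p /etc/elastalert/rules
cp /root/elastalert/example_rules/example_frequency.yaml /etc/elastalert/rules/rule.yaml

# Edit the configuration: set rules_folder and the es_host/es_port (and any
# es_username/es_password) of your cluster. Credentials in this file should be
# readable only by the account that runs ElastAlert.
vim /etc/elastalert/config.yaml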

# Directory scanned for rule files when no --rule is given on the command line
rules_folder: /etc/elastalert/rules

# Create the systemd unit for elastalert (contents below)
vim /etc/systemd/system/elastalert.service

elastalert.service文件内容

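[Unit]
Description=elastalert
# Orders startup after a local Elasticsearch only; for a remote cluster,
# order after network-online.target instead.
After=elasticsearch.service

[Service]
Type=simple
# NOTE(review): the alerter only needs read access to /etc/elastalert and
# outbound network access; it should run as a dedicated unprivileged account
# (useradd -r elastalert; chown -R elastalert /etc/elastalert) rather than root.
User=root
Group=root
Restart=on-failure
# Relative paths in rule files (e.g. smtp_auth_file) may be resolved from here
# by the running process; prefer absolute paths in the rules.
WorkingDirectory=/opt
# /usr/bin/python is the system interpreter. If elastalert was installed into a
# virtualenv, point this at that environment's python binary instead or the
# elastalert module will not be found.
ExecStart=/usr/bin/python -m elastalert.elastalert --config /etc/elastalert/config.yaml --rule /etc/elastalert/rules/rule.yaml

# The header read "Install]" (missing bracket); systemd does not treat that as
# a section, so WantedBy= was not honoured and `systemctl enable` fails.
[Install]
WantedBy=multi-user.target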

config.yaml配置文件说明

# Directory scanned for rule files (used when --rule is not given)
rules_folder:

# How often ElastAlert queries Elasticsearch, as a time unit mapping,
# e.g. `minutes: 1`
run_every:

邮箱告警

  • 配置规则:vim /etc/elastalert/rules/rule.yaml
# Alert type: the built-in email alerter
alert:
- "email"
# Outbound SMTP server. NOTE(review): port 25 is a plaintext connection that is
# only upgraded if the server offers STARTTLS, and the login from
# smtp_auth_file is sent over that channel. Prefer `smtp_ssl: true` with the
# provider's SMTPS port (465) so the credentials are never sent in the clear.
smtp_host: smtp.126.com
smtp_port: 25
# YAML file holding `user:` / `password:`; keeps the secret out of this rule.
# A relative path is resolved relative to the rule file in recent ElastAlert
# versions — use an absolute path to avoid any ambiguity with the service's
# working directory.
smtp_auth_file: smtp_auth_file.yaml
email_reply_to: email1_address
from_addr: email1_address

# Recipient address(es)
email:
- "email2_address"
  • 创建邮箱的认证文件:vim /etc/elastalert/rules/smtp_auth_file.yaml
# SMTP login referenced by smtp_auth_file. This file stores a cleartext
# password: restrict it (chmod 600, owned by the account that runs ElastAlert)
# and keep it out of version control.
user: "username"
password: "password"

钉钉告警

elastalert-dingtalk-plugin GitHub地址

  • 插件安装
# Download the plugin. This clones the unpinned default branch of a third-party
# repository whose code will run inside the ElastAlert process (with its
# privileges and access to all alert data); review it and pin a specific
# commit before deploying.
git clone https://github.com/xuyaoqiang/elastalert-dingtalk-plugin.git

# Copy the plugin package next to the config. The `alert:` entry in the rule is
# imported as `elastalert_modules.dingtalk_alert`, so /etc/elastalert must be
# the process's working directory (python -m puts the cwd on sys.path) or be
# on PYTHONPATH for the import to succeed.
cp -r elastalert-dingtalk-plugin/elastalert_modules/ /etc/elastalert/
  • 配置规则:vim /etc/elastalert/rules/rule.yaml
# 报警模式
# Alert type: the custom DingTalk alerter from the plugin package above
alert:
- "elastalert_modules.dingtalk_alert.DingTalkAlerter"

# DingTalk robot webhook URL. Its access_token is a credential — anyone holding
# the URL can post into the group — so restrict this rule file's permissions
# and enable the robot's keyword/signature restriction if the plugin supports it.
dingtalk_webhook: ""
dingtalk_msgtype: "text"
  • 启用告警
# Run in the foreground with verbose logging; run it from /etc/elastalert so the
# elastalert_modules plugin package is importable.
python -m elastalert.elastalert --verbose --config /etc/elastalert/config.yaml --rule /etc/elastalert/rules/rule.yaml
  • 配置服务启动:vim /etc/systemd/system/elastalert.service
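[Unit]
Description=elastalert
After=elasticsearch.service

[Service]
Type=simple
# NOTE(review): prefer a dedicated unprivileged account; root is not needed to
# read /etc/elastalert and talk to Elasticsearch / the DingTalk webhook.
User=root
Group=root
Restart=on-failure
# ExecStart= is not run through a shell, so `cd /etc/elastalert && ...` is not
# a valid command there (systemd wants an absolute executable path).
# WorkingDirectory= does the same job and lets `python -m` find the
# elastalert_modules package copied into /etc/elastalert.
WorkingDirectory=/etc/elastalert
# If elastalert was installed into a virtualenv, use that environment's python
# binary here instead of the system interpreter.
ExecStart=/usr/bin/python -m elastalert.elastalert --config /etc/elastalert/config.yaml --rule /etc/elastalert/rules/rule.yaml

# Was "Install]" (missing bracket), which systemd does not parse as a section.
[Install]
WantedBy=multi-user.target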
  • 优化告警格式
# Custom alert body. Each `{}` is filled positionally from alert_text_args
# below, so the placeholder lines and the args list must stay aligned.
alert_text: |
    kibana_url: "https://hostname:5601/app/kibana"
    alarm_reason: "1分钟内login.php至少被访问10次"
    alarm_name: {}
    request_uri: {}
    request_ip: {}
    response_status: {}
# Values substituted into alert_text, in order. They are looked up in the
# matched document; a missing field falls back to a top-level rule property of
# the same name (so `name` resolves to the rule's name) — verify against the
# ElastAlert version in use.
alert_text_args:
    - name
    - request
    - clientip
    - response
# Send only alert_text; the default match summary is omitted
alert_text_type: alert_text_only