elastalter邮件告警

一：简介

ElastAlert是一个简单的框架，用于通过Elasticsearch中的数据异常警告，峰值或其他感兴趣的模式。

监控类型

• “匹配Y时间内有X个事件的地方”（frequency类型）
• “事件发生率增加或减少时匹配”（spike类型）
• “在Y时间内少于X事件时匹配”（flatline类型）
• “当某个字段匹配黑名单/白名单时匹配”（blacklist和whitelist类型）
• “匹配任何匹配给定过滤器的事件”（any类型）
• “在一段时间内某个字段有两个不同的值时匹配”（change类型）

二：部署安装

由于Yelp官方提供有docker镜像，docker的便捷性，所以采用docker进行部署

githup官方库：https://github.com/Yelp/elastalert

docker image：bitsensor/elastalert:latest

安装方式：

下载相应的配置文件
git clone https://github.com/bitsensor/elastalert.git; cd elastalert
启动镜像
docker run -d -p 3030:3030 \
    -v `pwd`/config/elastalert.yaml:/opt/elastalert/config.yaml \
    -v `pwd`/config/config.json:/opt/elastalert-server/config/config.json \
    -v `pwd`/rules:/opt/elastalert/rules \
    -v `pwd`/rule_templates:/opt/elastalert/rule_templates \
    --net="host" \
    --name elastalert bitsensor/elastalert:latest

ES 7.X用docker跑，问题比较多

三：配置方式

详细资料查看官方资料。

规则配置

config

# rule规则所在路径
rules_folder: /data/elastalert/rules

# 运行时间间隔
run_every:
  minutes: 1

buffer_time:
  minutes: 15

es_host: 10.88.0.34

es_port: 9200

# 写入ES中的index
writeback_index: elastalert_status
writeback_alias: elastalert_alerts

# 告警发送失败的，时间限制，超过2天后，则丢弃
alert_time_limit:
  days: 2

rule

# Rule name, must be unique
name: web request status

# Type of alert.
#type: spike
type: frequency

# num_events must occur within this amount of time to trigger an alert
# 在5m内，查到的数量多余20，曾触发报警
timeframe:
  minutes: 5
num_events: 20

# Index to search, wildcard supported
# 索引和时间filed
index: web-2018.06.26
timestamp_field: "@timestamp"

# 匹配规则
filter:
- query:
    term:
      status:
        value: 404

# 邮件标题
alert_subject: "Surge in attacks on {}"
alert_subject_args:
  - http_host

# 邮件内容
alert_text_type: alert_text_only
alert_text: "Surge in attacks on {}"
alert_text_args:
  - host

# The alert is use when a match is found
alert:
  - "email"
email:
  - "xx@qq.com"

四：启动方式

binary Running

# 安装
git clone https://github.com/Yelp/elastalert.git
pip install -r requirements.txt
python setup.py install
cp config.yaml.example config.yaml

# 创建index
elastalert-create-index

# 测试
elastalert-test-rule --config config.yaml rules/test_frequency.yaml

# 正式
python3 -m elastalert.elastalert --config config.yaml

五：查看数据

1.elastalter会生成一个elastalter_status索引，里面会记录rule匹配的详细信息

{
  "_index": "elastalert_status_status",
  "_type": "_doc",
  "_id": "yosRkHAB-hBL9ipWbCYu",
  "_version": 1,
  "_score": null,
  "_source": {
    "rule_name": "Nginx request img check",
    "endtime": "2020-02-29T08:30:25.822237Z",
    "starttime": "2020-02-29T08:26:32.605579Z",
    # 匹配到多少天
    "matches": 0,
    # 命中
    "hits": 0,
    "@timestamp": "2020-02-29T08:30:25.836591Z",
    "time_taken": 0.014328718185424805
  },
  "fields": {
    "@timestamp": [
      "2020-02-29T08:30:25.836Z"
    ],
    "endtime": [
      "2020-02-29T08:30:25.822Z"
    ],
    "starttime": [
      "2020-02-29T08:26:32.605Z"
    ]
  },
  "sort": [
    1582965025836
  ]
}