1. Installation
Install elastalert and its dependencies
$ pip3 install elastalert
$ pip3 install "setuptools>=11.3"
$ python3 setup.py install
Copy the example configuration file to its working name
$ cp config.yaml.example config.yaml
2. Walking through the configuration file
$ cat config.yaml
# This is the folder that contains the rule yaml files
# Any .yaml file will be loaded as a rule
# Where ElastAlert loads rule files from; it tries to load every .yaml file in the folder.
rules_folder: example_rules
# How often ElastAlert will query Elasticsearch
# The unit can be anything from weeks to seconds
# How often ElastAlert queries Elasticsearch.
run_every:
  seconds: 30
# ElastAlert will buffer results from the most recent
# period of time, in case some log sources are not in real time
# The size of the query window, extending backwards from the time each query runs.
# Ignored for rules that set use_count_query or use_terms_query to true.
buffer_time:
  minutes: 5
# The Elasticsearch hostname for metadata writeback
# Note that every rule can have its own Elasticsearch host
# Address of the Elasticsearch cluster where ElastAlert stores data about its own state,
# query runs, alerts and errors. Each rule may also set a different Elasticsearch host to query.
es_host: 127.0.0.1
# The Elasticsearch port
# Port of that Elasticsearch instance.
es_port: 9200
# The AWS region to use. Set this when using AWS-managed elasticsearch
#aws_region: us-east-1
# The AWS profile to use. Use this if you are using an aws-cli profile.
# See http://docs.aws.amazon.com/cli/latest/userguide/cli-chap-getting-started.html
# for details
#profile: test
# Optional URL prefix for Elasticsearch
# URL prefix of the Elasticsearch endpoint.
#es_url_prefix: elasticsearch
# Connect with TLS to Elasticsearch
# Whether to use TLS when connecting to es_host; True or False.
#use_ssl: True
# Verify TLS certificates
# Whether to verify TLS certificates; True or False, default True.
#verify_certs: True
# GET request with body is the default option for Elasticsearch.
# If it fails for some reason, you can pass 'GET', 'POST' or 'source'.
# See http://elasticsearch-py.readthedocs.io/en/master/connection.html?highlight=send_get_body_as#transport
# for details
# Method used to query Elasticsearch: GET, POST or source; default GET.
#es_send_get_body_as: GET
# Optional basic-auth username and password for Elasticsearch
# basic-auth username for connecting to Elasticsearch.
#es_username: someusername
# Password for connecting to Elasticsearch.
#es_password: somepassword
# Use SSL authentication with client certificates client_cert must be
# a pem file containing both cert and key for client
#verify_certs: True
# Path to the CA certificate used to verify the SSL connection.
#ca_certs: /path/to/cacert.pem
# Path to the client PEM certificate.
#client_cert: /path/to/client_cert.pem
# Path to the private key file used as the client key.
#client_key: /path/to/client_key.key
# The index on es_host which is used for metadata storage
# This can be a unmapped index, but it is recommended that you run
# elastalert-create-index to set a mapping
# Name of the index in which ElastAlert stores its data.
writeback_index: elastalert_status
writeback_alias: elastalert_alerts
# If an alert fails for some reason, ElastAlert will retry
# sending the alert until this time period has elapsed
# Retry window for failed alerts.
alert_time_limit:
  days: 1
3. Creating the Elasticsearch index
The elastalert-create-index command creates an index in Elasticsearch so that ElastAlert can write information and metadata about its queries and alerts back to Elasticsearch. This step is not mandatory, but it is strongly recommended: the index is useful for auditing and testing, and with it a restart of elastalert does not affect event counts or alert delivery. By default the index is named elastalert_status.
$ elastalert-create-index
New index name (Default elastalert_status)
Name of existing index to copy (Default None)
New index elastalert_status created
Done!
Check the indices that exist in ES
curl 'localhost:9200/_cat/indices?v'
health status index uuid pri rep docs.count docs.deleted store.size pri.store.size
yellow open nginxaccess-2020.09.05 Ag_0BiR_SHCtQF14ZHCrWQ 1 1 7568611 0 3.2gb 3.2gb
yellow open filebeat-7.4.1-2020.09.05 ugP_opbLRCOIpQ4ZS7KoOQ 1 1 26594885 0 13.2gb 13.2gb
4. Configuring a rule
Copy and edit a rule file in the example_rules directory
$ cp -rp example_frequency.yaml server_test.yaml
$ vim server_test.yaml
# Alert when the rate of events exceeds a threshold
# (Optional)
# Elasticsearch host
es_host: 127.0.0.1
# (Optional)
# Elasticsearch port
es_port: 9200
# (Optional) Connect with SSL to Elasticsearch
#use_ssl: True
# (Optional) basic-auth username and password for Elasticsearch
#es_username: someusername
#es_password: somepassword
# (Required)
# Rule name, must be unique
name: Example frequency rule
# (Required)
# Type of alert.
# the frequency rule type alerts when num_events events occur within timeframe time
type: frequency
# (Required)
# Index to search, wildcard supported
index: filebeat-*
# (Required, frequency specific)
# Alert when this many documents matching the query occur within a timeframe
num_events: 3
# (Required, frequency specific)
# num_events must occur within this amount of time to trigger an alert
timeframe:
  minutes: 5
  #hours: 5
# (Required)
# A list of Elasticsearch filters used to find events
# These filters are joined with AND and nested in a filtered query
# For more info: http://www.elasticsearch.org/guide/en/elasticsearch/reference/current/query-dsl.html
filter:
- query:
    query_string:
      query: "loglevel: ERROR"
#compare_key: message
#blacklist:
# - "ERROR"
# (Required)
# The alerter used when a match is found
alert: "rule_modules.weixin.DingTalkAlerter"
dingtalk_webhook: "https://qyapi.weixin.qq.com/cgi-bin/webhook/send?key=94428ca8-8326-49e6-860f-2e40286951a6"
dingtalk_msgtype: text
Check that the rule is valid
$ /usr/local/python3/bin/elastalert-test-rule ./example_rules/weixin.yaml
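To make the frequency rule above concrete, here is an added stand-alone example (my code, not ElastAlert's and not from the post) that replays constructed sample documents through the same num_events/timeframe logic: only events matching the filter count, events older than the timeframe slide out of the window, and the window is reset after each alert. The documents, field names and timestamps are constructed for the demonstration.

```python
from collections import deque
from datetime import datetime, timedelta, timezone

# Constructed sample documents standing in for hits from filebeat-*; only those
# matching the rule's filter ("loglevel: ERROR") count towards num_events.
SAMPLE_EVENTS = [
    {"@timestamp": "2020-09-05T10:00:00Z", "loglevel": "ERROR", "message": "db timeout"},
    {"@timestamp": "2020-09-05T10:01:30Z", "loglevel": "INFO", "message": "request ok"},
    {"@timestamp": "2020-09-05T10:02:00Z", "loglevel": "ERROR", "message": "db timeout"},
    {"@timestamp": "2020-09-05T10:06:00Z", "loglevel": "ERROR", "message": "db timeout"},
    {"@timestamp": "2020-09-05T10:06:30Z", "loglevel": "ERROR", "message": "db timeout"},
    {"@timestamp": "2020-09-05T10:20:00Z", "loglevel": "ERROR", "message": "disk full"},
    {"@timestamp": "2020-09-05T10:21:00Z", "loglevel": "ERROR", "message": "disk full"},
    {"@timestamp": "2020-09-05T10:22:00Z", "loglevel": "ERROR", "message": "disk full"},
]


def parse_ts(value):
    """Parse the ISO-8601 UTC timestamps used in the sample documents."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def matches_filter(event, field="loglevel", value="ERROR"):
    """Stand-in for the rule's query_string filter: exact match on one field."""
    return str(event.get(field, "")).upper() == value.upper()


def frequency_alerts(events, num_events, timeframe):
    """Return the timestamps at which a frequency rule fires.

    timeframe takes the same form as the rule file, e.g. {"minutes": 5}.
    Events are processed in time order; an event exactly timeframe old has
    already left the window, and the window is cleared after each alert so
    no event is counted towards two alerts (mirroring ElastAlert's FrequencyRule).
    """
    span = timedelta(**timeframe)
    window = deque()
    fired = []
    for ev in sorted(events, key=lambda e: parse_ts(e["@timestamp"])):
        if not matches_filter(ev):
            continue
        ts = parse_ts(ev["@timestamp"])
        window.append(ts)
        while window and ts - window[0] >= span:
            window.popleft()
        if len(window) >= num_events:
            fired.append(ev["@timestamp"])
            window.clear()
    return fired
```

With the rule's values (num_events 3, 5 minutes) the 10:00 error has aged out by 10:06:30, so the first alert is raised by the 10:02, 10:06 and 10:06:30 events; widening the timeframe to the commented-out 5 hours moves that alert to 10:06.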
5. The alerter script
Write the alerter under rule_modules (here rule_modules/weixin.py, so that it matches the alert: setting in the rule)
import json
import requests
from requests.exceptions import RequestException
from elastalert.alerts import Alerter, DateTimeEncoder
from elastalert.util import EAException


class DingTalkAlerter(Alerter):
    """Posts each match to a WeChat Work (企业微信) group-bot webhook as a text message."""
    required_options = frozenset(['dingtalk_webhook', 'dingtalk_msgtype'])

    def __init__(self, rule):
        super(DingTalkAlerter, self).__init__(rule)
        self.dingtalk_webhook_url = self.rule['dingtalk_webhook']
        self.dingtalk_msgtype = self.rule.get('dingtalk_msgtype', 'text')
        # Read for completeness; the text payload below does not use them.
        self.dingtalk_isAtAll = self.rule.get('dingtalk_isAtAll', False)
        self.dingtalk_title = self.rule.get('dingtalk_title', '')

    def alert(self, matches):
        headers = {'Content-Type': 'application/json;charset=utf-8'}
        # Read the first match directly. ElastAlert has already converted the
        # timestamp field to a datetime, so round-tripping the match through a
        # plain json.dumps()/json.loads() would raise TypeError.
        match = matches[0]
        app = match.get('fields', {}).get('service', 'unknown')
        mess = match.get('message', '')
        payload = {
            "msgtype": self.dingtalk_msgtype,
            "text": {
                "content": "application: %s \n message: %s" % (app, mess),
                "mentioned_mobile_list": ["18688156156", "18618533470", "15778085411"]
            }
        }
        try:
            # DateTimeEncoder keeps the body serialisable if datetimes are ever added to it.
            response = requests.post(self.dingtalk_webhook_url,
                                     data=json.dumps(payload, cls=DateTimeEncoder),
                                     headers=headers)
            response.raise_for_status()
            return response.text
        except RequestException as e:
            raise EAException("Error request to Dingtalk: {0}".format(str(e)))

    def get_info(self):
        return {
            "type": "dingtalk",
            "dingtalk_webhook": self.dingtalk_webhook_url
        }
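As an added example (not the post's code and not part of elastalert), the payload construction for this alerter written as plain functions that can be unit-tested without Elasticsearch or the webhook: it tolerates a missing fields.service, serialises the datetime that ElastAlert puts into each match, and truncates the body to the text byte limit without splitting a UTF-8 character. TEXT_BYTE_LIMIT and SAMPLE_MATCH are assumptions made for the demonstration.

```python
import json
from datetime import datetime, timezone

# Byte cap on a WeChat Work group-bot "text" body; 2048 is assumed here from the
# bot documentation, so check it against the current API before relying on it.
TEXT_BYTE_LIMIT = 2048

# Constructed match, shaped like a filebeat hit after ElastAlert's processing:
# the timestamp field is already a datetime, not a string.
SAMPLE_MATCH = {
    "@timestamp": datetime(2020, 9, 5, 10, 6, 30, tzinfo=timezone.utc),
    "fields": {"service": "order-api"},
    "message": "loglevel: ERROR db timeout",
}


class DateTimeEncoder(json.JSONEncoder):
    """Same job as elastalert.alerts.DateTimeEncoder; plain json.dumps() raises on datetime."""
    def default(self, obj):
        if isinstance(obj, datetime):
            return obj.isoformat()
        return super().default(obj)


def lookup(match, dotted, default="<missing>"):
    """Resolve a dotted path such as fields.service without raising KeyError."""
    cur = match
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return default
        cur = cur[part]
    return cur


def truncate_utf8(text, limit):
    """Cut text to at most limit bytes without splitting a UTF-8 sequence."""
    raw = text.encode("utf8")
    return text if len(raw) <= limit else raw[:limit].decode("utf8", errors="ignore")


def build_text_payload(match, mentioned_mobiles=(), limit=TEXT_BYTE_LIMIT):
    """Webhook payload for one match, with the raw match appended for context."""
    content = "application: %s\nmessage: %s\nmatch: %s" % (
        lookup(match, "fields.service"),
        lookup(match, "message"),
        json.dumps(match, cls=DateTimeEncoder, ensure_ascii=False, sort_keys=True),
    )
    return {
        "msgtype": "text",
        "text": {"content": truncate_utf8(content, limit),
                 "mentioned_mobile_list": list(mentioned_mobiles)},
    }
```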
6. Starting the service
python3 -m elastalert.elastalert --verbose --rule example_rules/weixin.yaml