ElastAlert: email alerts on ELK logs
Source: Internet   Editor: 程序博客网   Time: 2024/06/04 18:09
ElastAlert is a framework for raising alerts on logs collected by ELK; similar tools are KAAE and Watcher, which is produced by Elastic itself. Pick whichever fits your needs.
ElastAlert currently supports alert methods such as email, command (for calling an SMS gateway), Slack and Telegram. Because WeChat can be bound to a mailbox for notifications, this amounts to indirect WeChat support.
GitHub address: https://github.com/Yelp/elastalert
Python 2.7 is required for the installation.
git clone https://github.com/Yelp/elastalert.git
cd elastalert
python setup.py install
For the full procedure see the official installation guide: http://elastalert.readthedocs.io
My requirement here: if the logs collected by ELK do not reach a specified count within a given time window, raise an alert.
config.yaml
# This is the folder that contains the rule yaml files
# Any .yaml file will be loaded as a rule
rules_folder: pmc_rules  # name of the folder holding the rule files

# How often ElastAlert will query Elasticsearch
# The unit can be anything from weeks to seconds
run_every:
  minutes: 1  # query Elasticsearch once every minute

# ElastAlert will buffer results from the most recent
# period of time, in case some log sources are not in real time
buffer_time:
  minutes: 15  # results are buffered for 15 minutes

# The Elasticsearch hostname for metadata writeback
# Note that every rule can have its own Elasticsearch host
es_host: 10.x.x.x  # Elasticsearch address

# The Elasticsearch port
es_port: 9200  # Elasticsearch port

# The AWS region to use. Set this when using AWS-managed elasticsearch
#aws_region: us-east-1

# The AWS profile to use. Use this if you are using an aws-cli profile.
# See http://docs.aws.amazon.com/cli/latest/userguide/cli-chap-getting-started.html
# for details
#profile: test

# Optional URL prefix for Elasticsearch
#es_url_prefix: elasticsearch

# Connect with TLS to Elasticsearch
#use_ssl: True  # ES runs only on the internal network and is unreachable from outside, so neither SSL nor username/password is used

# Verify TLS certificates
#verify_certs: True

# GET request with body is the default option for Elasticsearch.
# If it fails for some reason, you can pass 'GET', 'POST' or 'source'.
# See http://elasticsearch-py.readthedocs.io/en/master/connection.html?highlight=send_get_body_as#transport
# for details
#es_send_get_body_as: GET

# Option basic-auth username and password for Elasticsearch
#es_username: someusername
#es_password: somepassword

# Use SSL authentication with client certificates client_cert must be
# a pem file containing both cert and key for client
#verify_certs: True
#ca_certs: /path/to/cacert.pem
#client_cert: /path/to/client_cert.pem
#client_key: /path/to/client_key.key

# The index on es_host which is used for metadata storage
# This can be a unmapped index, but it is recommended that you run
# elastalert-create-index to set a mapping
writeback_index: elastalert_status  # name of the index created by running elastalert-create-index after installation

# If an alert fails for some reason, ElastAlert will retry
# sending the alert until this time period has elapsed
alert_time_limit:  # if sending an alert fails, retry for up to two days
  days: 2
Rule file autoDispatchAdvanceJob.yaml. This file must sit in the folder named by rules_folder in config.yaml; that folder may hold several rule files.
# Alert when the number of matching events drops below a threshold

# (Optional)
# Elasticsearch host
es_host: 10.x.x.x  # Elasticsearch address

# (Optional)
# Elasticsearch port
es_port: 9200

# (Required)
# Rule name, must be unique
name: autoDispatchAdvanceJob Stop  # rule name, must not repeat; it also becomes the email subject

# (Required)
# Type of alert.
# the flatline rule type alerts when fewer than threshold events occur within timeframe
type: flatline  # rule type; details at http://elastalert.readthedocs.io

# (Required)
# Index to search, wildcard supported
index: pmc-timejob  # name of the Elasticsearch index holding the logs to alert on

# (Required, flatline specific)
# Alert when fewer than this many documents matching the query occur within a timeframe
#num_events: 50
threshold: 1  # number of times the query must match within 35 minutes

# (Required, flatline specific)
# the threshold is evaluated over this amount of time
timeframe:
  minutes: 35  # time window

# (Required)
# A list of Elasticsearch filters used for find events
# These filters are joined with AND and nested in a filtered query
# For more info: http://www.elasticsearch.org/guide/en/elasticsearch/reference/current/query-dsl.html
filter:
- query:
    query_string:  # string that must appear in the log
      query: "autoDispatchAdvanceJob"

# (Required)
# The alert is used when a match is found
alert:  # alert method; QQ mail is used here
- "email"
smtp_host: smtp.qq.com
smtp_port: 587
# user authentication file, must contain the two attributes user and password
smtp_auth_file: /ELK/elastalert/smtp—file.yaml  # this file holds the account and password of the sending mailbox
email_reply_to: "123333321@qq.com"
from_addr: "123333321@qq.com"

# (required, email specific)
# a list of email addresses to send alerts to
email:  # several recipient mailboxes are allowed
- "123456789@qq.com"
- "987564321@qq.com"
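To make it concrete how the flatline rule above decides to fire, here is an added Python example; it is not ElastAlert's own code and not from the original post. It mirrors the rule's threshold and 35-minute timeframe, runs the check against a handful of constructed log records, and replays it at the run_every interval from config.yaml. The RULE dict, SAMPLE_LOGS and the substring match standing in for the query_string filter are assumptions made for the example; real ElastAlert queries Elasticsearch for the counts and, in addition, suppresses repeated alerts for the same rule with its realert setting, so a real deployment would not mail on every run the way this replay does.

```python
from datetime import datetime, timedelta

# Constructed stand-in for the flatline rule above (assumption: ElastAlert
# loads the real rule from YAML; this dict only carries the fields we need).
RULE = {
    "name": "autoDispatchAdvanceJob Stop",
    "threshold": 1,                     # alert when fewer than this many hits
    "timeframe": timedelta(minutes=35), # window the count is taken over
    "query": "autoDispatchAdvanceJob",  # string the query_string filter looks for
}

# Constructed sample log documents (timestamp, message). The job runs every
# 30 minutes until 09:30, goes quiet, and comes back at 11:10.
SAMPLE_LOGS = [
    (datetime(2017, 9, 20, 8, 0), "autoDispatchAdvanceJob started"),
    (datetime(2017, 9, 20, 8, 30), "autoDispatchAdvanceJob finished"),
    (datetime(2017, 9, 20, 9, 0), "autoDispatchAdvanceJob started"),
    (datetime(2017, 9, 20, 9, 30), "autoDispatchAdvanceJob finished"),
    (datetime(2017, 9, 20, 10, 5), "unrelated heartbeat"),
    (datetime(2017, 9, 20, 11, 10), "autoDispatchAdvanceJob started"),
]


def matching_events(logs, query):
    """Crude stand-in for the query_string filter: substring match on the message."""
    return [ts for ts, msg in logs if query in msg]


def count_in_window(timestamps, window_end, timeframe):
    """Count hits in the half-open window (window_end - timeframe, window_end]."""
    start = window_end - timeframe
    return sum(1 for ts in timestamps if start < ts <= window_end)


def evaluate_flatline(rule, logs, now):
    """One run of the rule at time `now`: returns (alerted, count)."""
    hits = matching_events(logs, rule["query"])
    count = count_in_window(hits, now, rule["timeframe"])
    return count < rule["threshold"], count


def simulate_runs(rule, logs, start, end, run_every):
    """Replay the check every `run_every` from start to end; return the run times that alerted."""
    alerts = []
    t = start
    while t <= end:
        alerted, _ = evaluate_flatline(rule, logs, t)
        if alerted:
            alerts.append(t)
        t += run_every
    return alerts


if __name__ == "__main__":
    day = datetime(2017, 9, 20)
    for t in simulate_runs(RULE, SAMPLE_LOGS, day.replace(hour=8), day.replace(hour=12), timedelta(minutes=15)):
        print("%s: %s would alert (no '%s' log in the last 35 minutes)" % (t.time(), RULE["name"], RULE["query"]))
```

The replay shows the two things worth knowing before turning the rule on: an alert first appears at 10:15, i.e. 35 minutes after the last 09:30 hit rather than the moment the job stops, and a window boundary that excludes the most recent hit (11:45) alerts again even though the job has just recovered, which is why the timeframe should be comfortably longer than the job's normal interval.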
smtp—file.yaml
# sending mailbox
user: "123333321@qq.com"
## not the mailbox login password, but the POP3 password configured in the mailbox settings
password: "sdffnddflcvdhbi"
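Because this auth file holds a live SMTP credential in plaintext, its file permissions matter as much as its contents. The following added Python check (example code, not part of ElastAlert or of the original post) writes a constructed copy of such a file with a placeholder password, verifies that only the owner can read it, and confirms both required keys are present without printing the secret. The file name smtp_auth.yaml, the parse_simple_yaml helper and check_auth_file are assumptions made for the example; ElastAlert itself parses this file as YAML, and the minimal parser here only handles the two-line `key: "value"` layout shown above.

```python
import os
import stat
import tempfile

# Constructed contents in the same layout as the auth file above.
# The password is a placeholder, not a real credential.
SAMPLE_AUTH_FILE = '''# sending mailbox
user: "alert-sender@example.com"
# POP3/SMTP password set in the mailbox settings, not the login password
password: "PLACEHOLDER_NOT_A_REAL_SECRET"
'''

REQUIRED_KEYS = ("user", "password")


def parse_simple_yaml(text):
    """Parse the flat `key: "value"` layout used by smtp_auth_file.

    Deliberately minimal so the example has no PyYAML dependency; it skips
    blank lines and comments and strips surrounding quotes from values.
    """
    values = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, _, raw = line.partition(":")
        values[key.strip()] = raw.strip().strip('"').strip("'")
    return values


def check_auth_file(path):
    """Return a list of findings for the auth file; an empty list means it passes."""
    findings = []
    st = os.stat(path)
    # Any group/other permission bit exposes the SMTP password to other local users.
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("mode %o allows group/other access; use chmod 600"
                        % stat.S_IMODE(st.st_mode))
    with open(path) as f:
        values = parse_simple_yaml(f.read())
    for key in REQUIRED_KEYS:
        if not values.get(key):
            findings.append("missing required key: %s" % key)
    return findings


def demo():
    """Write the constructed file twice, world-readable and owner-only, and check both."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "smtp_auth.yaml")  # hypothetical file name
        with open(path, "w") as f:
            f.write(SAMPLE_AUTH_FILE)
        os.chmod(path, 0o644)
        results["world_readable"] = check_auth_file(path)
        os.chmod(path, 0o600)
        results["owner_only"] = check_auth_file(path)
    return results


if __name__ == "__main__":
    for label, findings in demo().items():
        print("%s: %s" % (label, findings or "ok"))
```

Run it against the real path from the rule file by calling check_auth_file("/ELK/elastalert/smtp—file.yaml") as the user that starts ElastAlert; the process only needs read access as that user, so chmod 600 and ownership by that account are sufficient.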
Start the service
python -m elastalert.elastalert --config /ELK/elastalert/config.yaml --verbose