Monitoring exceptions in logs with elastalert in ELK and sending email alerts
Source: Internet | Published: 军民融合指数 大数据 | Editor: 程序博客网 | Time: 2024/04/29 09:20
1. Preparation
sudo yum update
Python should preferably be version 2.7 or later (CentOS 7 seems to meet this already).
2. Install elastalert (following the official instructions)
First switch to your own working directory;
mine is /usr/local/dev/.
Clone the source with git:
git clone https://github.com/Yelp/elastalert.git
cd elastalert
Install:
sudo python setup.py install
It failed:
Running blist-1.3.6/setup.py -q bdist_egg --dist-dir /tmp/easy_install-Gc6gbe/blist-1.3.6/egg-dist-tmp-Ik7LL2
The required version of setuptools (>=1.1.6) is not available,
and can't be installed while this script is running. Please
install a more recent version first, using
'easy_install -U setuptools'.
(Currently using setuptools 0.9.8 (/usr/lib/python2.7/site-packages))
OK, do what the message says and run:
sudo easy_install -U setuptools
Run the install again (sudo python setup.py install); it fails again:
warning: no files found matching 'blist.rst'
blist/_blist.c:38:20: 致命错误:Python.h:没有那个文件或目录
 #include<Python.h>
That is simply a missing development package; run:
sudo yum install python-devel
Run the install again (sudo python setup.py install).
At this point the install should basically succeed.
Sometimes you get errors about some package not being found; that is probably a network problem, and simply repeating the install command fixes it (I ran into this on Alibaba Cloud).
Continue with the install command:
pip install -r requirements.txt
If pip is not found, install pip first and upgrade it:
sudo yum -y install python-pip
sudo pip install --upgrade pip
Once that is done, continue:
sudo pip install -r requirements.txt
Create elastalert's own log index in elasticsearch:
sudo elastalert-create-index
Fill in your elasticsearch details as appropriate; for the
elastalert_status part just press Enter to accept the default.
As shown below:
Enter elasticsearch host: log.example.com
Enter elasticsearch port: 9200
Use SSL? t/f: t
Enter optional basic-auth username (or leave blank): es_admin
Enter optional basic-auth password (or leave blank):
Enter optional Elasticsearch URL prefix (prepends a string to the URL of every request):
New index name? (Default elastalert_status)
Name of existing index to copy? (Default None)
/usr/lib/python2.7/site-packages/requests/packages/urllib3/connectionpool.py:734: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.org/en/latest/security.html
  InsecureRequestWarning)
(the same InsecureRequestWarning is printed several more times)
New index elastalert_status created
Done!
3. Create the configuration files
sudo cp config.yaml.example config.yaml
sudo vi config.yaml
Modify it according to your own setup.
For example, my elasticsearch uses SSL and requires a user login, so the configuration looks roughly like this:
run_every:
  minutes: 1
buffer_time:
  minutes: 15
es_host: log.example.com
es_port: 9200
use_ssl: True
es_send_get_body_as: GET
es_username: es_admin
es_password: es_password
writeback_index: elastalert_status
alert_time_limit:
  days: 2
Configure the rule in the same way:
cd example_rules/
sudo cp example_frequency.yaml my_rule.yaml
sudo vi my_rule.yaml
Here you fill in the details of your specific elasticsearch:
es_host: log.example.com
es_port: 9200
use_ssl: True
es_username: es_admin
es_password: es_password
# the name attribute must be unique; ideally it identifies your product
name: My-Product Exception Alert
# rule type; I chose to send an email alert on any match
type: any
# index to monitor, wildcards are supported
index: logstash-*
# the next two can be set as you like
num_events: 50
timeframe:
  hours: 4
# filter the query by condition (here I only want logs containing an exception, excluding business exceptions (custom exceptions))
filter:
- query:
    query_string:
      query: "message: *exception* AND message: (!*BusinessException*) AND message: (!*ServiceException*)"
# alert by email
alert:
- "email"
# extra email content; here I append a link for viewing the logs
alert_text: "Ref Log https://log.example.com:5601/app/kibana"
# SMTP mail server settings (mine is Tencent Exmail)
smtp_host: smtp.exmail.qq.com
smtp_port: 25
# user authentication file; it needs the two attributes user and password
smtp_auth_file: smtp_auth_file.yaml
email_reply_to: no-reply@example.com
from_addr: no-reply@example.com
# list of recipient email addresses
email:
- "user1@example.com"
- "user1@example.com"
Next, create smtp_auth_file.yaml:
sudo touch smtp_auth_file.yaml
sudo vi smtp_auth_file.yaml
## file contents
user: "no-reply@example.com"
password: "password"
Now you can quickly test whether the configuration is correct:
sudo elastalert-test-rule ./my_rule.yaml
If there is a problem, check the configuration files.
Then start it up and try it out:
sudo python -m elastalert.elastalert --verbose --rule my_rule.yaml
Then deliberately generate an exception to test, for example:
if(true){ throw new NullPointerException("测试日志异常监控服务");}
Run it; normally there is no problem and the email should arrive. If there is a problem, check the configuration files.
4. I am monitoring a service, so elastalert should itself run as a service
First create the elastalert configuration directory and related files:
sudo mkdir /etc/elastalert
cd /etc/elastalert
# copy the config file
sudo cp /usr/local/dev/elastalert/config.yaml config.yaml
sudo mkdir rules
cd rules
# copy the rule file
sudo cp /usr/local/dev/elastalert/example_rules/my_rule.yaml my_rule.yaml
# copy the mail authentication file
sudo cp /usr/local/dev/elastalert/example_rules/smtp_auth_file.yaml smtp_auth_file.yaml
Next modify the configuration files.
In config.yaml change:
rules_folder: /etc/elastalert/rules
In my_rule.yaml change (the path must match the file copied above):
smtp_auth_file: /etc/elastalert/rules/smtp_auth_file.yaml
Next create the systemd service:
cd /etc/systemd/system
sudo touch elastalert.service
sudo vi elastalert.service
Contents of elastalert.service:
[Unit]
Description=elastalert
After=elasticsearch.service

[Service]
Type=simple
User=root
Group=root
Restart=on-failure
WorkingDirectory=/usr/local/dev/elastalert
ExecStart=/usr/bin/elastalert --config /etc/elastalert/config.yaml --rule /etc/elastalert/rules/my_rule.yaml

[Install]
WantedBy=multi-user.target
Save and exit.
Start the service:
sudo systemctl start elastalert
Check its status:
sudo systemctl status elastalert
If nothing went wrong, you will see a green Active: active (running).
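Because config.yaml carries es_password and smtp_auth_file.yaml carries the mailbox password, it is worth checking the /etc/elastalert tree built in this step before relying on the service. The script below is an added example (not part of ElastAlert or of this post): it reads rules_folder from config.yaml and smtp_auth_file from each rule file, verifies the referenced files exist and use absolute paths as step 4 does, and reports any password-bearing file that group or other users can read; the base directory is a parameter so it can be run against a test copy.

```shell
#!/bin/sh
# Pre-flight check for an /etc/elastalert-style tree (added example, not ElastAlert's own code).
# Only the flat "key: value" lines used in this post are parsed; nested YAML is ignored.

# yaml_get FILE KEY -> prints the value of a top-level "KEY: value" line, quotes stripped
yaml_get() {
    sed -n "s/^$2:[[:space:]]*//p" "$1" | head -n 1 | tr -d '"'
}

# private_ok FILE -> succeeds if the group and other permission bits are all clear
private_ok() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# check_elastalert_dir BASEDIR -> prints one line per finding, returns the number of findings
check_elastalert_dir() {
    base=$1; problems=0
    cfg="$base/config.yaml"
    if [ ! -f "$cfg" ]; then
        echo "missing $cfg"
        return 1
    fi
    # config.yaml carries es_password, so it must not be readable by group/others
    private_ok "$cfg" || { echo "$cfg is readable by group/others"; problems=$((problems + 1)); }
    rules_dir=$(yaml_get "$cfg" rules_folder)
    if [ ! -d "$rules_dir" ]; then
        echo "rules_folder '$rules_dir' does not exist"
        return $((problems + 1))
    fi
    for rule in "$rules_dir"/*.yaml; do
        [ -f "$rule" ] || continue
        auth=$(yaml_get "$rule" smtp_auth_file)
        [ -n "$auth" ] || continue          # not an email rule (or the auth file itself)
        case $auth in
            /*) ;;
            *) echo "$rule: smtp_auth_file '$auth' is not an absolute path"
               problems=$((problems + 1)); continue ;;
        esac
        if [ ! -f "$auth" ]; then
            echo "$rule: smtp_auth_file '$auth' not found"
            problems=$((problems + 1))
            continue
        fi
        # the auth file holds the mailbox password
        private_ok "$auth" || { echo "$auth is readable by group/others"; problems=$((problems + 1)); }
    done
    return $problems
}
```

Source the file and call check_elastalert_dir /etc/elastalert; a non-zero exit status means findings were printed.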
With that, the log exception monitoring service is set up. Good, that's a wrap!