ELK log alerting with the ElastAlert plugin and DingTalk alert configuration
ElastAlert is a framework for alerting on patterns in data stored in Elasticsearch. It runs a set of rules against Elasticsearch on a schedule and, when a rule matches, delivers an alert through one or more alerters and records the result back into Elasticsearch.
ElastAlert ships with the following rule types:
"X events in Y time" (frequency)
"the rate of events increases or decreases" (spike)
"fewer than X events in Y time" (flatline)
"a field matches a blacklist / whitelist" (blacklist, whitelist)
"any event matching the filter" (any)
"a field's value changes for a given key" (change)
"a field takes a value never seen before" (new_term)
"the number of unique values of a field is above or below a threshold" (cardinality)
Alerts can be delivered through several built-in alerters (and through custom alerter modules such as the DingTalk plugin installed below), and every run's state and alert history is written back to an index in Elasticsearch.
Install Python 3.6
yum -y install wget sqlite-devel xz gcc automake zlib-devel openssl-devel epel-release
wget https://www.python.org/ftp/python/3.6.8/Python-3.6.8.tar.xz
tar xf Python-3.6.8.tar.xz
cd Python-3.6.8/
./configure && make && make install
mkdir -p /app/elastalert/rule
Install ElastAlert
cd /app/elastalert && git clone https://github.com/Yelp/elastalert.git
cd /app/elastalert/elastalert && pip3 install -r requirements.txt
pip3 uninstall elasticsearch
pip3 install "elasticsearch>=5.0.0"
# The elasticsearch client pinned in requirements.txt does not work against an Elasticsearch 6 cluster; reinstall it with pip3 install "elasticsearch>=5.0.0" (or raise the elasticsearch version in requirements.txt before installing)
python3 setup.py install
Configure ElastAlert
cp /app/elastalert/elastalert/config.yaml.example /app/elastalert/elastalert/config.yaml
Edit the options you need; the rest can stay at their defaults.
# This is the folder that contains the rule yaml files
# Any .yaml file will be loaded as a rule
rules_folder: /app/elastalert/rule
# How often ElastAlert will query Elasticsearch
# The unit can be anything from weeks to seconds
run_every:
minutes: 1
# ElastAlert will buffer results from the most recent
# period of time, in case some log sources are not in real time
buffer_time:
minutes: 1
# The Elasticsearch hostname for metadata writeback
# Note that every rule can have its own Elasticsearch host
es_host: <elasticsearch host or IP>
# The Elasticsearch port
es_port: 9200
# The AWS region to use. Set this when using AWS-managed elasticsearch
#aws_region: us-east-1
# The AWS profile to use. Use this if you are using an aws-cli profile.
# See http://docs.aws.amazon.com/cli/latest/userguide/cli-chap-getting-started.html
# for details
#profile: test
# Optional URL prefix for Elasticsearch
#es_url_prefix: elasticsearch
# Connect with TLS to Elasticsearch
#use_ssl: True
# Verify TLS certificates
#verify_certs: True
# GET request with body is the default option for Elasticsearch.
# If it fails for some reason, you can pass 'GET', 'POST' or 'source'.
# See http://elasticsearch-py.readthedocs.io/en/master/connection.html?highlight=send_get_body_as#transport
# for details
#es_send_get_body_as: GET
# Option basic-auth username and password for Elasticsearch
#es_username: someusername
#es_password: somepassword
# Use SSL authentication with client certificates client_cert must be
# a pem file containing both cert and key for client
#verify_certs: True
#ca_certs: /path/to/cacert.pem
#client_cert: /path/to/client_cert.pem
#client_key: /path/to/client_key.key
# The index on es_host which is used for metadata storage
# This can be a unmapped index, but it is recommended that you run
# elastalert-create-index to set a mapping
writeback_index: elastalert_status
writeback_alias: elastalert_alerts
# If an alert fails for some reason, ElastAlert will retry
# sending the alert until this time period has elapsed
alert_time_limit:
days: 1
# Custom logging configuration
# If you want to setup your own logging configuration to log into
# files as well or to Logstash and/or modify log levels, use
# the configuration below and adjust to your needs.
# Note: if you run ElastAlert with --verbose/--debug, the log level of
# the "elastalert" logger is changed to INFO, if not already INFO/DEBUG.
#logging:
# version: 1
# incremental: false
# disable_existing_loggers: false
# formatters:
# logline:
# format: '%(asctime)s %(levelname)+8s %(name)+20s %(message)s'
#
# handlers:
# console:
# class: logging.StreamHandler
# formatter: logline
# level: DEBUG
# stream: ext://sys.stderr
#
# file:
# class : logging.FileHandler
# formatter: logline
# level: DEBUG
# filename: elastalert.log
#
# loggers:
# elastalert:
# level: WARN
# handlers: []
# propagate: true
#
# elasticsearch:
# level: WARN
# handlers: []
# propagate: true
#
# elasticsearch.trace:
# level: WARN
# handlers: []
# propagate: true
#
# '': # root logger
# level: WARN
# handlers:
# - console
# - file
# propagate: false
#
rules_folder: the directory ElastAlert loads rules from. Every .yaml file in it is loaded as a rule. When a rule file is modified, ElastAlert reloads it, and when a rule file is removed, ElastAlert stops running that rule.
run_every: how often ElastAlert queries Elasticsearch.
buffer_time: the size of the query window, counted backwards from the time each query runs, so that log sources that are not real time are still seen; the upstream example uses 45 minutes, this setup uses 1 minute. It should not be shorter than run_every, or events can fall between queries.
es_host: the Elasticsearch host ElastAlert writes its metadata to (each rule can also point at its own es_host). If the cluster requires authentication, set es_username / es_password; if it serves TLS, set use_ssl: True and keep verify_certs: True, otherwise the credentials can be intercepted.
es_port: the Elasticsearch port.
writeback_index: the index ElastAlert stores its own state in (past alerts, silences, errors, query status).
writeback_alias: the alias that covers the writeback indices.
alert_time_limit: how long ElastAlert keeps retrying an alert that failed to send.
Once the configuration is done, create the metadata index with: elastalert-create-index --config config.yaml
Install the DingTalk alert plugin
wget -O elastalert-dingtalk-plugin-master.zip https://github.com/xuyaoqiang/elastalert-dingtalk-plugin/archive/master.zip
unzip elastalert-dingtalk-plugin-master.zip
cd elastalert-dingtalk-plugin-master
pip3 install pyOpenSSL==16.2.0
pip3 install setuptools==46.1.3
cp -r elastalert_modules /app/elastalert/
Rule examples
# The example_rules/ directory of the ElastAlert repository contains sample rules for the main rule types.
example_spike.yaml
A "spike" rule: it compares the number of events in the last 2 hours with the previous 2 hours and alerts when the count is 3 times higher.
example_frequency.yaml
A "frequency" rule: it alerts when 50 matching events occur within 4 hours.
example_change.yaml
A "change" rule: it tracks a field per key and alerts when the value changes. In the example, the rule watches the "country_name" field for each "username" and alerts when it changes within 24 hours.
example_new_term.yaml
A "new_term" rule: it records the values seen so far for the listed fields and alerts when a value appears that has never been seen before.
Alert rule configuration
Inspect the nginx status codes and alert when 5xx responses occur 5 or more times within 1 minute.
cat /app/elastalert/rule/nginx.yaml
name: the count of nginx log entries whose response status code is 5xx is greater than 5 in a 1 minute period
index: nginx-*
type: frequency
num_events: 5
timeframe: {minutes: 1}
filter:
- range:
status:
from: 500
to: 599
alert_text: |
  host: {}
  method: {}
  request: {}
  status: {}
  upstream: {}
  hits: {}
alert_text_type: alert_text_only
alert_text_args:
- host
- method
- request
- status
- upstream
- num_hits
alert:
- "elastalert_modules.dingtalk_alert.DingTalkAlerter"
dingtalk_webhook: "XXXXXX"
dingtalk_msgtype: "text"
# Field reference
name: the rule's name. It must be unique across all rules, because ElastAlert keys the rule's state in the writeback index on it.
type: the rule type. A frequency rule needs num_events and timeframe.
index: the index pattern the rule queries (wildcards allowed).
num_events: for a frequency rule, the number of matching events that triggers an alert.
timeframe: the window in which num_events must occur.
filter: a list of Elasticsearch query DSL filters; only events that match all of them are counted.
alert_text: the custom alert body. With alert_text_type: alert_text_only the default dump of the matched document is suppressed.
alert_text_args: the document fields substituted, in order, into the {} placeholders of alert_text; num_hits is a field ElastAlert adds to each match.
# How to write filters:
https://elastalert.readthedocs.io/en/latest/recipes/writing_filters.html#writingfilters
alert: the list of alerters to run; here the DingTalk alerter class from the plugin module copied above. dingtalk_webhook carries the bot's access token, so keep the rule file out of shared repositories and restrict who can read the rules directory. Note that the alert body (host, request, upstream) leaves the network for DingTalk's servers, so do not put secrets or customer data into alert_text.
# Available alerters:
https://elastalert.readthedocs.io/en/latest/ruletypes.html#alerts
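To make the rule semantics concrete, the following is an added example (written for this page, not ElastAlert's own code) that models offline how the nginx.yaml rule above decides to fire: a frequency check with num_events and timeframe over a range filter on status, the positional alert_text / alert_text_args rendering used with alert_text_type: alert_text_only, and a simplified version of the spike rule from the rule-type list. The records, the helper names (ev, in_range, frequency_rule, spike_rule, render_alert_text, run_nginx_rule) and the alert_text labels are this example's own assumptions; it also assumes the nginx status field is indexed as a number.

```python
"""Offline model of two ElastAlert rule types, frequency and spike.

Added example, not ElastAlert's own code: it mirrors how the nginx.yaml rule
(type: frequency, num_events: 5, timeframe: 1 minute, range filter on status
500-599) decides to fire, renders alert_text from alert_text_args the way
alert_text_type: alert_text_only does, and adds a simplified spike check.
All records below are constructed; field names follow the rule's
alert_text_args and status is assumed to be indexed as a number.
"""
from collections import deque
from datetime import datetime, timedelta

T0 = datetime(2020, 6, 1, 12, 0, 0)


def ev(sec, status, request="/api/orders", upstream="10.0.0.11:8080"):
    """One constructed nginx-style record, `sec` seconds after T0."""
    return {"@timestamp": T0 + timedelta(seconds=sec), "host": "web-01",
            "method": "GET", "request": request, "status": status,
            "upstream": upstream}


# Constructed: five 5xx inside the first minute (should fire once), some 2xx
# noise, then 5xx spaced 80 s apart that never reach num_events in one window.
SAMPLE_EVENTS = ([ev(s, 502) for s in (1, 8, 15, 22, 40)]
                 + [ev(s, 200) for s in (5, 30, 50, 70, 90)]
                 + [ev(s, 503) for s in (120, 200, 280, 360, 440)])

# Constructed: 2 hits in the first 2-minute window, 6 in the next, 5 after that.
SPIKE_EVENTS = [ev(s, 200) for s in
                (10, 70, 130, 150, 170, 190, 210, 230, 250, 270, 290, 310, 330)]

# Labels are this example's choice; the {} are filled positionally.
ALERT_TEXT = "host: {}\nmethod: {}\nrequest: {}\nstatus: {}\nupstream: {}\nhits: {}"
ALERT_TEXT_ARGS = ["host", "method", "request", "status", "upstream", "num_hits"]


def in_range(event, field, lo, hi):
    """The rule's `range` filter on a numeric field; unparsable values never match."""
    try:
        return lo <= int(event[field]) <= hi
    except (KeyError, TypeError, ValueError):
        return False


def frequency_rule(events, num_events, timeframe, predicate):
    """Sliding window: fire when num_events matching events fall within one
    timeframe. As in ElastAlert, the window is emptied after an alert so a
    single burst produces a single alert. Returns (last_event, num_hits)."""
    window, alerts = deque(), []
    for event in sorted(events, key=lambda e: e["@timestamp"]):
        if not predicate(event):
            continue
        window.append(event)
        while event["@timestamp"] - window[0]["@timestamp"] > timeframe:
            window.popleft()
        if len(window) >= num_events:
            alerts.append((event, len(window)))
            window.clear()
    return alerts


def spike_rule(events, timeframe, spike_height, spike_type="up"):
    """Simplified spike check over fixed consecutive windows of `timeframe`
    (ElastAlert's real implementation uses rolling windows): each window is
    compared with the one before it, and empty windows are skipped.
    Returns (window_index, reference_count, current_count) per alert."""
    stamps = sorted(e["@timestamp"] for e in events)
    if not stamps:
        return []
    counts = {}
    for ts in stamps:
        idx = (ts - stamps[0]) // timeframe  # timedelta // timedelta -> int
        counts[idx] = counts.get(idx, 0) + 1
    series = [counts.get(i, 0) for i in range(max(counts) + 1)]
    alerts = []
    for i in range(1, len(series)):
        ref, cur = series[i - 1], series[i]
        if ref == 0 or cur == 0:
            continue
        up = spike_type in ("up", "both") and cur >= spike_height * ref
        down = spike_type in ("down", "both") and ref >= spike_height * cur
        if up or down:
            alerts.append((i, ref, cur))
    return alerts


def render_alert_text(template, arg_names, event, num_hits):
    """alert_text_only rendering: substitute alert_text_args positionally;
    num_hits is the synthetic field ElastAlert adds to every match, and a
    missing field becomes <MISSING VALUE> as ElastAlert does."""
    match = dict(event, num_hits=num_hits)
    return template.format(*(match.get(n, "<MISSING VALUE>") for n in arg_names))


def run_nginx_rule(events=SAMPLE_EVENTS):
    """Evaluate nginx.yaml (5 x 5xx within 1 minute) and render each alert."""
    alerts = frequency_rule(events, num_events=5, timeframe=timedelta(minutes=1),
                            predicate=lambda e: in_range(e, "status", 500, 599))
    return [render_alert_text(ALERT_TEXT, ALERT_TEXT_ARGS, e, n) for e, n in alerts]


if __name__ == "__main__":
    for text in run_nginx_rule():
        print(text, end="\n\n")
    print(spike_rule(SPIKE_EVENTS, timedelta(minutes=2), spike_height=3))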
Test the rule (runs the query and prints the matches without sending alerts)
elastalert-test-rule example_rules/my_rule.yaml
Debug run
/app/elastalert/bin/python3 -m elastalert.elastalert --verbose --rule /app/elastalert/rule/nginx.yaml
Production run
The official documentation suggests starting it with supervisor, but when I tested that it failed to read the configuration, so I gave up on it.
nohup /app/elastalert/bin/python3 -m elastalert.elastalert --config /app/elastalert/elastalert/config.yaml --verbose >>/app/elastalert/nohup.out 2>&1 &
Reference blog
https://www.cnblogs.com/opesn/p/12994199.html