Installing ElastAlert is not as easy as the install docs make it look. That said, the following blog post is still worth recommending:
http://blog.csdn.net/gamer_gyt/article/details/52917116
Official docs: http://elastalert.readthedocs.io/en/latest/elastalert.html#overview
1) Extract and install:
After extracting, there is a config.yaml.example file; save a copy of it as config.yaml.
Configure that file:
# This is the folder that contains the rule yaml files
# Any .yaml file will be loaded as a rule
rules_folder: example_rules

# How often ElastAlert will query Elasticsearch
# The unit can be anything from weeks to seconds
run_every:
  minutes: 1

# ElastAlert will buffer results from the most recent
# period of time, in case some log sources are not in real time
buffer_time:
  minutes: 3

# The Elasticsearch hostname for metadata writeback
# Note that every rule can have its own Elasticsearch host
es_host: localhost

# The Elasticsearch port
es_port: 9200

# The AWS region to use. Set this when using AWS-managed elasticsearch
#aws_region: us-east-1

# The AWS profile to use. Use this if you are using an aws-cli profile.
# See http://docs.aws.amazon.com/cli/latest/userguide/cli-chap-getting-started.html
# for details
#profile: test

# Optional URL prefix for Elasticsearch
#es_url_prefix: elasticsearch

# Connect with TLS to Elasticsearch
#use_ssl: True

# Verify TLS certificates
#verify_certs: True

# GET request with body is the default option for Elasticsearch.
# If it fails for some reason, you can pass 'GET', 'POST' or 'source'.
# See http://elasticsearch-py.readthedocs.io/en/master/connection.html?highlight=send_get_body_as#transport
# for details
#es_send_get_body_as: GET

# Optional basic-auth username and password for Elasticsearch
#es_username: someusername
#es_password: somepassword

# The index on es_host which is used for metadata storage
# This can be an unmapped index, but it is recommended that you run
# elastalert-create-index to set a mapping
writeback_index: elastalert_status

# If an alert fails for some reason, ElastAlert will retry
# sending the alert until this time period has elapsed
alert_time_limit:
  days: 2

Note that in this config use_ssl, verify_certs and es_username/es_password are all left commented out, so ElastAlert talks to Elasticsearch over plain HTTP with no authentication. That is fine for a local test, but enable them before pointing ElastAlert at a cluster anyone else can reach.
Create the writeback index in Elasticsearch:
elastalert-create-index
Create a rule:
Under example_rules, edit the example_frequency.yaml file:
# Alert when the rate of events exceeds a threshold

# (Optional)
# Elasticsearch host
# es_host: elasticsearch.example.com

# (Optional)
# Elasticsearch port
# es_port: 14900

# (Optional) Connect with SSL to Elasticsearch
#use_ssl: True

# (Optional) basic-auth username and password for Elasticsearch
#es_username: someusername
#es_password: somepassword

# (Required)
# Rule name, must be unique
name: Example frequency rule

# (Required)
# Type of alert.
# the frequency rule type alerts when num_events events occur within timeframe
type: frequency

# (Required)
# Index to search, wildcard supported
index: cloud_platform-*

# (Required, frequency specific)
# Alert when this many documents matching the query occur within a timeframe
num_events: 3

# (Required, frequency specific)
# num_events must occur within this amount of time to trigger an alert
timeframe:
  hours: 1

# (Required)
# A list of Elasticsearch filters used to find events
# These filters are joined with AND and nested in a filtered query
# For more info: http://www.elasticsearch.org/guide/en/elasticsearch/reference/current/query-dsl.html
filter:
- term:
    _type: cloud_platform

# (Required)
# The alert is used when a match is found
alert:
- "email"

# (required, email specific)
# a list of email addresses to send alerts to
email:
- zhuoyp001@xxxx.com
email_from_field: zhuoyp001
email_add_domain: "@xxxx.com"
from_addr: zhuoyp001@xxxx.com
smtp_host: xxxx
smtp_port: 25
smtp_auth_file: smtp_auth_file.yaml
The main thing configured here is the alert method, email.
The last line points to smtp_auth_file.yaml, the file that holds the SMTP username and password (it stores the password in plaintext, so restrict its permissions to the user ElastAlert runs as and keep it out of version control):
user: "zhuoyp001@xxxx.com"
password: "xxxx"
That completes the simplest possible configuration: once three documents with _type cloud_platform are seen within the one-hour timeframe, an alert mail is sent to zhuoyp001@xxxx.com.
2) Start it:
python -m elastalert.elastalert --verbose --rule example_rules/example_frequency.yaml
Under normal conditions it starts right up. I pushed a few log lines into Logstash; pay attention to the time: ElastAlert only queries the index for the short window just before the current time (about two minutes in the run below; the window size is governed by buffer_time in config.yaml), so logs you inject yourself need their @timestamp adjusted to fall inside that query window.
INFO:elastalert:Ran Example frequency rule from 2017-08-09 08:48 CST to 2017-08-09 08:50 CST: 7 query hits (0 already seen), 2 matches, 1 alerts sent
INFO:elastalert:Sleeping for 57.479314 seconds
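The two things that trip people up in the procedure above are the frequency rule's counting (num_events within timeframe) and the buffer_time query window that decides whether a hand-injected document is ever seen at all. The following is an added example, not ElastAlert's own code: a simplified model of the frequency rule run over constructed documents, using the values from the config.yaml and example_frequency.yaml shown on this page (num_events 3, timeframe 1 hour, buffer_time 3 minutes, term filter on _type cloud_platform). It assumes the documented semantics of the rule; the real implementation also carries counts across runs and dedupes hits, which this model leaves out.

```python
# Added example (not ElastAlert's own code): a simplified model of the
# "frequency" rule and the buffer_time query window from the config above.
from datetime import datetime, timedelta, timezone

# Values copied from the rule / config on this page.
RULE = {"num_events": 3, "timeframe": timedelta(hours=1), "doc_type": "cloud_platform"}
BUFFER_TIME = timedelta(minutes=3)


def query_window(now, buffer_time=BUFFER_TIME):
    """Return (start, end) of the window one ElastAlert run queries.

    ElastAlert queries backwards from the run time by buffer_time, so a
    hand-injected document whose @timestamp lies outside this window is
    never seen by the rule (the pitfall described in the post).
    """
    return now - buffer_time, now


def in_window(doc, window):
    start, end = window
    return start <= doc["@timestamp"] <= end


def matches_filter(doc, doc_type=RULE["doc_type"]):
    """Model the rule's `filter: - term: _type: cloud_platform`."""
    return doc.get("_type") == doc_type


def frequency_alerts(docs, num_events=RULE["num_events"], timeframe=RULE["timeframe"]):
    """Return the timestamps at which a frequency rule would fire.

    Frequency semantics: an alert fires when num_events matching documents
    fall within any span of `timeframe`. After firing, the counted events are
    cleared so the same documents do not re-trigger the alert.
    """
    pending = []   # timestamps of matching docs not yet part of an alert
    fired_at = []
    for doc in sorted(docs, key=lambda d: d["@timestamp"]):
        ts = doc["@timestamp"]
        pending.append(ts)
        # Drop events older than the timeframe relative to the newest event.
        pending = [t for t in pending if ts - t < timeframe]
        if len(pending) >= num_events:
            fired_at.append(ts)
            pending = []
    return fired_at


def run_rule(docs, now):
    """One ElastAlert run: apply the query window, then the filter, then the rule."""
    window = query_window(now)
    seen = [d for d in docs if in_window(d, window) and matches_filter(d)]
    return frequency_alerts(seen)


def demo_run_time():
    """Constructed run time, chosen to match the log excerpt above."""
    return datetime(2017, 8, 9, 8, 50, tzinfo=timezone.utc)


def constructed_docs(now):
    """Constructed sample documents (not real log data)."""
    return [
        # three cloud_platform docs inside the window -> one alert; a fourth stays pending
        {"_type": "cloud_platform", "@timestamp": now - timedelta(seconds=150), "message": "constructed event 1"},
        {"_type": "cloud_platform", "@timestamp": now - timedelta(seconds=120), "message": "constructed event 2"},
        {"_type": "cloud_platform", "@timestamp": now - timedelta(seconds=90), "message": "constructed event 3"},
        {"_type": "cloud_platform", "@timestamp": now - timedelta(seconds=30), "message": "constructed event 4"},
        # right _type but @timestamp an hour old: outside buffer_time, never queried
        {"_type": "cloud_platform", "@timestamp": now - timedelta(hours=1), "message": "constructed stale event"},
        # inside the window but wrong _type: dropped by the term filter
        {"_type": "syslog", "@timestamp": now - timedelta(seconds=60), "message": "constructed other event"},
    ]


if __name__ == "__main__":
    now = demo_run_time()
    alerts = run_rule(constructed_docs(now), now)
    print("alerts fired:", len(alerts), "at", [a.isoformat() for a in alerts])
```

Running it fires exactly one alert, on the third in-window cloud_platform document; the stale document never enters the run because of buffer_time, which is the same reason injected test logs with an old @timestamp produce "0 matches".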
Problems & lessons learned:
alert_time does not exist in the index
When I first started it, it kept throwing an error saying the sort field alert_time does not exist. The error was raised in elastalert/elastalert.py. My guess is that because I had never yet triggered a "sent alert" event, alert_time had never been written to the index. So I commented out the following lines:
line 1386: sort = {'sort': {'alert_time': {'order': 'asc'}}}
line 1391: query.update(sort)
line 1503: query['sort'] = {'alert_time': {'order': 'desc'}}
line 1639: sort = {'sort': {'until': {'order': 'desc'}}}
line 1644: query.update(sort)
On restarting, the error was gone.
After I finally triggered the mail alert, I un-commented those lines again and it ran normally without errors.
Commenting out the sort only hides the symptom: the comment on writeback_index in config.yaml says elastalert-create-index exists precisely to put a mapping on the writeback index, and sorting on an unmapped field in an empty index is the likely cause of this error. If it shows up again, check that the writeback index was created with that mapping rather than left unmapped.