elastalert基于微信公众号报警

环境部署

安装其它的必需包

yum install -y zlib-devel bzip2-devel openssl-devel ncurses-devel sqlite-devel

1,下载、编译和安装 Python 2.7.13

wget https://www.python.org/ftp/python/2.7.13/Python-2.7.13.tgz

tar zxf Python-2.7.13.tgz

cd Python-2.7.13

./configure

make && make install

2,为新版 Python 安装 setuptools

wget https://bootstrap.pypa.io/ez_setup.py -O - | python

setuptools 正确安装完成后，easy_install 命令就会被安装在 /usr/local/bin 目录下了。

为新版 Python 安装 pip

easy_install pip

pip list --format=legacy

pip (9.0.1)

setuptools (33.1.1)

创建软连接

mv /usr/bin/python /usr/bin/python2.6.6

ln -s /usr/local/bin/python2.7 /usr/bin/python

更新python导致yum源无法使用就解办法：

vim /usr/bin/yum

#!/usr/bin/python

改为：

#!/usr/bin/python2.6

3,下载最新elastalert并安装模块

git clone https://github.com/Yelp/elastalert.git

yum -y install libffi-devel

cd  elastalert

python setup.py install

PS：报错

wget http://peak.telecommunity.com/dist/ez_setup.py

python ez_setup.py

pip install setuptools==34.3.3

pip install -r requirements.txt

pip install "elasticsearch==5.0.0" 选择自己的版本

查看pip list

pip list --format=legacy

安装完后，会在 /usr/local/bin/ 下生成4个elastalert命令

ls /usr/local/bin/elastalert*

/usr/local/bin/elastalert

/usr/local/bin/elastalert-rule-from-kibana

/usr/local/bin/elastalert-create-index

/usr/local/bin/elastalert-test-rule

###创建索引

elastalert-create-index

New index name (Default elastalert_status)

Name of existing index to copy (Default None)

New index elastalert_status created

Done!

################下边是测试的配置############################

#####修改配置文件

cd /opt/soft/elastalert

cp config.yaml.example config.yaml

vim config.yaml

rules_folder: example_rules ＃这是包含规则yaml文件的文件夹,(.yaml都作为规则加载)

run_every:

minutes: 1 #elastalert查询es的频率

buffer_time:

minutes: 15 #elastalert缓存时间段

es_host: 172.26.11.77 #es主机

es_port: 9200 #es端口

writeback_index: elastalert_status #elastalert设置的索引

alert_time_limit:

days: 1 #报警失败，最晚1天之内会再次报警，直到这个时间段过去

###配置邮箱用户名密码

vim /home/elastalert/elastalert/example_rules/smtp_auth_file.yaml

user: [email protected]

password: 1zxpfqBF-ibTw#gG ##这里的密码不是web页面登录的密码。而是机器码

cd example_rules

vim example_frequency.yaml

es_host: elk01

es_host: elk02

es_host: elk03

es_port: 9200

name: Example frequency rule

type: frequency

index: eas-172.25.11.112-server1-apusic.log.0-*

num_events: 1

timeframe:

minutes: 1 #出现的时间段

filter: #规则

- query:

query_string:

query: "field: value"

filter:

- query_string:

query: "message: 测试一下下"

######配置报警信息##########

alert_text: "jira服务出现问题"

#alert_text_type: alert_text_only

include: ["type", "ua", "log_time"] ###允许字段

#alert_text_type: exclude_fields

exclude: ["@timestamp", "_id", "_index", "_type"] ###排除字段

#attach_related: true

#top_count_keys: ["client_ip", "status"]

#############配置友好别名######

alert_text_type: alert_text_only （exclude_fields ##这个参数会显示默认报警注释）

alert_text: |

jira服务出现问题

主机: {}

请求URL: {}

HTTP状态码: {}

远程IP地址: {}

日志时间戳: {}

总查询次数: {}

总异常次数: {}

原始日志信息: {}

alert_text_args:

- client_ip

- ua

- status

- host

- log_time

- num_hits

- num_matches

- source

########配置邮件报警###############

smtp_host: cm-inv.com #SMTP协议的邮件服务器相关配置

smtp_port: 25

#邮箱用户认证

smtp_auth_file: /home/elastalert/elastalert/example_rules/smtp_auth_file.yaml

#回复给哪个邮箱

email_reply_to: [email protected]

#从哪个邮箱发送

from_addr: [email protected]

alert:

- "email"

#接收报警的邮箱

- "117[email protected]"

测试：

cd /opt/soft/elastalert/

python -m elastalert.elastalert --verbose --rule example_frequency.yaml

curl -X POST "http://172.26.11.79:9200/eas-172.25.11.112-server1-apusic.log.0-2017-07-25/test" -d ‘{ "@timestamp": "2017-07-25T11:43:30.000Z", "field": "value" }‘

#############以下是服务的配置#################################

mkdir /etc/elastalert

cd /etc/elastalert

复制配置文件

cp /opt/soft/elastalert/config.yaml ./

mkdir rules

复制规则文件

cp /opt/soft/elastalert/example_rules/example_frequency.yaml rules/

####修改配置文件

修改 config.yaml 中

vim config.yaml

rules_folder: /etc/elastalert/rules

##################配置微信报警#################################

cd /opt/soft/elastalert

wget -P elastalert_modules/ https://raw.githubusercontent.com/anjia0532/elastalert-wechat-plugin/master/wechat_qiye_alert.py

touch elastalert_modules/__init__.py

cd example_rules/

vim example_frequency.yaml

####配置微信报警######

alert:

- "elastalert_modules.wechat_qiye_alert.WeChatAlerter"

#设置微信企业号的appid

corp_id: wxc27a71b135ab

#设置微信企业号的Secret

secret: MQp6r1DYJ0wPCF-xRPYVvDWBJddgAnFBzHwJyVM

#后台登陆后【应用中心】->【选择应用】->【应用id】

##设置微信企业号应用id

agent_id: 100

##部门id

party_id: 1

##用户微信号

user_id: 10515480

## 标签id

tag_id: admin

######测试#######

python -m elastalert.elastalert

curl -X POST ‘http://172.26.11.77:9200/eas-172.25.11.112-server1-apusic.log.0-‘$(date +%Y.%m.%d)‘/test‘ -d ‘{"@timestamp": "‘$(date +%Y-%m-%d‘T‘%T%z)‘","field": "value"}‘

######报错#######

ERROR:root:Error while running alert WeChatAlerter: send message has error: ("bad handshake: Error([(‘SSL routines‘, ‘SSL3_GET_SERVER_CERTIFICATE‘, ‘certificate verify failed‘)],)",)

pip uninstall -y certifi && sudo pip install certifi==2015.04.28

pip install certifi==2015.04.28

启动服务

python -m elastalert.elastalert &

python -m elastalert.elastalert --config ./config.yaml

python elastalert/elastalert.py

安装完成，可以借鉴的文档

ElastAlert 基于Elasticsearch的监控告警 | 家的博客

https://anjia.ml/2017/02/14/elasticsearch-elastalert/

ELK中利用elastalert监控日志中的异常，发送邮件警告 - pujiaolin的专栏 - CSDN博客 http://blog.csdn.net/pujiaolin/article/details/52252950?locationNum=3

https://anjia.ml/2017/02/14/elasticsearch-elastalert/

Elasticsearch+ElastAlert微信报警 - 简书

http://www.jianshu.com/p/d318e0e843fd

https://github.com/anjia0532/elastalert-wechat-plugin