环境部署
安装其它的必需包
yum install -y zlib-devel bzip2-devel openssl-devel ncurses-devel sqlite-devel
1,下载、编译和安装 Python 2.7.13
wget https://www.python.org/ftp/python/2.7.13/Python-2.7.13.tgz
tar zxf Python-2.7.13.tgz
cd Python-2.7.13
./configure
make && make install
2,为新版 Python 安装 setuptools
wget https://bootstrap.pypa.io/ez_setup.py -O - | python
setuptools 正确安装完成后,easy_install 命令就会被安装在 /usr/local/bin 目录下了。
为新版 Python 安装 pip
easy_install pip
pip list --format=legacy
pip (9.0.1)
setuptools (33.1.1)
创建软连接
mv /usr/bin/python /usr/bin/python2.6.6
ln -s /usr/local/bin/python2.7 /usr/bin/python
更新python导致yum源无法使用就解办法:
vim /usr/bin/yum
#!/usr/bin/python
改为:
#!/usr/bin/python2.6
3,下载最新elastalert并安装模块
git clone https://github.com/Yelp/elastalert.git
yum -y install libffi-devel
cd elastalert
python setup.py install
PS:报错
wget http://peak.telecommunity.com/dist/ez_setup.py
python ez_setup.py
pip install setuptools==34.3.3
pip install -r requirements.txt
pip install "elasticsearch==5.0.0" 选择自己的版本
查看pip list
pip list --format=legacy
安装完后,会在 /usr/local/bin/ 下生成4个elastalert命令
ls /usr/local/bin/elastalert*
/usr/local/bin/elastalert
/usr/local/bin/elastalert-rule-from-kibana
/usr/local/bin/elastalert-create-index
/usr/local/bin/elastalert-test-rule
###创建索引
elastalert-create-index
New index name (Default elastalert_status)
Name of existing index to copy (Default None)
New index elastalert_status created
Done!
################下边是测试的配置############################
#####修改配置文件
cd /opt/soft/elastalert
cp config.yaml.example config.yaml
vim config.yaml
rules_folder: example_rules #这是包含规则yaml文件的文件夹,(.yaml都作为规则加载)
run_every:
minutes: 1 #elastalert查询es的频率
buffer_time:
minutes: 15 #elastalert缓存时间段
es_host: 172.26.11.77 #es主机
es_port: 9200 #es端口
writeback_index: elastalert_status #elastalert设置的索引
alert_time_limit:
days: 1 #报警失败,最晚1天之内会再次报警,直到这个时间段过去
###配置邮箱用户名密码
vim /home/elastalert/elastalert/example_rules/smtp_auth_file.yaml
user: [email protected]
password: 1zxpfqBF-ibTw#gG ##这里的密码不是web页面登录的密码。而是机器码
cd example_rules
vim example_frequency.yaml
es_host: elk01
es_host: elk02
es_host: elk03
es_port: 9200
name: Example frequency rule
type: frequency
index: eas-172.25.11.112-server1-apusic.log.0-*
num_events: 1
timeframe:
minutes: 1 #出现的时间段
filter: #规则
- query:
query_string:
query: "field: value"
filter:
- query_string:
query: "message: 测试一下下"
######配置报警信息##########
alert_text: "jira服务出现问题"
#alert_text_type: alert_text_only
include: ["type", "ua", "log_time"] ###允许字段
#alert_text_type: exclude_fields
exclude: ["@timestamp", "_id", "_index", "_type"] ###排除字段
#attach_related: true
#top_count_keys: ["client_ip", "status"]
#############配置友好别名######
alert_text_type: alert_text_only (exclude_fields ##这个参数会显示默认报警注释)
alert_text: |
jira服务出现问题
主机: {}
请求URL: {}
HTTP状态码: {}
远程IP地址: {}
日志时间戳: {}
总查询次数: {}
总异常次数: {}
原始日志信息: {}
alert_text_args:
- client_ip
- ua
- status
- host
- log_time
- num_hits
- num_matches
- source
########配置邮件报警###############
smtp_host: cm-inv.com #SMTP协议的邮件服务器相关配置
smtp_port: 25
#邮箱用户认证
smtp_auth_file: /home/elastalert/elastalert/example_rules/smtp_auth_file.yaml
#回复给哪个邮箱
email_reply_to: [email protected]
#从哪个邮箱发送
from_addr: [email protected]
alert:
- "email"
#接收报警的邮箱
- "117[email protected]"
测试:
cd /opt/soft/elastalert/
python -m elastalert.elastalert --verbose --rule example_frequency.yaml
curl -X POST "http://172.26.11.79:9200/eas-172.25.11.112-server1-apusic.log.0-2017-07-25/test" -d ‘{ "@timestamp": "2017-07-25T11:43:30.000Z", "field": "value" }‘
#############以下是服务的配置#################################
mkdir /etc/elastalert
cd /etc/elastalert
复制配置文件
cp /opt/soft/elastalert/config.yaml ./
mkdir rules
复制规则文件
cp /opt/soft/elastalert/example_rules/example_frequency.yaml rules/
####修改配置文件
修改 config.yaml 中
vim config.yaml
rules_folder: /etc/elastalert/rules
##################配置微信报警#################################
cd /opt/soft/elastalert
wget -P elastalert_modules/ https://raw.githubusercontent.com/anjia0532/elastalert-wechat-plugin/master/wechat_qiye_alert.py
touch elastalert_modules/__init__.py
cd example_rules/
vim example_frequency.yaml
####配置微信报警######
alert:
- "elastalert_modules.wechat_qiye_alert.WeChatAlerter"
#设置微信企业号的appid
corp_id: wxc27a71b135ab
#设置微信企业号的Secret
secret: MQp6r1DYJ0wPCF-xRPYVvDWBJddgAnFBzHwJyVM
#后台登陆后【应用中心】->【选择应用】->【应用id】
##设置微信企业号应用id
agent_id: 100
##部门id
party_id: 1
##用户微信号
user_id: 10515480
## 标签id
tag_id: admin
######测试#######
python -m elastalert.elastalert
curl -X POST ‘http://172.26.11.77:9200/eas-172.25.11.112-server1-apusic.log.0-‘$(date +%Y.%m.%d)‘/test‘ -d ‘{"@timestamp": "‘$(date +%Y-%m-%d‘T‘%T%z)‘","field": "value"}‘
######报错#######
ERROR:root:Error while running alert WeChatAlerter: send message has error: ("bad handshake: Error([(‘SSL routines‘, ‘SSL3_GET_SERVER_CERTIFICATE‘, ‘certificate verify failed‘)],)",)
pip uninstall -y certifi && sudo pip install certifi==2015.04.28
pip install certifi==2015.04.28
启动服务
python -m elastalert.elastalert &
python -m elastalert.elastalert --config ./config.yaml
python elastalert/elastalert.py
安装完成,可以借鉴的文档
ElastAlert 基于Elasticsearch的监控告警 | 家的博客
https://anjia.ml/2017/02/14/elasticsearch-elastalert/
ELK中利用elastalert监控日志中的异常,发送邮件警告 - pujiaolin的专栏 - CSDN博客 http://blog.csdn.net/pujiaolin/article/details/52252950?locationNum=3
https://anjia.ml/2017/02/14/elasticsearch-elastalert/
Elasticsearch+ElastAlert微信报警 - 简书
http://www.jianshu.com/p/d318e0e843fd
https://github.com/anjia0532/elastalert-wechat-plugin