Elasticsearch 基於ElastAlert發送郵件報警

ElastAlert

   ElastAlert 是 Yelp 公司開源的一套用 Python2.6 寫的報警框架。屬於後來 Elastic.co 公司出品的 Watcher 同類產品。官網地址見：http://elastalert.readthedocs.org/。

   當咱們把ELK搭建好後，也順利的收集到日誌了，可是日誌裏發生了什麼事，咱們並不能第一時間知道日誌裏到底發生了什麼，運維須要第一時間知道日誌發生了什麼事，因此就有了ElastAlert的郵件報警，以下是詳細操做

 

環境

Centos 7.0

elasticsearch 5.2.2

logstash 5.2.2

kibana 5.2.2

依賴

參見 http://elastalert.readthedocs.io/en/latest/running_elastalert.html#requirements

• Elasticsearch

• ISO8601 or Unix timestamped data

• Python 2.6 or 2.7

• pip, see requirements.txt

1，下載最新elastalert並安裝模塊

# yum install python-setuptools

# git clone https://github.com/Yelp/elastalert.git

# cd elastalert

# pip install -U setuptools

# python setup.py install

# pip install -r requirements.txt  

2，設置配置文件和規則Rule

[root@localhost ~]# cd /usr/local/elastalert/

[root@localhost elastalert]# cp config.yaml.example config.yaml

[root@localhost elastalert]# vim config.yaml

# This is the folder that contains the rule yaml files

# Any .yaml file will be loaded as a rule

rules_folder: es_rules

# How often ElastAlert will query Elasticsearch

# The unit can be anything from weeks to seconds

run_every:

  minutes: 1

# ElastAlert will buffer results from the most recent

# period of time, in case some log sources are not in real time

buffer_time:

  minutes: 15

# The Elasticsearch hostname for metadata writeback

# Note that every rule can have its own Elasticsearch host

es_host: 192.168.0.33

# The Elasticsearch port

es_port: 9200

# The AWS region to use. Set this when using AWS-managed elasticsearch

#aws_region: us-east-1

# The AWS profile to use. Use this if you are using an aws-cli profile.

# See http://docs.aws.amazon.com/cli/latest/userguide/cli-chap-getting-started.html

# for details

#profile: test

# Optional URL prefix for Elasticsearch

#es_url_prefix: elasticsearch

# Connect with TLS to Elasticsearch

#use_ssl: True

# Verify TLS certificates

#verify_certs: True

# GET request with body is the default option for Elasticsearch.

# If it fails for some reason, you can pass 'GET', 'POST' or 'source'.

# See http://elasticsearch-py.readthedocs.io/en/master/connection.html?highlight=send_get_body_as#transport

# for details

#es_send_get_body_as: GET

# Option basic-auth username and password for Elasticsearch

#es_username: someusername

#es_password: somepassword

# The index on es_host which is used for metadata storage

# This can be a unmapped index, but it is recommended that you run

# elastalert-create-index to set a mapping

writeback_index: elastalert_status

# If an alert fails for some reason, ElastAlert will retry

# sending the alert until this time period has elapsed

alert_time_limit:

  days: 2

 

3，發送郵件的郵箱設置

[root@localhost elastalert]# vim example_rules/smtp_auth_file.yaml 

user: jet.liu@qq.com

password: xxx

4，配置規則

 [root@iZ6232hr6ksZ elastalert]# vim example_rules/example_frequency.yaml

 # Alert when the rate of events exceeds a threshold

# (Optional)

# Elasticsearch host

# es_host: elasticsearch.example.com

# (Optional)

# Elasticsearch port

# es_port: 14900

# (OptionaL) Connect with SSL to Elasticsearch

#use_ssl: True

# (Optional) basic-auth username and password for Elasticsearch

#es_username: someusername

#es_password: somepassword

# (Required)

# Rule name, must be unique

name: Example rule

# (Required)

# Type of alert.

# the frequency rule type alerts when num_events events occur with timeframe time

type: frequency

# (Required)

# Index to search, wildcard supported

index: logstash-*

# (Required, frequency specific)

# Alert when this many documents matching the query occur within a timeframe

#限定時間內，發生事件次數

num_events: 1

# (Required, frequency specific)

# num_events must occur within this amount of time to trigger an alert

#限定時間刻度

timeframe:

 # hours: 4

 #1分鐘

  minutes: 1

# (Required)

# A list of Elasticsearch filters used for find events

# These filters are joined with AND and nested in a filtered query

# For more info: http://www.elasticsearch.org/guide/en/elasticsearch/reference/current/query-dsl.html

filter:

#這條是發現日誌中有ERROR的字段，就發郵件報警，這段很重要，若是寫錯了就會報錯

- query:

    match:

      message:

        query: "ERROR"  

#SMTP協議的郵件服務器相關配置

smtp_host: smtp.exmail.qq.com

smtp_prot: 25

#用戶認證文件，須要user和password兩個屬性

smtp_auth_file: /usr/local/elastalert/example_rules/smtp_auth_file.yaml

#回覆給那個郵箱

email_reply_to: jet.liu@qq.com

#從哪一個郵箱發送

from_addr: jet.liu@qq.com

# (Required)

# The alert is use when a match is found

alert:

- "email"

# (required, email specific)

# a list of email addresses to send alerts to

email:

#接收報警郵件的郵箱

- "jet.liu@qq.com"

5，測試規則

[root@localhost elastalert]#nohup python -m elastalert.elastalert --verbose --rule example_rules/example_frequency.yaml

6，檢測郵件狀況

郵件已收到 ，當日志中發現有ERROR都會發郵件報警