elastalter郵件告警

一：簡介

ElastAlert是一個簡單的框架，用於經過Elasticsearch中的數據異常警告，峯值或其餘感興趣的模式。

監控類型

• 「匹配Y時間內有X個事件的地方」（frequency類型）
• 「事件發生率增長或減小時匹配」（spike類型）
• 「在Y時間內少於X事件時匹配」（flatline類型）
• 「當某個字段匹配黑名單/白名單時匹配」（blacklist和whitelist類型）
• 「匹配任何匹配給定過濾器的事件」（any類型）
• 「在一段時間內某個字段有兩個不一樣的值時匹配」（change類型）

二：部署安裝

因爲Yelp官方提供有docker鏡像，docker的便捷性，因此採用docker進行部署

githup官方庫：https://github.com/Yelp/elastalert

docker image：bitsensor/elastalert:latest

安裝方式：

下載相應的配置文件
git clone https://github.com/bitsensor/elastalert.git; cd elastalert
啓動鏡像
docker run -d -p 3030:3030 \
    -v `pwd`/config/elastalert.yaml:/opt/elastalert/config.yaml \
    -v `pwd`/config/config.json:/opt/elastalert-server/config/config.json \
    -v `pwd`/rules:/opt/elastalert/rules \
    -v `pwd`/rule_templates:/opt/elastalert/rule_templates \
    --net="host" \
    --name elastalert bitsensor/elastalert:latest

三：配置方式

詳細資料查看官方資料。

規則配置

# Rule name, must be unique
name: web request status

# Type of alert.
#type: spike
type: frequency

# num_events must occur within this amount of time to trigger an alert
# 在5m內，查到的數量多餘20，曾觸發報警
timeframe:
  minutes: 5
num_events: 20


# Index to search, wildcard supported
# 索引和時間filed
index: web-2018.06.26
timestamp_field: "@timestamp"

# 匹配規則
filter:
- query:
    term:
      status:
        value: 404

# 郵件標題 
alert_subject: "Surge in attacks on {}"
alert_subject_args:
  - http_host

# 郵件內容
alert_text_type: alert_text_only
alert_text: "Surge in attacks on {}"
alert_text_args:
  - host

# The alert is use when a match is found
alert:
  - "email"
email:
  - "fjpu@ulucu.com"

四：查看數據

1.elastalter會生成一個elastalter_status索引，裏面會記錄rule匹配的詳細信息

{
  "_index": "elastalert_status",
  "_type": "elastalert",
  "_id": "AWQ7I3EmVEbrE4vFoghn",
  "_version": 1,
  "_score": null,
  "_source": {
    "alert_info": {
      "type": "email",
      "recipients": [
        "fjpu@ulucu.com"
      ]
    },
    "@timestamp": "2018-06-26T08:08:55.846839Z",
    "alert_sent": true,
    "match_body": {
      "@timestamp": "2018-06-26T08:04:51Z",
      "agent": "ulucuC2/3.4.1 (iPhone; iOS 9.3.2; Scale/3.00)",
      "upstreamhost": "127.0.0.1:9000",
      "clientip": "114.84.159.101",
      "size": 595,
      "request_body": "-",
      "request_method": "GET",
      "responsetime": 0.02,
      "type": "web",
      "status": "404",
      "_type": "web",
      "tags": [
        "nginx"
      ],
      # 匹配到了116條
      "num_hits": 116,
      "upstreamtime": "0.020",
      "host": "10.105.44.249",
      "http_host": "website.huidian.api.ulucu.com",
      "proxy_add_x_forwarded_for": "114.84.159.101, 114.84.159.101",
      "num_matches": 5,
      "_index": "web-2018.06.26",
      "url": "/index.php/device/get_device_pic",
      "query_string": "av=1&platform=ios&store_id=22632&token=F69A6020A9C858D91072EF631DAD698F66F3C89D99450699BA9D4A7667E8AA",
      "referer": "-",
      "_id": "AWQ7H7hnVEbrE4vFobUE",
      "@version": "1"
    },
    "rule_name": "web request status",
    "match_time": "2018-06-26T08:04:51Z",
    "alert_time": "2018-06-26T08:08:55.471461Z"
  },
  "fields": {
    "alert_time": [
      1530000535471
    ],
    "match_time": [
      1530000291000
    ],
    "@timestamp": [
      1530000535846
    ]
  },
  "sort": [
    1530000535846
  ]
}