1. Official documentation: http://elastalert.readthedocs.io/en/latest/
2. Alert rule example (rule types are documented at http://elastalert.readthedocs.io/en/latest/elastalert.html#rule-types). The rule below is a `frequency` rule that fires once `num_events` documents matching every entry of `filter` appear within `timeframe`; note that it ships with `is_enabled: false`, so it does nothing until that flag is set to `true`.
admin_asdsa.yaml: |
  name: admin_asdsa
  type: frequency
  owner: admin
  description: "2018-06-13 17:54:55"
  index: logstash-*
  num_events: 1
  is_enabled: false
  timeframe:
    minutes: 60
  filter:
  - query:
      query_string:
        query: 'kubernetes.labels.name: test'
  - query:
      query_string:
        query: 'kubernetes.namespace_name: admin'
  - query:
      wildcard:
        log: '*Listening*'
  regex: '*Listening*'
  alert:
  - email
  smtp_host: smtp.exmail.qq.com
  smtp_port: 465
  smtp_ssl: true
  from_addr: tester@tenxcloud.com
  smtp_auth_file: /opt/config/email_config.yaml
  email:
  - gaoyawei@xxxx.com
  alert_subject: '[xxx]告警提醒'
  alert_text_type: alert_text_only
  alert_text: "親愛的++用戶:\n\n 根據您在【管理與日誌】- [告警設置] 設置的 {} 策略,您的服務 {} 日誌告警已觸發,日誌正則 {} 已出現 {} 次! \n\n\n以上問題請請儘快處理,謝謝!"
  alert_text_args:
  - name
  - kubernetes.labels.name
  - regex
  - num_hits
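To make the rule's behaviour concrete, here is an added illustration (my own code, not part of the original notes and not ElastAlert's implementation) that models the three things the rule relies on: every entry of `filter` must match a document, the frequency rule counts matching documents inside `timeframe`, and each `{}` in `alert_text` is filled in order from `alert_text_args`, looking the key up in the matched document first and falling back to a top-level rule property (which is how `name` and the custom `regex` key end up in the mail). The log documents, their timestamps and the `k8s_doc` helper are constructed for the example, and the rule is embedded as a Python dict on the assumption that the YAML above loads to these keys.

```python
"""Added illustration, not ElastAlert's own code: a miniature model of how the
frequency rule above filters log documents, counts them inside `timeframe`,
and fills the `{}` placeholders of `alert_text` from `alert_text_args`.
Sample log documents and timestamps are constructed for this example."""
from datetime import datetime, timedelta
from fnmatch import fnmatchcase

# The rule from section 2 as a Python dict (assumption: the YAML loads to these keys).
# Alert delivery (smtp_*, email) is left out; only matching and text rendering are modelled.
RULE = {
    "name": "admin_asdsa",
    "type": "frequency",
    "index": "logstash-*",
    "num_events": 1,
    "timeframe": {"minutes": 60},
    "filter": [
        {"query": {"query_string": {"query": "kubernetes.labels.name: test"}}},
        {"query": {"query_string": {"query": "kubernetes.namespace_name: admin"}}},
        {"query": {"wildcard": {"log": "*Listening*"}}},
    ],
    "regex": "*Listening*",  # custom top-level key; alert_text_args can fall back to it
    "alert_text": "親愛的++用戶:\n\n 根據您在【管理與日誌】- [告警設置] 設置的 {} 策略,"
                  "您的服務 {} 日誌告警已觸發,日誌正則 {} 已出現 {} 次! \n\n\n以上問題請請儘快處理,謝謝!",
    "alert_text_args": ["name", "kubernetes.labels.name", "regex", "num_hits"],
}

T0 = datetime(2018, 6, 13, 17, 0)  # constructed base time for the sample documents


def k8s_doc(ts, log, namespace, label_name):
    """Build a log document in the nested shape fluentd writes to logstash-* (constructed)."""
    return {"@timestamp": ts, "log": log,
            "kubernetes": {"namespace_name": namespace, "labels": {"name": label_name}}}


EVENTS = [
    k8s_doc(T0, "Listening on 0.0.0.0:8080", "admin", "test"),                    # matches
    k8s_doc(T0 + timedelta(minutes=5), "GET /healthz 200", "admin", "test"),      # no 'Listening'
    k8s_doc(T0 + timedelta(minutes=10), "Listening on :9090", "other", "test"),   # wrong namespace
    k8s_doc(T0 + timedelta(minutes=30), "Listening restarted", "admin", "test"),  # matches
]


def lookup_es_key(doc, dotted_key):
    """Walk 'a.b.c' through nested dicts; returns None when any step is missing."""
    cur = doc
    for part in dotted_key.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def clause_matches(clause, event):
    """Evaluate one entry of the rule's `filter` list. Only the two query shapes the
    rule uses are modelled: 'field: value' query_string (exact equality) and a
    single-field wildcard (glob match on the field's string value)."""
    query = clause["query"]
    if "query_string" in query:
        field, _, value = query["query_string"]["query"].partition(":")
        actual = lookup_es_key(event, field.strip())
        return actual is not None and str(actual) == value.strip()
    if "wildcard" in query:
        (field, pattern), = query["wildcard"].items()
        actual = lookup_es_key(event, field)
        return actual is not None and fnmatchcase(str(actual), pattern)
    raise ValueError(f"unsupported filter clause: {clause}")


def event_matches(rule, event):
    """Entries of `filter` are ANDed: every clause must hold for the document."""
    return all(clause_matches(c, event) for c in rule["filter"])


def frequency_matches(rule, events):
    """Sliding-window count over matching documents, oldest first. When the window
    holds `num_events` documents no older than `timeframe` relative to the newest,
    record a match built from the newest document and start a fresh window.
    Simplification: `num_hits` here is the window size at fire time; ElastAlert
    sets it to the total hit count of the query run."""
    timeframe = timedelta(**rule["timeframe"])
    window, matches = [], []
    hits = sorted((e for e in events if event_matches(rule, e)), key=lambda e: e["@timestamp"])
    for event in hits:
        window.append(event)
        window = [e for e in window if event["@timestamp"] - e["@timestamp"] <= timeframe]
        if len(window) >= rule["num_events"]:
            matches.append(dict(event, num_hits=len(window)))
            window = []
    return matches


def render_alert_text(rule, match):
    """Fill `{}` placeholders in order from `alert_text_args`: look each key up in the
    match document, fall back to a top-level rule property of the same name, and
    otherwise use ElastAlert's '<MISSING VALUE>' marker."""
    values = []
    for arg in rule["alert_text_args"]:
        value = lookup_es_key(match, arg)
        if value is None:
            value = rule.get(arg)
        values.append("<MISSING VALUE>" if value is None else value)
    return rule["alert_text"].format(*values)


if __name__ == "__main__":
    for match in frequency_matches(RULE, EVENTS):
        print(match["@timestamp"], "->", render_alert_text(RULE, match).replace("\n", " "))
```

Two caveats the model makes visible. With `num_events: 1` every matching document produces its own alert; raising `num_events` to 2 on the sample data yields a single alert carrying `num_hits: 2`, and shrinking `timeframe` to 15 minutes yields none, because the two matching documents are 30 minutes apart. Second, the glob match here is case-sensitive on the whole line, whereas an Elasticsearch `wildcard` query is not analysed and is matched against indexed terms: on a standard-analysed `text` field those terms are lowercased, so a capitalised pattern like `*Listening*` may not match in Elasticsearch even though it matches in this model; querying the `.keyword` sub-field or using a lowercase pattern avoids that surprise.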
3. Configuration file (settings documented at http://elastalert.readthedocs.io/en/latest/elastalert.html#configuration). The `email_config` document is the credentials file the rule points to via `smtp_auth_file`, so the SMTP password stays out of the rule file itself.
elastalert_config: |-
  ---
  rules_folder: /opt/rules
  scan_subdirectories: false
  run_every:
    minutes: 1
  buffer_time:
    minutes: 15
  es_host: elasticsearch-logging
  es_port: 9200
  writeback_index: elastalert_status
  use_ssl: false
  alert_time_limit:
    days: 2
email_config: |-
  ---
  user: tester@xxx.com
  password: xxxxssl
4. For the specific rule types and alert methods, see the official documentation.