ElastAlert - Elasticsearch alerting component

A simple, extensible alerting component for anomalous situations in Elasticsearch data, such as inconsistencies and spikes.

How it works

  1. Elasticsearch is polled periodically
  2. The data is passed into the ElastAlert rule engine
  3. Rule matches are handed to an ElastAlert alerter

Rule types

  • any: an event matches the given filter
  • change: the value of a given field changes within the timeframe
  • frequency: a given number of events or more occur within the timeframe
  • flatline: fewer than a given number of events occur within the timeframe
  • spike: the event rate rises or falls
  • blacklist/whitelist: a given field takes a value on a blacklist or whitelist
  • new_term: a given field takes on a value not seen before
  • cardinality: the number of distinct values of a given field exceeds or falls below a threshold

Kibana plugin support

  • ./bin/kibana-plugin install 'https://git.bitsensor.io/front-end/elastalert-kibana-plugin/builds/artifacts/6.2.3/raw/artifact/elastalert-kibana-plugin-latest.zip?job=build'
  • Add elastalert.serverHost: <ES host> to the Kibana configuration

Starting the service

docker run -d -p 3030:3030 \
    -v `pwd`/config/elastalert.yaml:/opt/elastalert/config.yaml \
    -v `pwd`/config/config.json:/opt/elastalert-server/config/config.json \
    -v `pwd`/rules:/opt/elastalert/rules \
    -v `pwd`/rule_templates:/opt/elastalert/rule_templates \
    --net="host" \
    --name elastalert bitsensor/elastalert:latest

Server configuration example

{
  "appName": "elastalert-server",
  "port": 3030,
  "elastalertPath": "/opt/elastalert",
  "verbose": false,
  "es_debug": false,
  "debug": false,
  "rulesPath": {
    "relative": true,
    "path": "/rules"
  },
  "templatesPath": {
    "relative": true,
    "path": "/rule_templates"
  }
}

Main configuration example

config.yaml

# This is the folder that contains the rule yaml files
# Any .yaml file will be loaded as a rule
rules_folder: /opt/elastalert/rules

# In order to prevent the error "rule duplicated"
scan_subdirectories: false

# How often ElastAlert will query Elasticsearch
# The unit can be anything from weeks to seconds
run_every:
  minutes: 1

# ElastAlert will buffer results from the most recent
# period of time, in case some log sources are not in real time
buffer_time:
  minutes: 3

# The Elasticsearch hostname for metadata writeback
# Note that every rule can have its own Elasticsearch host
es_host: elasticsearch-efk.$NAMESPACE.svc

# The Elasticsearch port
es_port: 9200

# Optional URL prefix for Elasticsearch
#es_url_prefix: elasticsearch

# Connect with TLS to Elasticsearch
use_ssl: False

# Use SSL authentication with client certificates; client_cert must be
# a pem file containing both cert and key for the client
verify_certs: False
#ca_certs: /path/to/cacert.pem
#client_cert: /path/to/client_cert.pem
#client_key: /path/to/client_key.key

# GET request with body is the default option for Elasticsearch.
# If it fails for some reason, you can pass 'GET', 'POST' or 'source'.
# See http://elasticsearch-py.readthedocs.io/en/master/connection.html?highlight=send_get_body_as#transport
# for details
#es_send_get_body_as: GET

# Optional basic-auth username and password for Elasticsearch
#es_username: someusername
#es_password: somepassword

# The index on es_host which is used for metadata storage
# This can be an unmapped index, but it is recommended that you run
# elastalert-create-index to set a mapping
writeback_index: elastalert_status

# If an alert fails for some reason, ElastAlert will retry
# sending the alert until this time period has elapsed
alert_time_limit:
  days: 2

# SMTP settings for alert e-mails
from_addr: ElastAlert@yoursite.com
smtp_host: smtp.exmail.qq.com
smtp_port: 465
smtp_ssl: True
smtp_auth_file: /opt/elastalert/config/smtp_auth.yaml

smtp_auth.yaml

user: dev@maifusha.com
password: yourpassword

Alert rule example

  • Test a rule against the last 24 h of data: elastalert-test-rule [--config <optional config path>] rule.yaml
  • filter type
    • query: supports fuzzy (full-text) matching
    • term: no fuzzy matching; query as <field name>.raw:<query string> instead
name: Report Web Error
type: any
#es_host: elasticsearch.example.com
#es_port: 14900
index: web.error-%Y.%m.%d
use_strftime_index: True # only search indices whose name matches the strftime pattern in index
#num_events: 3
#timeframe:
#  minutes: 3

# Elasticsearch query DSL (the final query structure is {'filter': {'bool': {'must': [config.filter]}}})
filter:
  - query_string:
      query: "app.environment: (production staging)"

query_delay:
  minutes: 1
# minimum interval before the next alert; alerts in between are simply dropped (can be combined with query_key)
realert:
  minutes: 1
# field name(s) used to deduplicate alerts (several fields cause a combined field name to be created on the index for querying)
query_key:
  - app.name
  - app.environment

alert:
  - email
email:
  - php@maifusha.com
alert_subject: "[{1}报错]{0}"
alert_subject_args:
  - app.name
  - app.environment

alert_text: "Something happened with {0} at {1}"
alert_text_type: alert_text_only
alert_text_args: ["username", "@timestamp"]
include: ["ip_address", "hostname", "status"] # restrict which fields of the hit are returned

# aggregate the alerts of a period and send them in one batch
aggregation:
  schedule: '2 4 * * mon,fri'
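The rule above worked through as an added example (simplified model, not ElastAlert's own code): it wraps the rule's filter into the {'filter': {'bool': {'must': [...]}}} structure the comment describes, applies realert suppression keyed on query_key, and fills alert_subject from alert_subject_args. RULE, the sample hits and their timestamps are constructed from the rule shown here.

```python
# Added example, not ElastAlert's own code: models how the rule above is applied.
# RULE and the hits below are constructed from the rule shown on this page.
from datetime import datetime, timedelta

RULE = {
    "filter": [{"query_string": {"query": "app.environment: (production staging)"}}],
    "realert": {"minutes": 1},
    "query_key": ["app.name", "app.environment"],
    "alert_subject": "[{1}报错]{0}",
    "alert_subject_args": ["app.name", "app.environment"],
}

def build_query(rule_filter, start_ts, end_ts, timestamp_field="@timestamp"):
    # Time window first, then the rule's filter list, wrapped as {'filter': {'bool': {'must': [...]}}}
    must = [{"range": {timestamp_field: {"gt": start_ts, "lte": end_ts}}}] + list(rule_filter)
    return {"query": {"bool": {"filter": {"bool": {"must": must}}}}}

def lookup(doc, dotted):
    for part in dotted.split("."):  # resolve "app.name" against a nested hit; None if absent
        if not isinstance(doc, dict) or part not in doc:
            return None
        doc = doc[part]
    return doc

def format_subject(rule, doc):
    # alert_subject_args are positional: {0} is the first listed field, {1} the second
    return rule["alert_subject"].format(*[lookup(doc, f) for f in rule["alert_subject_args"]])

class Realert:
    # Drop a second alert for the same query_key tuple inside the realert window
    def __init__(self, rule):
        self.window = timedelta(**rule["realert"])
        self.keys = rule.get("query_key", [])
        self.last_sent = {}
    def should_alert(self, doc, now):
        key = tuple(lookup(doc, k) for k in self.keys)
        prev = self.last_sent.get(key)
        if prev is not None and now - prev < self.window:
            return False
        self.last_sent[key] = now
        return True

def demo():
    # Three hits 20 s apart: the same app twice (second suppressed), then a different app
    t0 = datetime(2024, 1, 1, 12, 0, 0)
    hits = [{"app": {"name": "shop", "environment": "production"}},
            {"app": {"name": "shop", "environment": "production"}},
            {"app": {"name": "api", "environment": "staging"}}]
    tracker = Realert(RULE)
    fired = [tracker.should_alert(h, t0 + timedelta(seconds=20 * i)) for i, h in enumerate(hits)]
    return fired, [format_subject(RULE, h) for h in hits]
```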