关于elk:Censtos7-安装部署-elastalert日志告警

41次阅读

共计 5307 个字符,预计需要花费 14 分钟才能阅读完成。

装置依赖包

yum -y install gcc libffi-devel python-devel openssl-devel4 ca-certificates openssl-dev openssl python2-dev python2 py2-pip py2-yaml libffi-dev gcc musl-dev wget

yum -y install wget openssl openssl-devel gcc gcc-c++

下载 Python3.6.9
wget https://www.python.org/ftp/python/3.6.9/Python-3.6.9.tgz

解压,编译装置
tar xf Python-3.6.9.tgz

cd Python-3.6.9./configure --prefix=/usr/local/python --with-openssl

make && make install

创立软链接,降级 pip
ln -s /usr/local/python/bin/python3 /usr/bin/python3

ln -s /usr/local/python/bin/pip3 /usr/bin/pip3

pip install --upgrade pip

验证
python -V

下载安装 elastalert

git clone https://github.com/Yelp/elastalert.git
cd elastalert
pip3 install "elasticsearch<7,>6"
pip3 install -r requirements.txt
python3 setup.py install

装置胜利后能够看到四个命令

ll /usr/local/python/bin/elastalert*
    /usr/local/python/bin/elastalert
    /usr/local/python/bin/elastalert-create-index
    /usr/local/python/bin/elastalert-rule-from-kibana
    /usr/local/python/bin/elastalert-test-rule
软连贯到 /usr/bin 下, 方便使用
ln -s /usr/local/python/bin/elastalert* /usr/bin
应用
官网文档:https://elastalert.readthedocs.io

规定文档:https://elastalert.readthedocs.io/en/latest/ruletypes.html

依据模板来写 config.yaml

cp config.yaml.example config.yaml

vim config.yaml

配置文件模板
# 用来加载 rule 的目录,默认是 example_rules
rules_folder: rules
# 用来设置定时向 elasticsearch 发送申请,也就是告警执行的频率
run_every:
  minutes: 1
# 用来设置申请里工夫字段的范畴
buffer_time:
  minutes: 15
# elasticsearch 的 host 地址
es_host: 10.3.0.41
# elasticsearch 的端口
es_port: 9200
# elastalert 产生的日志在 elasticsearch 中的创立的索引
writeback_index: elastalert_status
# 失败重试的工夫限度
alert_time_limit:
  #days: 2
  minutes: 15
创立告警索引
执行 elastalert-create-index 命令在 ES 创立索引,这不是必须的步骤,然而强烈建议创立。因为对于审计和测试很有用,并且重启 ES 不影响计数和发送 alert.

$ elastalert-create-index
/usr/lib/python2.7/site-packages/elastalert-0.1.37-py2.7.egg/elastalert/create_index.py:65: YAMLLoadWarning: calling yaml.load() without Loader=... is deprecated, as the default Loader is unsafe. Please read https://msg.pyyaml.org/load for full details.
  data = yaml.load(config_file)
Elastic Version:6
Mapping used for string:{'type': 'keyword'}
New index elastalert_status created
Done!
  • Rule 配置
    它通过将 Elasticsearch 与两种类型的组件(规定类型和警报)联合应用。定期查问 Elasticsearch,并将数据传递到规定类型,该规定类型确定何时找到匹配项。产生匹配时,将为该警报提供一个或多个警报,这些警报将依据匹配采取行动。

这是由一组规定配置的,每个规定定义一个查问,一个规定类型和一组警报。

ElastAlert 蕴含几种具备常见监督范例的规定类型:

“匹配 Y 工夫有 X 个事件的中央”(frequency type)

“当事件发生率减少或缩小时进行匹配”(spike type)

“在 Y 工夫内少于 X 个事件时进行匹配”(flatline type)

“当某个字段与黑名单 / 白名单匹配时匹配”(blacklist 和 whitelist type)

“匹配与给定过滤器匹配的任何事件”(any type)

“当某个字段在一段时间内具备两个不同的值时进行匹配”(change type)

es_host: 10.13.10.43
es_port: 9200
use_ssl: False
name: Nginx.
use_strftine_index: true
index: logstash-nginx*
type: any
aggregation:
 seconds: 10
run_every:
  minutes: 1
buffer_time:
  minutes: 10
filter:
- query:
    query_string:
      query: "groups: nginx AND response: 404"
alert:
- "email"
email:
 - "7*@qq.net"
smtp_host: smtp.qq.com
smtp_port: 25
smtp_auth_file: /data/elastalert-0.1.37/smtp_auth_file.yaml
from_addr: dbj@qq.com
email_reply_to: dbj@qq.com
启动
python3 -m elastalert.elastalert --verbose --rule rules/nginx.yaml

后续还能够优化启动形式,和告警规定

rule


[root@elasticsearch-node1 rules]# pwd
/data/elastalert/rules
[root@elasticsearch-node1 rules]# grep -v "#" nginx.yaml 
es_host: 10.216.15.212
es_port: 9200
name: nginx rule
type: frequency
index: nginx_test*
num_events: 3
timeframe:
  minutes: 1
filter:
 - query:
    query_string:
      query: "message: 谬误  OR Error"
alert_text: "TTTTTTTtest"
alert:
 - "post"
http_post_url: "http://127.0.0.1:9000/elk_alarm"

json


{
    "agent": {
        "hostname": "elasticsearch-node1",
        "name": "elasticsearch-node1",
        "id": "f2e24232-1287-45ca-a59f-6a56cec2011c",
        "ephemeral_id": "3036c138-4c53-408e-8d4e-2e157885f470",
        "type": "filebeat",
        "version": "7.8.1"
    },
    "@timestamp": "2022-05-18T06:48:35.401Z",
    "ecs": {"version": "1.5.0"},
    "log": {
        "file": {"path": "/data/nginx/logs/error.log"},
        "offset": 42683
    },
    "host": {"name": "elasticsearch-node1"},
    "@version": "1",
    "fields": {"logtype": "test_174"},
    "message": "2022/05/18 14:48:30 [error] 21074#0: *267 open()'/data/nginx/html/xxxxxx'failed (2: No such file or directory), client: 10.26.5.20, server: ,request:'HEAD /xxxxxx HTTP/1.1',host:'10.26.5.22'","tags": ["_jsonparsefailure"],"_id":"RwXs1YABqWCT5PWn7_Zj","_index":"nginx_test-2022-05-18","_type":"_doc","num_hits": 10,"num_matches": 3
}

flask code

@alert_list.route('/elk_alarm_all', methods=['POST'])
# @alert_list.route('/elk_alarm/', methods=['POST', 'GET'])
def elk_alarm2():
    Time = time.strftime("%Y-%m-%d %H:%M:%S")
    data_json = json.loads(request.get_data(as_text=True))
    print("###json:", data_json, Time)
    messages = data_json['message']
    type_log = data_json['agent']['type']
    field = data_json['fields']['logtype']
    index_log = data_json['_index']
    topic_list = index_log.split('-')
    topic_name = topic_list[0]
    print("###messages:", messages, "filed:", field, "index:", index_log, type_log, topic_name)
    logstash_list = logstash.query.filter(logstash.logstash_name == topic_name).first()
    logstash_dic = logstash_list.single_to_dict()
    group_id = logstash_dic['group_id']
    group_users_dic = alert_def.elk_select_alarmgroup(group_id)
    temp_elk_dic = alert_def.elk_select_temp(topic_name)
    print("###group_user:", group_users_dic, "temp:", temp_elk_dic, type(temp_elk_dic))
    temp_elk_dic1 = eval(temp_elk_dic)
    group_users = group_users_dic['user_name']
    webhook_elk = group_users_dic['webhook']
    temp_elk = temp_elk_dic1['tmpl_firing']
    change_temp = temp_elk.replace('index_log17', index_log).replace('type_log17', type_log).replace('field17',
                                                                                                     field).replace('time17', Time).replace('messages17', messages)
    #group_user_list = group_users.split('|')
    print("###user:", group_users, "webhook:", webhook_elk, "temp:", change_temp)
    alert_def.send_elk_alert_high(temp=change_temp, wx_url=webhook_elk, group_str=group_users)## 日志发送音讯的本人写吧
    db.session.close()
    return str(data_json)



正文完
 0