• Implementing alerting with the log-alerting plugin elastalert


    1. Official documentation: http://elastalert.readthedocs.io/en/latest/

    2. Alert rule example

    http://elastalert.readthedocs.io/en/latest/elastalert.html#rule-types

    admin_asdsa.yaml: |
        name: admin_asdsa
        type: frequency
        owner: admin
        description: "2018-06-13 17:54:55"
        index: logstash-*
        num_events: 1
        is_enabled: false
        timeframe:
          minutes: 60
        filter:
        - query:
            query_string:
              query: 'kubernetes.labels.name: test'
        - query:
            query_string:
              query: 'kubernetes.namespace_name: admin'
        - query:
            wildcard:
              log: '*Listening*'
        regex: '*Listening*'
        alert:
        - email
        smtp_host: smtp.exmail.qq.com
        smtp_port: 465
        smtp_ssl: true
        from_addr: tester@tenxcloud.com
        smtp_auth_file: /opt/config/email_config.yaml
        email:
        - gaoyawei@xxxx.com
        alert_subject: '[xxx]告警提醒'
        alert_text_type: alert_text_only
        alert_text: "亲爱的++用户:       根据您在【管理与日志】- [告警设置] 设置的 {} 策略,您的服务 {} 日志告警已触发,日志正则
          {} 已出现 {} 次! 以上问题请请尽快处理,谢谢!"
        alert_text_args:
        - name
        - kubernetes.labels.name
        - regex
        - num_hits
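
    As an added example (not from the original post or the elastalert project), the Python below re-implements in simplified form how elastalert fills the `{}` placeholders in `alert_text` from `alert_text_args` (looked up in the matched document first, then in top-level rule fields such as `name` and `regex`), and lints the rule above for problems that would otherwise surface only when the alert fires. The rule dict and the sample match are constructed to mirror the YAML above.

```python
import re

# Constructed: a plain-dict version of the admin_asdsa rule above (not parsed from YAML).
RULE = {
    "name": "admin_asdsa",
    "is_enabled": False,
    "regex": "*Listening*",
    "alert_text": "Policy {} fired for service {}: pattern {} seen {} times",
    "alert_text_args": ["name", "kubernetes.labels.name", "regex", "num_hits"],
}

# Constructed: one Elasticsearch hit plus the num_hits counter a frequency rule adds.
MATCH = {
    "kubernetes": {"labels": {"name": "test"}, "namespace_name": "admin"},
    "num_hits": 3,
}

def lookup_es_key(doc, key):
    """Resolve a dotted key such as kubernetes.labels.name inside a nested hit."""
    cur = doc
    for part in key.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur

def render_alert_text(rule, match, missing="<MISSING VALUE>"):
    """Fill each {} from the match; fall back to a top-level rule field (name, regex)."""
    values = []
    for arg in rule.get("alert_text_args", []):
        val = lookup_es_key(match, arg)
        if val is None:
            val = rule.get(arg, missing)
        values.append(val)
    return rule["alert_text"].format(*values)

def lint_rule(rule):
    """Return config problems that would otherwise surface only when the alert fires."""
    problems = []
    slots, args = rule.get("alert_text", "").count("{}"), len(rule.get("alert_text_args", []))
    if slots != args:
        problems.append(f"{slots} placeholders but {args} alert_text_args")
    if not rule.get("is_enabled", True):
        problems.append("is_enabled: false, so this rule never alerts")
    try:
        re.compile(rule.get("regex", ""))
    except re.error:
        problems.append(f"regex {rule['regex']!r} is a glob, not a valid regular expression")
    return problems
```

    Run `lint_rule(RULE)` before shipping a rule: the sample rule is reported as disabled, and its `regex` value is a shell-style glob that `re.compile` rejects, so the "pattern" shown to recipients is not the expression that actually matched (the filtering is done by the `wildcard` query).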

    3. Configuration file

    http://elastalert.readthedocs.io/en/latest/elastalert.html#configuration

      elastalert_config: |-
        ---
        rules_folder: /opt/rules
        scan_subdirectories: false
        run_every:
          minutes: 1
        buffer_time:
          minutes: 15
        es_host: elasticsearch-logging
        es_port: 9200
        writeback_index: elastalert_status
        use_ssl: false
        alert_time_limit:
          days: 2
      email_config: |-
        ---
        user: tester@xxx.com
        password: xxxx

    4. For the specific rule types and the available alert methods, see the official documentation.

    Corrections and discussion are welcome, so we can improve together! If this helped you, please click "recommend"~~
  • Original post: https://www.cnblogs.com/gaoyawei/p/9205452.html