• Deploying ELK with Docker: Sentinl log alerting


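    The previous article briefly covered deploying ELK with Docker and collecting Java logs with filebeat. This one covers configuring log alerts, using the Sentinl plugin.

    1. Modify the Kibana parameters

    Enter the elk container and modify the corresponding parameters: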

    [root@centos-mq ~]# docker exec -it elk /bin/bash
    root@70f05fc990bd:/# vim /opt/kibana/config/kibana.yml
    sentinl:
      settings:
        email:
          active: true
          #ssl: true       ## uncomment on cloud servers, since cloud servers block port 25
          #port: 465
          user: *****@163.com ## sender address
          password: ****    ## authorization code (not the account password)
          host: smtp.163.com
        report:
          active: false

    2. Install the Sentinl plugin

    The Sentinl version must match the Kibana version; otherwise the installation fails.

    root@70f05fc990bd:/# /opt/kibana/bin/kibana-plugin install https://github.com/sirensolutions/sentinl/releases/download/tag-6.6.0-0/sentinl-v6.6.0.zip
    Attempting to transfer from https://github.com/sirensolutions/sentinl/releases/download/tag-6.6.0-0/sentinl-v6.6.0.zip
    Transferring 134770542 bytes....................
    Transfer complete
    Retrieving metadata from plugin archive
    Extracting plugin archive
    Extraction complete
    Optimizing and caching browser bundles...
    Plugin installation complete
    root@70f05fc990bd:~# /etc/init.d/kibana restart

    After installing and restarting, open the Kibana UI in a browser; the Sentinl plugin menu is now visible.

    3. Configure the alert

    Sentinl >> New >> Watcher Advanced

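    Click save to create an alert template, then change the template content as follows (the `##` annotations are explanatory only and must be removed before saving, because JSON has no comment syntax):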

    {
      "actions": {
        "email_html_alarm_a784d6ef-cf2d-40e2-b132-d5ad6dbec78d": {
          "name": "one平台日志异常报警",
          "throttle_period": "1m",
          "email_html": {
            "to": "****@vanje.com.cn",   ## recipient address
            "from": "****@163.com",    ## sender address
            "stateless": false,
            "subject": "one业务服务生产环境日志告警",
            "priority": "high",
            "html": "{{payload.hits.hits.0._source.message}}"  ## email body
          }
        }
      },
      "input": {
        "search": {
          "request": {
            "index": [
              "one-him*"
            ],
            "body": {
              "query": {
                "bool": {
                  "must": [
                    {
                      "query_string": {
                        "analyze_wildcard": true,
                        "query": "\"获取待办\""     ## alert trigger condition
                      }
                    }
                  ],
                  "filter": [
                    {
                      "range": {
                        "@timestamp": {
                          "gte": "now-2m",      ## relative to the current time
                          "lt": "now"
                        }
                      }
                    }
                  ]
                }
              }
            }
          }
        }
      },
      "condition": {
        "script": {
          "script": "payload.hits.total >= 1"  ## alert as soon as the condition matches once
        }
      },
      "trigger": {
        "schedule": {
          "later": "every 2 minutes"    ## poll every 2 minutes
        }
      },
      "disable": true,
      "report": false,
      "title": "one-him账单异常",
      "save_payload": false,
      "spy": false,
      "impersonate": false
    }

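    Once configured, wait for the scheduled interval. When the alert condition is triggered, the matching log entry is sent to the configured mailbox.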
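
    Added example (not from the original post): a pre-save check that strips the `##` annotations so the template parses as JSON, then verifies that the `now-2m` lookback is at least as long as the `every 2 minutes` schedule, so no log lines fall between two runs. The sample template, the `mail` action name and the `ERROR ## marker` query are constructed; the schedule parser assumes only the `every N <unit>` form shown on this page.

```python
import json
import re

# Constructed sample: a trimmed watcher in the annotated style used above.
ANNOTATED = r'''
{
  "actions": {"mail": {"throttle_period": "1m"}},   ## hypothetical action name
  "input": {"search": {"request": {"body": {"query": {"bool": {
    "must": [{"query_string": {"query": "\"ERROR ## marker\""}}],   ## trigger
    "filter": [{"range": {"@timestamp": {"gte": "now-2m", "lt": "now"}}}]
  }}}}}},
  "trigger": {"schedule": {"later": "every 2 minutes"}}   ## polling interval
}
'''
UNIT = {"s": 1, "m": 60, "h": 3600, "d": 86400}

def strip_annotations(text):
    """Drop '## ...' trailers that sit outside JSON string literals."""
    out = []
    for line in text.splitlines():
        in_str = esc = False
        cut = len(line)
        for i, ch in enumerate(line):
            if in_str:
                if esc:
                    esc = False
                elif ch == "\\":
                    esc = True
                elif ch == '"':
                    in_str = False
            elif ch == '"':
                in_str = True
            elif line.startswith("##", i):
                cut = i
                break
        out.append(line[:cut].rstrip())
    return "\n".join(out)

def load_watcher(text):
    return json.loads(strip_annotations(text))

def coverage(watcher):
    """Return (lookback_s, interval_s, has_gap) for the range filter vs. schedule."""
    rng = watcher["input"]["search"]["request"]["body"]["query"]["bool"]["filter"][0]
    n, unit = re.fullmatch(r"now-(\d+)([smhd])", rng["range"]["@timestamp"]["gte"]).groups()
    lookback = int(n) * UNIT[unit]
    later = watcher["trigger"]["schedule"]["later"]
    n, unit = re.fullmatch(r"every (\d+) (sec|min|hour|day)\w*", later).groups()
    interval = int(n) * UNIT[unit[0]]
    return lookback, interval, lookback < interval
```

    `coverage(load_watcher(ANNOTATED))` returns `(120, 120, False)` for the values used on this page; a `True` in the last position means the lookback is shorter than the polling interval and some log lines would never be searched.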

  • Original article: https://www.cnblogs.com/tchua/p/11057716.html