Built on top of the existing ELK + nginx deployment: upload the packages and complete the steps on all three virtual machines.

Packages: Python-3.6.2.tgz, v0.2.1_elasticalert.tar.gz

Install the Python 3 environment:
# yum install openssl openssl-devel gcc gcc-c++
# tar zxvf Python-3.6.2.tgz
# cd Python-3.6.2
# ./configure --prefix=/usr/local/python3 --with-openssl
# make && make install

Set up the symlinks:
# rm -rf /usr/bin/python
# ln -s /usr/local/python3/bin/python3.6 /usr/bin/python
# ln -s /usr/local/python3/bin/pip3.6 /usr/bin/pip

Repair the yum command (its scripts need Python 2):
# vi /usr/bin/yum                        change python to python2
# vi /usr/libexec/urlgrabber-ext-down    change python to python2

Install the ElastAlert plugin:
# tar zxvf v0.2.1_elasticalert.tar.gz
# mv elastalert-0.2.1/ /usr/local/elastalert

Install the dependencies:
# cd /usr/local/elastalert
# pip install -r requirements.txt -i http://mirrors.aliyun.com/pypi/simple/ --trusted-host mirrors.aliyun.com
# python setup.py install
(Note that --trusted-host with a plain-http index URL disables TLS verification of the package index, so the packages are fetched without integrity protection.)

This generates the following commands:
-rwxr-xr-x. 1 root root 422 8月 19 03:13 elastalert-create-index
-rwxr-xr-x. 1 root root 396 8月 19 03:13 elastalert
-rwxr-xr-x. 1 root root 416 8月 19 03:13 elastalert-test-rule
-rwxr-xr-x. 1 root root 430 8月 19 03:13 elastalert-rule-from-kibana

Create the symlinks:
# ln -s /usr/local/python3/bin/elastalert* /usr/bin/

Create the elastalert index:
# elastalert-create-index
Enter Elasticsearch host: 192.168.191.130    ## the Elasticsearch host IP
Enter Elasticsearch port: 9200               ## the port Elasticsearch listens on
Use SSL? t/f: f                              ## whether to use SSL (f = not enabled)
Press Enter to accept the defaults for the remaining prompts.

Set up ElastAlert's main configuration file, config.yaml:
# cd /usr/local/elastalert
# mv config.yaml.example config.yaml

Settings explained:
rules_folder: example_rules          # directory that holds the alert rules
run_every:
  minutes: 1                         # how often the rules are run (once a minute)
buffer_time:
  minutes: 15                        # size of the time window each query covers (for example, the log entries between 15:30 and 15:45)
es_host: 192.168.191.130             # Elasticsearch host
es_port: 9200                        # Elasticsearch port
writeback_index: elastalert_status   # name of the index created above
alert_time_limit:
  days: 2                            # how long to keep retrying a failed alert

Set up an alert rule:
# cd /usr/local/elastalert/example_rules
# cp example_frequency.yaml nginx_frequency.yaml

Settings explained:
es_host: 192.168.191.130             # Elasticsearch host
es_port: 9200                        # port Elasticsearch listens on
name: nginx frequency rule           # name of the alert rule
type: frequency                      # rule type (frequency)
index: nginx_log*                    # index pattern to watch
num_events: 5                        # number of matches within the timeframe that triggers the alert
timeframe:
  hours: 1                           # the timeframe
filter:
- regexp:
    message: ".*"                    # any document with content in the message field counts; 5 matches within 1 hour raise an alert
alert:
- "email"                            # alert by email
email:
- "770432354@qq.com"                 # address that receives the alert
smtp_host: smtp.qq.com               # SMTP server address
smtp_port: 25                        # SMTP port
smtp_auth_file: /usr/local/elastalert/email_auth.yaml   # SMTP credentials file
from_addr: 770432354@qq.com          # sender address

Edit the credentials file (it holds the SMTP password in clear text, so keep it readable only by the account ElastAlert runs as):
# vi /usr/local/elastalert/email_auth.yaml
user: "770432354@qq.com"
password: "jponzubigyxxbiaj"

Verify that mail can be sent:
# yum install mailx
# vi /etc/mail.rc
set from=770432354@qq.com
set smtp=smtp.qq.com
set smtp-auth-user=770432354@qq.com
set smtp-auth-password=jponzubigyxxbiaj
set smtp-auth=login

Send a test mail:
# echo "test" | mail -s "xx" 770432354@qq.com

Run the ElastAlert service:
# elastalert --config /usr/local/elastalert/config.yaml --rule /usr/local/elastalert/example_rules/nginx_frequency.yaml --verbose

To trigger an alert only when the status code in the nginx log is 222, use this filter instead:
filter:
- term:
    status: "222"
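The frequency rule above and the status-code term filter can be dry-run without an Elasticsearch cluster to see exactly when they would fire. The script below is an added example, not part of the original post and not ElastAlert's own code: it parses constructed nginx access-log lines (the sample lines are made up), applies the rule's term or regexp filter and the num_events / timeframe sliding window, and returns the times at which an alert would be raised. The window reset after an alert, the field names status and message, and the function names are assumptions modelled on the rule in the post; the real ElastAlert also handles query_key, realert and the Elasticsearch queries, which are left out here.

```python
import re
from collections import deque
from datetime import datetime, timedelta

# Constructed sample nginx access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
10.0.0.1 - - [19/Aug/2019:03:00:00 +0800] "GET / HTTP/1.1" 200 612 "-" "curl/7.29.0"
10.0.0.2 - - [19/Aug/2019:03:05:00 +0800] "GET /a HTTP/1.1" 222 0 "-" "curl/7.29.0"
10.0.0.2 - - [19/Aug/2019:03:10:00 +0800] "GET /a HTTP/1.1" 222 0 "-" "curl/7.29.0"
10.0.0.3 - - [19/Aug/2019:03:15:00 +0800] "GET /b HTTP/1.1" 200 35 "-" "curl/7.29.0"
10.0.0.2 - - [19/Aug/2019:03:20:00 +0800] "GET /a HTTP/1.1" 222 0 "-" "curl/7.29.0"
10.0.0.2 - - [19/Aug/2019:03:25:00 +0800] "GET /a HTTP/1.1" 222 0 "-" "curl/7.29.0"
10.0.0.2 - - [19/Aug/2019:03:40:00 +0800] "GET /a HTTP/1.1" 222 0 "-" "curl/7.29.0"
10.0.0.2 - - [19/Aug/2019:03:45:00 +0800] "GET /a HTTP/1.1" 222 0 "-" "curl/7.29.0"
10.0.0.2 - - [19/Aug/2019:05:00:00 +0800] "GET /a HTTP/1.1" 222 0 "-" "curl/7.29.0"
"""

# Combined log format; the field names mirror what a Logstash nginx grok pattern produces.
LOG_RE = re.compile(
    r'(?P<remote_addr>\S+) \S+ \S+ \[(?P<time_local>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<body_bytes_sent>\d+|-)'
)


def parse_log(text):
    """Turn raw lines into documents like those Logstash would index:
    parsed fields, an aware @timestamp, and the raw line kept in `message`."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # a line that fails to parse is skipped, as a grok failure would be
        doc = m.groupdict()
        doc["@timestamp"] = datetime.strptime(doc.pop("time_local"), "%d/%b/%Y:%H:%M:%S %z")
        doc["message"] = line
        events.append(doc)
    return sorted(events, key=lambda d: d["@timestamp"])


def term_filter(field, value):
    """Equivalent of the rule's `- term: {field: value}`: exact match on the field."""
    return lambda doc: str(doc.get(field)) == str(value)


def regexp_filter(field, pattern):
    """Equivalent of `- regexp: {field: pattern}`; ".*" matches every document."""
    rx = re.compile(pattern)
    return lambda doc: rx.search(str(doc.get(field, ""))) is not None


def frequency_rule(events, match, num_events, timeframe):
    """Simplified `type: frequency` (assumption: a sliding window that is cleared
    after each alert so the same documents are not counted twice).
    Returns the timestamps at which an alert would fire."""
    window = deque()
    alerts = []
    for doc in events:
        if not match(doc):
            continue
        ts = doc["@timestamp"]
        window.append(ts)
        while window and window[0] <= ts - timeframe:  # drop matches outside the timeframe
            window.popleft()
        if len(window) >= num_events:
            alerts.append(ts)
            window.clear()
    return alerts


def alert_times(rule_filter, num_events=5, timeframe_minutes=60):
    """Run a rule over the constructed log; return the alert times as HH:MM strings."""
    alerts = frequency_rule(parse_log(SAMPLE_LOG), rule_filter,
                            num_events, timedelta(minutes=timeframe_minutes))
    return [t.strftime("%H:%M") for t in alerts]


if __name__ == "__main__":
    print("status 222, 5 in 1h  :", alert_times(term_filter("status", "222")))
    print("message .*, 5 in 1h  :", alert_times(regexp_filter("message", ".*")))
    print("status 222, 5 in 30m :", alert_times(term_filter("status", "222"), timeframe_minutes=30))
```

Running it shows the practical difference between the two filters on this page: with `regexp: message: ".*"` the rule fires after any five requests inside the hour (here at 03:20), whereas `term: status: "222"` waits for five 222 responses (03:40) and stays quiet when the timeframe is shortened to 30 minutes, because the earlier matches age out of the window.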