ElastAlert钉钉告警

使用钉钉告警

[root@prod-es-2 elastalert-0.2.4]#  wget https://github.com/xuyaoqiang/elastalert-dingtalk-plugin/archive/master.zip
[root@prod-es-2 elastalert-0.2.4]# unzip master.zip
Archive:  master.zip
c102ae8b20244f058204dbee5ff7cadc740f1375
   creating: elastalert-dingtalk-plugin-master/
  inflating: elastalert-dingtalk-plugin-master/.gitignore  
  inflating: elastalert-dingtalk-plugin-master/README.md  
  inflating: elastalert-dingtalk-plugin-master/config.yaml  
   creating: elastalert-dingtalk-plugin-master/elastalert_modules/
 extracting: elastalert-dingtalk-plugin-master/elastalert_modules/__init__.py  
  inflating: elastalert-dingtalk-plugin-master/elastalert_modules/dingtalk_alert.py  
  inflating: elastalert-dingtalk-plugin-master/requirements.txt  
   creating: elastalert-dingtalk-plugin-master/rules/
  inflating: elastalert-dingtalk-plugin-master/rules/api_error.yaml  
  inflating: elastalert-dingtalk-plugin-master/rules/avg_request_time.yaml  
[root@prod-es-2 elastalert-0.2.4]# cd elastalert-dingtalk-plugin-master
[root@prod-es-2 elastalert-dingtalk-plugin-master]# ll
total 12
-rw-r--r-- 1 root root 1762 Sep 15  2017 config.yaml
drwxr-xr-x 2 root root   50 Sep 15  2017 elastalert_modules
-rw-r--r-- 1 root root  688 Sep 15  2017 README.md
-rw-r--r-- 1 root root   92 Sep 15  2017 requirements.txt
drwxr-xr-x 2 root root   57 Sep 15  2017 rules

[root@prod-es-2 elastalert-dingtalk-plugin-master]# vim config.yaml 
rules_folder: rules
run_every:
  minutes: 1
buffer_time:
  minutes: 15
es_host: 10.0.3.174
es_port: 9200
es_username: elastic
es_password: root2758!@@
writeback_index: elastalert_status
alert_time_limit:
  days: 2

[root@prod-es-2 elastalert-dingtalk-plugin-master]# pwd
/data/elastalert-0.2.4/elastalert-dingtalk-plugin-master
[root@prod-es-2 elastalert-dingtalk-plugin-master]# elastalert-create-index
Elastic Version: 7.17.5
Reading Elastic 6 index mappings:
Reading index mapping 'es_mappings/6/silence.json'
Reading index mapping 'es_mappings/6/elastalert_status.json'
Reading index mapping 'es_mappings/6/elastalert.json'
Reading index mapping 'es_mappings/6/past_elastalert.json'
Reading index mapping 'es_mappings/6/elastalert_error.json'
New index elastalert_status created
Done!

• elastalert-create-index会创建一个索引，ElastAlert 会把执行记录存放到这个索引中，默认情况下，索引名叫 elastalert_status。其中有4个_type，都有自己的@timestamp 字段，所以同样也可以用kibana来查看这个索引的日志记录情况。
• elastalert-rule-from-kibana从Kibana3已保存的仪表盘中读取Filtering 设置，帮助生成config.yaml里的配置。不过注意，它只会读取 filtering，不包括queries。
• elastalert-test-rule测试自定义配置中的rule设置。

执行elastalert-create-index命令在ES创建索引，这不是必须的步骤，但是强烈建议创建。因为对于审计和测试很有用，并且重启ES不影响计数和发送alert

[root@prod-es-2 elastalert]# scp -r /data/elastalert-0.2.4/elastalert-dingtalk-plugin-master/elastalert_modules /data/elastalert-0.2.4/
[root@prod-es-2 elastalert]# scp -r /data/elastalert-0.2.4/elastalert-dingtalk-plugin-master/config.yaml /data/elastalert-0.2.4/
[root@prod-es-2 elastalert]# scp -r /data/elastalert-0.2.4/elastalert-dingtalk-plugin-master/rules /data/elastalert-0.2.4/

[root@prod-es-2 rules]# pwd
/data/elastalert-0.2.4/rules
[root@prod-es-2 rules]# cat api_error.yaml 
name: logstash-logan错误信息
type: frequency
index: logstash-logan-*
num_events: 5
timeframe:
    minutes: 1
filter:
- query:
    query_string:
      query: "200"
    query_string:
      query: "error"
    
#只需要的字段 https://elastalert.readthedocs.io/en/latest/ruletypes.html#include
include: ["method", "url_path", "url_args", "status", "request_time","host","request","upstream","num_hits","message"]
alert:
- "elastalert_modules.dingtalk_alert.DingTalkAlerter"

dingtalk_webhook: "https://oapi.dingtalk.com/robot/send?access_token=93fa4a279ef8acae84a2526ef806c9391b3282c2e3f735229de30d77de61c7cd"
dingtalk_msgtype: "text"

[root@prod-es-2 elastalert-0.2.4]# python -m elastalert.elastalert --verbose --config /data/elastalert-0.2.4/config.yaml --rule /data/elastalert-0.2.4/rules/api_error.yaml