一:简介
ElastAlert是一个简单的框架,用于通过Elasticsearch中的数据异常警告,峰值或其他感兴趣的模式。
监控类型
- “匹配Y时间内有X个事件的地方”(frequency类型)
- “事件发生率增加或减少时匹配”(spike类型)
- “在Y时间内少于X事件时匹配”(flatline类型)
- “当某个字段匹配黑名单/白名单时匹配”(blacklist和whitelist类型)
- “匹配任何匹配给定过滤器的事件”(any类型)
- “在一段时间内某个字段有两个不同的值时匹配”(change类型)
二:部署安装
由于Yelp官方提供有docker镜像,docker的便捷性,所以采用docker进行部署
githup官方库:https://github.com/Yelp/elastalert
docker image:bitsensor/elastalert:latest
安装方式:
下载相应的配置文件
git clone https://github.com/bitsensor/elastalert.git; cd elastalert
启动镜像
docker run -d -p 3030:3030 \
-v `pwd`/config/elastalert.yaml:/opt/elastalert/config.yaml \
-v `pwd`/config/config.json:/opt/elastalert-server/config/config.json \
-v `pwd`/rules:/opt/elastalert/rules \
-v `pwd`/rule_templates:/opt/elastalert/rule_templates \
--net="host" \
--name elastalert bitsensor/elastalert:latest
三:配置方式
详细资料查看官方资料。
规则配置
# Rule name, must be unique
name: web request status
# Type of alert.
#type: spike
type: frequency
# num_events must occur within this amount of time to trigger an alert
# 在5m内,查到的数量多余20,曾触发报警
timeframe:
minutes: 5
num_events: 20
# Index to search, wildcard supported
# 索引和时间filed
index: web-2018.06.26
timestamp_field: "@timestamp"
# 匹配规则
filter:
- query:
term:
status:
value: 404
# 邮件标题
alert_subject: "Surge in attacks on {}"
alert_subject_args:
- http_host
# 邮件内容
alert_text_type: alert_text_only
alert_text: "Surge in attacks on {}"
alert_text_args:
- host
# The alert is use when a match is found
alert:
- "email"
email:
- "[email protected]"
四:查看数据
1.elastalter会生成一个elastalter_status索引,里面会记录rule匹配的详细信息
{
"_index": "elastalert_status",
"_type": "elastalert",
"_id": "AWQ7I3EmVEbrE4vFoghn",
"_version": 1,
"_score": null,
"_source": {
"alert_info": {
"type": "email",
"recipients": [
"[email protected]"
]
},
"@timestamp": "2018-06-26T08:08:55.846839Z",
"alert_sent": true,
"match_body": {
"@timestamp": "2018-06-26T08:04:51Z",
"agent": "ulucuC2/3.4.1 (iPhone; iOS 9.3.2; Scale/3.00)",
"upstreamhost": "127.0.0.1:9000",
"clientip": "114.84.159.101",
"size": 595,
"request_body": "-",
"request_method": "GET",
"responsetime": 0.02,
"type": "web",
"status": "404",
"_type": "web",
"tags": [
"nginx"
],
# 匹配到了116条
"num_hits": 116,
"upstreamtime": "0.020",
"host": "10.105.44.249",
"http_host": "website.huidian.api.ulucu.com",
"proxy_add_x_forwarded_for": "114.84.159.101, 114.84.159.101",
"num_matches": 5,
"_index": "web-2018.06.26",
"url": "/index.php/device/get_device_pic",
"query_string": "av=1&platform=ios&store_id=22632&token=F69A6020A9C858D91072EF631DAD698F66F3C89D99450699BA9D4A7667E8AA",
"referer": "-",
"_id": "AWQ7H7hnVEbrE4vFobUE",
"@version": "1"
},
"rule_name": "web request status",
"match_time": "2018-06-26T08:04:51Z",
"alert_time": "2018-06-26T08:08:55.471461Z"
},
"fields": {
"alert_time": [
1530000535471
],
"match_time": [
1530000291000
],
"@timestamp": [
1530000535846
]
},
"sort": [
1530000535846
]
}