ElastAlert email alerts

1: Introduction

ElastAlert is a simple framework for alerting on anomalies, spikes, or other patterns of interest in data stored in Elasticsearch.

Monitoring types

  • "Match where there are X events in Y time" (frequency type)
  • "Match when the rate of events increases or decreases" (spike type)
  • "Match when there are fewer than X events in Y time" (flatline type)
  • "Match when a certain field matches a blacklist/whitelist" (blacklist and whitelist types)
  • "Match on any event matching a given filter" (any type)
  • "Match when a field has two different values within some period of time" (change type)

2: Deployment and installation

Since Yelp officially provides a Docker image, and Docker is convenient, deployment is done with Docker.

GitHub repository: https://github.com/Yelp/elastalert

Docker image: bitsensor/elastalert:latest

Installation:

Download the configuration files
git clone https://github.com/bitsensor/elastalert.git; cd elastalert
Start the container
# --net="host" shares the host network stack, so the -p 3030:3030 mapping is not used
docker run -d -p 3030:3030 \
    -v `pwd`/config/elastalert.yaml:/opt/elastalert/config.yaml \
    -v `pwd`/config/config.json:/opt/elastalert-server/config/config.json \
    -v `pwd`/rules:/opt/elastalert/rules \
    -v `pwd`/rule_templates:/opt/elastalert/rule_templates \
    --net="host" \
    --name elastalert bitsensor/elastalert:latest

3: Configuration

See the official documentation for details.

Rule configuration

# Rule name, must be unique
name: web request status

# Type of alert.
#type: spike
type: frequency

# num_events must occur within this amount of time to trigger an alert
# If more than 20 matching events are found within 5 minutes, an alert is triggered
timeframe:
  minutes: 5
num_events: 20


# Index to search, wildcard supported
# Index and timestamp field
index: web-2018.06.26
timestamp_field: "@timestamp"

# Match filter
filter:
- query:
    term:
      status:
        value: 404

# Email subject
alert_subject: "Surge in attacks on {}"
alert_subject_args:
  - http_host

# Email body
alert_text_type: alert_text_only
alert_text: "Surge in attacks on {}"
alert_text_args:
  - host

# The alert is used when a match is found
alert:
  - "email"
email:
  - "[email protected]"
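As an added example (not from this post and not ElastAlert's own code), the Python script below replays the frequency rule above over constructed nginx-style events. It goes one step beyond the page by also using ElastAlert's `query_key` setting, which the rule above does not set: without it the count is global across all hosts, and the `{http_host}` placed in the subject is simply taken from the last matching event, so the subject may name a host that was not the one being hit.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Values from the page's frequency rule. query_key (ElastAlert's per-field grouping)
# is not set in the page's rule; it is added here to show how attribution changes.
RULE = {
    "timeframe": timedelta(minutes=5),
    "num_events": 20,
    "filter": {"status": "404"},
    "alert_subject": "Surge in attacks on {}",
    "alert_subject_args": ["http_host"],
    "query_key": "http_host",
}

def make_sample_events():
    """Constructed events (not from the page): hosts a and b get 12 404s each within
    two minutes, host c gets 25 404s ten minutes later, plus 200s that the filter drops."""
    base = datetime(2018, 6, 26, 8, 0, tzinfo=timezone.utc)
    def ev(secs, host, status):
        stamp = (base + timedelta(seconds=secs)).strftime("%Y-%m-%dT%H:%M:%SZ")
        return {"@timestamp": stamp, "http_host": host, "status": status}
    events = [ev(10 * i, "a.example.com", "404") for i in range(12)]
    events += [ev(10 * i + 5, "b.example.com", "404") for i in range(12)]
    events += [ev(600 + 5 * i, "c.example.com", "404") for i in range(25)]
    events += [ev(3 * i, "a.example.com", "200") for i in range(30)]
    return sorted(events, key=lambda e: e["@timestamp"])  # ES returns them time-ordered

def matches_filter(event, flt):
    """The rule's term filter: every listed field must equal its value."""
    return all(str(event.get(k)) == str(v) for k, v in flt.items())

def run_frequency_rule(events, rule):
    """Replays ElastAlert's frequency logic: count filter matches inside a sliding
    timeframe, alert once the count reaches num_events, then reset that counter."""
    windows = defaultdict(deque)  # query_key value -> match times inside the window
    alerts = []
    for event in events:
        if not matches_filter(event, rule["filter"]):
            continue
        now = datetime.fromisoformat(event["@timestamp"].replace("Z", "+00:00"))
        key = event.get(rule["query_key"]) if rule.get("query_key") else None
        window = windows[key]
        window.append(now)
        while now - window[0] > rule["timeframe"]:  # expire matches older than timeframe
            window.popleft()
        if len(window) >= rule["num_events"]:
            args = [event.get(a) for a in rule["alert_subject_args"]]
            alerts.append({"subject": rule["alert_subject"].format(*args), "num_hits": len(window)})
            window.clear()
    return alerts
```

Running `run_frequency_rule(make_sample_events(), RULE)` yields one alert for c.example.com, while the same call with `query_key=None` (the page's configuration) yields two, the first wrongly naming b.example.com because hosts a and b together crossed the threshold.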

4: Viewing the data

1. ElastAlert creates an elastalert_status index that records the details of each rule match

{
  "_index": "elastalert_status",
  "_type": "elastalert",
  "_id": "AWQ7I3EmVEbrE4vFoghn",
  "_version": 1,
  "_score": null,
  "_source": {
    "alert_info": {
      "type": "email",
      "recipients": [
        "[email protected]"
      ]
    },
    "@timestamp": "2018-06-26T08:08:55.846839Z",
    "alert_sent": true,
    "match_body": {
      "@timestamp": "2018-06-26T08:04:51Z",
      "agent": "ulucuC2/3.4.1 (iPhone; iOS 9.3.2; Scale/3.00)",
      "upstreamhost": "127.0.0.1:9000",
      "clientip": "114.84.159.101",
      "size": 595,
      "request_body": "-",
      "request_method": "GET",
      "responsetime": 0.02,
      "type": "web",
      "status": "404",
      "_type": "web",
      "tags": [
        "nginx"
      ],
      # 116 hits were matched
      "num_hits": 116,
      "upstreamtime": "0.020",
      "host": "10.105.44.249",
      "http_host": "website.huidian.api.ulucu.com",
      "proxy_add_x_forwarded_for": "114.84.159.101, 114.84.159.101",
      "num_matches": 5,
      "_index": "web-2018.06.26",
      "url": "/index.php/device/get_device_pic",
      "query_string": "av=1&platform=ios&store_id=22632&token=F69A6020A9C858D91072EF631DAD698F66F3C89D99450699BA9D4A7667E8AA",
      "referer": "-",
      "_id": "AWQ7H7hnVEbrE4vFobUE",
      "@version": "1"
    },
    "rule_name": "web request status",
    "match_time": "2018-06-26T08:04:51Z",
    "alert_time": "2018-06-26T08:08:55.471461Z"
  },
  "fields": {
    "alert_time": [
      1530000535471
    ],
    "match_time": [
      1530000291000
    ],
    "@timestamp": [
      1530000535846
    ]
  },
  "sort": [
    1530000535846
  ]
}


Reprinted from www.cnblogs.com/GXLo/p/9230362.html