ES message alerting: elastalert2 deployment

开发运维devops
2025-09-30
Introduction: ES message alerting with an elastalert2 deployment. Writing tutorials is not easy; if you find this one helpful, please follow. Thanks.


# Install dependencies (Python 3.12 or later is required)
apt install build-essential zlib1g-dev libncurses5-dev libgdbm-dev libnss3-dev libssl-dev libreadline-dev libffi-dev libsqlite3-dev wget libbz2-dev git -y
mkdir /application
tar xf Python-3.13.7.tgz
cd Python-3.13.7
./configure --prefix=/application/Python-3.13.7
make all -j 2
make install
ln -s /application/Python-3.13.7 /application/python
ln -s /application/python/bin/python3.13 /usr/bin/python3.13
ln -s /application/python/bin/pip3.13 /usr/bin/pip3.13
# Create a virtual environment
cd /soft
python3.13 -m venv elastalert-venv
source elastalert-venv/bin/activate

# Install elastalert2
git clone https://github.com/jertel/elastalert2.git
cd elastalert2
python3.13 -m pip install --upgrade pip setuptools wheel -i https://pypi.tuna.tsinghua.edu.cn/simple
pip3.13 install -i https://pypi.tuna.tsinghua.edu.cn/simple -r requirements.txt

# Install the program
python3.13 -m pip install . -i https://pypi.tuna.tsinghua.edu.cn/simple
# Configure ElastAlert
mkdir -p /etc/elastalert/rules
vi /etc/elastalert/config.yaml

# Elasticsearch connection
es_host: 192.168.10.219       # ES address
es_port: 9200
use_ssl: false                # set to true if ES is served over https
verify_certs: true

# If a username and password are required
es_username: "elastic"
es_password: "123456"

# Index in which ElastAlert stores its own run state
writeback_index: elastalert

# Query frequency (run the rules every 1 minute)
run_every:
  minutes: 1

# Time window of each query (15 minutes)
buffer_time:
  minutes: 15

# Time zone (optional)
timezone: Asia/Shanghai

# Rules directory
rules_folder: /etc/elastalert/rules
# Configure a rule
vi /etc/elastalert/rules/nginx.yaml

name: "Nginx 404 frequency alert"
type: "frequency"
index: "nginx-*"
is_enabled: true
num_events: 50        # alert on 50 occurrences within 15 minutes
timeframe:
  minutes: 15
realert:
  minutes: 5          # ignore repeated alerts within 5 minutes
timestamp_field: "@timestamp"
timestamp_type: "iso"
use_strftime_index: false
alert_text_type: alert_text_only

# Aggregate by IP
query_key: "client_ip"
aggregate_by_key: true  # count matches separately for each IP

# Alert template
alert_text: |
  🚨 Nginx 404 frequency alert
  Time: {0}
  Client IP: {1}
  Hits in the last 15 minutes: {2}
  Log index: {3}
  Log message: {4}

# Alert template arguments
alert_text_args:
  - "@timestamp"    # time
  - "client_ip"     # IP address field (adjust to your logs, e.g. remote_addr)
  - num_hits        # match count
  - index           # index name
  - message         # raw log message

filter:
  - term:
      status: "404"

# Alert method
alert:
  - "dingtalk"
dingtalk_access_token: "the part of the webhook URL after token="
dingtalk_msgtype: "text"
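Before pointing the rule above at production logs it helps to see exactly what a frequency rule counts. The following is an added Python model of the rule's semantics (it is not code from elastalert2 or from this tutorial): 404 hits per client_ip inside the 15 minute timeframe, the 50-hit threshold, the window reset after a match, and realert suppression per IP. The traffic it replays is constructed sample data.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Thresholds taken from the nginx.yaml rule on this page.
NUM_EVENTS = 50
TIMEFRAME = timedelta(minutes=15)
REALERT = timedelta(minutes=5)


def frequency_alerts(events, num_events=NUM_EVENTS, timeframe=TIMEFRAME, realert=REALERT):
    """Replay (timestamp, client_ip, status) events in time order as a simplified
    frequency rule with query_key=client_ip and a `term status 404` filter.
    Returns (alerts, suppressed); each entry is (timestamp, client_ip, num_hits)."""
    windows = defaultdict(deque)  # per-IP timestamps of 404s still inside the window
    silenced_until = {}           # per-IP end of the realert suppression interval
    alerts, suppressed = [], []
    for ts, ip, status in sorted(events):
        if status != 404:         # the rule's filter
            continue
        win = windows[ip]
        win.append(ts)
        while ts - win[0] > timeframe:  # drop hits older than the timeframe
            win.popleft()
        if len(win) < num_events:
            continue
        match = (ts, ip, len(win))
        win.clear()               # counting starts afresh after a match
        if ip in silenced_until and ts < silenced_until[ip]:
            suppressed.append(match)   # realert: repeat within 5 minutes is silenced
        else:
            alerts.append(match)
            silenced_until[ip] = ts + realert
    return alerts, suppressed


def build_sample_events():
    """Constructed sample traffic, not real log data."""
    base = datetime(2025, 9, 30, 10, 0, 0)
    # 10.0.0.1: 120 x 404, one every 5 s (a scanner-like burst)
    events = [(base + timedelta(seconds=5 * i), "10.0.0.1", 404) for i in range(120)]
    # 10.0.0.2: 49 x 404 in the first minute, then one more 20 minutes later
    events += [(base + timedelta(seconds=i), "10.0.0.2", 404) for i in range(49)]
    events.append((base + timedelta(minutes=20), "10.0.0.2", 404))
    # 10.0.0.3: busy but healthy client, only 200s
    events += [(base + timedelta(seconds=i), "10.0.0.3", 200) for i in range(60)]
    return events
```

Running `frequency_alerts(build_sample_events())` yields one alert for 10.0.0.1 at 10:04:05 with num_hits=50, one suppressed match for the same IP at 10:08:15, and nothing for the other two clients.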
# Test the rule
elastalert-test-rule --config /etc/elastalert/config.yaml /etc/elastalert/rules/nginx.yaml

# Start in the foreground for testing
/soft/elastalert-venv/bin/elastalert --config /etc/elastalert/config.yaml --verbose
# Start via systemd
vi /etc/systemd/system/elastalert.service

[Unit]
Description=ElastAlert Service
After=network.target elasticsearch.service
Wants=elasticsearch.service

[Service]
Type=simple
User=root
Group=root
WorkingDirectory=/soft/elastalert2
Environment="PATH=/soft/elastalert-venv/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
ExecStart=/soft/elastalert-venv/bin/elastalert --config /etc/elastalert/config.yaml --verbose
Restart=always
RestartSec=10
StandardOutput=append:/var/log/elastalert.log
StandardError=append:/var/log/elastalert.log

[Install]
WantedBy=multi-user.target

# Reload the systemd configuration
systemctl daemon-reload

# Enable start at boot
systemctl enable elastalert.service

# Start the service
systemctl start elastalert.service

# Check the status
systemctl status elastalert.service


