
ELK Lesson 25: Basic ElastAlert Configuration

Configuring ElastAlert

Step 1: Create a folder named elastalert under /etc; this is where ElastAlert's configuration files and alert rules will live.

$ sudo mkdir /etc/elastalert

Inside this folder, create a few more folders, one per purpose:

$ sudo mkdir /etc/elastalert/monitor_rules
$ sudo mkdir /etc/elastalert/alert_channels
$ sudo mkdir /etc/elastalert/certs
Directory                        Purpose
/etc/elastalert/monitor_rules    Monitoring (alert) rules
/etc/elastalert/alert_channels   Alert-channel configuration files
/etc/elastalert/certs            Elasticsearch certificates

Note: copy the certificate file ca.crt into /etc/elastalert/certs.

Step 2: Create a file named config.yaml as ElastAlert's configuration file.

$ sudo vi /etc/elastalert/config.yaml

However, the configuration file has a great many settings, so it is best to download the example that the project keeps on GitHub and change only the parameters described in this article; that is less error-prone.

$ sudo wget -P /etc/elastalert https://raw.githubusercontent.com/Yelp/elastalert/1dc4f30f30d39a689f419ce19c7e2e4d67a50be3/config.yaml.example
$ sudo mv /etc/elastalert/config.yaml.example /etc/elastalert/config.yaml

Step 3: The main contents of the configuration file are as follows:

# This is the folder that contains the rule yaml files
# Any .yaml file will be loaded as a rule
# Load the alert rules from /etc/elastalert/monitor_rules
rules_folder: /etc/elastalert/monitor_rules

# How often ElastAlert will query Elasticsearch
# The unit can be anything from weeks to seconds
# Evaluate the alert rules once every minute
run_every:
  minutes: 1

# ElastAlert will buffer results from the most recent
# period of time, in case some log sources are not in real time
buffer_time:
  minutes: 15

# The Elasticsearch hostname for metadata writeback
# Note that every rule can have its own Elasticsearch host
# Any one Elasticsearch node; only a single node can be given here,
# so for multiple nodes put a load balancer (SLB) in front of them
es_host: elasticsearch.example.com

# The Elasticsearch port
es_port: 9200

# Connect with TLS to Elasticsearch
# Connect to Elasticsearch over SSL
use_ssl: True

# Verify TLS certificates
# Verify the SSL certificate
verify_certs: True

# Optional basic-auth username and password for Elasticsearch
# Elasticsearch username and password. Note: only plain text is accepted here;
# the keystore cannot be used
es_username: someusername
es_password: somepassword

# CA certificate used to verify Elasticsearch (the ca.crt copied in step 1)
ca_certs: /etc/elastalert/certs/ca.crt

# If an alert fails for some reason, ElastAlert will retry
# sending the alert until this time period has elapsed
# Maximum number of days the same alert keeps being retried
alert_time_limit:
  days: 2

Step 4: Create the indices that ElastAlert needs.

$ /usr/local/bin/elastalert-create-index --config /etc/elastalert/config.yaml

Elastic Version: 7.10.2
Reading Elastic 6 index mappings:
Reading index mapping 'es_mappings/6/silence.json'
Reading index mapping 'es_mappings/6/elastalert_status.json'
Reading index mapping 'es_mappings/6/elastalert.json'
Reading index mapping 'es_mappings/6/past_elastalert.json'
Reading index mapping 'es_mappings/6/elastalert_error.json'
New index elastalert_status created
Done!
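Because config.yaml holds the Elasticsearch password in plain text, and because a duplicated top-level key (for example a second verify_certs: line) is resolved silently by the YAML loader with the last occurrence winning, it is worth sanity-checking the file before pointing elastalert-create-index at it. The following POSIX shell script is an added example written for this article; it is not part of the original post or of the ElastAlert project. It assumes the top-level key names used in step 3 and the directory layout from step 1; the function names check_elastalert_config and yaml_value are my own.

```shell
#!/bin/sh
# Added example (not from the original post or the ElastAlert project):
# sanity-check an ElastAlert config.yaml before running elastalert-create-index.
# Assumes the top-level key names used in step 3; the function names are invented.
# Usage: sh check_config.sh /etc/elastalert/config.yaml

# Print the value of a top-level key. If the key is duplicated, the last
# occurrence is printed, which is how YAML loaders resolve duplicates.
yaml_value() {
  sed -n "s/^$2:[[:space:]]*//p" "$1" | tail -n 1
}

check_elastalert_config() {
  cfg="$1"
  status=0

  if [ ! -r "$cfg" ]; then
    echo "ERROR: cannot read $cfg"
    return 1
  fi

  # 1. Every top-level key this setup relies on must be present.
  for key in rules_folder run_every buffer_time es_host es_port use_ssl verify_certs ca_certs; do
    if ! grep -Eq "^${key}:" "$cfg"; then
      echo "ERROR: missing top-level key '${key}'"
      status=1
    fi
  done

  # 2. Duplicated top-level keys: the last value silently wins, so a stray
  #    second 'verify_certs:' could switch certificate verification off.
  dups=$(grep -E '^[A-Za-z_]+:' "$cfg" | cut -d: -f1 | sort | uniq -d)
  if [ -n "$dups" ]; then
    echo "WARN: duplicated top-level keys: $(printf '%s' "$dups" | tr '\n' ' ')"
    status=1
  fi

  # 3. TLS verification must be effectively enabled (last occurrence counts).
  case "$(yaml_value "$cfg" verify_certs)" in
    [Tt]rue) ;;
    *) echo "ERROR: verify_certs is not true"; status=1 ;;
  esac

  # 4. The CA bundle used for verification must exist and be readable.
  ca=$(yaml_value "$cfg" ca_certs)
  if [ -z "$ca" ] || [ ! -r "$ca" ]; then
    echo "ERROR: ca_certs '$ca' is not a readable file"
    status=1
  fi

  # 5. The rules folder must exist, otherwise ElastAlert has nothing to load.
  rules=$(yaml_value "$cfg" rules_folder)
  if [ -z "$rules" ] || [ ! -d "$rules" ]; then
    echo "ERROR: rules_folder '$rules' is not a directory"
    status=1
  fi

  # 6. es_password is stored in plain text (no keystore support), so the file
  #    must not be readable by other users. Column 8 of 'ls -l' is the
  #    "other" read bit.
  if [ "$(ls -ld "$cfg" | cut -c8)" != "-" ]; then
    echo "WARN: $cfg is world-readable but contains es_password; run: chmod 600 $cfg"
    status=1
  fi

  return $status
}

if [ "$#" -gt 0 ]; then
  check_elastalert_config "$1"
fi
```

Run it as `sh check_config.sh /etc/elastalert/config.yaml`; a zero exit status means every check passed, and each failed check prints a line saying what to fix. The duplicate-key check is the one most worth keeping: the example file is long, and a copied-and-pasted second verify_certs: False further down would override the True set earlier without any warning from ElastAlert itself.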

At this point the installation and configuration of ElastAlert are complete. All that remains before monitoring and alerting actually work is the alert channels and the monitoring rules, which we continue with in the next post!

~ END ~

