ELK Lesson 26: Setting up ElastAlert monitoring rules and e-mail alerts
Create a mail server credentials file for ElastAlert
Step 1: Create a file named smtp_auth.yml in ….
$ sudo vi /etc/elastalert/alert_channels/smtp_auth.yml
Step 2: Write the mail server credentials into the file.
user: "<email-address>"
password: "<password>"
Create the first monitoring rule and send alerts by e-mail
In this example we build a monitoring rule that sends an e-mail alert whenever an "Installed" event appears in the Yum log (see ELK Lesson 17: Collecting Logs with Filebeat for details).
Step 1: Create a monitoring rule configuration file.
$ vi /etc/elastalert/monitor_rules/monitor_example.yaml
Step 2: The content of the monitoring rule is as follows:
# Alert when the rate of events exceeds a threshold
# (Required)
# Rule name, must be unique
# Give this monitoring rule a name
name: Example frequency rule
# (Required)
# Type of alert.
# the frequency rule type alerts when num_events events occur within timeframe time
# Set the type of this monitoring rule
type: frequency
# (Required)
# Index to search, wildcard supported
# The index pattern to scan
index: logstash-*
# (Required, frequency specific)
# Alert when this many documents matching the query occur within a timeframe
# How many matching events are needed before an alert is raised
num_events: 1
# (Required, frequency specific)
# num_events must occur within this amount of time to trigger an alert
# How far back each scan looks
timeframe:
  hours: 4
# (Required)
# A list of Elasticsearch filters used for finding events
# These filters are joined with AND and nested in a filtered query
# For more info: http://www.elasticsearch.org/guide/en/elasticsearch/reference/current/query-dsl.html
# Query the index for matching events using KQL-style syntax
filter:
- query_string:
    query: "message: Installed"
# (Required)
# The alert is used when a match is found
alert:
- "email"
smtp_auth_file: "/etc/elastalert/alert_channels/smtp_auth.yml"
smtp_host: "smtp server hostname or IP"
# smtp_port must be an integer, not a quoted string
smtp_port: 25
from_addr: "<sender-email-address>"
# (required, email specific)
# a list of email addresses to send alerts to
email:
- "<recipient-email-address>"
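To make the frequency rule above concrete, here is an added simulation (not ElastAlert's own code, and not part of the original lesson) of how the `frequency` type decides when to fire: matching events are kept in a sliding window of `timeframe` length, and an alert is raised once the window holds `num_events` of them. The rule dict mirrors the page's rule, the yum log events are constructed, and `build_rule` lets you try other `num_events`/`timeframe` combinations than the page's `1` event in `4` hours. The window reset after an alert is modelled on ElastAlert's behaviour of dropping the counted occurrences once a match is reported.

```python
from collections import deque
from datetime import datetime, timedelta

# Mirror of the page's rule, reduced to the fields this simulation needs.
# The query_string filter "message: Installed" is approximated by a
# substring match on the message field.
RULE = {
    "name": "Example frequency rule",
    "type": "frequency",
    "num_events": 1,
    "timeframe": timedelta(hours=4),
    "match_term": "Installed",
}

# Constructed sample events (timestamp, message). The "Installed" lines are
# modelled on the yum log line shown in the test-rule output on the page.
SAMPLE_EVENTS = [
    (datetime(2021, 8, 27, 23, 30, 44), "Installed: kernel-3.10.0-1160.36.2.el7.x86_64"),
    (datetime(2021, 8, 27, 23, 31, 2), "Updated: bash-4.2.46-34.el7.x86_64"),
    (datetime(2021, 8, 28, 1, 15, 0), "Installed: htop-2.2.0-3.el7.x86_64"),
    (datetime(2021, 8, 28, 9, 0, 0), "Erased: telnet-0.17-65.el7_8.x86_64"),
]


def build_rule(num_events, hours):
    """Return a copy of RULE with a different threshold and timeframe (hypothetical helper)."""
    return dict(RULE, num_events=num_events, timeframe=timedelta(hours=hours))


def matches_filter(rule, message):
    """Stand-in for the rule's query_string filter."""
    return rule["match_term"] in message


def run_frequency_rule(rule, events):
    """Replay events through a frequency rule.

    Returns (num_hits, alerts): num_hits is the number of events that matched
    the filter (ElastAlert's num_hits), alerts is a list of
    (timestamp, events_in_window, triggering_message) tuples.
    """
    window = deque()   # timestamps of matching events inside the timeframe
    hits = 0
    alerts = []
    for ts, message in sorted(events):
        if not matches_filter(rule, message):
            continue
        hits += 1
        window.append(ts)
        # Drop matches older than the timeframe relative to the newest event.
        while window and ts - window[0] > rule["timeframe"]:
            window.popleft()
        if len(window) >= rule["num_events"]:
            alerts.append((ts, len(window), message))
            window.clear()  # modelled on ElastAlert clearing counted occurrences after firing
    return hits, alerts


if __name__ == "__main__":
    for rule in (RULE, build_rule(2, 4), build_rule(2, 1)):
        hits, alerts = run_frequency_rule(rule, SAMPLE_EVENTS)
        print(f"num_events={rule['num_events']} timeframe={rule['timeframe']}: "
              f"num_hits={hits}, alerts={len(alerts)}")
        for ts, count, message in alerts:
            print(f"  {ts} ({count} in window): {message}")
```

With the page's settings (`num_events: 1`) every "Installed" line fires its own alert; raising `num_events` to 2 collapses the two installs, 1 h 44 min apart, into a single alert, and shrinking the timeframe to one hour makes them fall into separate windows so nothing fires.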
Step 3: Test the rule.
$ /usr/local/bin/elastalert-test-rule --config /etc/elastalert/config.yaml /etc/elastalert/monitor_rules/monitor_example.yaml
ElastAlert prints a long stream of output, but in it you will see how many documents matched the KQL conditions of the rule, for example:
...
message: Aug 27 23:30:44 Installed: kernel-3.10.0-1160.36.2.el7.x86_64
num_hits: 54
num_matches: 54
...
From the above we can see that 54 log entries matched our search rule. Searching with the same syntax in Kibana's Discover function also returns 54 hits, as shown in the figure below.
Step 4: Start ElastAlert.
$ python -m elastalert.elastalert --verbose --config /etc/elastalert/config.yaml --rule /etc/elastalert/monitor_rules/monitor_example.yaml
More monitoring rule types are described on the official ElastAlert website.
~ END ~