• After two days of fiddling, alerts finally fire

mark

ElastAlert configuration

config.yaml

```yaml
rules_folder: example_rules          # directory ElastAlert scans for rule files

run_every:                           # how often ElastAlert queries Elasticsearch
  #minutes: 1
  seconds: 3

buffer_time:                         # size of the query window for rules that do not use count queries
  minutes: 15

es_host: 192.168.0.231
es_port: 9200

writeback_index: elastalert_status   # index where ElastAlert stores its own state and metadata

alert_time_limit:                    # how long to keep retrying an alert that failed to send
  days: 2
```

rule.yaml

```yaml
es_host: 192.168.0.231
es_port: 9200
name: For A TEST
# Note the spelling: use_strftime_index. A misspelled key is not an ElastAlert option and
# silently does nothing. It only matters when index contains strftime directives such as
# filebeat-%Y.%m.%d; with filebeat-* it is a no-op.
use_strftime_index: true
type: frequency          # fire when num_events matching events occur within timeframe
index: filebeat-*
num_events: 1
timeframe:
  hours: 1

#filter:
#    - query:
#        query_string:
#            query: "@message: *nioEventLoopGroup*"

filter:
- query_string:
    query: "message: 测试一下下"   # unquoted phrase: matched per token, see the summary below

alert:
    - "email"
email:
    - "xxx"              # recipient address, redacted on the original page

smtp_host: smtp.vip.126.com
from_addr: myalter@vip.126.com
email_reply_to: myalter@vip.126.com
smtp_auth_file: /opt/machtalk/elk/aaa/example_rules/auth   # plaintext SMTP credentials; keep it mode 0600
```

auth (the file referenced by smtp_auth_file; values left blank here)

```yaml
user:
password:
```
    

Running it

```bash
python -m elastalert.elastalert --verbose --rule example_rules/rule.yaml
```

Summary:

With this, alerts fire, but there are two things to watch out for:

1. The query syntax is something I found in an issue; only this form works, the query form from the official docs did not work for me.

elastalert (support_es5 branch) + elasticsearch 5.1

```yaml
filter:
- query_string:
    query: "message: 测试一下下"
```

https://github.com/Yelp/elastalert/issues/856

2. For the email alert configuration I pulled bits and pieces from the official docs and patched them together, and that was enough.
3. Also worth mentioning, about the message in point 1: "测试一下下" is not in quotes, so later on related events, e.g. ones whose tokens contain 测试, were sent out as well.
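Two of the points above can be caught before ElastAlert ever runs: the misspelled option `use_strftine_index` in rule.yaml (a key ElastAlert does not recognise simply has no effect) and the unquoted value in `query_string`, which the Elasticsearch standard analyzer splits into one token per CJK character and, with the default OR operator, matches whenever any one of those tokens appears in a message. The Python below is an added example, not code from this page or from the ElastAlert project. It embeds a constructed copy of the rule above, flags top-level keys that are not in a small list of documented ElastAlert option names, classifies each `query_string`, and checks that the plaintext `smtp_auth_file` is not group- or world-readable. `KNOWN_RULE_KEYS`, `lint_rule`, `classify_query_string`, `analyze_tokens`, `write_auth_file` and `auth_file_exposed` are this example's own names, and `analyze_tokens` is an approximation of the standard analyzer, not a call into Elasticsearch.

```python
import difflib
import os
import re
import stat
import tempfile

# Documented ElastAlert rule options used by the rule on this page (example's own subset;
# extend it with whatever options your rules use).
KNOWN_RULE_KEYS = {
    "es_host", "es_port", "name", "use_strftime_index", "type", "index",
    "num_events", "timeframe", "filter", "alert", "email", "smtp_host",
    "from_addr", "email_reply_to", "smtp_auth_file",
}

# Constructed copy of the page's rule.yaml, typo and unquoted phrase included.
RULE_YAML = """\
es_host: 192.168.0.231
es_port: 9200
name: For A TEST
use_strftine_index: true
type: frequency
index: filebeat-*
num_events: 1
timeframe:
  hours: 1
filter:
- query_string:
    query: "message: 测试一下下"
alert:
    - "email"
smtp_auth_file: /opt/machtalk/elk/aaa/example_rules/auth
"""
# The same rule with both findings fixed: option spelled correctly, phrase quoted.
FIXED_RULE_YAML = RULE_YAML.replace("use_strftine_index", "use_strftime_index").replace(
    'query: "message: 测试一下下"', "query: 'message: \"测试一下下\"'")

TOP_KEY_RE = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*):", re.MULTILINE)   # keys at column 0
QUERY_RE = re.compile(r"^[ \t]*query:[ \t]*(.+?)[ \t]*$", re.MULTILINE)  # query: <scalar>
CJK_RE = re.compile(r"[\u4e00-\u9fff]")

def unknown_keys(rule_text):
    """Top-level keys not in KNOWN_RULE_KEYS, mapped to the closest known spelling (or None)."""
    result = {}
    for key in TOP_KEY_RE.findall(rule_text):
        if key not in KNOWN_RULE_KEYS:
            close = difflib.get_close_matches(key, sorted(KNOWN_RULE_KEYS), n=1, cutoff=0.8)
            result[key] = close[0] if close else None
    return result

def unquote_yaml_scalar(value):
    """Strip one layer of YAML single or double quotes from a one-line scalar."""
    if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
        return value[1:-1]
    return value

def analyze_tokens(value):
    """Approximate the Elasticsearch standard analyzer on an unquoted value:
    lowercased whitespace-separated words, with every CJK character as its own token."""
    tokens = []
    for chunk in value.split():
        buf = ""
        for ch in chunk:
            if CJK_RE.match(ch):
                if buf:
                    tokens.append(buf.lower())
                    buf = ""
                tokens.append(ch)
            else:
                buf += ch
        if buf:
            tokens.append(buf.lower())
    return tokens

def classify_query_string(query):
    """'phrase' (value in double quotes, tokens must appear in order), 'term' (one token),
    or 'or_of_tokens' (unquoted multi-token value: any single token matches under OR)."""
    m = re.match(r"^\s*[\w.@]+\s*:\s*(.+?)\s*$", query)
    if not m:
        return "unparsed"
    value = m.group(1)
    if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
        return "phrase"
    return "term" if len(analyze_tokens(value)) == 1 else "or_of_tokens"

def lint_rule(rule_text):
    """Human-readable findings for a rule file; an empty list means clean."""
    findings = []
    for key, suggestion in unknown_keys(rule_text).items():
        hint = f" (did you mean '{suggestion}'?)" if suggestion else ""
        findings.append(f"unknown option '{key}' has no effect{hint}")
    for raw in QUERY_RE.findall(rule_text):
        query = unquote_yaml_scalar(raw)
        if classify_query_string(query) == "or_of_tokens":
            value = query.split(":", 1)[1].strip()
            findings.append(f"query_string {query!r} is an OR over {analyze_tokens(value)}; "
                            f"write it as 'field: \"phrase\"' to match the phrase only")
    return findings

def write_auth_file(user, password, mode=0o600):
    """Write an ElastAlert smtp_auth_file (YAML user:/password:) with the given mode; returns its path."""
    fd, path = tempfile.mkstemp(prefix="elastalert-auth-")
    with os.fdopen(fd, "w") as fh:
        fh.write(f"user: {user}\npassword: {password}\n")
    os.chmod(path, mode)
    return path

def auth_file_exposed(path):
    """True if the plaintext SMTP credentials file is readable by group or others."""
    return bool(stat.S_IMODE(os.stat(path).st_mode) & 0o077)

if __name__ == "__main__":
    for finding in lint_rule(RULE_YAML):
        print("-", finding)
    print("fixed rule:", lint_rule(FIXED_RULE_YAML))
```

Run it against the rule file before `python -m elastalert.elastalert --rule ...`; on the page's rule it reports the unrecognised key with the suggested spelling and the per-token match, and reports nothing on the corrected rule. The phrase form `query: 'message: "测试一下下"'` is what stops unrelated messages containing 测试 from triggering the alert.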
Copyright © opschina.org 2017 with zzlyzq@gmail.com, all rights reserved, powered by Gitbook. File last revised: 2017-07-11 11:32:48
