WeChat alerting

Start the container

docker run -d -e"ELASTICSEARCH_HOST=192.168.2.101" -e"ELASTICSEARCH_PORT=30080" -e"CONTAINER_TIMEZONE=Asia/Shanghai" -e"TZ=Asia/Shanghai" --name ea anjia0532/elastalert-docker:v0.2.4

Enter the container

docker exec -it ea sh
cd rules

Configure the alert rule

Write the rule file

# vi app.yaml
name: test
type: frequency
index: logstash-*
num_events: 1
timeframe:
  minutes: 1
filter:
- query:
    query_string:
      query: '"\[ERROR\]" NOT "发送邮件失败"'
alert:
- "elastalert_modules.wechat_qiye_alert.WeChatAlerter"
wechat_corp_id: ww9b9c823d77fe3
wechat_secret: fHI8_cNIrTiSfrN7DRfvW-G1mcVCDEOTpRzBcEA
wechat_agent_id: 1002
wechat_party_id: 1
alert_text_type: alert_text_only
alert_text: |
  日志告警!
  截止发邮件前匹配到的请求数:{}
  截止发邮件前匹配到的次数:{}
  时间: {}
  内容: {}

alert_text_args:
- num_hits
- num_matches
- "@timestamp"
- message

index: the name of the index to query; it must be an index that exists in ES.
num_events: specific to the frequency rule type; it is the threshold at which the alert fires.
filter: the list of Elasticsearch filters used to narrow the results. The rule defined here fires an alert for every ERROR log line except those containing "发送邮件失败".
alert: defines the alerting method; here we use WeChat Work (企业微信).
corp_id: the WeChat Work API authentication information.

Integrating into a pod

apiVersion: apps/v1
kind: Deployment
metadata:
  name: elastalert
  namespace: monitoring
  labels:
    app: elastalert
spec:
  selector:
    matchLabels:
      app: elastalert
  template:
    metadata:
      labels:
        app: elastalert
    spec:
      volumes:
      - name: rule
        hostPath:
          path: /data/k8s/monitor/elastalert/applog.yaml
      hostNetwork: true
      containers:
      - name: elastalert
        image: anjia0532/elastalert-docker:v0.2.4
        imagePullPolicy: IfNotPresent
        volumeMounts:
        - name: rule
          mountPath: /opt/elastalert/rules/applog.yaml
        env:
        - name: TZ
          value: Asia/Shanghai
        - name: CONTAINER_TIMEZONE
          value: Asia/Shanghai
        - name: ELASTICSEARCH_HOST
          value: '192.168.2.101'
        - name: ELASTICSEARCH_PORT
          value: '30080'

Program bug

The name value in a rules.yaml file must be unique. If the program reloads the rules and a name value has changed, it raises an error and no alert is sent.
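A small pre-deployment lint for rule files like the app.yaml above, covering the unique-name requirement just described, the alert_text / alert_text_args pairing, and a plaintext wechat_secret sitting in the rule. This is an added example, not part of the original post or of ElastAlert; the sample rule is constructed to mirror app.yaml with the credential replaced by a placeholder, and lint_rule_files assumes PyYAML is installed.

```python
"""Lint ElastAlert rule files before deploying them (added example, not ElastAlert code)."""
import re
from typing import Any, Dict, List, Set

# keys every frequency rule needs; credential keys that should not sit in plaintext in a rule file
REQUIRED_KEYS = ("name", "type", "index", "num_events", "timeframe", "filter", "alert")
SECRET_KEYS = ("wechat_secret",)

# Constructed sample mirroring app.yaml from the page, with the credential replaced by a placeholder
SAMPLE_RULE: Dict[str, Any] = {
    "name": "test", "type": "frequency", "index": "logstash-*", "num_events": 1,
    "timeframe": {"minutes": 1},
    "filter": [{"query": {"query_string": {"query": '"\\[ERROR\\]" NOT "发送邮件失败"'}}}],
    "alert": ["elastalert_modules.wechat_qiye_alert.WeChatAlerter"],
    "wechat_corp_id": "PLACEHOLDER_CORP_ID", "wechat_secret": "PLACEHOLDER_SECRET",
    "wechat_agent_id": 1002, "wechat_party_id": 1, "alert_text_type": "alert_text_only",
    "alert_text": "日志告警!\n截止发邮件前匹配到的请求数:{}\n截止发邮件前匹配到的次数:{}\n时间: {}\n内容: {}\n",
    "alert_text_args": ["num_hits", "num_matches", "@timestamp", "message"],
}


def lint_rule(rule: Dict[str, Any], seen_names: Set[str]) -> List[str]:
    """Return a list of problems; seen_names accumulates across files to catch duplicate names."""
    problems = [f"missing:{k}" for k in REQUIRED_KEYS if k not in rule]
    name = rule.get("name")
    if name in seen_names:  # ElastAlert keys alert state by rule name, so names must be unique
        problems.append(f"duplicate-name:{name}")
    seen_names.add(name)
    # every {} in alert_text consumes one entry of alert_text_args; a mismatch breaks the message
    placeholders = len(re.findall(r"\{\}", rule.get("alert_text", "")))
    args = len(rule.get("alert_text_args", []))
    if placeholders != args:
        problems.append(f"placeholder-mismatch:{placeholders}!={args}")
    problems += [f"plaintext-secret:{k}" for k in SECRET_KEYS if k in rule]
    return problems


def lint_rule_files(paths: List[str]) -> Dict[str, List[str]]:
    """Lint several YAML rule files together (PyYAML assumed installed; imported lazily)."""
    import yaml
    seen: Set[str] = set()
    report: Dict[str, List[str]] = {}
    for path in paths:
        with open(path, encoding="utf-8") as fh:
            report[path] = lint_rule(yaml.safe_load(fh), seen)
    return report


if __name__ == "__main__":
    for problem in lint_rule(SAMPLE_RULE, set()):
        print(problem)
```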