Email alerts on error logs with ES + Filebeat + ElastAlert2
All of the installs below use docker-compose; plain Docker and K8s work on the same principle.
Installing ES:
es:
  container_name: es
  image: docker.elastic.co/elasticsearch/elasticsearch:7.2.0
  ports:
    - "9200:9200"
  environment:
    - node.name=es
    - http.host=0.0.0.0
    - transport.host=127.0.0.1
    - "ES_JAVA_OPTS=-Xms512m -Xmx512m"
    - bootstrap.memory_lock=true
    - discovery.type=single-node
    - xpack.security.enabled=true
    - xpack.security.http.ssl.enabled=false
    - xpack.security.transport.ssl.enabled=false
    - ELASTIC_PASSWORD="123456"
Installing Filebeat:
filebeat:
  image: docker.elastic.co/beats/filebeat:7.2.0
  container_name: filebeat
  restart: always
  privileged: true
  user: root
  environment:
    - setup.kibana.host=kibana:5601
    - output.elasticsearch.hosts=["es:9200"]
  volumes:
    - /var/lib/docker/containers:/var/lib/docker/containers:ro
    - ./efk/filebeat/filebeat.yml:/usr/share/filebeat/filebeat.yml
    - /var/run/docker.sock:/var/run/docker.sock:ro
  links: ['es']
  depends_on: ['es']
Installing ElastAlert2:
elastalert:
  image: brucexhe/elastalert2
  container_name: elastalert
  environment:
    - ELASTICSEARCH_HOST=es
    - ELASTICSEARCH_PORT=9200
    - TZ=Asia/Shanghai
    - ELASTICSEARCH_USER="elastic"
    - ELASTICSEARCH_PASSWORD="123456"
  volumes:
    - ./efk/elastalert2/config.yaml:/opt/elastalert/config.yaml
    - ./efk/elastalert2/email_auth.yaml:/opt/elastalert/email_auth.yaml
    - ./efk/elastalert2/rules:/opt/elastalert/rules
    - ./efk/elastalert2/elastalert_modules:/opt/elastalert/elastalert_modules
Appendix: the configuration files.
config.yaml
rules_folder: /opt/elastalert/rules
run_every:
  minutes: 1
buffer_time:
  minutes: 1
es_host: es
es_port: 9200
es_username: 'elastic'
es_password: '123456'
writeback_index: elastalert_status
alert_time_limit:
  days: 2
mail_rule.yaml
# From examples/rules/example_frequency.yaml
es_host: es
es_port: 9200
use_ssl: false
verify_certs: false
name: MailAlertRule2
type: frequency
index: filebeat-*
num_events: 1
timeframe:
  minutes: 1
filter:
- query:
    query_string:
      default_field: "message"
      query: "ERROR"
# Boolean combination of clauses
# - bool:
#     # must be present
#     must:
#     - match:
#         message: "ERROR"
#     # must not be present, i.e. these are filtered out
#     must_not:
#     - match:
#         stackTrace: "org.apache.catalina.connector.ClientAbortException: java.io.IOException: Broken pipe"
#     - match:
#         message: "[SUCCESS]"
smtp_host: smtp.163.com
smtp_port: 465
smtp_ssl: true
# SMTP auth
#smtp_auth_file: /opt/elastalert/data/smtp_auth_file.yaml
smtp_auth_file: "/opt/elastalert/email_auth.yaml"
email_reply_to: sender@163.com
from_addr: sender@163.com
alert:
- "email"
email:
- "revieve_user@qq.com"
include: ["message"]
#alert:
#- "command"
#pipe_match_json: true # pass the match to the command as a JSON stream on stdin; read it in Python with sys.stdin.read()
#command: ["/opt/elastalert/data/1.sh", "--agent", "%(agent)s"]
auth_mail.yaml (the file mounted above as /opt/elastalert/email_auth.yaml)
user: 'sender@163.com'
password: 'authorization code'
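As an added example (not part of the original post or of ElastAlert2 itself), the following Python script simulates how the frequency rule above is evaluated: documents are filtered the way the rule's filter (including the commented-out must_not clauses) would filter them, matches are counted in a sliding window of `timeframe`, and an alert carrying the `include` fields fires once `num_events` matches fall inside the window. The sample documents are constructed to look like filebeat-* hits and are not real log data.

```python
from collections import deque
from datetime import datetime, timedelta

# Constructed sample documents shaped like filebeat-* hits (not real logs).
SAMPLE_DOCS = [
    {"@timestamp": "2024-01-01T10:00:00Z", "message": "INFO service started"},
    {"@timestamp": "2024-01-01T10:00:10Z", "message": "ERROR db timeout",
     "stackTrace": "java.net.SocketTimeoutException"},
    {"@timestamp": "2024-01-01T10:00:20Z", "message": "ERROR client gone",
     "stackTrace": "org.apache.catalina.connector.ClientAbortException: "
                   "java.io.IOException: Broken pipe"},
    {"@timestamp": "2024-01-01T10:03:00Z", "message": "ERROR [SUCCESS] retry ok"},
    {"@timestamp": "2024-01-01T10:03:30Z", "message": "ERROR disk full"},
]

NOISE_STACKTRACE = ("org.apache.catalina.connector.ClientAbortException: "
                    "java.io.IOException: Broken pipe")


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def matches_filter(doc):
    """Mirror the rule filter: 'message' must contain ERROR (a substring test
    stands in for the analyzed query_string match), and the commented-out
    must_not clauses drop the known-noise documents."""
    if "ERROR" not in doc.get("message", ""):
        return False
    if NOISE_STACKTRACE in doc.get("stackTrace", ""):
        return False
    if "[SUCCESS]" in doc.get("message", ""):
        return False
    return True


def evaluate_frequency_rule(docs, num_events=1, timeframe=timedelta(minutes=1),
                            include=("message",)):
    """Sliding-window count approximating ElastAlert2's frequency rule: when
    num_events matching docs fall within timeframe, emit an alert holding the
    include fields of the triggering doc, then reset the window."""
    window, alerts = deque(), []
    for doc in sorted(docs, key=lambda d: d["@timestamp"]):
        if not matches_filter(doc):
            continue
        ts = parse_ts(doc["@timestamp"])
        window.append(ts)
        while window and ts - window[0] > timeframe:  # drop events older than timeframe
            window.popleft()
        if len(window) >= num_events:
            alerts.append({field: doc.get(field) for field in include})
            window.clear()
    return alerts
```

With the rule's own settings (num_events: 1, timeframe 1 minute) the two genuine errors each produce an alert, while raising num_events to 2 produces none because the matches are more than a minute apart.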
Final result: (screenshot of the alert email)
Appendix 2: alert log (screenshot)
Appendix 3: Kibana index (screenshot)