k8s kubesphere 部署elastalert
是无状态的, 因为不要存储批量文件,可以用configmap
1- 镜像
docker pull anjia0532/elastalert-docker:v0.2.4
端口随便一个就可以 80
2- 设置环境变量
environment:
- ELASTICSEARCH_HOST=192.168.103.78
- ELASTICSEARCH_PORT=9200
- TZ=Asia/Shanghai
- ELASTICSEARCH_USER="elastic"
- ELASTICSEARCH_PASSWORD="123456"
2-
3- configmap
/opt/elastalert/elastalert_modules/dingtalk_alert.py
/opt/elastalert/rules/ks-log.yaml
实际内容:
ks-log.yaml
es_host: 10.0.0.208
es_port: 9200
name: ks-log #告警模板名
realert: #2分钟内不重复告警
minutes: 2
type: frequency
index: ks-logstash* #要查询的索引的名称, ES中存在的索引
num_events: 1 #此参数特定于frequency类型,而且是触发警报时的阈值,周期内出现5次
timeframe: #监控周期为1分钟
minutes: 5
#- query_string:
# query: "http_status: (304|400|404|500|501)"
filter:
- term:
log: "error"
alert:
- "debug"
- "elastalert_modules.dingtalk_alert.DingTalkAlerter"
dingtalk_webhook: "https://qyapi.weixin.qq.com/cgi-bin/webhook/send?key=8b47af31-e289-47e5-88eb-8923e01738fd"
dingtalk_msgtype: "text"
alert_text_type: alert_text_only
alert_text: |
【测试环境】
发生了 {} 次告警
告警模块: {}
告警ip: {}
详细日志: {}
测试字段1: {}
测试字段2: {}
alert_text_args:
- num_hits
- type
- remote_addr
- log
- kubernetes.container_name
- kubernetes.namespace_name
这里白眉大叔本想自定义一个 企业微信的webhook,发现 接口跟 钉钉的一样,所以就拿钉钉的做测试了。
dingtalk_alert.py
#! /usr/bin/env python
# -*- coding: utf-8 -*-
"""
@author: xuyaoqiang
@contact: xuyaoqiang@gmail.com
@date: 2017-09-14 17:35
@version: 0.0.0
@license:
@copyright:
"""
import json
import requests
from elastalert.alerts import Alerter, DateTimeEncoder
from requests.exceptions import RequestException
from elastalert.util import EAException
class DingTalkAlerter(Alerter):
required_options = frozenset(['dingtalk_webhook', 'dingtalk_msgtype'])
def __init__(self, rule):
super(DingTalkAlerter, self).__init__(rule)
self.dingtalk_webhook_url = self.rule['dingtalk_webhook']
self.dingtalk_msgtype = self.rule.get('dingtalk_msgtype', 'text')
self.dingtalk_isAtAll = self.rule.get('dingtalk_isAtAll', False)
self.digtalk_title = self.rule.get('dingtalk_title', '')
def format_body(self, body):
return body.encode('utf8')
def alert(self, matches):
headers = {
"Content-Type": "application/json",
"Accept": "application/json;charset=utf-8"
}
body = self.create_alert_body(matches)
payload = {
"msgtype": self.dingtalk_msgtype,
"text": {
"content": body
},
"at": {
"isAtAll":False
}
}
try:
response = requests.post(self.dingtalk_webhook_url,
data=json.dumps(payload, cls=DateTimeEncoder),
headers=headers)
response.raise_for_status()
except RequestException as e:
raise EAException("Error request to Dingtalk: {0}".format(str(e)))
def get_info(self):
return {
"type": "dingtalk",
"dingtalk_webhook": self.dingtalk_webhook_url
}
pass
测试:
进入终端:
elastalert --verbose --rule ./rules/ks-log.yaml
这时候会在 群里收到通知
{#more-15892}
docker -compos
ersion: '2.2'
services:
elastalert:
image: anjia0532/elastalert-docker
container_name: elastalert
environment:
- ELASTICSEARCH_HOST=192.168.103.78
- ELASTICSEARCH_PORT=9200
- TZ=Asia/Shanghai
- ELASTICSEARCH_USER="elastic"
- ELASTICSEARCH_PASSWORD="123456"
volumes:
- /data/elastalert/rules:/opt/elastalert/rules
-/data/elastalert/elastalert_modules:/opt/elastalert/elastalert_modules
ks-log.yaml
dingtalk_alert.py
elastalert --verbose --rule ./rules/ks-log.yaml