Overview

  • The alerting feature officially supported by ELK requires buying X-Pack.
  • ElastAlert is an open source library developed by Yelp that lets you set up alerts on data patterns in Elasticsearch, and it offers a wide range of customization.

 

Installation

1. Install Python and the required packages.

 

# Install Python
yum install python3
 
# Install pip
yum install python-pip
 
# Use this if the method above does not work
1. curl -O https://bootstrap.pypa.io/get-pip.py
2. python3 get-pip.py --user
 
# Install cffi (1.11.5 or later is required)
yum install python-cffi*
 
# Install the Python development package for the same Python version
yum install python3-devel*
 
# Install related packages
pip install "setuptools>=11.3"
python setup.py install
 
# Install ElastAlert
pip install elastalert

 

2. Change to the default installation path

cd /usr/local/lib/python3.6/site-packages/elastalert

 

3. Configure the ElastAlert YAML files

  • You need to set up both config.yaml and rule.yaml.

Main config.yaml options
rules_folder : the folder containing the rule files, relative to the location of config.yaml
run_every : how often the alert checks run; accepts the keyword arguments of Python's timedelta: days, seconds, microseconds, milliseconds, minutes, hours, weeks
buffer_time : the recent period over which results are buffered, for log sources that are not real time
es_host : Elasticsearch host
es_port : Elasticsearch port

writeback_index : the index used to store metadata; it appears the user has to create this index themselves
alert_time_limit : the period during which a failed alert is retried

# config.yaml 
 
# This is the folder that contains the rule yaml files
# Any .yaml file will be loaded as a rule
rules_folder: /usr/local/lib/python3.6/site-packages/elastalert/alertScript/
 
# How often ElastAlert will query Elasticsearch
# The unit can be anything from weeks to seconds
run_every:
  minutes: 5
 
# ElastAlert will buffer results from the most recent
# period of time, in case some log sources are not in real time
buffer_time:
  minutes: 15
 
# The Elasticsearch hostname for metadata writeback
# Note that every rule can have its own Elasticsearch host
es_host: syf-es-0.cocone
 
# The Elasticsearch port
es_port: 9200
 
# The AWS region to use. Set this when using AWS-managed elasticsearch
#aws_region: us-east-1
 
# The AWS profile to use. Use this if you are using an aws-cli profile.
# See http://docs.aws.amazon.com/cli/latest/userguide/cli-chap-getting-started.html
# for details
#profile: test
 
# Optional URL prefix for Elasticsearch
#es_url_prefix: elasticsearch
 
# Connect with TLS to Elasticsearch
#use_ssl: True
 
# Verify TLS certificates
#verify_certs: True
 
# GET request with body is the default option for Elasticsearch.
# If it fails for some reason, you can pass 'GET', 'POST' or 'source'.
# See http://elasticsearch-py.readthedocs.io/en/master/connection.html?highlight=send_get_body_as#transport
# for details
#es_send_get_body_as: GET
 
# Option basic-auth username and password for Elasticsearch
#es_username: someusername
#es_password: somepassword
 
# Use SSL authentication with client certificates client_cert must be
# a pem file containing both cert and key for client
#verify_certs: True
#ca_certs: /path/to/cacert.pem
#client_cert: /path/to/client_cert.pem
#client_key: /path/to/client_key.key
 
# The index on es_host which is used for metadata storage
# This can be a unmapped index, but it is recommended that you run
# elastalert-create-index to set a mapping
writeback_index: elastalert_status
writeback_alias: elastalert_alerts
 
# If an alert fails for some reason, ElastAlert will retry
# sending the alert until this time period has elapsed
alert_time_limit:
  days: 1
 
# Custom logging configuration
# If you want to setup your own logging configuration to log into
# files as well or to Logstash and/or modify log levels, use
# the configuration below and adjust to your needs.
# Note: if you run ElastAlert with --verbose/--debug, the log level of
# the "elastalert" logger is changed to INFO, if not already INFO/DEBUG.
#logging:
#  version: 1
#  incremental: false
#  disable_existing_loggers: false
#  formatters:
#    logline:
#      format: '%(asctime)s %(levelname)+8s %(name)+20s %(message)s'
#
#  handlers:
#    console:
#      class: logging.StreamHandler
#      formatter: logline
#      level: DEBUG
#      stream: ext://sys.stderr
#
#    file:
#      class : logging.FileHandler
#      formatter: logline
#      level: DEBUG
#      filename: elastalert.log
#
#  loggers:
#    elastalert:
#      level: WARN
#      handlers: []
#      propagate: true
#
#    elasticsearch:
#      level: WARN
#      handlers: []
#      propagate: true
#
#    elasticsearch.trace:
#      level: WARN
#      handlers: []
#      propagate: true
#
#    '':  # root logger
#      level: WARN
#      handlers:
#        - console
#        - file
#      propagate: false

 

 

4. Configure rule.yaml

  • name : the rule's name; it must be unique, so it cannot be duplicated.
  • type : the alert type; for frequency, as in the example file, the timeframe and num_events options are used.
  • index : the Elasticsearch index this rule searches.
  • num_events : raise an alert when at least this many documents match within the timeframe.
  • timeframe : the time window over which num_events is counted.
  • filter : the conditions to match against the index.
    • query_string : uses the Lucene query string syntax
      filter:
      - query:
          query_string:
            query: "username: bob"
      - query:
          query_string:
            query: "_type: login_logs"
      - query:
          query_string:
            query: "field: value OR otherfield: othervalue"
      - query:
          query_string:
            query: "this: that AND these: those"
    • term : specifies the value a given field must match
      filter:
      - term:
          name_field: "bob"
      - term:
          _type: "login_logs"
    • terms : the same idea as term, but several values can be matched (as an array)
      filter:
      - terms:
          field: ["value1", "value2"]  # value1 OR value2
      - terms:
          fieldX: ["value1", "value2"]
          fieldY: ["something", "something_else"]
          fieldZ: ["foo", "bar", "baz"]
    • wildcard : matches similar values using the * character
      filter:
      - query:
          wildcard:
            field: "foo*bar"
    • range : specifies a range for a numeric field
      filter:
      - range:
          status_code:
            from: 500
            to: 599
    • Negation, and, or : these were used with Elasticsearch 2.x, but from 5.x onward they no longer work; use query_string instead.
# rule.yaml
 
 
# Alert when the rate of events exceeds a threshold
 
# (Optional)
# Elasticsearch host
es_host: test-es
 
# (Optional)
# Elasticsearch port
es_port: 9200
 
# (Optional) Connect with SSL to Elasticsearch
#use_ssl: True
 
# (Optional) basic-auth username and password for Elasticsearch
#es_username: someusername
#es_password: somepassword
 
# (Required)
# Rule name, must be unique
name: DigDag Alert Rule
 
# (Required)
# Type of alert.
# the frequency rule type alerts when num_events events occur with timeframe time
type: frequency
 
# (Required)
# Index to search, wildcard supported
index: digdag*
 
# (Required, frequency specific)
# Alert when this many documents matching the query occur within a timeframe
num_events: 1
 
# (Required, frequency specific)
# num_events must occur within this amount of time to trigger an alert
timeframe:
#  hours: 1
  seconds: 10
 
alert_text_args: ["errMsg", "path"]
alert_text: "errMsg: {0}\n\n\npath: {1}"
alert_text_type: alert_text_only

# minutes : with 0 minutes, every alert is sent and none is missed
realert:
  minutes: 0
  
# (Required)
# A list of Elasticsearch filters used to find events
# These filters are joined with AND and nested in a filtered query
# For more info: http://www.elasticsearch.org/guide/en/elasticsearch/reference/current/query-dsl.html
filter:
- query:
    query_string:
      query: "*"
 
# (Required)
# The alert is used when a match is found
alert:
- "slack"
slack_webhook_url: "https://hooks.slack.com/services/T02BEABAP/test/asd123"
#slack_webhook_url: "https://hooks.slack.com/services/T02BEABAP/teast/asd123"
slack_username_override: "ErrAlert-Bot"
slack_channel_override: "notification"
#slack_channel_override: "testchannel1"
slack_emoji_override: ":stest:"
#slack_msg_color: "danger"
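To make the interplay of num_events, timeframe and realert in the rule above concrete, here is an added Python model (not ElastAlert's own code) that replays constructed event timestamps through the frequency logic; the FrequencyRule class, the replay function and the SAMPLE_EVENTS timestamps are assumptions made for this illustration.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample: seconds at which documents matching the rule's filter arrived.
SAMPLE_EVENTS = [0, 3, 8, 30, 31, 32, 33, 100]


@dataclass
class FrequencyRule:
    """Toy model of the `frequency` rule type (illustration, not ElastAlert's own code)."""
    num_events: int              # rule.yaml num_events
    timeframe: float             # rule.yaml timeframe, in seconds
    realert: float = 0.0         # rule.yaml realert, in seconds; 0 disables suppression
    _window: List[float] = field(default_factory=list)
    _last_sent: Optional[float] = None

    def add_event(self, ts: float) -> Tuple[bool, bool]:
        """Feed one matching document (ascending timestamps).
        Returns (matched, sent): matched means num_events documents fell inside
        the sliding timeframe; sent is False when realert silenced that alert."""
        self._window.append(ts)
        # Documents older than timeframe no longer count toward num_events.
        self._window = [t for t in self._window if ts - t <= self.timeframe]
        if len(self._window) < self.num_events:
            return (False, False)
        # ElastAlert resets the counter after a match, so the next alert needs fresh events.
        self._window.clear()
        if self._last_sent is not None and ts - self._last_sent < self.realert:
            return (True, False)  # matched, but silenced until realert has elapsed
        self._last_sent = ts
        return (True, True)


def replay(rule: FrequencyRule, timestamps) -> Tuple[List[float], int]:
    """Return (timestamps of alerts actually sent, number of matches silenced by realert)."""
    sent, silenced = [], 0
    for ts in timestamps:
        matched, was_sent = rule.add_event(ts)
        if matched and was_sent:
            sent.append(ts)
        elif matched:
            silenced += 1
    return sent, silenced


if __name__ == "__main__":
    # The page's rule (num_events 1, timeframe 10 s, realert 0): every document alerts.
    print(replay(FrequencyRule(num_events=1, timeframe=10), SAMPLE_EVENTS))
    # A burst rule with realert 60 s: the second burst, 24 s after the first alert, is silenced.
    print(replay(FrequencyRule(num_events=3, timeframe=10, realert=60), SAMPLE_EVENTS))
```

With the page's settings every matching document produces one Slack message, which is what the realert comment in rule.yaml describes; raising num_events and realert trades that completeness for less noise.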

 

5. Once all configuration is done, run the command

nohup elastalert --verbose --start NOW --config /usr/local/elastalert/alertScript/config.yaml --rule /usr/local/elastalert/alertScript/rule.yaml &