Elasticsearch\u4e2d\u6709\u4e00\u79cd\u57fa\u4e8e\u8f93\u5165\u6570\u636e\u53d1\u9001\u8b66\u62a5\u7684\u673a\u5236\uff0c\u5373elastalert\u3002
\nhttps:\/\/elastalert.readthedocs.io\/en\/latest\/index.html<\/p>\n
\u867d\u7136\u4e0d\u662fElasticsearch\u9ed8\u8ba4\u7684\u516c\u5f0f\u529f\u80fd\uff0c\u4f46\u7531\u4e8e\u5e7f\u6cdb\u4f7f\u7528\uff0c\u6211\u60f3\u8bd5\u8bd5\u770b\u3002
\n\u53e6\u5916\uff0c\u8fd9\u6b21\u662f\u901a\u8fc7Kibana\u63d2\u4ef6\u6267\u884c\u7684\u3002<\/p>\n
\u673a\u5668\u89c4\u683c\uff1a
\n\u64cd\u4f5c\u7cfb\u7edf\uff1aUbuntu 18.04\uff0c\u5b89\u88c5\u5728VirtualBox\u4e0a
\n\u5185\u5b58\uff1a8196 MB
\nCPU\u6838\u5fc3\u6570\uff1a2
\nElasticsearch\u548cKibana\u7248\u672c\uff1a7.6.2<\/p>\n
\u4e3a\u4e86\u5728\u672c\u5730\u73af\u5883\u4e2d\u8fd0\u884c\uff0c\u6211\u4eec\u53ef\u4ee5\u65b9\u4fbf\u5730\u4f7f\u7528Docker\u6765\u8bbe\u7f6e\u73af\u5883\u3002<\/p>\n
\u251c\u2500\u2500 docker-compose.yml\r\n\u251c\u2500\u2500 elastalert\r\n\u2502\u00a0\u00a0 \u251c\u2500\u2500 bin\r\n\u2502\u00a0\u00a0 \u2502\u00a0\u00a0 \u251c\u2500\u2500 elastalert-start.sh\r\n\u2502\u00a0\u00a0 \u2502\u00a0\u00a0 \u2514\u2500\u2500 elastic_search_status.sh\r\n\u2502\u00a0\u00a0 \u251c\u2500\u2500 config\r\n\u2502\u00a0\u00a0 \u2502\u00a0\u00a0 \u251c\u2500\u2500 config.json\r\n\u2502\u00a0\u00a0 \u2502\u00a0\u00a0 \u251c\u2500\u2500 elastalert-test.yaml\r\n\u2502\u00a0\u00a0 \u2502\u00a0\u00a0 \u2514\u2500\u2500 elastalert.yaml\r\n\u2502\u00a0\u00a0 \u251c\u2500\u2500 Dockerfile\r\n\u2502\u00a0\u00a0 \u251c\u2500\u2500 pass\r\n\u2502\u00a0\u00a0 \u2502\u00a0\u00a0 \u2514\u2500\u2500 smtp_auth_user.yaml\r\n\u2502\u00a0\u00a0 \u251c\u2500\u2500 rules\r\n\u2502\u00a0\u00a0 \u2514\u2500\u2500 rule_templates\r\n\u251c\u2500\u2500 elasticsearch\r\n\u2502\u00a0\u00a0 \u251c\u2500\u2500 config\r\n\u2502\u00a0\u00a0 \u2502\u00a0\u00a0 \u2514\u2500\u2500 elasticsearch.yml\r\n\u2502\u00a0\u00a0 \u2514\u2500\u2500 Dockerfile\r\n\u251c\u2500\u2500 kibana\r\n\u2502\u00a0\u00a0 \u251c\u2500\u2500 config\r\n\u2502\u00a0\u00a0 \u2502\u00a0\u00a0 \u2514\u2500\u2500 kibana.xml\r\n\u2502\u00a0\u00a0 \u251c\u2500\u2500 Dockerfile\r\n\u2502\u00a0\u00a0 \u2514\u2500\u2500 plugin\r\n\u2502\u00a0\u00a0 \u2514\u2500\u2500 elastalert-kibana-plugin-1.1.0-7.6.2.zip\r\n<\/code><\/pre>\nElasticsearch: \u5f39\u6027\u641c\u7d22<\/h4>\nFROM docker.elastic.co\/elasticsearch\/elasticsearch:7.6.2\r\n<\/code><\/pre>\ncluster.name: \"docker-cluster\"<\/span>\r\nnode.name: \"node1\"<\/span>\r\nnode.master: true\r\n<\/span>node.data: true\r\n<\/span>network.host: 0.0.0.0\r\nnetwork.publish_host: _local_\r\ndiscovery.seed_hosts: [<\/span>\"172.40.0.2\"<\/span>]<\/span>\r\ncluster.initial_master_nodes: [<\/span>\"node1\"<\/span>]<\/span>\r\n<\/code><\/pre>\nKibana \u53ef\u89c6\u5316\u5de5\u5177<\/h4>\nFROM docker.elastic.co\/kibana\/kibana:7.6.2\r\n<\/code><\/pre>\n\u5728 kibana.xml \u6587\u4ef6\u4e2d\u58f0\u660e\u4f7f\u7528 elastalert-kibana-plugin\u3002<\/p>\n
server.name: kibana\r\nserver.host: \"0\"<\/span>\r\nelasticsearch.hosts: [<\/span> \"http:\/\/doc-elastic101:9200\"<\/span> ]<\/span>\r\nxpack.monitoring.ui.container.elasticsearch.enabled: true\r\n<\/span>elasticsearch.requestTimeout: 60000\r\n\r\n# elastalert-kibana-plugin<\/span>\r\nelastalert-kibana-plugin.serverHost: elastalert\r\nelastalert-kibana-plugin.serverPort: 3030\r\n<\/code><\/pre>\n\u63d2\u4ef6\/elastalert-kibana-plugin-1.1.0-7.6.2.zip \u5c06\u57fa\u4e8e\u524d\u4e00\u4e2a\u7248\u672c\u8fdb\u884c\u521b\u5efa\u3002<\/p>\n
# Download necessary files\r\ncd \/tmp\r\ncurl -L -O https:\/\/github.com\/bitsensor\/elastalert-kibana-plugin\/releases\/download\/1.1.0\/elastalert-kibana-plugin-1.1.0-7.5.0.zip\r\ncurl -L -O https:\/\/raw.githubusercontent.com\/mmguero-dev\/Malcolm\/development\/kibana\/elastalert-kibana-plugin\/server\/routes\/elastalert.js\r\n\r\n# update elasticsearch package to 7.6.2\r\nmv elastalert.js elastalert-server-routes.js\r\nmv elastalert-kibana-plugin-1.1.0-7.5.0.zip elastalert-kibana-plugin-1.1.0-7.6.2.zip\r\nunzip elastalert-kibana-plugin-1.1.0-7.6.2.zip kibana\/elastalert-kibana-plugin\/package.json\r\nsed -i \"s\/7\\.5\\.0\/7\\.6\\.2\/g\" kibana\/elastalert-kibana-plugin\/package.json\r\nmkdir -p kibana\/elastalert-kibana-plugin\/server\/routes\/\r\nmv \/tmp\/elastalert-server-routes.js kibana\/elastalert-kibana-plugin\/server\/routes\/elastalert.js\r\nzip elastalert-kibana-plugin-1.1.0-7.6.2.zip kibana\/elastalert-kibana-plugin\/package.json kibana\/elastalert-kibana-plugin\/server\/routes\/elastalert.js\r\n\r\n# delete remaining directory\r\nrm -rf kibana\r\n\r\n# copy the created package to your workspace\r\ncp \/tmp\/elastalert-kibana-plugin-1.1.0-7.6.2.zip {your_workspace}\/kibana\/plugin\r\n<\/code><\/pre>\n\u5f39\u6027\u8b66\u62a5<\/h4>\nFROM bitsensor\/elastalert:3.0.0-beta.1\r\n\r\nUSER root\r\n\r\nRUN apk update &&<\/span> \\<\/span>\r\n apk add bash curl &&<\/span> \\<\/span>\r\n rm<\/span> -rf<\/span> \/var\/cache\/apk\/*<\/span>\r\n\r\nADD elastalert\/bin\/elastalert-start.sh \/usr\/local\/bin\/\r\nADD elastalert\/bin\/elastic_search_status.sh \/usr\/local\/bin\/\r\n\r\nRUN chmod<\/span> +x \/usr\/local\/bin\/elastalert-start.sh \r\n\r\nUSER node\r\n\r\nENTRYPOINT [<\/span>\"\/usr\/local\/bin\/elastalert-start.sh\"<\/span>]<\/span>\r\n<\/code><\/pre>\n#!\/bin\/bash<\/span>\r\n\r\nset<\/span> -e<\/span>\r\n\r\necho<\/span> \"Giving Elasticsearch at <\/span>$ELASTICSEARCH_URL<\/span> time to start...\"<\/span>\r\n\r\nelastic_search_status.sh\r\n\r\necho<\/span> \"Starting ElastAlert!\"<\/span>\r\nnpm start\r\n<\/code><\/pre>\n#!\/bin\/bash<\/span>\r\n\r\nset<\/span> -e<\/span>\r\n\r\nif<\/span> [<\/span> $# <\/span>-gt<\/span> 0 ]<\/span>;<\/span> then\r\n <\/span>ES_URL<\/span>=<\/span>\"<\/span>$1<\/span>\"<\/span>\r\nelif<\/span> [[<\/span> -n<\/span> $ELASTICSEARCH_URL<\/span> ]]<\/span>;<\/span> then\r\n <\/span>ES_URL<\/span>=<\/span>\"<\/span>$ELASTICSEARCH_URL<\/span>\"<\/span>\r\nelif<\/span> [[<\/span> -n<\/span> $ES_HOST<\/span> ]]<\/span> &&<\/span> [[<\/span> -n<\/span> $ES_PORT<\/span> ]]<\/span>;<\/span> then\r\n <\/span>ES_URL<\/span>=<\/span>\"http:\/\/<\/span>$ES_HOST<\/span>:<\/span>$ES_PORT<\/span>\"<\/span>\r\nelse\r\n <\/span>ES_URL<\/span>=<\/span>\"http:\/\/doc-elastic101:9200\"<\/span>\r\nfi\r\n\r\nuntil<\/span> [[<\/span> \"<\/span>$(<\/span>curl -fsSL<\/span> \"<\/span>$ES_URL<\/span>\/_cat\/health?h=status\"<\/span> | sed<\/span> -r<\/span> 's\/^[[:space:]]+|[[:space:]]+$\/\/g'<\/span>)<\/span>\"<\/span> =<\/span>~ ^(<\/span>yellow|green)<\/span>$ <\/span>]]<\/span>;<\/span> do<\/span>\r\n # printf '+' >&2<\/span>\r\n sleep <\/span>1\r\ndone\r\n\r\n<\/span>echo<\/span> \"Elasticsearch is up and healthy at \"<\/span>$ES_URL<\/span>\"\"<\/span> ><\/span>&2\r\n<\/code><\/pre>\n{<\/span>\r\n \"appName\"<\/span>: \"elastalert-server\"<\/span>,\r\n \"port\"<\/span>: 3030,\r\n \"wsport\"<\/span>: 3333,\r\n \"elastalertPath\"<\/span>: \"\/opt\/elastalert\"<\/span>,\r\n \"verbose\"<\/span>: true<\/span>,\r\n \"es_debug\"<\/span>: false<\/span>,\r\n \"debug\"<\/span>: false<\/span>,\r\n \"rulesPath\"<\/span>: {<\/span>\r\n \"relative\"<\/span>: true<\/span>,\r\n \"path\"<\/span>: \"\/rules\"<\/span>\r\n }<\/span>,\r\n \"templatesPath\"<\/span>: {<\/span>\r\n \"relative\"<\/span>: true<\/span>,\r\n \"path\"<\/span>: \"\/rule_templates\"<\/span>\r\n }<\/span>,\r\n \"es_host\"<\/span>: \"elasticsearch\"<\/span>,\r\n \"es_port\"<\/span>: 9200,\r\n \"writeback_index\"<\/span>: \"elastalert_status\"<\/span>\r\n}<\/span>\r\n<\/code><\/pre>\n# NOTE: This config is used when testing a rule<\/span>\r\n\r\n# The elasticsearch hostname for metadata writeback<\/span>\r\n# Note that every rule can have its own elasticsearch host<\/span>\r\nes_host: doc-elastic101\r\n\r\n# The elasticsearch port<\/span>\r\nes_port: 9200\r\n\r\n# This is the folder that contains the rule yaml files<\/span>\r\n# Any .yaml file will be loaded as a rule<\/span>\r\nrules_folder: rules\r\n\r\n# How often ElastAlert will query elasticsearch<\/span>\r\n# The unit can be anything from weeks to seconds<\/span>\r\nrun_every:\r\n seconds: 5\r\n\r\n# ElastAlert will buffer results from the most recent<\/span>\r\n# period of time, in case some log sources are not in real time<\/span>\r\nbuffer_time:\r\n minutes: 1\r\n\r\n# Optional URL prefix for elasticsearch<\/span>\r\n#es_url_prefix: elasticsearch<\/span>\r\n\r\n# Connect with TLS to elasticsearch<\/span>\r\n#use_ssl: True<\/span>\r\n\r\n# Verify TLS certificates<\/span>\r\n#verify_certs: True<\/span>\r\n\r\n# GET request with body is the default option for Elasticsearch.<\/span>\r\n# If it fails for some reason, you can pass 'GET', 'POST' or 'source'.<\/span>\r\n# See http:\/\/elasticsearch-py.readthedocs.io\/en\/master\/connection.html?highlight=send_get_body_as#transport<\/span>\r\n# for details<\/span>\r\n#es_send_get_body_as: GET<\/span>\r\n\r\n# Option basic-auth username and password for elasticsearch<\/span>\r\n#es_username: someusername<\/span>\r\n#es_password: somepassword<\/span>\r\n\r\n# The index on es_host which is used for metadata storage<\/span>\r\n# This can be a unmapped index, but it is recommended that you run<\/span>\r\n# elastalert-create-index to set a mapping<\/span>\r\nwriteback_index: elastalert_status\r\n\r\n# If an alert fails for some reason, ElastAlert will retry<\/span>\r\n# sending the alert until this time period has elapsed<\/span>\r\nalert_time_limit:\r\n days: 2\r\n<\/code><\/pre>\n# The elasticsearch hostname for metadata writeback<\/span>\r\n# Note that every rule can have its own elasticsearch host<\/span>\r\nes_host: doc-elastic101\r\n\r\n# The elasticsearch port<\/span>\r\nes_port: 9200\r\n\r\n# This is the folder that contains the rule yaml files<\/span>\r\n# Any .yaml file will be loaded as a rule<\/span>\r\nrules_folder: rules\r\n\r\n# How often ElastAlert will query elasticsearch<\/span>\r\n# The unit can be anything from weeks to seconds<\/span>\r\nrun_every:\r\n seconds: 5\r\n\r\n# ElastAlert will buffer results from the most recent<\/span>\r\n# period of time, in case some log sources are not in real time<\/span>\r\nbuffer_time:\r\n minutes: 1\r\n\r\n# Optional URL prefix for elasticsearch<\/span>\r\n#es_url_prefix: elasticsearch<\/span>\r\n\r\n# Connect with TLS to elasticsearch<\/span>\r\n#use_ssl: True<\/span>\r\n\r\n# Verify TLS certificates<\/span>\r\n#verify_certs: True<\/span>\r\n\r\n# GET request with body is the default option for Elasticsearch.<\/span>\r\n# If it fails for some reason, you can pass 'GET', 'POST' or 'source'.<\/span>\r\n# See http:\/\/elasticsearch-py.readthedocs.io\/en\/master\/connection.html?highlight=send_get_body_as#transport<\/span>\r\n# for details<\/span>\r\n#es_send_get_body_as: GET<\/span>\r\n\r\n# Option basic-auth username and password for elasticsearch<\/span>\r\n#es_username: someusername<\/span>\r\n#es_password: somepassword<\/span>\r\n\r\n# The index on es_host which is used for metadata storage<\/span>\r\n# This can be a unmapped index, but it is recommended that you run<\/span>\r\n# elastalert-create-index to set a mapping<\/span>\r\nwriteback_index: elastalert_status\r\n\r\n# If an alert fails for some reason, ElastAlert will retry<\/span>\r\n# sending the alert until this time period has elapsed<\/span>\r\nalert_time_limit:\r\n days: 2\r\n<\/code><\/pre>\n\u7a0d\u540e\u4f1a\u63d0\u5230\uff0c\u7531\u4e8e\u6211\u60f3\u8981\u53d1\u9001\u90ae\u4ef6\u5230gmail\uff0c\u6211\u4f1a\u51c6\u5907\u4e00\u4e2a\u5305\u542b\u9a8c\u8bc1\u7528\u6237\u540d\u548c\u5bc6\u7801\u7684\u6587\u4ef6\u3002<\/p>\n
user: \"xxxx@gmail.com\"<\/span>\r\npassword: \"xxxx\"<\/span>\r\n<\/code><\/pre>\nversion: '3.2'<\/span>\r\nservices:\r\n elasticsearch:\r\n build:\r\n context: elasticsearch\/\r\n hostname<\/span>: doc-elastic101\r\n container_name: elastic1\r\n ports:\r\n - \"9200:9200\/tcp\"<\/span>\r\n - \"9300:9300\/tcp\"<\/span>\r\n networks:\r\n elk_nw:\r\n ipv4_address: 172.60.0.2\r\n volumes:\r\n - type<\/span>: bind\r\n source<\/span>: .\/elasticsearch\/config\/elasticsearch.yml\r\n target: \/usr\/share\/elasticsearch\/config\/elasticsearch.yml\r\n read_only: true<\/span>\r\n - type<\/span>: volume\r\n source<\/span>: elasticsearch-data\r\n target: \/usr\/share\/elasticsearch\/data\r\n extra_hosts:\r\n - \"doc-kibana101:172.60.0.4\"<\/span>\r\n\r\n kibana:\r\n build:\r\n context: kibana\/\r\n hostname<\/span>: doc-kibana101\r\n container_name: kibana1\r\n command<\/span>: sh -c<\/span> '.\/bin\/kibana-plugin list | grep elastalert-kibana-plugin@1.1.0; result=`echo $$?`; if [ $$result = 1 ]; then .\/bin\/kibana-plugin install file:\/\/\/usr\/share\/kibana\/work\/elastalert-kibana-plugin-1.1.0-7.6.2.zip && exec \/usr\/local\/bin\/kibana-docker; else exec \/usr\/local\/bin\/kibana-docker; fi'<\/span>\r\n ports:\r\n - \"5601:5601\/tcp\"<\/span>\r\n networks:\r\n elk_nw:\r\n ipv4_address: 172.60.0.4\r\n volumes:\r\n - type<\/span>: