
Install python3-pip

sudo apt-get install -y python3-pip

Install elastalert

pip3 install elastalert

Set environment variables

vi ~/.profile
# add the two lines below to ~/.profile (pip3 --user installs binaries under ~/.local/bin)
export PIP_MODULE_HOME=/home/ubuntu/.local
export PATH=$PATH:$PIP_MODULE_HOME/bin
source ~/.profile

Write config.yaml

  • Path: /home/ubuntu/elastalert/config.yaml
wget https://raw.githubusercontent.com/Yelp/elastalert/master/config.yaml.example \
&& mv config.yaml.example config.yaml
# This is the folder that contains the rule yaml files
# Any .yaml file will be loaded as a rule
rules_folder: /home/ubuntu/elastalert/rules

# How often ElastAlert will query Elasticsearch
# The unit can be anything from weeks to seconds
run_every:
  minutes: 1

# ElastAlert will buffer results from the most recent
# period of time, in case some log sources are not in real time
buffer_time:
  minutes: 15

# The Elasticsearch hostname for metadata writeback
# Note that every rule can have its own Elasticsearch host
es_host: elasticsearch.example.com

# The Elasticsearch port
es_port: 9200

# The index on es_host which is used for metadata storage
# This can be an unmapped index, but it is recommended that you run
# elastalert-create-index to set a mapping
writeback_index: elastalert_status
writeback_alias: elastalert_alerts

# If an alert fails for some reason, ElastAlert will retry
# sending the alert until this time period has elapsed
alert_time_limit:
  days: 2

Write rule.yaml

  • Path: /home/ubuntu/elastalert/rules/nginx-response-fail-rule.yaml
# Alert when the rate of events exceeds a threshold

# (Required)
# Rule name, must be unique
name: nginx-response-fail-rule

# (Required)
# Type of alert.
# the frequency rule type alerts when num_events events occur with timeframe time
# type: frequency
type: frequency

# (Required)
# Index to search, wildcard supported
index: nginx-log-*

# use_strftime_index: true

# (Required, frequency specific)
# Alert when this many documents matching the query occur within a timeframe
num_events: 1

# (Required, frequency specific)
# num_events must occur within this amount of time to trigger an alert
timeframe:
  hours: 1

# (Required)
# A list of Elasticsearch filters used to find events
# These filters are joined with AND and nested in a filtered query
# For more info: http://www.elasticsearch.org/guide/en/elasticsearch/reference/current/query-dsl.html
filter:
- query:
    query_string:
        query: "!response_code: 200"

# (Required)
# The alert is used when a match is found
alert:
- command

# match[@timestamp] and %(@timestamp)s don't seem to work well...
command: "echo Hello World >> /home/ubuntu/elastalert/alert.log"
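To make the frequency semantics of the rule above concrete (num_events matches of the `!response_code: 200` filter inside a sliding `timeframe` window), here is an added example that models that logic in Python over constructed nginx-style documents; it is not ElastAlert's own code, and its realert handling (clearing the window after firing) is a simplification.

```python
# Added example (not from the post or ElastAlert): a minimal model of the
# frequency rule in nginx-response-fail-rule.yaml, run over constructed documents.
from collections import deque
from datetime import datetime, timedelta

# Rule parameters taken from the post's rule.yaml
NUM_EVENTS = 1
TIMEFRAME = timedelta(hours=1)


def matches_filter(event):
    """Mirror the rule's query_string filter '!response_code: 200'."""
    return event["response_code"] != 200


def frequency_alerts(events, num_events=NUM_EVENTS, timeframe=TIMEFRAME):
    """Return the timestamps at which a frequency rule would fire.

    Events must be sorted by '@timestamp'. A document is a match when it
    passes the filter; the rule fires once num_events matches fall inside a
    sliding window of length timeframe. Clearing the window after firing is
    an assumption that stands in for ElastAlert's realert handling.
    """
    window = deque()
    fired = []
    for ev in events:
        if not matches_filter(ev):
            continue
        ts = datetime.fromisoformat(ev["@timestamp"])
        window.append(ts)
        # drop matches that fell out of the timeframe
        while window and ts - window[0] > timeframe:
            window.popleft()
        if len(window) >= num_events:
            fired.append(ts.isoformat())
            window.clear()
    return fired


# Constructed sample documents resembling what nginx-log-* would hold
SAMPLE_EVENTS = [
    {"@timestamp": "2020-12-28T10:00:00", "response_code": 200},
    {"@timestamp": "2020-12-28T10:05:00", "response_code": 502},
    {"@timestamp": "2020-12-28T10:06:00", "response_code": 200},
    {"@timestamp": "2020-12-28T11:30:00", "response_code": 404},
]

if __name__ == "__main__":
    for ts in frequency_alerts(SAMPLE_EVENTS):
        print(f"alert at {ts}")          # fires on each non-200 with num_events: 1
    print(frequency_alerts(SAMPLE_EVENTS, num_events=3))  # [] with the same data
```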

Create the elastalert indices

  • Creates the elastalert_** indices in Elasticsearch
elastalert-create-index --config /home/ubuntu/elastalert/config.yaml

Test the elastalert configuration

elastalert-test-rule --config \
/home/ubuntu/elastalert/config.yaml \
/home/ubuntu/elastalert/rules/nginx-response-fail-rule.yaml

Run elastalert

elastalert --verbose --config /home/ubuntu/elastalert/config.yaml

Check that alert.log is created

cat /home/ubuntu/elastalert/alert.log