Tags: elk elastalert elasticsearch
Each rule defines the query to run, the parameters that trigger a match, and the list of alerts to fire for each match. We will use example_rules/example_frequency.yaml as the template:
```yaml
# (Required)
# Rule name, must be unique
name: Example frequency rule

# (Required)
# Type of alert.
# the frequency rule type alerts when num_events events occur within timeframe
type: frequency

# (Required)
# Index to search, wildcard supported
index: logstash-*

# (Required, frequency specific)
# Alert when this many documents matching the query occur within a timeframe
num_events: 50

# (Required, frequency specific)
# num_events must occur within this amount of time to trigger an alert
timeframe:
  hours: 4

# (Required)
# A list of Elasticsearch filters used to find events
# These filters are joined with AND and nested in a filtered query
# For more info: http://www.elasticsearch.org/guide/en/elasticsearch/reference/current/query-dsl.html
filter:
- term:
    some_field: "some_value"

# (Required)
# The alert is used when a match is found
alert:
- "email"

# (required, email specific)
# a list of email addresses to send alerts to
email:
```
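To show what the frequency rule above actually computes, here is an added Python model (not ElastAlert's own code) that applies the template's filter, num_events and timeframe to constructed sample events. The rule dict stands in for the loaded YAML, with num_events lowered to 3 so the sample stays short.

```python
from collections import deque
from datetime import datetime, timedelta
# The frequency rule from the template above, as the dict ElastAlert gets
# after loading the YAML (num_events lowered to 3 so the sample stays short).
RULE = {
    "name": "Example frequency rule", "type": "frequency", "index": "logstash-*",
    "num_events": 3, "timeframe": {"hours": 4},
    "filter": [{"term": {"some_field": "some_value"}}],
    "alert": ["email"],
}

def matches_filter(rule, event):
    """AND-join the rule's filters; only the template's 'term' filter is modelled."""
    for f in rule["filter"]:
        for field, value in f.get("term", {}).items():
            if event.get(field) != value:
                return False
    return True

def find_matches(rule, events):
    """Return the timestamps at which the rule fires (events sorted by time).
    A sliding window holds the matching hits of the last 'timeframe'; when it
    reaches num_events the rule fires and the window is cleared, so one burst
    raises one alert (simplified model of ElastAlert's FrequencyRule)."""
    span = timedelta(**rule["timeframe"])
    window, fired = deque(), []
    for ev in events:
        if not matches_filter(rule, ev):
            continue
        ts = ev["@timestamp"]
        window.append(ts)
        while ts - window[0] > span:      # drop hits older than the timeframe
            window.popleft()
        if len(window) >= rule["num_events"]:
            fired.append(ts)
            window.clear()
    return fired

# Constructed sample: a burst of three hits within four hours, one event that
# fails the filter, then hits too spread out to trigger again.
T0 = datetime(2017, 11, 1, 8, 0)
SAMPLE_EVENTS = [
    {"@timestamp": T0, "some_field": "some_value"},
    {"@timestamp": T0 + timedelta(hours=1), "some_field": "other"},
    {"@timestamp": T0 + timedelta(hours=2), "some_field": "some_value"},
    {"@timestamp": T0 + timedelta(hours=3), "some_field": "some_value"},
    {"@timestamp": T0 + timedelta(hours=9), "some_field": "some_value"},
    {"@timestamp": T0 + timedelta(hours=14), "some_field": "some_value"},
]
```

Running find_matches(RULE, SAMPLE_EVENTS) fires once, at the third matching hit (11:00); the later hits never accumulate three within four hours.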
This article is from the "Xiaoke" blog; please keep this attribution: http://kexiaoke.blog.51cto.com/5530023/1977815