Reference:
# Build and runtime dependencies for ElastAlert (Python 3.6 on a yum-based host)
yum install -y python36 gcc python36-devel git
python3 -m pip install --upgrade pip
pip3 install elastalert
# Working directory; the clone below supplies config.yaml.example and example_rules/
mkdir elastalert
cd elastalert
git clone https://github.com/Yelp/elastalert.git
cd elastalert
# Start from the shipped example config; rules/ holds the rule files referenced by rules_folder
cp config.yaml.example config.yaml
mkdir rules
vi config.yaml
rules_folder: rules
es_host: elk01.domain.com
use_ssl: True
es_username: elastic
es_password: your_passwd
verify_certs: True
ca_certs: /root/elastalert/cert/ca.crt
client_cert: /root/elastalert/cert/elk01.crt
client_key: /root/elastalert/cert/elk01.key
創建 elastalert 的日誌索引
elastalert-create-index
vi /etc/systemd/system/elastalert.service
[Unit]
Description=elastalert
After=elasticsearch.service
[Service]
Type=simple
User=root
Group=root
Restart=on-failure
WorkingDirectory=/root/elastalert/elastalert
ExecStart=/usr/bin/python3 -m elastalert.elastalert --verbose --config /root/elastalert/elastalert/config.yaml
[Install]
WantedBy=multi-user.target
systemctl enable elastalert
systemctl start elastalert
建立 alert rules
cp example_rules/example_frequency.yaml rules/login_fail_frequency.yaml
vi rules/login_fail_frequency.yaml
es_host: elk01.domain.com
use_ssl: True
es_username: elastic
es_password: your_passwd
name: login_fail_frequency
type: frequency
index: winlogbeat*
num_events: 5
timeframe:
  hours: 1
filter:
- term:
    event.code: "4625" #login fail
alert:
- "email"
email:
- "alert@domain.com"
#smtp server
smtp_host: your_mail_server
smtp_port: 25
from_addr: "elastalert@domain.com"
alert_subject: "login fail over 5 times"
systemctl restart elastalert
2022/1/15 update:
Filesystem usage over 80% example.
name: filesystem_usage
type: frequency
index: metricbeat*
num_events: 5
timeframe:
  hours: 1
query_key: [host.name, system.filesystem.mount_point]
realert:
  minutes: 10
filter:
- range:
    system.filesystem.used.pct:
      from: 0.8
      to: 1.0
alert:
- "email"
email_format: html
alert_text_type: alert_text_only
alert_text_args:
- "host.name"
- "host.ip"
- "system.filesystem.mount_point"
- "system.filesystem.used.pct"
alert_text: "
hostname: {0}<br>
host.ip: {1}<br>
mount_point: {2}<br>
used.pct: {3:.2%}" #用python formatting syntax轉為百分比
Reference: