ELK Sentinl报警

ELK Sentinl报警

八月 23, 2018

环境:
elasticsearch-6.3.1.rpm
kibana-6.2.2-x86_64.rpm (kibana-6.3.1-x86_64.rpm 安装 Sentinl 失败)
td-agent-3.2.0-0.el7.x86_64.rpm

#  /usr/share/kibana/bin/kibana-plugin install https://github.com/sirensolutions/sentinl/releases/download/tag-6.2.2/sentinl-v6.2.2.zip

# cat /etc/kibana/kibana.yml
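sentinl:
  settings:
    email:
      active: true
      # SMTP account Sentinl uses to send the alert e-mails.
      user: zhaodan@XX.cn
      # Value redacted on the page. The real secret sits here in plaintext, so
      # keep kibana.yml readable only by the kibana service user and out of VCS.
      # Quoted because a plain scalar starting with `*` is parsed as a YAML
      # alias (an unknown one here) and the file fails to load; the same applies
      # to a real password that begins with `*`, `&`, `#`, `[`, `{` or a quote.
      password: "********"
      host: smtp.exmail.qq.com
      # TLS to the SMTP server, so the credential above is not sent in clear.
      ssl: true
      # Unit not stated on the page; presumably milliseconds — confirm against
      # the Sentinl documentation.
      timeout: 10000
    report:
      active: false
      # tmp_path: /tmp/

# Binding to a non-loopback address exposes the Kibana UI (and with it the
# Sentinl watcher editor) to the network; put authentication and TLS in front
# of it if the segment is not fully trusted.
server.port: 5601
# Straight ASCII quotes: the page had curly quotes here, which leave the scalar
# unterminated / include the quote character in the host value.
server.host: "172.x.x.x"
# Plain http: Kibana<->Elasticsearch traffic is unencrypted and unauthenticated
# as written; acceptable only on a trusted network segment.
elasticsearch.url: "http://172.x.x.x:9200"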
{
  "actions": {
    "apache-arm": {
      "throttle_period": "0h15m0s",
      "email": {
        "to": "zhaodan@xx.cn",
        "from": "zhaodan@xx.cn",
        "subject": "Alarm",
        "priority": "high",
        "body": "Found {{payload.hits.total}} Events"
      }
    }
  },
  "input": {
    "search": {
      "request": {
        "index": [
          "fluentd-apache*"
        ],
        "body": {
          "size": 100,
          "query": {
            "bool": {
              "filter": {
                "range": {
                  "@timestamp": {
                    "from": "now-1h"
                  }
                }
              }
            }
          }
        }
      }
    }
  },
  "condition": {
    "script": {
      "script": "payload.hits.total > 100"
    }
  },
  "transform": {},
  "trigger": {
    "schedule": {
      "later": "every 5 minutes"
    }
  },
  "disable": false,
  "report": false,
  "title": "fluentd-apache"
}
# yum install httpd

# cat /etc/td-agent/td-agent.conf
# Accepts events from other Fluentd / fluent-logger clients over TCP.
# NOTE(review): no `bind` is set, so in_forward listens on every interface, and
# there is no <security> / <transport tls> section, so any host that can reach
# port 24224 can inject arbitrary events into this pipeline (and thus into the
# indices the Sentinl watcher alerts on). Bind it to loopback or a management
# interface, add shared-key or TLS authentication, or drop this <source> if only
# the local Apache tail below is needed.
<source>
  @type forward
  port 24224
</source>
####################################
# Tails the local Apache access log, parses each line with the built-in apache2
# format and tags the events apache.access.
# NOTE(review): td-agent runs as its own service user; confirm it can read
# /var/log/httpd/access_log (on RHEL-family hosts the directory is typically
# root-only), otherwise this source silently produces nothing.
<source>
  @type tail
  path /var/log/httpd/access_log
  pos_file /var/log/td-agent/httpd-access.log.pos
  tag apache.access
  <parse>
    @type apache2
  </parse>
</source>
####################################
# Events tagged debug.* go to stdout only. Match order matters: Fluentd uses the
# first <match> that fits, so this block must stay above the catch-all below.
<match debug.**>
  @type stdout
</match>
####################################
# Catch-all: every remaining event is copied to Elasticsearch and to stdout
# (the stdout store duplicates the full log stream into td-agent's own log).
<match *.**>
  @type copy
  <store>
    @type elasticsearch
    # Plain HTTP with no credentials: anything between td-agent and
    # 172.x.x.x:9200 sees the access-log data in clear; keep this on a trusted
    # segment or put TLS/authentication in front of Elasticsearch.
    host 172.x.x.x
    port 9200
    # Daily indices named fluentd-<tag>-YYYYMMDD (e.g. fluentd-apache.access-20180823),
    # which is what the Sentinl watcher's "fluentd-apache*" index pattern selects.
    # NOTE(review): the ${tag} placeholder is only expanded when the buffer is
    # chunked by tag (a <buffer tag> section) — verify the index names actually
    # created, otherwise the watcher pattern may never match.
    logstash_format true
    logstash_prefix fluentd-${tag}
    logstash_dateformat %Y%m%d
    # Copy the Fluentd tag into each document under the @log_name field.
    include_tag_key true
    type_name access_log
    tag_key @log_name
    flush_interval 1s
  </store>
  <store>
    @type stdout
  </store>
</match>

sentinl1.png
sentinl2.png
sentinl3.png
sentinl4.png