elastalert实现飞书机器人告警-docker
文章目录
有两种方法:
方法1:直接使用官方Dockerfile自建镜像。有缺点:可能无法构建镜像,毕竟是在国内,可以用国外的服务器创建镜像
git clone https://github.com/gpYang/elastalert-feishu-plugin
git clone https://github.com/jertel/elastalert2[root@yinjiaxing elastalert2]# ls
CHANGELOG.md CONTRIBUTING.md docs elastalert-feishu-plugin LICENSE README.md requirements.txt setup.cfg tests
chart Dockerfile elastalert examples Makefile requirements-dev.txt SECURITY.md setup.py
[root@yinjiaxing elastalert2]# pwd
/opt/elastalert2/elastalert2
[root@yinjiaxing elastalert2]# cat Dockerfile
FROM python:3.10-slim as builderLABEL description="ElastAlert 2 Official Image"
LABEL maintainer="Jason Ertel"# 复制整个项目代码到构建镜像中
COPY . /tmp/elastalertRUN mkdir -p /opt/elastalert && \cd /tmp/elastalert && \pip install --upgrade pip setuptools wheel && \python setup.py sdist bdist_wheelFROM python:3.10-slimARG GID=1000
ARG UID=1000
ARG USERNAME=elastalert# 从构建阶段拷贝打包好的 elastalert 包
COPY --from=builder /tmp/elastalert/dist/*.tar.gz /tmp/RUN apt update && apt -y upgrade && \apt -y install jq curl gcc libffi-dev && \rm -rf /var/lib/apt/lists/* && \pip install /tmp/*.tar.gz && \rm -rf /tmp/* && \apt -y remove gcc libffi-dev && \apt -y autoremove && \mkdir -p /opt/elastalert && \echo "#!/bin/sh" > /opt/elastalert/run.sh && \echo "set -e" >> /opt/elastalert/run.sh && \echo "elastalert-create-index --config /opt/elastalert/config.yaml" >> /opt/elastalert/run.sh && \echo "exec elastalert --config /opt/elastalert/config.yaml \"\$@\"" >> /opt/elastalert/run.sh && \chmod +x /opt/elastalert/run.sh && \groupadd -g ${GID} ${USERNAME} && \useradd -u ${UID} -g ${GID} -M -b /opt -s /sbin/nologin \-c "ElastAlert 2 User" ${USERNAME}# 复制自定义 ElastAlert 插件模块,elastalert_modules是使用git clone下载的
COPY ./elastalert-feishu-plugin/elastalert_modules/feishu_alert.py /usr/local/lib/python3.13/site-packages/elastalert/elastalert_modules/
COPY ./elastalert-feishu-plugin/elastalert_modules/__init__.py /usr/local/lib/python3.13/site-packages/elastalert/elastalert_modules/USER ${USERNAME}
ENV TZ "UTC"WORKDIR /opt/elastalert
ENTRYPOINT ["/opt/elastalert/run.s
方法2:直接使用镜像,只需要docker pull,然后拉取elastalert_modules,启动容器后将elastalert_modules放到容器中
docker pull jertel/elastalert2# 可以使用docker-compose启动
[root@ops elastalert]# cat config.yaml
rules_folder: /opt/elastalert/rulesrun_every:seconds: 30
buffer_time:minutes: 2
es_host: 172.18.xxx
es_port: 9200
es_username: "elastic"
es_password: "Sxxxxxxxxxxx"
writeback_index: elastalert_status
max_scrolling_count: 1
alert_time_limit:days: 2#下面的docker-compose文件内容是自建的镜像而创建的容器
[root@ops elastalert]# cat docker-compose.yml
version: '3.8'services:elastalert:container_name: elastalertfsimage: elastalertfs:1.0pull_policy: neverrestart: alwaysvolumes:- /opt/elastalert/config.yaml:/opt/elastalert/config.yaml- /opt/elastalert/rules:/opt/elastalert/rules- /etc/localtime:/etc/localtime
[root@ops elastalert]# 如果是使用docker pull拉的jertel/elastalert2,还需要拉取git clone https://github.com/gpYang/elastalert-feishu-plugin,然后需要将elastalert-feishu-plugin下的feishu_alert.py cp到jertel/elastalert2(可以先启动容器,然后cp进去,因为飞书告警中需要用到feishu_alert.py中的模板)。
举例:
root@7a58e59f9e85:/opt/elastalert/rules# cat ToolsAppStatus500.yaml
name: nginx-access-alert
type: frequencyindex: nginx-*description: "1分钟内 xx.xx 域名状态码500访问超过5次告警"#统计过去一分钟数量
timeframe:minutes: 1#10分钟内不重复告警
realert:minutes: 10
query_key: server_namefilter:
- query:query_string:query: 'server_name:/.*\.txxxxp\.cn/ AND status:500'#触发告警的阈值
num_events: 5alert_text_type: alert_text_onlyalert_text: |【告警主题】 1分钟内500状态码异常访问告警【告警条件】 异常访问日志1分钟内大于5次【告警时间(UTC)】 {}【告警域名】 {}【状态码】 {}【异常状态码数量】 {}# 变量
alert_text_args:- "@timestamp"- server_name- status- num_hitsinclude:
- server_name
- statusalert:# - debug- "elastalert_modules.feishu_alert.FeishuAlert" # 需要用到elastalert_modules了
feishualert_url: "https://open.feishu.cn/open-apis/bot/v2/hook/"
feishualert_botid: "dcxxxxxxxxxxxxx19fe9"feishualert_title: "1分钟内500状态码异常访问告警"
feishualert_body:"【告警主题】: 1分钟内500状态码异常访问告警\n【告警条件】: 异常访问日志1分钟内大于5次\n【告警时间】: {feishualert_time}\n【告警域名】: {server_name}\n【状态码】: {status}\n【异常状态码数量】: {num_hits}"实现效果:
