文章目录
有两种方法:
方法1:直接使用官方Dockerfile自建镜像。有缺点:可能无法构建镜像,毕竟是在国内,可以用国外的服务器创建镜像
bash
git clone https://github.com/gpYang/elastalert-feishu-plugin
git clone https://github.com/jertel/elastalert2
[root@yinjiaxing elastalert2]# ls
CHANGELOG.md CONTRIBUTING.md docs elastalert-feishu-plugin LICENSE README.md requirements.txt setup.cfg tests
chart Dockerfile elastalert examples Makefile requirements-dev.txt SECURITY.md setup.py
[root@yinjiaxing elastalert2]# pwd
/opt/elastalert2/elastalert2
[root@yinjiaxing elastalert2]# cat Dockerfile
FROM python:3.10-slim as builder
LABEL description="ElastAlert 2 Official Image"
LABEL maintainer="Jason Ertel"
# 复制整个项目代码到构建镜像中
COPY . /tmp/elastalert
RUN mkdir -p /opt/elastalert && \
cd /tmp/elastalert && \
pip install --upgrade pip setuptools wheel && \
python setup.py sdist bdist_wheel
FROM python:3.10-slim
ARG GID=1000
ARG UID=1000
ARG USERNAME=elastalert
# 从构建阶段拷贝打包好的 elastalert 包
COPY --from=builder /tmp/elastalert/dist/*.tar.gz /tmp/
RUN apt update && apt -y upgrade && \
apt -y install jq curl gcc libffi-dev && \
rm -rf /var/lib/apt/lists/* && \
pip install /tmp/*.tar.gz && \
rm -rf /tmp/* && \
apt -y remove gcc libffi-dev && \
apt -y autoremove && \
mkdir -p /opt/elastalert && \
echo "#!/bin/sh" > /opt/elastalert/run.sh && \
echo "set -e" >> /opt/elastalert/run.sh && \
echo "elastalert-create-index --config /opt/elastalert/config.yaml" >> /opt/elastalert/run.sh && \
echo "exec elastalert --config /opt/elastalert/config.yaml \"\$@\"" >> /opt/elastalert/run.sh && \
chmod +x /opt/elastalert/run.sh && \
groupadd -g ${GID} ${USERNAME} && \
useradd -u ${UID} -g ${GID} -M -b /opt -s /sbin/nologin \
-c "ElastAlert 2 User" ${USERNAME}
# 复制自定义 ElastAlert 插件模块,elastalert_modules是使用git clone下载的
COPY ./elastalert-feishu-plugin/elastalert_modules/feishu_alert.py /usr/local/lib/python3.13/site-packages/elastalert/elastalert_modules/
COPY ./elastalert-feishu-plugin/elastalert_modules/__init__.py /usr/local/lib/python3.13/site-packages/elastalert/elastalert_modules/
USER ${USERNAME}
ENV TZ "UTC"
WORKDIR /opt/elastalert
ENTRYPOINT ["/opt/elastalert/run.s方法2:直接使用镜像,只需要docker pull,然后拉取elastalert_modules,启动容器后将elastalert_modules放到容器中
bash
docker pull jertel/elastalert2
# 可以使用docker-compose启动
[root@ops elastalert]# cat config.yaml
rules_folder: /opt/elastalert/rules
run_every:
seconds: 30
buffer_time:
minutes: 2
es_host: 172.18.xxx
es_port: 9200
es_username: "elastic"
es_password: "Sxxxxxxxxxxx"
writeback_index: elastalert_status
max_scrolling_count: 1
alert_time_limit:
days: 2
#下面的docker-compose文件内容是自建的镜像而创建的容器
[root@ops elastalert]# cat docker-compose.yml
version: '3.8'
services:
elastalert:
container_name: elastalertfs
image: elastalertfs:1.0
pull_policy: never
restart: always
volumes:
- /opt/elastalert/config.yaml:/opt/elastalert/config.yaml
- /opt/elastalert/rules:/opt/elastalert/rules
- /etc/localtime:/etc/localtime
[root@ops elastalert]#
如果是使用docker pull拉的jertel/elastalert2,还需要拉取git clone https://github.com/gpYang/elastalert-feishu-plugin,然后需要将elastalert-feishu-plugin下的feishu_alert.py cp到jertel/elastalert2(可以先启动容器,然后cp进去,因为飞书告警中需要用到feishu_alert.py中的模板)。
举例:
root@7a58e59f9e85:/opt/elastalert/rules# cat ToolsAppStatus500.yaml
name: nginx-access-alert
type: frequency
index: nginx-*
description: "1分钟内 xx.xx 域名状态码500访问超过5次告警"
#统计过去一分钟数量
timeframe:
minutes: 1
#10分钟内不重复告警
realert:
minutes: 10
query_key: server_name
filter:
- query:
query_string:
query: 'server_name:/.*\.txxxxp\.cn/ AND status:500'
#触发告警的阈值
num_events: 5
alert_text_type: alert_text_only
alert_text: |
【告警主题】 1分钟内500状态码异常访问告警
【告警条件】 异常访问日志1分钟内大于5次
【告警时间(UTC)】 {}
【告警域名】 {}
【状态码】 {}
【异常状态码数量】 {}
# 变量
alert_text_args:
- "@timestamp"
- server_name
- status
- num_hits
include:
- server_name
- status
alert:
# - debug
- "elastalert_modules.feishu_alert.FeishuAlert" # 需要用到elastalert_modules了
feishualert_url: "https://open.feishu.cn/open-apis/bot/v2/hook/"
feishualert_botid: "dcxxxxxxxxxxxxx19fe9"
feishualert_title: "1分钟内500状态码异常访问告警"
feishualert_body:
"
【告警主题】: 1分钟内500状态码异常访问告警\n
【告警条件】: 异常访问日志1分钟内大于5次\n
【告警时间】: {feishualert_time}\n
【告警域名】: {server_name}\n
【状态码】: {status}\n
【异常状态码数量】: {num_hits}
"实现效果:
