ElasticAlert2-ELK告警+webhook配置

两行法桐2026-06-11 10:05

ELK告警+webhook配置

shell 复制代码

mkdir /opt/elasticalert2/rules -p
cd /opt/elasticalert2
vim elastalert.yaml

shell 复制代码

rules_folder: /opt/elastalert/rules

run_every:
  seconds: 10

buffer_time:
  minutes: 15

es_host: 10.2.209.146
es_port: 9200
es_username: elastic
es_password: password


writeback_index: elastalert_status

alert_time_limit:
  days: 2

配置规则

plain 复制代码

cd /opt/elasticalert2/rules
vim  bi_error_log_alert.yaml

shell 复制代码

name: "a" 
type: "frequency"
index: "app_service-*"  ##要监控的索引模式
is_enabled: true
num_events: 2
timeframe:
  minutes: 1
filter:
  - query:
      query_string:
        query: "message: \"ERROR\" and \"Exception\""  ##筛选到异常时候
## webhook告警
alert: post2
http_post2_url: "http://10.2.203.133:9669/omp/esAlert/receive"
http_post2_payload:
  content: "{{message}}"   ##把符合筛选的日志不修改直接转发

部署

shell 复制代码

docker run -d --name elastalert2 --restart=always \
-v /opt/elasticalert2/elastalert.yaml:/opt/elastalert/config.yaml \
-v /opt/elasticalert2/rules:/opt/elastalert/rules \
ghcr.io/jertel/elastalert2/elastalert2 --verbose

参考资料：

Getting Started --- ElastAlert 2 0.0.1 documentation

ELK告警设置-Elastaler2 - 自行车骑手 - 博客园