elk報警監控之sentinl 釘釘報警配置

elk報警監控之sentinl 釘釘報警配置

1.安裝sentinl

可以在線安裝 ./kibana-plugin install <https://github.com/sirensolutions/sentinl/releases/download/tag-6.2.3-3/sentinl-v6.2.4.zip&gt;

也可以離線安裝 ./kibana-plugin install file:../../sentinl-v6.2.4.zip file 關鍵字不能漏掉

[root@elk-181 bin]# ./kibana-plugin install file:/root/sentinl-v6.2.4.zip   
Attempting to transfer from file:/root/sentinl-v6.2.4.zip  
Transferring 130048021 bytes....................  
Transfer complete  
Retrieving metadata from plugin archive  
Extracting plugin archive  
Extraction complete  
Optimizing and caching browser bundles...  
Plugin installation complete

安裝sentinl後kibana可能會關閉， 啓動kibana

2.配置sentinl

1）.添加一個釘釘機器人

2）.添加一個Watchers

點擊new-> 點擊watchers前面的”加號“

將下方代碼copy其中，記住選中enadle，然後選擇保存，下次每次更改可以去input，action中直接更改保存。

{
  "actions": {
    "test-dingding": {
      "name": "waring_error_log_push_dingding",
      "throttle_period": "0h1m0s",
      "webhook": {
        "priority": "high",
        "stateless": false,
        "method": "POST",
        "host": "oapi.dingtalk.com",
        "port": "443",
        "path": "/robot/send?access_token=fxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
        "body": " {\"msgtype\": \"markdown\",\"markdown\": {\"title\":\"DEV_time.out\",\"text\": \"# Dev預警 \\t\\n ### 主機 | ```\\n{{payload.hits.hits.0._index}}\\n``` | \\t\\n ### Project | ```\\n{{payload.hits.hits.0._source.service}}\\n``` | \\t\\n ### 最近一分鐘發生次數 | ```\\n{{payload.hits.total}}\\n``` | \\t\\n ### 告警內容:```\\n{{payload.hits.hits.0._source.message}}\\n``` \\t\\n \"      }  }",
        "params": {
          "watcher": "{{watcher.title}}",
          "payload_count": "{{payload.hits.total}}"
        },
        "headers": {
          "Content-Type": "application/json"
        },
        "auth": "釘釘賬號:釘釘密碼",
        "message": "業務功能告警",
        "use_https": true,
        "save_payload": false
      }
    }
  },
  "input": {
    "search": {
      "request": {
        "index": [
          "applog-*"
        ],
        "body": {
          "query": {
            "bool": {
              "must": [
                {
                  "query_string": {
                    "analyze_wildcard": true,
                    "query": "\"error\""
                  }
                },
                {
                  "range": {
                    "@timestamp": {
                      "gte": "now-1h",
                      "lte": "now",
                      "format": "epoch_millis"
                    }
                  }
                }
              ],
              "must_not": []
            }
          }
        }
      }
    }
  },
  "condition": {
    "script": {
      "script": "payload.hits.total >=1"
    }
  },
  "transform": {},
  "trigger": {
    "schedule": {
      "later": "every 20 minutes"
    }
  },
  "disable": true,
  "report": false,
  "title": "警告和錯誤日誌推送釘釘"
}

input

condition

action

3.測試