update elastalert

2026-01-03 11:34:57 +01:00 · 2019-10-30 16:11:49 +08:00
parent 32a80c9b5f
commit 3e1c0d9d79
11 changed files with 110 additions and 23 deletions
--- a/elastalert/Dockerfile
+++ b/elastalert/Dockerfile
@@ -0,0 +1,29 @@
+#
+# Dockerfile for elastalert
+#
+
+FROM python:3.6-alpine
+
+ENV ELASTALERT_VERSION=v0.2.1
+ENV ELASTALERT_HOME=/opt/elastalert
+
+WORKDIR ${ELASTALERT_HOME}
+
+RUN set -xe \
+    && apk add --no-cache -t .build-deps \
+        build-base \
+        curl \
+        libffi-dev \
+        libmagic \
+        musl-dev \
+        openssl-dev \
+        python-dev \
+        tzdata \
+    && pip install elastalert==${ELASTALERT_VERSION} \
+    && mkdir -p rules \
+    && curl -sSL https://github.com/Yelp/elastalert/raw/${ELASTALERT_VERSION}/config.yaml.example > config.yaml \
+    && apk del .build-deps
+
+VOLUME ${ELASTALERT_HOME}
+
+CMD ["elastalert", "--config", "config.yaml"]
--- a/elastalert/README.md
+++ b/elastalert/README.md
@@ -10,7 +10,7 @@ patterns of interest from data in Elasticsearch.
 $ docker-compose up -d
 $ docker-compose exec elastalert sh
 >>> cd /opt/elastalert/rules
->>> elastalert-test-rule xxx.yaml
+>>> elastalert-test-rule example.yaml
 >>> exit
 ```

--- a/elastalert/data/config.yaml
+++ b/elastalert/data/config.yaml
@@ -12,7 +12,7 @@ rules_folder: rules
 # How often ElastAlert will query elasticsearch
 # The unit can be anything from weeks to seconds
 run_every:
-  seconds: 60
+  minutes: 1

 # ElastAlert will buffer results from the most recent
 # period of time, in case some log sources are not in real time
--- a/elastalert/data/rules/example.yaml
+++ b/elastalert/data/rules/example.yaml
@@ -0,0 +1,25 @@
+name: Example rule
+
+es_host: elasticsearch
+es_port: 9200
+
+type: frequency
+
+index: logstash-*
+
+num_events: 10
+
+timeframe:
+  hours: 1
+
+filter:
+- query:
+    query_string:
+      query: 'response:[500 TO *]'
+
+alert:
+- command
+
+command:
+- echo
+- "{match[@timestamp]} {match[message]}"
--- a/elastalert/docker-compose.yml
+++ b/elastalert/docker-compose.yml
@@ -1,13 +1,13 @@
-elastalert:
-  image: bitsensor/elastalert:2.0.0
-  ports:
-    - "3030:3030"
-    - "3333:3333"
-  volumes:
-    - ./data/config.yaml:/opt/elastalert/config.yaml
-    - ./data/rules:/opt/elastalert/rules
-  external_links:
-    - elk_elasticsearch_1:elasticsearch
-# extra_hosts:
-#   - elasticsearch:1.2.3.4
-  restart: always
+version: "3.7"
+
+services:
+  elastalert:
+    image: vimagick/elastalert
+    volumes:
+      - ./data:/opt/elastalert
+    restart: unless-stopped
+
+networks:
+  default:
+    external:
+      name: elk_default