ELK基於X-Pack Watcher 日誌監控釘釘報警

參考
https://help.aliyun.com/document_detail/74927.html?spm=a2c4g.11186623.6.639.47e8266aHAxbMV

安裝nginx 和 配置nginx

user www www;
worker_processes 8; #設置值和CPU核心數一致
error_log /usr/local/webserver/nginx/logs/nginx_error.log crit; #日誌位置和日誌級別
pid /usr/local/webserver/nginx/nginx.pid;
#Specifies the value for maximum file descriptors that can be opened by this process.
worker_rlimit_nofile 65535;
events
{
  use epoll;
  worker_connections 65535;
}
http
{
  include mime.types;
  default_type application/octet-stream;
  log_format main  '$remote_addr - $remote_user [$time_local] "$request" '
               '$status $body_bytes_sent "$http_referer" '
               '"$http_user_agent" $http_x_forwarded_for';
  
#charset gb2312;
     
  server_names_hash_bucket_size 128;
  client_header_buffer_size 32k;
  large_client_header_buffers 4 32k;
  client_max_body_size 8m;
     
  sendfile on;
  tcp_nopush on;
  keepalive_timeout 60;
  tcp_nodelay on;
  fastcgi_connect_timeout 300;
  fastcgi_send_timeout 300;
  fastcgi_read_timeout 300;
  fastcgi_buffer_size 64k;
  fastcgi_buffers 4 64k;
  fastcgi_busy_buffers_size 128k;
  fastcgi_temp_file_write_size 128k;
  gzip on; 
  gzip_min_length 1k;
  gzip_buffers 4 16k;
  gzip_http_version 1.0;
  gzip_comp_level 2;
  gzip_types text/plain application/x-javascript text/css application/xml;
  gzip_vary on;
 
  #limit_zone crawler $binary_remote_addr 10m;
 #下面是server虛擬主機的配置
 server
  {
    listen 80;#監聽端口
    server_name 127.0.0.1;#域名
    index index.html index.htm index.php;
    root /usr/local/webserver/nginx/html;#站點目錄
      location ~ .*\.(php|php5)?$
    {
      #fastcgi_pass unix:/tmp/php-cgi.sock;
      fastcgi_pass 127.0.0.1:9000;
      fastcgi_index index.php;
      include fastcgi.conf;
    }
    location ~ .*\.(gif|jpg|jpeg|png|bmp|swf|ico)$
    {
      expires 30d;
  # access_log off;
    }
    location / {
      allow 192.168.0.0/16;
      allow 172.18.0.0/16;
      deny all;
      proxy_pass <釘釘機器人地址>;
    }
    location ~ .*\.(js|css)?$
    {
      expires 15d;
   # access_log off;
    }
    access_log off;
  }

}

## 備註 ###
nginx 只准內網訪問  （添加安全組或以下方法）
#配置清單
location / {
  # block one workstation 禁止單個ip
  deny    192.168.0.1;
  # allow anyone in 192.168.1.0/24
  allow   192.168.0.0/16;
  # drop rest of the world
  deny    all;
}
 

kibana 配置報警文檔
在左側菜單欄，單擊Dev Tools（開發工具）。
在Console中執行如下命令創建一個報警文檔。
以下示例以創建s1爲例，每隔1800s查詢logs索引中是否出現error日誌，如果出現5次以上則觸發報警。

PUT _xpack/watcher/watch/s1
{
  "trigger": {
    "schedule": {
      "interval": "1800s"
    }
  },
  "input": {
    "search": {
      "request": {
        "indices": ["s1-*"],
        "body": {
          "query": {
            "match": {
              "message": "error"
            }
          }
        }
      }
    }
  },
  "condition": {
    "compare": {
      "ctx.payload.hits.total": {
        "gt": 5
      }
    }
  },
  "actions" : {
  "test_issue" : {
    "webhook" : {
      "method" : "POST",
      "url" : "http://192.168.0.5:80",
      "body" : "{\"msgtype\": \"text\", \"text\": { \"content\": \"s1 error 日誌出現了(30分鐘內大於5次），請儘快處理\"}}"
    }
  }
}
}

刪除

DELETE _xpack/watcher/watch/s1

查詢

GET _xpack/watcher/watch/s1