add elastalert

2025-02-03 13:21:49 +02:00 · 2018-08-01 16:03:18 +08:00 · 2018-08-01 16:03:18 +08:00 · f77e38fea7
commit f77e38fea7
parent d90056efe5
4 changed files with 74 additions and 0 deletions
--- a/README.md
+++ b/README.md
@ -254,6 +254,7 @@ A collection of delicious docker recipes.
 - [x] puckel/docker-airflow
 - [x] drone/drone
 - [x] drupal
+- [x] elastalert
 - [x] elk
 - [x] ghost
 - [x] gitlab/gitlab-ce
--- a/elastalert/README.md
+++ b/elastalert/README.md
@ -0,0 +1,13 @@
+ElastAlert
+==========
+
+http://elastalert.readthedocs.io/en/latest/
+
+```bash
+$ docker-compose up -d
+$ docker-compose exec elastalert sh
+>>> cd /opt/elastalert/rules
+>>> elastalert-test-rule xxx.yaml
+>>> exit
+$ docker-compose restart
+```
--- a/elastalert/data/config.yaml
+++ b/elastalert/data/config.yaml
@ -0,0 +1,49 @@
+# The elasticsearch hostname for metadata writeback
+# Note that every rule can have its own elasticsearch host
+es_host: elasticsearch
+
+# The elasticsearch port
+es_port: 9200
+
+# This is the folder that contains the rule yaml files
+# Any .yaml file will be loaded as a rule
+rules_folder: rules
+
+# How often ElastAlert will query elasticsearch
+# The unit can be anything from weeks to seconds
+run_every:
+  seconds: 60
+
+# ElastAlert will buffer results from the most recent
+# period of time, in case some log sources are not in real time
+buffer_time:
+  minutes: 15
+
+# Optional URL prefix for elasticsearch
+#es_url_prefix: elasticsearch
+
+# Connect with TLS to elasticsearch
+#use_ssl: True
+
+# Verify TLS certificates
+#verify_certs: True
+
+# GET request with body is the default option for Elasticsearch.
+# If it fails for some reason, you can pass 'GET', 'POST' or 'source'.
+# See http://elasticsearch-py.readthedocs.io/en/master/connection.html?highlight=send_get_body_as#transport
+# for details
+#es_send_get_body_as: GET
+
+# Option basic-auth username and password for elasticsearch
+#es_username: someusername
+#es_password: somepassword
+
+# The index on es_host which is used for metadata storage
+# This can be a unmapped index, but it is recommended that you run
+# elastalert-create-index to set a mapping
+writeback_index: elastalert_status
+
+# If an alert fails for some reason, ElastAlert will retry
+# sending the alert until this time period has elapsed
+alert_time_limit:
+  hours: 2
--- a/elastalert/docker-compose.yml
+++ b/elastalert/docker-compose.yml
@ -0,0 +1,11 @@
+elastalert:
+  image: bitsensor/elastalert
+  ports:
+    - "3030:3030"
+  volumes:
+    - ./data/config.yaml:/opt/elastalert/config.yaml
+    - ./data/rules:/opt/elastalert/rules
+  environment:
+    - ES_HOST=elasticsearch
+    - ES_PORT=9200
+  restart: always