Sentinl 是 Kibana 的免费监控预警与报告插件,功能与付费的 X-Pack 类似,可以监控日志并发送报警邮件。
安装配置参考, 安装完成后,Kibana显示如下:
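每项监控通过配置 Raw(watcher 的 JSON 文档)实现报警,示例如下。示例中的 `$receive_email_address`、`$send_email_address` 和 `$token` 是占位符,需替换为实际值;其中钉钉机器人的 access_token 相当于凭据,会随 watcher 文档一起保存在 Elasticsearch 的 `watcher` 索引中,应限制该索引和 Sentinl 界面的访问权限。邮件和 webhook 正文会直接带出日志原文:若日志可能含敏感信息,发送到外部服务前应先确认;日志内容若含换行、反斜杠等字符,还可能使 webhook 请求体不再是合法 JSON,导致通知发送失败。另外,示例的查询窗口和执行周期都是 5 分钟(`now-5m`、`every 5 mins`),而邮件标题写的是“20分钟内”,使用时请让两者保持一致;条件 `payload.hits.total > 3` 表示命中数大于 3 才触发。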
Kibana Sentinl插件引入
{
"_index": "watcher",
"_type": "sentinl-watcher",
"_id": "AWcbOmz6-WMy9YXsVllm",
"_version": 1,
"found": true,
"_source": {
"title": "测试服务,容器error日志",
"disable": false,
"report": false,
"trigger": {
"schedule": {
"later": "every 5 mins"
}
},
"input": {
"search": {
"request": {
"index": [
"<logstash-{now/d}>",
"<logstash-{now/d-1d}>"
],
"body": {
"query": {
"bool": {
"must": [
{
"query_string": {
"query": "source: TestServer.error.log AND message:error AND host:*node*",
"analyze_wildcard": true
}
},
{
"range": {
"@timestamp": {
"from": "now-5m"
}
}
}
]
}
}
}
}
}
},
"condition": {
"script": {
"script": "payload.hits.total > 3"
}
},
"actions": {
"TestServer_error_log-email": {
"throttle_period": "0h5m0s",
"email": {
"to": "$receive_email_address",
"from": "$send_email_address",
"subject": "测试服务 20分钟内有3条以上error日志",
"priority": "high",
"body": "测试服务, 共发现{{payload.hits.total}}条相关日志\n部分日志摘要:\n{{payload.hits.hits.0._source.message}}\n{{payload.hits.hits.1._source.message}}\n{{payload.hits.hits.2._source.message}}"
}
},
"TestServer_error_log-dingding": {
"throttle_period": "0h5m0s",
"webhook": {
"method": "POST",
"host": "oapi.dingtalk.com",
"port": 443,
"proxy": false,
"path": "/robot/send?access_token=$token",
"body": "{\n \"msgtype\": \"text\",\n \"text\": {\n \"content\": \"测试服务, 共发现{{payload.hits.total}}条相关日志\\n\n 部分日志摘要:\\n\n {{payload.hits.hits.0._source.message}}\\n\n {{payload.hits.hits.1._source.message}}\\n\n {{payload.hits.hits.2._source.message}}\\n\n 建议使用: source: TestServer.error.log AND message:error AND host:*node* 查询语句在ELK追踪错误\"\n }\n}\n",
"create_alert": true,
"use_https": true,
"headers": {
"Content-Type": "application/json"
},
"_headers": "{\n \"Content-Type\": \"application/json\"\n}"
}
}
}
}
}