Configuring Filebeat alert rules on Debian requires Elasticsearch Watcher or a third-party tool such as ElastAlert on top of Filebeat itself. The steps are as follows:
Install Filebeat
sudo apt-get update && sudo apt-get install filebeat
Edit the configuration file /etc/filebeat/filebeat.yml and specify the log paths and the Elasticsearch output:
filebeat.inputs:
  - type: log
    paths: ["/var/log/*.log"]
output.elasticsearch:
  hosts: ["localhost:9200"]
Start the service:
sudo systemctl start filebeat && sudo systemctl enable filebeat
Enable Elasticsearch Watcher (optional)
If you use Watcher, enable it in the Elasticsearch configuration file /etc/elasticsearch/elasticsearch.yml:
xpack.watcher.enabled: true
Restart Elasticsearch:
sudo systemctl restart elasticsearch
Create a Watcher rule
Create the rule with Kibana Dev Tools or the HTTP API. The following example watches the filebeat-* indices for log lines containing ERROR:
PUT _watcher/watch/filebeat_error_alert
{
  "trigger": {
    "schedule": { "interval": "1m" }
  },
  "input": {
    "search": {
      "request": {
        "indices": ["filebeat-*"],
        "body": {
          "query": {
            "match": { "message": "ERROR" }
          }
        }
      }
    }
  },
  "condition": {
    "compare": {
      "ctx.payload.hits.total": { "gt": 0 }
    }
  },
  "actions": {
    "send_email": {
      "email": {
        "to": "admin@example.com",
        "subject": "Filebeat Error Alert",
        "body": "Detected ERROR logs in Filebeat."
      }
    }
  }
}
Run the command above in Kibana Dev Tools, or save the body as a JSON file and upload it through the API.
Test the rule
Manually trigger a matching log event and check that the alert e-mail arrives.
Install ElastAlert
pip install elastalert
Create the configuration file /etc/elastalert/config.yaml:
es_host: localhost
es_port: 9200
rule_folder: /etc/elastalert/rules
run_every:
  minutes: 1
Create an alert rule
Create a new file error_rule.yaml in the /etc/elastalert/rules/ directory:
name: filebeat_error_rule  # required by ElastAlert; any unique rule name
type: frequency
index: filebeat-*
num_events: 1
timeframe:
  minutes: 1
filter:
  - term:
      message: "ERROR"
alert:
  - email
email:
  - "admin@example.com"
Start ElastAlert:
elastalert --config /etc/elastalert/config.yaml
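The following Python script is an added illustration (not ElastAlert's own code) of how the frequency rule above decides when to alert: the rule parameters come from error_rule.yaml, while the sample filebeat-* documents are constructed and the term-filter logic is a simplified approximation of Elasticsearch's.

```python
from collections import deque
from datetime import datetime, timedelta, timezone

# Rule parameters from error_rule.yaml above: 1 matching event within a 1-minute timeframe.
RULE = {
    "num_events": 1,
    "timeframe": timedelta(minutes=1),
    "filter": {"term": {"message": "ERROR"}},
}

# Constructed sample documents standing in for hits from the filebeat-* index.
T0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_EVENTS = [
    {"@timestamp": T0, "message": "INFO service started"},
    {"@timestamp": T0 + timedelta(seconds=20), "message": "ERROR disk full"},
    {"@timestamp": T0 + timedelta(seconds=40), "message": "error lowercase, not a term hit"},
    {"@timestamp": T0 + timedelta(minutes=3), "message": "ERROR upstream timeout"},
]


def matches(event, flt):
    """Approximate a `term` filter as an exact, case-sensitive token match.

    Elasticsearch lowercases the tokens of an analyzed `text` field, so a
    `term` on "ERROR" can silently match nothing there, while a `match`
    query (as in the Watcher rule) is analyzed like the document itself.
    """
    (field, value), = flt["term"].items()
    return value in str(event.get(field, "")).split()


def run_frequency_rule(events, rule):
    """Return the timestamps at which the `frequency` rule would alert.

    Matches sit in a sliding window no wider than `timeframe`; once it holds
    `num_events` matches the rule alerts and drops them, so no event alerts twice.
    """
    window, alerts = deque(), []
    for ev in sorted(events, key=lambda e: e["@timestamp"]):
        if not matches(ev, rule["filter"]):
            continue
        ts = ev["@timestamp"]
        window.append(ts)
        while ts - window[0] > rule["timeframe"]:  # expire old matches
            window.popleft()
        if len(window) >= rule["num_events"]:
            alerts.append(ts)
            window.clear()
    return alerts
```

With num_events: 1 every matching document alerts on its own; raising num_events to 2 with the 1-minute timeframe yields no alert here, because the two ERROR events are more than a minute apart.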