So I have an ELK stack that gets a new entry every time someone downloads a file from my server. In my use case I have a list of clients, and each of them is supposed to download exactly once per hour.
I want to be alerted when the same filename shows up twice for a given client, because that means something went wrong at t0 and the client retried the same download at t0 + 1h.
Here is my rule YAML file:
```yaml
index: myindex-*
name: Checks that clients never download the same file twice
type: cardinality
# Contains the name of the downloaded file, which is always unique
cardinality_field: "Object.name"
# For debugging it's easier to alert on the legit cases
# The real-life condition would rather be "max_cardinality: 1"
min_cardinality: 100
timeframe:
  minutes: 1
# Downloader's IP address, so that the rule is applied for each client separately
query_key: "Context.headers.X-Forwarded-For"
alert:
  - "command"
command: ["echo", "{index_type}", "{@timestamp}", "{Actor[customerName]}", "{Context[headers[X-Forwarded-For]]}", "{Object[name]}"]
```
The "command" is only there for debugging; it will become more complex over time. In the meantime, this is the echo I get:

```text
<MISSING VALUE> 2018-08-24T13:52:52.923Z {Actor[customerName]} {Context[headers[X-Forwarded-For]]} {Object[name]}
```

Any idea why some fields are either not recognized as variables or appear to be "null" or something similar? I do see in Kibana the log entry matching the timestamp echoed here, with Object.name etc. set correctly.
Here is my YAML config file:
```yaml
rules_folder: example_rules
run_every:
  minutes: 1
buffer_time:
  minutes: 15
es_host: 172.28.0.62
es_port: 9200
writeback_index: elastalert_status
alert_time_limit:
  days: 2
```
And finally the command I use to run Elasticsearch:

```sh
elastalert --rule example_rules/test.yml --conf elastalert_config.yml
```
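The following is an added example, not ElastAlert's code and not part of the question above. It emulates the two pieces the rule relies on: a cardinality count kept per `query_key` value over a trailing timeframe, and rendering the command-alert arguments from the matched event with Python's new-style format fields (`{Actor[customerName]}`, with a missing top-level field rendered as `<MISSING VALUE>`, as in the echoed output). The events, IP addresses, customer names and filenames are constructed sample data, and the rule dictionary mirrors the question's rule with `max_cardinality: 1` (the "real-life condition" the comment mentions) and a two-hour timeframe chosen here. Only the `max_cardinality` form is modelled. Running it also makes one behaviour visible that is worth checking before relying on this rule: cardinality counts distinct values, so a client downloading the same file twice leaves its count at 1, while a client downloading two different files crosses the limit.

```python
"""Added example (not ElastAlert's own code): emulate a cardinality rule grouped
by query_key and render command-alert arguments from the matched event.
All events, IPs, customer names and filenames below are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

MISSING = "<MISSING VALUE>"          # placeholder for a field absent from the match
T0 = datetime(2018, 8, 24, 13, 0)    # constructed base time for the sample events


def lookup_key(event, dotted):
    """Resolve a dotted path such as "Object.name" inside a nested dict."""
    cur = event
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


class _MatchDict(dict):
    """format_map helper: an unknown top-level field name renders as MISSING."""
    def __missing__(self, key):
        return MISSING


def render_args(args, match):
    """Render command arguments with Python new-style format fields.

    Nested keys are chained as "{Context[headers][X-Forwarded-For]}"; a dotted
    "{Object.name}" would be read as attribute access and fail. Keeping the
    command as a list (as the rule above does) means field values are never
    handed to a shell for interpretation when the command is later executed."""
    rendered = []
    for arg in args:
        try:
            rendered.append(arg.format_map(_MatchDict(match)))
        except (KeyError, IndexError, TypeError, AttributeError):
            # e.g. "{Actor[customerName]}" when "Actor" itself is absent
            rendered.append(MISSING)
    return rendered


def evaluate_rule(events, rule):
    """Emulate a max_cardinality rule: per query_key value, count the distinct
    cardinality_field values seen within the trailing timeframe and return
    (key, rendered command) for every event that pushes the count over the limit."""
    timeframe = timedelta(**rule["timeframe"])
    seen = defaultdict(dict)         # query_key value -> {field value: last seen}
    alerts = []
    for ev in sorted(events, key=lambda e: e["@timestamp"]):
        key = lookup_key(ev, rule["query_key"])
        value = lookup_key(ev, rule["cardinality_field"])
        now = ev["@timestamp"]
        cache = seen[key]
        cache[value] = now
        for stale in [v for v, t in cache.items() if now - t > timeframe]:
            del cache[stale]
        # A repeated identical filename leaves the distinct count unchanged.
        if len(cache) > rule["max_cardinality"]:
            alerts.append((key, render_args(rule["command"], ev)))
    return alerts


def sample_events():
    """Constructed download records shaped like the documents in the question."""
    def ev(minutes, ip, customer, name):
        return {
            "@timestamp": T0 + timedelta(minutes=minutes),
            "Actor": {"customerName": customer},
            "Context": {"headers": {"X-Forwarded-For": ip}},
            "Object": {"name": name},
        }
    return [
        ev(0, "10.0.0.1", "acme", "export-0001.csv"),
        ev(0, "10.0.0.2", "globex", "export-0002.csv"),
        ev(60, "10.0.0.1", "acme", "export-0001.csv"),    # retry of the same file
        ev(60, "10.0.0.2", "globex", "export-0003.csv"),  # second distinct file
    ]


# Mirrors the question's rule; "index_type" is deliberately not a field of the
# event, so it renders as MISSING just like the echoed output.
RULE = {
    "cardinality_field": "Object.name",
    "query_key": "Context.headers.X-Forwarded-For",
    "timeframe": {"hours": 2},
    "max_cardinality": 1,
    "command": ["echo", "{index_type}", "{@timestamp}", "{Actor[customerName]}",
                "{Context[headers][X-Forwarded-For]}", "{Object[name]}"],
}

if __name__ == "__main__":
    for key, cmd in evaluate_rule(sample_events(), RULE):
        print(key, cmd)
```

With the sample data only the second client alerts, and its rendered command reads `['echo', '<MISSING VALUE>', '2018-08-24 14:00:00', 'globex', '10.0.0.2', 'export-0003.csv']`; the retrying first client never crosses `max_cardinality: 1` because its two events carry the same filename.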