1、docker安装elk
镜像:sebp/elk
挂出的端口:5044,5601,9200,9300
2、进入容器,安装sentinl插件
进入kibana安装目录:/etc/kibana/bin ,执行:
./kibana-plugin install https://github.com/sirensolutions/sentinl/releases/download/tag-6.2.3-3/sentinl-v6.2.4.zip
安装完成后重启elk容器
3、获取钉钉报警机器人的webhook链接
在sentinl里面加一个watcher:
Input填入:
{ "search": { "request": { "index": [ "*" ], "body": { "query": { "bool": { "must": [ { "query_string": { "analyze_wildcard": true, "query": "\"error\"" } }, { "range": { "@timestamp": { "gte": "now-10m", "lte": "now", "format": "epoch_millis" } } } ], "must_not": [] } } } } } }condition填入:{ "script": { "script": "payload.hits.total > 1" } }添加一个webhook的action:
以上所有配置根据自己需要修改,附上钉钉的demo地址:
https://open-doc.dingtalk.com/docs/doc.htm?spm=a219a.7629140.0.0.karFPe&treeId=257&articleId=105735&docType=1#s0
成功报警。