ElastAlert Metadata Index
ElastAlert 元数据索引
ElastAlert uses Elasticsearch to store various information about its state. This not only allows for some level of auditing and debugging of ElastAlert’s operation, but also to avoid loss of data or duplication of alerts when ElastAlert is shut down, restarted, or crashes. This cluster and index information is defined in the global config file withes_host,es_portandwriteback_index. ElastAlert must be able to write to this index. The script,elastalert-create-indexwill create the index with the correct mapping for you, and optionally copy the documents from an existing ElastAlert writeback index. Run it and it will prompt you for the cluster information.
ElastAlert 使用 Elasticsearch 存储关于其状态的各种信息.这不仅仅支持对ElastAlert的各种操作进行审计和调试,而且可以避免在ElastAerlt关闭/重启或者崩溃时丢失数据或者重复警报.全局配置文件(config.yaml)中的es_host,es_port和writeback_index定义存储节点以及索引.ElastAlert必须能够写入此索引.命令elastalert-create-index将会帮你创建具有正确映射的索引,并且可选的从ElastAlert的回写索引中复制文档.运行时它会提醒你关于节点的相关信息.
ElastAlert will create three different types of documents in the writeback index:
ElastAlert 将会在回写索引中创建三个不同类型的文档.
elastalert_status
elastalert_statusis a log of the queries performed for a given rule and contains:
elastalert_status是对给定规则执行的查询的日志,它包含:
@timestamp: The time when the document was uploaded to Elasticsearch. This is after a query has been run and the results have been processed. : 文档上传到 Elasticsearch 的时间.它是在运行查询并且已经处理结果之后。rule_name: The name of the corresponding rule. : 相应规则的名称.starttime: The beginning of the timestamp range the query searched. : 执行查询的时间戳范围的开始时间点.endtime: The end of the timestamp range the query searched. : 执行查询的时间戳范围的结束时间点.hits: The number of results from the query. : 查询结果的数量.matches: The number of matches that the rule returned after processing the hits. Note that this does not necessarily mean that alerts were triggered. : 规则返回的,与经过处理的hits匹配的数量.注意,这并非意味着警报一定是触发了的.time_taken: The number of seconds it took for this query to run. : 此查询运行所需的秒数.
elastalert_statusis what ElastAlert will use to determine what time range to query when it first starts to avoid duplicating queries. For each rule, it will start querying from the most recent endtime. If ElastAlert is running in debug mode, it will still attempt to base its start time by looking for the most recent search performed, but it will not write the results of any query back to Elasticsearch.
elastalert_status 是 ElastAlert 在首次启动时用来确定时间范围以避免重复查询,针对每一个规则,它将根据频率最高的endtime启动查询.如果 ElastAlert 在调试模式下运行,它仍然试图以频率最高的查询的开始时间为基础运行,但它并不会将任何查询的结果回写到 Elasticsearch 当中.
elastalert
elastalertis a log of information about every alert triggered and contains:
elastalert 是所有处罚警报的信息日志,它包含如下内容:
@timestamp: The time when the document was uploaded to Elasticsearch. This is not the same as when the alert was sent, but rather when the rule outputs a match. : 文档上传到 Elastsearch 的时间.这与警报发送的时间不同,而是规则输出匹配的时间.rule_name: The name of the corresponding rule. : 相应的规则名称.alert_info: This contains the output of Alert.get_info, a function that alerts implement to give some relevant context to the alert type. This may contain alert_info.type, alert_info.recipient, or any number of other sub fields.该值包含 Alert.get_info 的输出内容,一个警报用来实现提供上下文信息给到警报类型的函数.其中可能包含 alert_info.type,alert_info.recipient,或者任意数量的其他的子字段.
alert_sent: A boolean value as to whether this alert was actually sent or not. It may be false in the case of an exception or if it is part of an aggregated alert. : 一个布尔值确定警报是否发送成功.在异常的情况下(exception)或者警报是聚合警报的一部分时存在失败的可能性.alert_time: The time that the alert was or will be sent. Usually, this is the same as @timestamp, but may be some time in the future, indicating when an aggregated alert will be sent. : 警报将或者已经发送的时间.通常情况下,该值与 @timestamp 相同,但是有可能会是未来的某个时间,这说明一个汇总的警报将会被发送.match_body: This is the contents of the match dictionary that is used to create the alert. The subfields may include a number of things containing information about the alert. : 该内容是匹配的字典数据,它将用来创建警报.子区域当中可能包含一些有关警报信息的内容.alert_exception: This field is only present when the alert failed because of an exception occurring, and will contain the exception information. : 该字段仅仅在警报因为发生了一些异常而失败才会触发,而且它将包含异常信息.aggregate_id: This field is only present when the rule is configured to use aggregation. The first alert of the aggregation period will contain an alert_time set to the aggregation time into the future, and subsequent alerts will contain the document ID of the first. When the alert_time is reached, all alerts with that aggregate_id will be sent together. : 该字段仅在规则中配置了使用聚合(aggregation)时才会触发.汇总期间第一个警报将包含 alert/_time ,它将把聚合设置到未来的某个时间点,发送的警报将包含第一个文档的 ID.当满足alert_time时,所有的警报以及aggregate_id将一同发送.
elastalert_error
When an error occurs in ElastAlert, it is written to both Elasticsearch and to stderr. Theelastalert_errortype contains:
当 ElastAlert 发生错误时,它将同时将其写入 Elastsearch 以及标准错误(stderr:Linux的标准错误,相应的stdin为标准输入,stdout为标准输出.),elastalert_error类型包含以下几个字段:
@timestamp: 错误发生的时间点.message: 错误或异常消息.traceback: 当错误发生时的追溯.data: 关于错误的额外信息。这通常包含导致错误的规则的名称。
silence
silenceis a record of when alerts for a given rule will be suppressed, either because of arealertsetting or from using –silence. When an alert withrealertis triggered, asilencerecord will be written withuntilset to the alert time plusrealert.
silence 是给出的警报被抑制住的记录,有可能因为配置了realert或者使用了 -silence后缀.当警报的realert被触发,silence记录将会写入until设置为警报时间加realert.
@timestamp: The time when the document was uploaded to Elasticsearch. : 文档上传到 Elasticsearch 的时间.rule_name: The name of the corresponding rule. : 相应的规则名称.until: The timestamp when alerts will begin being sent again. : 警报将再次开始发送的时间戳.exponent: The exponential factor which multipliesrealert.The length of this silence is equal torealert* 2**exponent. This will be 0 unlessexponential_realertis set. : 指数因子乘以realert.该silence的长度等于realert* 2**exponent. 在没有设置exponential_realert的情况下,该值将为0.
Whenever an alert is triggered, ElastAlert will check for a matchingsilencedocument, and if theuntiltimestamp is in the future, it will ignore the alert completely. See the Running ElastAlert section for information on how to silence an alert.
每当触发警报时,ElastAlert 将检查匹配的silence文档,如果until时间戳在将来,它会完全忽略警报.查看Running ElastAlert章节了解如何沉默(silence)一个警报.