I. Installing the Watcher plugin

1. In the ES_HOME directory, install the License plugin:

bin/plugin install license

2. Install the Watcher plugin:

bin/plugin install watcher

3. Restart Elasticsearch:

bin/elasticsearch

4. Verify that the installation succeeded:

curl -XGET 'http://localhost:9200/_watcher/stats?pretty'

A response like the following means the plugin is installed and running:

{
  "watcher_state": "started",
  "watch_count": 0,
  "execution_thread_pool": {
    "queue_size": 0,
    "max_size": 0
  }
}

II. Configuring and using Watcher (alerting on error logs)

Watcher supports four action types: Email, Webhook (calling a third-party HTTP endpoint), Index (writing to an index) and Logging (writing to the Elasticsearch log).

A watch is built in three steps:

1. Schedule the watch and define an input: the timer and the data source (here, the query that finds error records).
2. Add a condition: what must be true for the actions to run (here, whether the query returned any error records).
3. Take action: what to do once the condition is met.

Each PUT to the same watch ID replaces the earlier definition, so the three calls below progressively overwrite the single watch log_error_watch.

1. Search the logs periodically and load the result into the watch, using schedule and input (this example searches for error logs every 10 seconds):

curl -XPUT 'http://localhost:9200/_watcher/watch/log_error_watch' -d '{
  "trigger" : { "schedule" : { "interval" : "10s" } },
  "input" : {
    "search" : {
      "request" : {
        "indices" : [ "logs" ],
        "body" : { "query" : { "match" : { "message": "error" } } }
      }
    }
  }
}'

2. Add a condition: fire when the number of matching error records is greater than 0.

curl -XPUT 'http://localhost:9200/_watcher/watch/log_error_watch' -d '{
  "trigger" : { "schedule" : { "interval" : "10s" } },
  "input" : {
    "search" : {
      "request" : {
        "indices" : [ "logs" ],
        "body" : { "query" : { "match" : { "message": "error" } } }
      }
    }
  },
  "condition" : { "compare" : { "ctx.payload.hits.total" : { "gt" : 0 } } }
}'

3. Take action: when errors are detected, write a message to the Elasticsearch log.

curl -XPUT 'http://localhost:9200/_watcher/watch/log_error_watch' -d '{
  "trigger" : { "schedule" : { "interval" : "10s" } },
  "input" : {
    "search" : {
      "request" : {
        "indices" : [ "logs" ],
        "body" : { "query" : { "match" : { "message": "error" } } }
      }
    }
  },
  "condition" : { "compare" : { "ctx.payload.hits.total" : { "gt" : 0 } } },
  "actions" : {
    "log_error" : {
      "logging" : { "text" : "Found {{ctx.payload.hits.total}} errors in the logs" }
    }
  }
}'

ctx.payload holds the result of the input, so ctx.payload.hits.total is the hit count of the search response; the {{...}} placeholders in the action text are Mustache templates expanded from the same ctx.

4. When an alert is no longer needed, delete the watch promptly so it stops consuming cluster resources:

curl -XDELETE 'http://localhost:9200/_watcher/watch/log_error_watch'

Note that a stock Elasticsearch of this version does not authenticate requests to the _watcher API: anyone who can reach port 9200 can create, change or delete watches, and the http input and webhook action make the node issue outbound HTTP requests to whatever host the watch names. Keep the REST port off untrusted networks (firewall rules, a reverse proxy with authentication, or the Shield plugin) before enabling Watcher.

III. Monitoring Elasticsearch cluster status

Check the cluster status every 10 seconds; if the status is red, send an email to the operations team:

curl -XPUT 'http://localhost:9200/_watcher/watch/cluster_health_watch' -d '{
  "trigger" : { "schedule" : { "interval" : "10s" } },
  "input" : {
    "http" : {
      "request" : { "host" : "localhost", "port" : 9200, "path" : "/_cluster/health" }
    }
  },
  "condition" : { "compare" : { "ctx.payload.status" : { "eq" : "red" } } },
  "actions" : {
    "send_email" : {
      "email" : {
        "to" : "<username>@<domainname>",
        "subject" : "Cluster Status Warning",
        "body" : "Cluster status is RED"
      }
    }
  }
}'

To send email, add the following to the Elasticsearch configuration file elasticsearch.yml:

watcher.actions.email.service.account:
  work:
    profile: gmail
    email_defaults:
      from: <email>
    smtp:
      auth: true
      starttls.enable: true
      host: smtp.gmail.com
      port: 587
      user: <username>
      password: <password>

The email profile supports standard (the default), gmail and outlook. Below I use a 163 mailbox: the profile is changed to standard and the port to 25, and the 163 account must be set to allow third-party mail clients; log in with an authorization code rather than the mailbox password.

watcher.actions.email.service.account:
  work:
    profile: standard
    email_defaults:
      from: '<yourname>@163.com'
    smtp:
      auth: true
      starttls.enable: true
      host: smtp.163.com
      port: 25
      user: yourname@163.com
      password: password

The authorization code is stored in clear text in elasticsearch.yml, so restrict the file's permissions to the user Elasticsearch runs as (for example chmod 600) and revoke the code in the 163 account settings if the file is ever exposed.
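The following is an added example, not part of the original page and not Watcher's own code: an offline model of the two watches from sections II and III that builds their JSON bodies, evaluates the compare condition against the ctx.payload an input would produce, and expands the {{...}} placeholders of the actions. The sample payloads are constructed to match the shape of a search response and of GET /_cluster/health; the address ops@example.com and the put_watch helper are assumptions for illustration.

```python
"""Offline model of the watches on this page (added example, not Watcher's
own code): build the watch bodies, evaluate the `compare` condition against
a sample ctx.payload, and expand the {{...}} text of the actions."""
import json
import re
import urllib.request

# Constructed sample input results, i.e. what ctx.payload holds at run time.
# They mirror the shape of a search response and of GET /_cluster/health;
# they were not captured from a real cluster.
SAMPLE_SEARCH_PAYLOAD = {
    "took": 3,
    "timed_out": False,
    "hits": {
        "total": 2,
        "hits": [
            {"_index": "logs", "_source": {"message": "error: disk full"}},
            {"_index": "logs", "_source": {"message": "error: request timed out"}},
        ],
    },
}
SAMPLE_HEALTH_PAYLOAD = {"cluster_name": "elasticsearch", "status": "red",
                         "number_of_nodes": 1, "unassigned_shards": 5}


def log_error_watch(interval="10s", index="logs", term="error"):
    """The finished log_error_watch of section II (search input, compare
    condition, logging action) with interval, index and term parameterised."""
    return {
        "trigger": {"schedule": {"interval": interval}},
        "input": {"search": {"request": {
            "indices": [index],
            "body": {"query": {"match": {"message": term}}}}}},
        "condition": {"compare": {"ctx.payload.hits.total": {"gt": 0}}},
        "actions": {"log_error": {"logging": {
            "text": "Found {{ctx.payload.hits.total}} errors in the logs"}}},
    }


def cluster_health_watch(to_addr, interval="10s"):
    """The cluster_health_watch of section III (http input, email action)."""
    return {
        "trigger": {"schedule": {"interval": interval}},
        "input": {"http": {"request": {
            "host": "localhost", "port": 9200, "path": "/_cluster/health"}}},
        "condition": {"compare": {"ctx.payload.status": {"eq": "red"}}},
        "actions": {"send_email": {"email": {
            "to": to_addr,
            "subject": "Cluster Status Warning",
            "body": "Cluster status is RED"}}},
    }


def resolve(ctx, path):
    """Walk a dotted path such as 'ctx.payload.hits.total' into the context."""
    cur = {"ctx": ctx}
    for part in path.split("."):
        cur = cur[int(part)] if isinstance(cur, list) else cur[part]
    return cur


# Operators the compare condition accepts.
_OPS = {
    "eq": lambda actual, expected: actual == expected,
    "not_eq": lambda actual, expected: actual != expected,
    "gt": lambda actual, expected: actual > expected,
    "gte": lambda actual, expected: actual >= expected,
    "lt": lambda actual, expected: actual < expected,
    "lte": lambda actual, expected: actual <= expected,
}


def condition_met(watch, payload):
    """Evaluate the watch's compare condition against an input payload."""
    ctx = {"payload": payload}
    (path, spec), = watch["condition"]["compare"].items()
    (op, expected), = spec.items()
    return _OPS[op](resolve(ctx, path), expected)


def render(text, ctx):
    """Expand {{ctx....}} placeholders the way the action templates do."""
    return re.sub(r"\{\{\s*([\w.]+)\s*\}\}",
                  lambda m: str(resolve(ctx, m.group(1))), text)


def run_watch(watch, payload):
    """Return [(action name, rendered text)] for the actions that would fire."""
    if not condition_met(watch, payload):
        return []
    ctx = {"payload": payload}
    fired = []
    for name, action in watch["actions"].items():
        if "logging" in action:
            fired.append((name, render(action["logging"]["text"], ctx)))
        elif "email" in action:
            fired.append((name, render(action["email"]["body"], ctx)))
    return fired


def put_watch(name, watch, base_url="http://localhost:9200"):
    """PUT a watch to a live node; the only function here that uses the network
    (assumed endpoint layout from the page's curl calls, not run offline)."""
    req = urllib.request.Request(
        f"{base_url}/_watcher/watch/{name}",
        data=json.dumps(watch).encode(),
        headers={"Content-Type": "application/json"}, method="PUT")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read())


if __name__ == "__main__":
    print(json.dumps(log_error_watch(), indent=2))
    print(run_watch(log_error_watch(), SAMPLE_SEARCH_PAYLOAD))
    print(run_watch(cluster_health_watch("ops@example.com"), SAMPLE_HEALTH_PAYLOAD))
```

Running the file prints the log_error_watch body and the actions each sample payload would trigger; with a search payload whose hits.total is 0, or a health payload whose status is green or yellow, run_watch returns an empty list and nothing fires.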