Init

Author: sluebbert

.gitignore

@@ -0,0 +1,6 @@
+node_modules/
+test_results/
+dist/
+.nyc_output/
+.tern-project
+*.js

app.ts

@@ -0,0 +1,72 @@
+
+import { readFileSync } from "fs";
+import { RuleRunner } from './lib/ruleRunner'
+import * as yargs from 'yargs';
+import { safeLoad } from "js-yaml";
+import { Configuration } from './lib/configuration';
+import { ConsoleLogger } from "./lib/models/logging/consoleLogger";
+import { setupNumeralExtensions } from "./lib/numeralExtensions";
+
+let argv = yargs
+	.env("EA")
+	.command('test', "Test a rule. Don't schedule it to run, run it right now!")
+	.option('rule', {
+		alias: 'r',
+		description: 'Which rule or directory of rules to run.',
+		type: 'string',
+		required: true
+	})
+	.option('elasticsearchHost', {
+		alias: 'H',
+		description: 'The elasticsearch host to connect to.',
+		type: 'string',
+		required: true
+	})
+	.option('elasticsearchPort', {
+		alias: 'p',
+		description: 'The elasticsearch port to connect to.',
+		type: 'number',
+		default: 9200
+	})
+	.option('dryrun', {
+		alias: 'd',
+		description: 'Whether or not to actually send out alerts.',
+		type: 'boolean'
+	})
+	.option('outputFile', {
+		alias: 'o',
+		description: 'For dryruns, where to send the body of alerts to.',
+		type: 'string'
+	})
+	.option('logLevel', {
+		alias: 'l',
+		description: 'The log level to filter by.',
+		type: 'string',
+		default: 'Info',
+		choices: ['Verbose', 'Info', 'Warning', 'Error']
+	})
+	.config('config', 'Path to a yaml config file.', (configPath: string) =>
+	{
+		return safeLoad(readFileSync(configPath, 'utf-8'));
+	})
+	.help()
+	.alias('help', 'h')
+	.argv;
+
+setupNumeralExtensions();
+
+let config = new Configuration(argv, __dirname);
+let logger = new ConsoleLogger(config.LogLevelFilter);
+let runner = new RuleRunner(logger, config);
+
+if (argv._.includes('test'))
+{
+	runner.runTest(config);
+}
+else
+{
+	runner.run(config);
+}
+
+process.on('SIGINT', async () => { runner.stop(); process.exit(0); });
+process.on('SIGTERM', async () => { runner.stop(); process.exit(0); });

dockerfile

@@ -0,0 +1,24 @@
+FROM node:alpine
+
+ARG npm_package_name
+
+RUN apk add --update git
+
+# Create app directory
+WORKDIR /opt/${npm_package_name}/
+
+# Setup package
+COPY package*.json ./
+
+# Install app dependencies
+RUN apk add --no-cache --virtual .gyp \
+		python \
+		make \
+		g++ \
+	&& npm install --production\
+	&& apk del .gyp
+
+# Bundle app source
+COPY ./dist/ ./dist/
+
+CMD [ "npm", "start" ]

examples/config.yaml

@@ -0,0 +1,9 @@
+elasticsearchHost: elasticsearch.lan
+logLevel: Verbose
+smtp:
+  host: smtp.gmail.com
+  port: 465
+  secure: true
+  user: testUser@gmail.com
+  pass: testpass
+  

examples/rules/highCpuRule.yaml

@@ -0,0 +1,112 @@
+name: High Cpu Utilization Alert
+
+indexPattern: metricbeat-*
+
+request:
+  aggs:
+    hosts:
+      terms:
+        field: agent.hostname
+      aggs:
+        avg_cpu:
+          avg:
+            field: system.cpu.total.norm.pct
+        last_event:
+          top_hits:
+            size: 1
+        avg_cpu_filter:
+          bucket_selector:
+            buckets_path:
+              avgCpu: avg_cpu
+            script: params.avgCpu > 0.9 # Alert when average for a host is > 90%
+  query:
+    bool:
+      filter:
+        - match_all: {}
+        - match_phrase:
+            metricset.name: cpu
+        - match_phrase:
+            event.module: system
+        - range:
+            "@timestamp":
+              format: strict_date_optional_time
+              gte: now-15m
+              lte: now
+
+interval: "*/5 * * * *"
+delay: 60000 # Still run every 5 minutes, but shifted by 1 minute
+
+waitBeforeReAlert:
+  duration:
+    minutes: 14
+
+alertTrigger:
+  type: threshold
+  aggregation: count
+  operator: gt
+  value: 0
+  rowPath: aggregations.hosts.buckets
+
+alert:
+  type: tiered
+
+  restartAfterLast: true  
+
+  tiers:
+    # Tier 1
+    - type: email
+
+      to:
+        - user@gmail.com
+      from: auto@domain.com
+
+      title: 'High Cpu Utilization Alert Tier 1'
+
+      summary: 'The following servers have an average cpu utilization above 90% in the last 15 minutes.'
+
+      links:
+        - link: http://elasticsearch.lan:5601/app/infra#/infrastructure
+          text: Jump to Kibana
+
+      tables:
+        - summary: 'Results:'
+          rowPath: aggregations.hosts.buckets
+          columns:
+            - name: Host
+              valuePath: key
+            - name: Total Percent Utilized
+              valuePath: avg_cpu.value
+              type: number
+              format: 0.00%
+            - name: Cpu Count
+              valuePath: last_event.hits.hits[0]._source.system.cpu.cores
+              type: number
+
+    # Tier 2
+    - type: email
+
+      to:
+        - group@gmail.com
+      from: auto@domain.com
+
+      title: 'High Cpu Utilization Alert Tier 2'
+
+      summary: 'The following servers have an average cpu utilization above 90% in the last 30 minutes.'
+
+      links:
+        - link: http://elasticsearch.lan:5601/app/infra#/infrastructure
+          text: Jump to Kibana
+
+      tables:
+        - summary: 'Results:'
+          rowPath: aggregations.hosts.buckets
+          columns:
+            - name: Host
+              valuePath: key
+            - name: Total Percent Utilized
+              valuePath: avg_cpu.value
+              type: number
+              format: 0.00%
+            - name: Cpu Count
+              valuePath: last_event.hits.hits[0]._source.system.cpu.cores
+              type: number

examples/rules/highMemoryRule.yaml

@@ -0,0 +1,81 @@
+name: High Memory Usage Alert
+
+indexPattern: metricbeat-*
+
+request:
+  aggs:
+    hosts:
+      terms:
+        field: agent.hostname
+      aggs:
+        avg_memory:
+          avg:
+            field: system.memory.actual.used.pct
+        last_event:
+          top_hits:
+            size: 1
+        avg_memory_filter:
+          bucket_selector:
+            buckets_path:
+              avgMemory: avg_memory
+            script: params.avgMemory > 0.85 # Alert when average for a host is > 85%
+  query:
+    bool:
+      filter:
+        - match_all: {}
+        - match_phrase:
+            metricset.name: memory
+        - match_phrase:
+            event.module: system
+        - range:
+            "@timestamp":
+              format: strict_date_optional_time
+              gte: now-15m
+              lte: now
+
+interval: "*/5 * * * *"
+
+waitBeforeReAlert:
+  duration:
+    minutes: 14
+
+alertTrigger:
+  type: threshold
+  aggregation: count
+  operator: gt
+  value: 0
+  rowPath: aggregations.hosts.buckets
+
+alert:
+  type: email
+
+  to:
+    - user@gmail.com
+  from: auto@domain.com
+
+  title: 'High Memory Usage Alert'
+
+  summary: 'The following servers have an average memory usage above 85% in the last 15 minutes.'
+
+  links:
+    - link: http://elasticsearch.lan:5601/app/infra#/infrastructure
+      text: Jump to Kibana
+
+  tables:
+    - summary: 'Results:'
+      rowPath: aggregations.hosts.buckets
+      columns:
+        - name: Host
+          valuePath: key
+        - name: Total Percent in Use
+          valuePath: avg_memory.value
+          type: number
+          format: 0.00%
+        - name: Bytes in Use
+          valuePath: last_event.hits.hits[0]._source.system.memory.actual.used.bytes
+          type: number
+          format: 0.00 b
+        - name: Total Bytes
+          valuePath: last_event.hits.hits[0]._source.system.memory.total
+          type: number
+          format: 0.00 b