Elasticsearch: Configure a DingTalk robot to receive X-Pack Watcher alerts

Last Updated: Mar 26, 2026

X-Pack Watcher monitors your Alibaba Cloud Elasticsearch cluster and triggers automated actions when specific conditions are met. A common use case: when an error log appears in the logs index, the cluster automatically sends a DingTalk message to alert your team.

This topic describes how to route X-Pack Watcher alerts to a DingTalk chatbot using an NGINX proxy.

Prerequisites

Before you begin, ensure that you have:

  • An Alibaba Cloud Elasticsearch instance. For more information, see Create an Alibaba Cloud Elasticsearch instance.

    Important

    X-Pack Watcher supports only single-zone Elasticsearch instances that use the old network architecture. Multi-zone instances are not supported. For the new network architecture, configure a PrivateLink connection to bypass network restrictions before proceeding. For more information, see Configure a PrivateLink connection for an instance. For details about network architectures, see [Notice] Network architecture adjustment.

  • X-Pack Watcher enabled for your Elasticsearch instance. For more information, see Configure YML parameters.

  • An Elastic Compute Service (ECS) instance in your virtual private cloud (VPC). For more information, see Create an instance using custom settings.

    Note

    X-Pack Watcher cannot access the internet directly. It communicates using the private endpoint of your Elasticsearch instance within the VPC. To forward alerts to DingTalk, associate an elastic IP address (EIP) with your ECS instance or configure source network address translation (SNAT) on it. For more information, see Associate an EIP or Configure SNAT.

Step 1: Create and configure a DingTalk chatbot

  1. Create a DingTalk group to receive alerts.

  2. In the upper-right corner of the group, click the Settings icon. On the Group Settings panel, click Bot.

  3. In the Robot Management dialog box, click Add a robot, select Custom, and then click Add.

  4. Enter a Robot Name, select Custom Keywords, and specify the keywords.

    Important

    The keywords you specify must appear in the alert message body. You configure the alert message in Step 3.

  5. Select "Custom robot services and disclaimers" and click Finished.

  6. Click Copy next to Webhook to copy the chatbot's webhook URL. Keep this webhook URL secure. Do not share it on external websites, as leaking it poses a security risk.

Step 2: Configure an NGINX proxy and ECS security group

X-Pack Watcher cannot call DingTalk's webhook directly over the internet. NGINX on your ECS instance acts as a forwarding proxy: Watcher sends alerts to NGINX, which forwards them to DingTalk or WeCom.

Configure the NGINX proxy

  1. Install NGINX on the ECS instance.

  2. Update the nginx.conf file. Replace the server section with the following configuration. Before saving, replace <Webhook URL> with the DingTalk chatbot webhook URL you copied in Step 1.

    server {
        listen 8080; # Listener port
        server_name localhost; # Domain name
        index index.html index.htm index.php;
        root /usr/local/webserver/nginx/html; # Site folder

        location ~ .*\.(php|php5)?$ {
            #fastcgi_pass unix:/tmp/php-cgi.sock;
            fastcgi_pass 127.0.0.1:9000;
            fastcgi_index index.php;
            include fastcgi.conf;
        }

        location ~ .*\.(gif|jpg|jpeg|png|bmp|swf|ico)$ {
            expires 30d;
            # access_log off;
        }

        location / {
            proxy_pass <Webhook URL>;
        }

        location ~ .*\.(js|css)?$ {
            expires 15d;
            # access_log off;
        }

        access_log off;
    }

  3. Reload the configuration and restart NGINX.

    /usr/local/webserver/nginx/sbin/nginx -s reload   # Reload the configuration file
    /usr/local/webserver/nginx/sbin/nginx -s reopen   # Reopen the log files

Configure the ECS security group

Add an inbound rule to allow Elasticsearch instance nodes to send traffic to the NGINX proxy.

  1. Log on to the Alibaba Cloud ECS console.

  2. In the left-side navigation pane, choose Instances & Images > Instances.

  3. Click the name of your ECS instance.

  4. Click the Security Groups tab, then click the name of the security group.

  5. On the Inbound tab, click Add Rule and set the following parameters.

    | Parameter | Description |
    | --- | --- |
    | Action | Select Allow. |
    | Priority | Keep the default value. |
    | Protocol | Select Custom TCP. |
    | Source | Enter the IP addresses of all nodes in your Elasticsearch instance. See View basic information about nodes to get these IP addresses. |
    | Destination (Current Instance) | Enter a commonly used port. This topic uses port 8080 as an example. |
    | Description | Enter a description for the rule. |

  6. Click OK.

Step 3: Configure a Watcher alert

How a watch works

A watch consists of four components that define when to check, what to look for, when to act, and what to do:

  • Trigger: defines when the watch runs. Each watch must have a trigger.

  • Input: specifies the query to run against the monitored index when the watch is triggered.

  • Condition: defines the condition that must be met for the actions to run.

  • Actions: defines what happens when the condition is met — for example, sending a webhook request to your DingTalk chatbot.

Create a watch

  1. Log on to the Kibana console of your Elasticsearch cluster. For more information, see Log on to the Kibana console.

    Note

    The following example uses an Elasticsearch V6.7.0 cluster. Steps may differ for other versions. Refer to the actual Kibana console for your version.

  2. In the left-side navigation pane, click Dev Tools.

  3. In the Console, run the following command to create a watch named log_error_watch. This watch queries the logs index every 10 seconds. If more than 0 error logs are found, it sends an alert message to your DingTalk chatbot via the NGINX proxy. Before running the command, replace <yourAddress> in the url field with the address for your network architecture. See the parameter table below for details.

    Note

    If you see No handler found for uri [/_xpack/watcher/watch/log_error_watch_2] and method [PUT], X-Pack Watcher is not enabled on your instance. Enable it and run the command again. For more information, see Configure YML parameters.

    `url` parameter by network architecture

    | Network architecture | Value |
    | --- | --- |
    | New network architecture | The endpoint domain name from your PrivateLink configuration. Requests are forwarded through this endpoint. To get the endpoint domain name, see Configure private network peering for Alibaba Cloud Elasticsearch. |
    | Old network architecture | The IP address of the NGINX proxy on your ECS instance (requests are forwarded to DingTalk over the internet by the NGINX proxy in the same VPC), or the DingTalk chatbot webhook URL directly. |

    PUT _xpack/watcher/watch/log_error_watch
    {
      "trigger": {
        "schedule": {
          "interval": "10s"
        }
      },
      "input": {
        "search": {
          "request": {
            "indices": ["logs"],
            "body": {
              "query": {
                "match": {
                  "message": "error"
                }
              }
            }
          }
        }
      },
      "condition": {
        "compare": {
          "ctx.payload.hits.total": {
            "gt": 0
          }
        }
      },
      "actions": {
        "test_issue": {
          "webhook": {
            "method": "POST",
            "url": "http://<yourAddress>:8080",
            "body": "{\"msgtype\": \"text\", \"text\": { \"content\": \"An error log has appeared. Please handle it as soon as possible.\"}}"
          }
        }
      }
    }

    `body` parameter

    Configure the DingTalk message payload based on your chatbot's security settings. If you configured Custom Keywords in Step 1 with the keyword error, the content field must include error for the chatbot to push the alert.
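
Added example (not part of the original documentation): the webhook `body` is a JSON document escaped inside a JSON string, and a message whose content lacks the custom keyword is not pushed. The Python below generates the watch with `json.dumps` instead of hand-escaping and checks an existing watch for both problems. The proxy address `192.0.2.10`, the function names and the exact-substring keyword match are assumptions.

```python
import json

# Constructed sample values (assumptions): documentation-range proxy IP, keyword "error".
PROXY_URL = "http://192.0.2.10:8080"
KEYWORDS = ["error"]
ALERT = "An error log has appeared. Please handle it as soon as possible."


def dingtalk_body(content, keywords):
    """Serialize a DingTalk text message, rejecting content with no keyword."""
    if not any(k in content for k in keywords):
        raise ValueError("content contains none of the chatbot keywords")
    # json.dumps yields the string Watcher sends verbatim as the POST body.
    return json.dumps({"msgtype": "text", "text": {"content": content}})


def build_watch(proxy_url, content, keywords):
    """Assemble the page's log_error_watch definition as a dict."""
    return {
        "trigger": {"schedule": {"interval": "10s"}},
        "input": {"search": {"request": {
            "indices": ["logs"],
            "body": {"query": {"match": {"message": "error"}}}}}},
        "condition": {"compare": {"ctx.payload.hits.total": {"gt": 0}}},
        "actions": {"test_issue": {"webhook": {
            "method": "POST", "url": proxy_url,
            "body": dingtalk_body(content, keywords)}}},
    }


def check_watch(watch, keywords):
    """Return the problems found in the webhook actions of an existing watch."""
    problems = []
    for name, action in watch.get("actions", {}).items():
        if "webhook" not in action:
            continue
        try:
            msg = json.loads(action["webhook"].get("body", ""))
            content = str(msg["text"]["content"])
        except (ValueError, KeyError, TypeError):
            problems.append(f"{name}: body is not a DingTalk text message")
            continue
        if not any(k in content for k in keywords):
            problems.append(f"{name}: content has no chatbot keyword")
    return problems


if __name__ == "__main__":
    print("PUT _xpack/watcher/watch/log_error_watch")
    print(json.dumps(build_watch(PROXY_URL, ALERT, KEYWORDS), indent=2))
```

Running the script prints a request that can be pasted into the Kibana Console after replacing the sample address with your own.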

Step 4: Verify the alert

When your cluster data meets the alert conditions configured in Step 3, you receive a message like "An error log has appeared. Please handle it as soon as possible." in your DingTalk group.

To delete the watch when you no longer need it, run the following command:

    DELETE _xpack/watcher/watch/log_error_watch