求elk开源的告警方案

有用elastalert在es5.0上实现告警功能的大神吗，参考了https://github.com/suqld/elast ... t_es5
一直没调试成功
--------------------------------------------------
gw-test-100:/etc/scripts# more /etc/elastalert/rzpt_rules/pub-nginx-monitor.yaml 
es_host: 10.1.53.76
es_port: 9200
name: pub-nginx-monitor 
index: logstash-pub-nginx-monitor-*
type: any 

filter:
- term:
  http_status: 200 


alert:
- "email"
email:
- "jacky@sohu.com"

smtp_host: mail.sohu.com
smtp_port: 25 
smtp_auth_file: /etc/elastalert/smtp_auth_file.yaml
from_add: rzpt_alert@sohu.com
---------------------------------------------------------
elastalert-test-rule /etc/elastalert/rzpt_rules/pub-nginx-monitor.yaml 
gw-test-100:/etc/scripts# sh test.sh 
Successfully loaded pub-nginx-monitor

WARNING:elasticsearch:GET http://10.1.53.76:9200/logstash-pub-nginx-monitor-*/_search?ignore_unavailable=true&size=1 [status:400 request:0.007s]
Error running your filter:
RequestError(400, u'parsing_exception', {u'status': 400, u'error': {u'line': 1, u'root_cause': [{u'reason': u'no [query] registered for [filtered]', u'type': u'parsing_exception', u'line': 1, u'col': 68}], u'type': u'parsing_exception', u'reason': u'no [query] registered for [filtered]', u'col': 68}})
INFO:elastalert:Note: In debug mode, alerts will be logged to console but NOT actually sent. To send them, use --verbose.
WARNING:elasticsearch:GET http://10.1.53.76:9200/logstash-pub-nginx-monitor-*/_search?_source_include=%40timestamp%2C%2A&ignore_unavailable=true&scroll=30s&size=10000 [status:400 request:0.003s]
ERROR:root:Error running query: TransportError(400, u'parsing_exception', u'no [query] registered for [filtered]')
----------------------------------------------------
 https://www.elastic.co/guide/e ... .html