This topic describes the alert rules for the flow security of Server Load Balancer (SLB). You can configure and enable alert rules in the Simple Log Service console. This allows you to monitor the security of SLB instances. If an alert is triggered, you can identify the cause and fix the error at the earliest opportunity.
Alert rules
The following alert rules are supported. For information about how to set alert parameters, configure whitelists, and perform other related operations, see Configure alerts.
Inspection of SLB Abnormal Response Length
ID | sls_app_audit_dataflow_at_slb_resp_detc |
Name | Inspection of SLB Abnormal Response Length |
Version | 1 |
Type | Cloud Platform, Alicloud, Flow Security, SLB Flow Security |
Usage | Detects whether the length of SLB responses is abnormal. If the number of SLB responses that have an abnormal length is greater than or equal to the value of the Threshold parameter, an alert is triggered. |
Check Frequency | Fixed interval: 4 hours. |
Time Range | The data of the last 4 hours is checked. |
Parameter Settings |
|
External Configurations | None |
Solution | Check whether exceptions have occurred on the SLB instances for which a large number of responses have an abnormal length. |
Prerequisites | The Lay-7 Access switch next to SLB is turned on. To turn on the switch, go to the Log Audit Service page, and then choose . |
Inspection of SLB Abnormal Request Length
ID | sls_app_audit_dataflow_at_slb_req_detc |
Name | Inspection of SLB Abnormal Request Length |
Version | 1 |
Type | Cloud Platform, Alicloud, Flow Security, SLB Flow Security |
Usage | Detects whether the length of SLB requests is abnormal. If the number of SLB requests that have an abnormal length is greater than or equal to the value of the Threshold parameter, an alert is triggered. |
Check Frequency | Fixed interval: 4 hours. |
Time Range | The data of the last 4 hours is checked. |
Parameter Settings |
|
External Configurations | None |
Solution | Check whether exceptions have occurred on the SLB instances for which a large number of requests have an abnormal length. |
Prerequisites | The Lay-7 Access switch next to SLB is turned on. To turn on the switch, go to the Log Audit Service page, and then choose . |
SLB Average Response Delay Too High-8 Alert
ID | sls_app_audit_dataflow_at_slb_latency |
Name | SLB Average Response Delay Too High-8 Alert |
Version | 1 |
Type | Cloud Platform, Alicloud, Flow Security, SLB Flow Security |
Usage | Checks whether the average response delay of Server Load Balancer (SLB) instances is too high. If the average response time of SLB instances is greater than or equal to the value of the Threshold parameter, an alert is triggered. |
Check Frequency | Fixed interval: 1 minute. |
Time Range | The data of the last 2 minutes is checked. |
Parameter Settings |
|
External Configurations | None |
Solution | Check whether exceptions have occurred on SLB instances whose average response delay is too high. |
Prerequisites | The Lay-7 Access switch next to SLB is turned on. To turn on the switch, go to the Log Audit Service page, and then choose . |
SLB HTTP Access Protocol Enabled Alert
ID | sls_app_audit_dataflow_at_slb_http |
Name | SLB HTTP Access Protocol Enabled Alert |
Version | 1 |
Type | Cloud Platform, Alicloud, Flow Security, SLB Flow Security |
Usage | Detects whether Server Load Balancer (SLB) accesses the server over HTTPS. If SLB accesses the server over HTTP, an alert is triggered. |
Check Frequency | Fixed interval: 1 minute. |
Time Range | The data of the last 2 minutes is checked. |
Parameter Settings | Severity: Critical-10, High-8, Medium-6, Low-4, and Report-2. Default value: High-8 |
External Configurations | You can configure a whitelist of SLB instances for which the HTTP protocol is enabled. If the HTTP protocol is enabled for an SLB instance on the whitelist, no alert is triggered. |
Solution | Disable HTTP protocol for the SLB instances that are not included in the whitelist. |
Prerequisites | The Operations Log switch next to ActionTrail is turned on. To turn on the switch, go to the Log Audit Service page, and then choose . |
Load Balance Access UV Anomaly Inspection
ID | sls_app_audit_dataflow_at_slb_uv_detc |
Name | Load Balance Access UV Anomaly Inspection |
Version | 1 |
Type | Cloud Platform, Alicloud, Flow Security, SLB Flow Security |
Usage | Detects anomalies in the number of unique visitors (UVs) of Server Load Balancer (SLB) instances. If the number of UVs of abnormal access to SLB instances is greater than or equal to the value of the Threshold parameter, an alert is triggered. |
Check Frequency | Fixed interval: 4 hours. |
Time Range | The data of the last 4 hours is checked. |
Parameter Settings |
|
External Configurations | None |
Solution | Check whether exceptions have occurred on the SLB instances that have a large number of UVs of abnormal access. |
Prerequisites | The Lay-7 Access switch next to SLB is turned on. To turn on the switch, go to the Log Audit Service page, and then choose . |
Load Balance Access PV Anomaly Inspection
ID | sls_app_audit_dataflow_at_slb_pv_detc |
Name | Load Balance Access PV Anomaly Inspection |
Version | 1 |
Type | Cloud Platform, Alicloud, Flow Security, SLB Flow Security |
Usage | Detects an excessive number of page views (PVs) of Server Load Balancer (SLB) instances. If the number of PVs of abnormal access to SLB instances is greater than or equal to the value of the Threshold parameter, an alert is triggered. |
Check Frequency | Fixed interval: 4 hours. |
Time Range | The data of the last 4 hours is checked. |
Parameter Settings |
|
External Configurations | None |
Solution | Check whether exceptions have occurred on the SLB instances that have a large number of PVs of abnormal access. |
Prerequisites | The Lay-7 Access switch next to SLB is turned on. To turn on the switch, go to the Log Audit Service page, and then choose . |