You can use CloudMonitor to configure monitoring and alerting for website services. This topic describes the site metrics, attack event types, and Web Application Firewall (WAF) service metrics that are supported by CloudMonitor.

Background information

WAF is integrated with CloudMonitor. CloudMonitor allows you to configure monitoring and alerting for site metrics, for attack events that occur on domain names that are added to WAF, and for WAF service metrics for those domain names.

CloudMonitor is a service that monitors Internet applications and Alibaba Cloud resources. CloudMonitor sends you notifications when alerts are triggered. You can configure alert rules. CloudMonitor sends alert notifications to specific contacts by using email or by using the alert callback feature when CloudMonitor detects system events. This way, you can be notified of critical events in real time after they are generated and can handle the events in an automated online O&M process.

Site metrics supported

CloudMonitor can simulate the detection requests of real users, monitor access to your service sites from all cities and provinces in China, and detect exceptions in real time.

The following table lists the metrics that site monitoring supports. We recommend that you configure all supported metrics when you use the site monitoring feature.
| Metric | Level | Description | Configuration method |
| --- | --- | --- | --- |
| Elastic Compute Service (ECS) performance monitoring | Major | Monitor the CPU utilization, memory usage, disk space usage, and bandwidth usage of ECS instances. | Configure alerts for an ECS instance |
| Server Load Balancer (SLB) performance monitoring | Major | Monitor the number of connections, bandwidth usage, and packets per second (PPS) of SLB instances. | Configure alert rules for SLB instances |
| Object Storage Service (OSS) sandbox status monitoring | Major | Monitor the OSS sandbox to view the status of the OSS service. | Overview |
| HTTP/HTTPS | Major | Send HTTP or HTTPS requests to a specific URL or IP address to monitor the URL or IP address. | |
| PING | Major | Run an Internet Control Message Protocol (ICMP) ping command against a specific URL or IP address to monitor the URL or IP address. | |
| TCP | Major | Send Transmission Control Protocol (TCP) requests to a specific port to monitor the port. | |
| UDP | Optional | Send User Datagram Protocol (UDP) requests to a specific port to monitor the port. | |
| DNS | Optional | Send Domain Name System (DNS) requests to a specific domain to monitor the domain name. | |
| POP3 | Optional | Send Post Office Protocol version 3 (POP3) requests to a specific URL or IP address to monitor the URL or IP address. | |
| SMTP | Optional | Send Simple Mail Transfer Protocol (SMTP) requests to a specific URL or IP address to monitor the URL or IP address. | |
| FTP | Optional | Send File Transfer Protocol (FTP) requests to a specific URL or IP address to monitor the URL or IP address. | |

Site monitoring is provided by CloudMonitor. The site monitoring feature does not involve WAF-related operations. You only need to log on to the CloudMonitor console by using your Alibaba Cloud account and perform the following operations:

Attack events supported

CloudMonitor allows you to configure monitoring and alerting for web attacks, HTTP flood attacks, scan attacks, and unauthorized access control events on domain names that are added to WAF. You can select the notification method by which you want to receive alerts based on the severity level of events. Notification methods include text messages, emails, DingTalk, and the alert callback feature. For more information about how to configure monitoring and alerting for attack events, see Configure monitoring and alerting for attack events.

Notice: Event monitoring takes effect only for domain names that are added to WAF. Before you can configure alert rules for a domain name, make sure that the domain name is added to WAF. For more information about how to add a domain name, see Add a website.

The following table lists the supported attack events.

| Event name | Description | Type | Status value | Event level |
| --- | --- | --- | --- | --- |
| waf_event_aclattack | An access control event occurred. | acl | start and end | CRITICAL |
| waf_event_ccattack | An HTTP flood attack occurred. | cc | start and end | CRITICAL |
| waf_event_webattack | A web attack occurred. | web | start and end | CRITICAL |
| waf_event_webscan | A web scan attack occurred. | webscan | start and end | CRITICAL |
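
The status values start and end in the table above mark the two boundaries of an attack, so a receiver of these alerts has to pair them to know which attacks are still in progress. The following is an added example, not code from CloudMonitor or WAF: it assumes one notification per status value, and the record keys (`name`, `status`, `domain`, `time`) and the sample records are constructed for illustration and are not the actual alert callback schema.

```python
from datetime import datetime

# Event names from the table above.
WAF_EVENTS = {"waf_event_aclattack", "waf_event_ccattack",
              "waf_event_webattack", "waf_event_webscan"}

# Constructed sample records. The keys are hypothetical, not the real
# CloudMonitor callback schema; map your own payload fields onto them.
SAMPLE = [
    {"name": "waf_event_ccattack", "status": "start",
     "domain": "www.example.com", "time": "2024-01-01T10:00:00"},
    {"name": "waf_event_webscan", "status": "start",
     "domain": "www.example.com", "time": "2024-01-01T10:02:00"},
    {"name": "waf_event_ccattack", "status": "end",
     "domain": "www.example.com", "time": "2024-01-01T10:07:30"},
    {"name": "waf_event_webattack", "status": "end",
     "domain": "shop.example.com", "time": "2024-01-01T10:08:00"},
]

def attack_windows(records):
    """Pair start/end records per (domain, event name).

    Returns (closed, ongoing, orphan_ends):
      closed      - list of (domain, name, start, end, seconds)
      ongoing     - {(domain, name): start} for attacks with no end yet
      orphan_ends - list of (domain, name, end) whose start was never seen
    """
    parsed = [(datetime.fromisoformat(r["time"]), r) for r in records
              if r["name"] in WAF_EVENTS]
    closed, ongoing, orphan_ends = [], {}, []
    for ts, rec in sorted(parsed, key=lambda p: p[0]):
        key = (rec["domain"], rec["name"])
        if rec["status"] == "start":
            ongoing.setdefault(key, ts)  # a repeated start keeps the earliest
        elif rec["status"] == "end":
            if key in ongoing:
                start = ongoing.pop(key)
                closed.append((*key, start, ts, (ts - start).total_seconds()))
            else:
                orphan_ends.append((*key, ts))  # start notification was missed
    return closed, ongoing, orphan_ends


if __name__ == "__main__":
    closed, ongoing, orphans = attack_windows(SAMPLE)
    for domain, name, start, end, secs in closed:
        print(f"{domain} {name}: {start} -> {end} ({secs:.0f}s)")
    for (domain, name), start in ongoing.items():
        print(f"ONGOING {domain} {name} since {start}")
```

An end with no matching start usually means a notification was dropped or the receiver started after the attack began, so it is worth tracking separately rather than discarding.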

WAF service metrics supported

CloudMonitor allows you to configure monitoring and alerting for WAF service metrics on domain names that are added to WAF. You can specify the method to identify exceptions on the service metrics and select a notification method by which you want to receive alerts, such as by using text messages, emails, DingTalk, or the alert callback feature. For more information about how to configure monitoring and alerting for the service metrics, see Configure monitoring and alerting for metrics.

Notice: Service metric monitoring takes effect only for domain names that are added to WAF. Before you can configure alert rules for a domain name, make sure that the domain name is added to WAF. For more information about how to add a domain name, see Add a website.

The following table lists the supported service metrics.

| Metric | Dimension | Unit | Description | Remarks |
| --- | --- | --- | --- | --- |
| 4XX_ratio | Domain name | % | The percentage of the HTTP 4xx status codes per minute (405 excluded). | The value is displayed as a decimal number. |
| 5XX_ratio | Domain name | % | The percentage of the HTTP 5xx status codes per minute. | The value is displayed as a decimal number. |
| acl_blocks_5m | Domain name | Pieces (PCS) | The number of requests blocked by access control within the last five minutes. | None. |
| acl_rate_5m | Domain name | % | The percentage of requests blocked by access control within the last five minutes. | The value is displayed as a decimal number. |
| cc_blocks_5m | Domain name | PCS | The number of requests blocked by HTTP flood protection within the last five minutes. | None. |
| cc_rate_5m | Domain name | % | The percentage of requests blocked by HTTP flood protection within the last five minutes. | The value is displayed as a decimal number. |
| waf_blocks_5m | Domain name | PCS | The number of requests blocked by web intrusion prevention within the last five minutes. | None. |
| waf_rate_5m | Domain name | % | The percentage of requests blocked by web attack protection within the last five minutes. | The value is displayed as a decimal number. |
| QPS | Domain name | | The queries per second. | None. |
| qps_ratio | Domain name | % | The minute-on-minute growth rate of QPS. | The value is displayed as a percentage. |
| qps_ratio_down | Domain name | % | The minute-on-minute decrease rate of QPS. | The value is displayed as a percentage. |