How to use built-in alert monitoring rules for Logtail - Simple Log Service

Simple Log Service provides built-in alert monitoring rules. If you want to monitor Logtail in real time, you can enable the alert instances of the related alert monitoring rules. Then, you can receive alert notifications based on the specified notification method, such as DingTalk. This topic describes how to use built-in alert monitoring rules to monitor Logtail.

Prerequisites

The important log feature is enabled for the project that you want to manage. For more information, see Enable the service log feature.

Background information

After you enable the important log feature for a project, Simple Log Service automatically creates a Logstore named internal-diagnostic_log in the project to store Logtail heartbeat logs. Simple Log Service predefines alert monitoring rules based on Logtail heartbeat logs. You can use the built-in alert monitoring rules to monitor Logtail in real time.

Step 1: Configure an action policy

By default, built-in alert monitoring rules for Logtail are associated with a built-in action policy whose ID is sls.app.logtail.builtin. Before you enable the alert instances of built-in alert monitoring rules for Logtail, you must specify one or more notification methods in the action policy.

Log on to the Simple Log Service console.
In the Projects section, find the project that you want to manage and click the name of the project.
You must select the project for which you enable the important log feature.
In the left-side navigation pane, click the Alerts icon.
On the Alert Center page, choose Notification Policy > Action Policy.
In the action policy list, find the action policy whose ID is sls.app.logtail.builtin and click Edit in the Actions column.
You can also create an action policy to send alert notifications. For more information, see Create an action policy.
In the Edit Action Policy dialog box, change the value of the Request URL parameter to the webhook URL of your DingTalk chatbot. Use the default settings for other parameters. Then, click Confirm.
For more information about how to obtain the webhook URL of a DingTalk chatbot, see DingTalk-Custom. You can use other alert notification methods based on your business requirements. For more information, see Notification methods.

Step 2: Enable an alert instance

Simple Log Service provides built-in alert monitoring rules. You can enable the alert instances of the related alert monitoring rules based on your business requirements.

On the Alert Center page, click Alert Rules/Incidents.
On the Alert Rules/Incidents tab, click SLS Logtail.
In the alert monitoring rule list, find the alert monitoring rule that you want to use and click Enable in the Actions column.
The default values of the parameters in each alert monitoring rule are specified. You can click Enable without the need to configure an alert monitoring rule. If you want to modify the values of the parameters, click Settings. For more information about the parameters, see Alert monitoring rules for Logtail.

Alert monitoring rules for Logtail

Simple Log Service provides the following built-in alert monitoring rules to monitor Logtail:

Logtail Restart
Logtail Data Collection Delay
Logtail Quota Exceed
Logtail Log Parse Error
Logtail Error Count Monitoring By Project
Logtail Error Count Daily Monitoring By Project
Logtail Error Count Monitoring By Logstore
Logtail Error Count Daily Monitoring By Project

Logtail Restart

Item	Description
Purpose	Monitors the restart behavior of Logtail.
Detection frequency and detection time range	Obtains incremental data at an interval of 5 minutes.
Trigger condition	If the number of times that a Logtail client restarts exceeds the specified threshold within the previous 5 minutes, an alert is triggered.
Parameter settings	Action Policy: the action policy for your alert monitoring rule. Simple Log Service sends alert notifications to the specified users based on this action policy. The default action policy is sls.app.logtail.builtin. You can modify the built-in action policy or create an action policy based on your business requirements. For more information, see Create an action policy. Threshold(Critical): If the number of times that a Logtail client restarts is greater than the value of this parameter within the previous 5 minutes, an alert whose severity level is Critical is triggered. Default value: 3. Threshold(High): If the number of times that a Logtail client restarts is greater than the value of this parameter within the previous 5 minutes, an alert whose severity level is High is triggered. Default value: 1. Repeat Interval: the interval at which Simple Log Service sends only one alert notification for repeated alerts. During each interval, Simple Log Service does not send repeated alert notifications for repeated alerts. For example, if you set the Repeat Interval parameter to 1d, 2h, or 3m, Simple Log Service sends only one alert notification within one day, 2 hours, or 3 minutes even if repeated alerts are triggered. SendResolved: If you enable the recovery notification feature and an alert is cleared, Simple Log Service sends a recovery notification in the format of an alert notification. Trigger Count: the number of consecutive check periods in which the specified trigger condition must be met before an alert can be triggered.

Logtail Data Collection Delay

Item	Description
Purpose	Checks whether a delay occurs when Logtail collects data.
Detection frequency and detection time range	Obtains incremental data at an interval of 5 minutes.
Trigger condition	If a delay occurs when Logtail collects data for a Logstore within the previous 5 minutes, an alert is triggered.
Parameter settings	Action Policy: the action policy for your alert monitoring rule. Simple Log Service sends alert notifications to the specified users based on this action policy. The default action policy is sls.app.logtail.builtin. You can modify the built-in action policy or create an action policy based on your business requirements. For more information, see Create an action policy. Severity: the severity level of the alert. Valid values: Critical, High, Medium, Low, and Report. Default value: Medium. Repeat Interval: the interval at which Simple Log Service sends only one alert notification for repeated alerts. During each interval, Simple Log Service does not send repeated alert notifications for repeated alerts. For example, if you set the Repeat Interval parameter to 1d, 2h, or 3m, Simple Log Service sends only one alert notification within one day, 2 hours, or 3 minutes even if repeated alerts are triggered. SendResolved: If you enable the recovery notification feature and an alert is cleared, Simple Log Service sends a recovery notification in the format of an alert notification. Trigger Count: the number of consecutive check periods in which the specified trigger condition must be met before an alert can be triggered.

Logtail Quota Exceed

Item	Description
Purpose	Checks whether the Logtail quota is exceeded.
Detection frequency and detection time range	Obtains incremental data at an interval of 5 minutes.
Trigger condition	If Logtail fails to send data to a Logstore within the previous 5 minutes because the quota is exhausted, an alert is triggered.
Parameter settings	Action Policy: the action policy for your alert monitoring rule. Simple Log Service sends alert notifications to the specified users based on this action policy. The default action policy is sls.app.logtail.builtin. You can modify the built-in action policy or create an action policy based on your business requirements. For more information, see Create an action policy. Severity: the severity level of the alert. Valid values: Critical, High, Medium, Low, and Report. Default value: Medium. Repeat Interval: the interval at which Simple Log Service sends only one alert notification for repeated alerts. During each interval, Simple Log Service does not send repeated alert notifications for repeated alerts. For example, if you set the Repeat Interval parameter to 1d, 2h, or 3m, Simple Log Service sends only one alert notification within one day, 2 hours, or 3 minutes even if repeated alerts are triggered. SendResolved: If you enable the recovery notification feature and an alert is cleared, Simple Log Service sends a recovery notification in the format of an alert notification. Trigger Count: the number of consecutive check periods in which the specified trigger condition must be met before an alert can be triggered.

Logtail Log Parse Error

Item	Description
Purpose	Monitors the exceptions that occur when Logtail parses logs.
Detection frequency and detection time range	Obtains incremental data at an interval of 5 minutes.
Trigger condition	If an error occurs when Logtail parses logs for a Logstore within the previous 5 minutes, an alert is triggered.
Parameter settings	Action Policy: the action policy for your alert monitoring rule. Simple Log Service sends alert notifications to the specified users based on this action policy. The default action policy is sls.app.logtail.builtin. You can modify the built-in action policy or create an action policy based on your business requirements. For more information, see Create an action policy. Severity: the severity level of the alert. Valid values: Critical, High, Medium, Low, and Report. Default value: Medium. Repeat Interval: the interval at which Simple Log Service sends only one alert notification for repeated alerts. During each interval, Simple Log Service does not send repeated alert notifications for repeated alerts. For example, if you set the Repeat Interval parameter to 1d, 2h, or 3m, Simple Log Service sends only one alert notification within one day, 2 hours, or 3 minutes even if repeated alerts are triggered. SendResolved: If you enable the recovery notification feature and an alert is cleared, Simple Log Service sends a recovery notification in the format of an alert notification. Trigger Count: the number of consecutive check periods in which the specified trigger condition must be met before an alert can be triggered.

Logtail Error Count Monitoring By Project

Item	Description
Purpose	Monitors the number of Logtail collection errors.
Detection frequency and detection time range	Obtains incremental data at an interval of 5 minutes.
Trigger condition	If the number of Logtail collection errors that occur in a project exceeds the specified threshold within the previous 5 minutes, an alert is triggered.
Parameter settings	Action Policy: the action policy for your alert monitoring rule. Simple Log Service sends alert notifications to the specified users based on this action policy. The default action policy is sls.app.logtail.builtin. You can modify the built-in action policy or create an action policy based on your business requirements. For more information, see Create an action policy. Severity: the severity level of the alert. Valid values: Critical, High, Medium, Low, and Report. Default value: Medium. Threshold: If the number of Logtail collection errors that occur in a project is greater than the value of this parameter within the previous 5 minutes, an alert is triggered. Repeat Interval: the interval at which Simple Log Service sends only one alert notification for repeated alerts. During each interval, Simple Log Service does not send repeated alert notifications for repeated alerts. For example, if you set the Repeat Interval parameter to 1d, 2h, or 3m, Simple Log Service sends only one alert notification within one day, 2 hours, or 3 minutes even if repeated alerts are triggered. SendResolved: If you enable the recovery notification feature and an alert is cleared, Simple Log Service sends a recovery notification in the format of an alert notification. Trigger Count: the number of consecutive check periods in which the specified trigger condition must be met before an alert can be triggered.

Logtail Error Count Daily Monitoring By Project

Item	Description
Purpose	Monitors the daily changes in the number of Logtail collection errors within a specific period of time.
Detection frequency and detection time range	Obtains incremental data at an interval of 5 minutes.
Trigger condition	If the daily growth rate of the number of Logtail collection errors that occur in a project exceeds the specified threshold within the previous 5 minutes, an alert is triggered.
Parameter settings	Action Policy: the action policy for your alert monitoring rule. Simple Log Service sends alert notifications to the specified users based on this action policy. The default action policy is sls.app.logtail.builtin. You can modify the built-in action policy or create an action policy based on your business requirements. For more information, see Create an action policy. Severity: the severity level of the alert. Valid values: Critical, High, Medium, Low, and Report. Default value: Medium. Threshold: If the daily growth rate of Logtail collection errors that occur in a project is greater than the value of this parameter within the previous 5 minutes, an alert is triggered. Repeat Interval: the interval at which Simple Log Service sends only one alert notification for repeated alerts. During each interval, Simple Log Service does not send repeated alert notifications for repeated alerts. For example, if you set the Repeat Interval parameter to 1d, 2h, or 3m, Simple Log Service sends only one alert notification within one day, 2 hours, or 3 minutes even if repeated alerts are triggered. SendResolved: If you enable the recovery notification feature and an alert is cleared, Simple Log Service sends a recovery notification in the format of an alert notification. Trigger Count: the number of consecutive check periods in which the specified trigger condition must be met before an alert can be triggered.

Logtail Error Count Monitoring By Logstore

Item	Description
Purpose	Monitors the number of Logtail collection errors.
Detection frequency and detection time range	Obtains incremental data at an interval of 5 minutes.
Trigger condition	If the number of Logtail collection errors that occur in a Logstore exceeds the specified threshold within the previous 5 minutes, an alert is triggered.
Parameter settings	Action Policy: the action policy for your alert monitoring rule. Simple Log Service sends alert notifications to the specified users based on this action policy. The default action policy is sls.app.logtail.builtin. You can modify the built-in action policy or create an action policy based on your business requirements. For more information, see Create an action policy. Severity: the severity level of the alert. Valid values: Critical, High, Medium, Low, and Report. Default value: Medium. Threshold: If the number of Logtail collection errors that occur in a Logstore is greater than the value of this parameter within the previous 5 minutes, an alert is triggered. Repeat Interval: the interval at which Simple Log Service sends only one alert notification for repeated alerts. During each interval, Simple Log Service does not send repeated alert notifications for repeated alerts. For example, if you set the Repeat Interval parameter to 1d, 2h, or 3m, Simple Log Service sends only one alert notification within one day, 2 hours, or 3 minutes even if repeated alerts are triggered. SendResolved: If you enable the recovery notification feature and an alert is cleared, Simple Log Service sends a recovery notification in the format of an alert notification. Trigger Count: the number of consecutive check periods in which the specified trigger condition must be met before an alert can be triggered.

Logtail Error Count Daily Monitoring By Logstore

Item	Description
Purpose	Monitors the daily changes in the number of Logtail collection errors within a specific period of time.
Detection frequency and detection time range	Obtains incremental data at an interval of 5 minutes.
Trigger condition	If the daily growth rate of the number of Logtail collection errors that occur in a Logstore exceeds the specified threshold within the previous 5 minutes, an alert is triggered.
Parameter settings	Action Policy: the action policy for your alert monitoring rule. Simple Log Service sends alert notifications to the specified users based on this action policy. The default action policy is sls.app.logtail.builtin. You can modify the built-in action policy or create an action policy based on your business requirements. For more information, see Create an action policy. Severity: the severity level of the alert. Valid values: Critical, High, Medium, Low, and Report. Default value: Medium. Threshold: If the daily growth rate of Logtail collection errors that occur in a Logstore is greater than the value of this parameter within the previous 5 minutes, an alert is triggered. Repeat Interval: the interval at which Simple Log Service sends only one alert notification for repeated alerts. During each interval, Simple Log Service does not send repeated alert notifications for repeated alerts. For example, if you set the Repeat Interval parameter to 1d, 2h, or 3m, Simple Log Service sends only one alert notification within one day, 2 hours, or 3 minutes even if repeated alerts are triggered. SendResolved: If you enable the recovery notification feature and an alert is cleared, Simple Log Service sends a recovery notification in the format of an alert notification. Trigger Count: the number of consecutive check periods in which the specified trigger condition must be met before an alert can be triggered.