Configure the anomaly detection feature

Updated at: 2024-06-20 03:24

CloudLens for OSS provides built-in alert monitoring rules. You can use these rules to efficiently enable the anomaly detection feature for frequently used buckets, so that you can identify and analyze inappropriate behavior at the earliest opportunity. This topic describes how to configure the anomaly detection feature.

Configure an alert

  1. Log on to the Log Service console.
  2. In the Log Application section, click the Cloud Service Lens tab. Then, click CloudLens for OSS.

  3. In the left-side navigation pane, choose Anomaly Detection > Alert Management.

  4. In the bucket list, find the required bucket and click Create Alert Rule in the Actions column.

  5. In the Create Alert Rule dialog box, configure the parameters.

    1. Select the required alert monitoring rule.

      CloudLens for OSS provides built-in alert monitoring rules. For more information, see Descriptions of alert monitoring rules.

    2. Configure parameters such as alert thresholds and an action policy.

      CloudLens for OSS provides built-in action policies. If you select a built-in action policy, Simple Log Service sends alert notifications to the OSS insight-related, built-in user group by email. Before you can use a built-in action policy, you must create users and add the users to the OSS insight-related, built-in user group. For more information, see Create users and user groups.

    3. Click OK.

After the alert is enabled, you can click Alert Management in the Actions column to edit, disable, or delete the alert.

View the alert dashboard

The alert dashboard displays the details of triggered alerts and the status of alerts.

  1. Log on to the Log Service console.
  2. In the Log Application section, click the Cloud Service Lens tab. Then, click CloudLens for OSS.

  3. In the left-side navigation pane, choose Anomaly Detection > Alert Status.

  4. View alert information.

    You can filter alerts by bucket region or bucket name.

Descriptions of alert monitoring rules

Alert monitoring rule that is used to monitor the sharp increase of requests with a status code of 403, 404, 408, 499, or 4xx

Item

Description

Function

Monitors the sharp increase of requests whose status code is 403, 404, 408, 499, or 4xx.

Check frequency and check time range

Checks data within the last 1 minute at 1-minute intervals.

Trigger conditions

An alert is triggered when the number of the requests whose status code is 403, 404, 408, 499, or 4xx exceeds a specified threshold within the last 1 minute and the ratio of the requests within the current minute to the requests within the previous minute exceeds a specified threshold.

Parameter configurations

  • Number Threshold: An alert may be triggered when the number of requests to a bucket whose status code is 403, 404, 408, 499, or 4xx within 1 minute exceeds the value of this parameter.

  • Growth Rate Threshold: An alert may be triggered when the ratio of the requests to a bucket within 1 minute to the requests within the previous minute exceeds the value of this parameter.

  • Bucket Name: The name of the bucket that you want to monitor.

  • Action Policy: the action policy for your alert monitoring rule. Simple Log Service sends alert notifications to the specified users based on this action policy. Default value: sls.app.oss.builtin. You can modify the built-in action policy or create an action policy. For more information, see Create an action policy.

  • Severity: the severity of an alert.

  • Repeat Interval: the period during which notifications for repeated alerts are not sent. During this period, Simple Log Service does not notify you of repeated alerts. Examples: 1d, 2h, and 3m. The value 1d indicates 1 day, the value 2h indicates 2 hours, and the value 3m indicates 3 minutes.

  • Recovery Notification: If you enable the recovery notification feature, Simple Log Service sends a recovery notification when a monitored object recovers.

  • Threshold of Continuous Triggers: the number of consecutive times that a specified trigger condition must be met before an alert is triggered.

Alert monitoring rule that is used to monitor the sharp increase of download and upload traffic over the Internet

Item

Description

Function

Monitors the sharp increase of download and upload traffic over the Internet.

Check frequency and check time range

Checks data within the last 1 minute at 1-minute intervals.

Trigger conditions

An alert is triggered when the download or upload traffic exceeds a specified threshold and the ratio of the traffic within the current minute to the traffic within the previous minute exceeds a specified threshold.

Parameter configurations

  • Download Threshold or Upload Threshold: An alert may be triggered when the download or upload traffic exceeds the value of this parameter.

  • Growth Rate Threshold: An alert may be triggered when the ratio of the download traffic or upload traffic within 1 minute to the traffic within the previous minute exceeds the value of this parameter.

  • Bucket Name: The name of the bucket that you want to monitor.

  • Action Policy: the action policy for your alert monitoring rule. Simple Log Service sends alert notifications to the specified users based on this action policy. Default value: sls.app.oss.builtin. You can modify the built-in action policy or create an action policy. For more information, see Create an action policy.

  • Severity: the severity of an alert.

  • Repeat Interval: the period during which notifications for repeated alerts are not sent. During this period, Simple Log Service does not notify you of repeated alerts. Examples: 1d, 2h, and 3m. The value 1d indicates 1 day, the value 2h indicates 2 hours, and the value 3m indicates 3 minutes.

  • Recovery Notification: If you enable the recovery notification feature, Simple Log Service sends a recovery notification when a monitored object recovers.

  • Threshold of Continuous Triggers: the number of consecutive times that a specified trigger condition must be met before an alert is triggered.
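
The two sharp-increase rules above (4xx requests and Internet traffic) share one trigger shape: an absolute threshold and a minute-over-minute growth ratio, gated by Threshold of Continuous Triggers and Repeat Interval. The following is an added example that models that logic on constructed per-minute counts; it is not Simple Log Service code. The handling of a missing or zero previous minute and the exact suppression behaviour are assumptions.

```python
import re
from datetime import datetime, timedelta

UNITS = {"d": 86400, "h": 3600, "m": 60}

def parse_interval(text):
    """Convert a Repeat Interval value such as 1d, 2h or 3m to a timedelta."""
    m = re.fullmatch(r"(\d+)([dhm])", text)
    if not m:
        raise ValueError(f"unsupported interval: {text!r}")
    return timedelta(seconds=int(m.group(1)) * UNITS[m.group(2)])

def evaluate(series, number_threshold, growth_threshold,
             continuous=1, repeat_interval="3m"):
    """series: (minute, value) pairs in time order, one per 1-minute check.
    Returns (minute, decision) pairs; decision is ok, pending, notify
    or suppressed."""
    quiet = parse_interval(repeat_interval)
    streak, last_sent, prev, out = 0, None, None, []
    for minute, value in series:
        if prev is None:
            grew = False          # assumption: no previous minute, no ratio
        elif prev == 0:
            grew = value > 0      # assumption: growth from zero always counts
        else:
            grew = value / prev > growth_threshold
        # Both conditions must hold in the same check.
        hit = value > number_threshold and grew
        streak = streak + 1 if hit else 0
        if streak < continuous:
            decision = "pending" if hit else "ok"
        elif last_sent is not None and minute - last_sent < quiet:
            decision = "suppressed"   # still inside the Repeat Interval
        else:
            decision, last_sent = "notify", minute
        out.append((minute, decision))
        prev = value
    return out

# Constructed sample: 4xx responses per minute for one bucket.
T0 = datetime(2024, 1, 1, 0, 0)
COUNTS = [12, 15, 400, 1300, 1350, 20, 900]
SERIES = [(T0 + timedelta(minutes=i), c) for i, c in enumerate(COUNTS)]

def decisions(**kw):
    return [d for _, d in evaluate(SERIES, 100, 2, **kw)]

if __name__ == "__main__":
    for n in (1, 2, 3):
        print(n, decisions(continuous=n))
```

With a Threshold of Continuous Triggers of 3, the constructed spike never notifies: once the count plateaus at a high level the growth ratio falls back toward 1, so the condition stops being met even though the volume is still elevated.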

Alert monitoring rule that is used to monitor the alerts for OSS bucket deletion

Item

Description

Function

Monitors the DELETE operations that are performed on OSS buckets.

Check frequency and check time range

Checks data within the last 1 minute at 1-minute intervals.

Trigger conditions

An alert is triggered when an OSS bucket is deleted.

Parameter configurations

  • Bucket Name: The name of the bucket that you want to monitor.

  • Action Policy: the action policy for your alert monitoring rule. Simple Log Service sends alert notifications to the specified users based on this action policy. Default value: sls.app.oss.builtin. You can modify the built-in action policy or create an action policy. For more information, see Create an action policy.

  • Severity: the severity of an alert.

  • Repeat Interval: the period during which notifications for repeated alerts are not sent. During this period, Simple Log Service does not notify you of repeated alerts. Examples: 1d, 2h, and 3m. The value 1d indicates 1 day, the value 2h indicates 2 hours, and the value 3m indicates 3 minutes.

  • Recovery Notification: If you enable the recovery notification feature, Simple Log Service sends a recovery notification when a monitored object recovers.

  • Threshold of Continuous Triggers: the number of consecutive times that a specified trigger condition must be met before an alert is triggered.

Alert monitoring rule that is used to monitor the IP addresses from which the access requests to OSS buckets are frequently initiated

Item

Description

Function

Monitors the IP addresses from which the access requests to OSS buckets of the Standard storage class are frequently initiated.

Check frequency and check time range

Checks data within the last 10 minutes at 1-minute intervals.

Trigger conditions

An alert is triggered when the frequency of access from an IP address to a bucket is excessively high.

Parameter configurations

  • Number Threshold: An alert is triggered when the number of access requests from an IP address to an OSS bucket of the Standard storage class exceeds the value of this parameter within 10 minutes.

  • Bucket Name: The name of the bucket that you want to monitor.

  • Action Policy: the action policy for your alert monitoring rule. Simple Log Service sends alert notifications to the specified users based on this action policy. Default value: sls.app.oss.builtin. You can modify the built-in action policy or create an action policy. For more information, see Create an action policy.

  • Severity: the severity of an alert.

  • Repeat Interval: the period during which notifications for repeated alerts are not sent. During this period, Simple Log Service does not notify you of repeated alerts. Examples: 1d, 2h, and 3m. The value 1d indicates 1 day, the value 2h indicates 2 hours, and the value 3m indicates 3 minutes.

  • Recovery Notification: If you enable the recovery notification feature, Simple Log Service sends a recovery notification when a monitored object recovers.

  • Threshold of Continuous Triggers: the number of consecutive times that a specified trigger condition must be met before an alert is triggered.
