After you create an alert monitoring rule for logs, the system generates alerts based on the specified check frequency and trigger conditions. The system also reduces alert noises and sends alert notifications based on the specified alert policy and action policy. You can create an alert monitoring rule for logs to monitor tables or indexes that cannot be deleted in Tablestore.
Background information
The alerting feature of Simple Log Service is an end-to-end intelligent O&M system that can monitor alerts based on alert monitoring rules, reduce alert noises, manage events, and send alert notifications. For more information, see Overview of alert rules.
Risks may occur and your business may be affected if you delete tables or indexes in Tablestore. To reduce potential risks, you can create an alert monitoring rule to monitor the audit logs of Tablestore. You can create an alert monitoring rule to monitor the operations that accidentally delete a table. When a table is deleted, you can receive an alert notification at the earliest opportunity. This helps you reduce business risks and protect data security.
Procedure
Go to the Audit Log page.
Log on to the Tablestore console.
In the top navigation bar, select a region.
In the left-side navigation pane, click Audit Log.
On the Audit Log page, click the icon.
In the Alert Monitoring Rule panel, configure the parameters that are described in the following table.
Parameter
Description
Rule Name
Specify the name of the alert rule.
Check Frequency
Specify the frequency at which query and analysis results are checked. Valid values:
Hourly: Query and analysis results are checked every hour.
Daily: Query and analysis results are checked at a specified point in time every day.
Weekly: Query and analysis results are checked at a specified point in time on a specified day of each week.
Fixed Interval: Query and analysis results are checked at a specified interval.
Cron: Query and analysis results are checked at an interval that is specified by a cron expression.
NoteThe minimum precision for a cron expression in the alert rules of Simple Log Service is one minute, and the format follows the 24-hour convention. For example:
0/5 * * * *
: Starts from the 0th minute and checks every 5 minutes.0 0/1 * * *
: Starts from 00:00 and checks every hour.0 18 * * *
: Checks every day at 18:00.0 0 1 * *
: Checks at 00:00 on the 1st day of every month.
For more information about the syntax of cron expressions, see Cron expressions.
A cron expression can specify an interval that is accurate to the minute. The cron expression is based on the 24-hour clock. For example,
0 0/1 * * *
specifies that query and analysis results are checked at an interval of 1 hour from 00:00.
Query Statistics
Click the input box. In the Query Statistics dialog box, configure query statement-related settings.
Associated Report tab: Select a dashboard to monitor data.
Advanced Settings tab:
Select a type of data that you want to monitor from the Type drop-down list. Valid values:
Logstore: Logs are stored. For more information about query and analysis configurations, see Query and analyze logs.
Metricstore: Metrics are stored. For more information about query and analysis configurations, see Query and analyze metric data.
Resource Data: The external data that you want to associate with the alert rule can be specified. For more information, see Create resource data.
If you set Type to Logstore or Metricstore and specify a query statement, you can specify whether to enable Dedicated SQL. For more information, see Enable Dedicated SQL.
Auto: By default, Dedicated SQL is not enabled. If the number of concurrent queries exceeds the upper limit or the query results are inaccurate, Simple Log Service automatically retries the queries by using Dedicated SQL.
Enable: Dedicated SQL is enabled for query and analysis.
Disable: Dedicated SQL is disabled.
If you specify multiple query statements, you can configure the Set Operations parameter to associate the query and analysis results of the statements. For more information, see Specify query statements.
Group Evaluation
Simple Log Service can group query and analysis results. For more information, see Use the group evaluation feature. Valid values:
Custom Label: Simple Log Service groups query and analysis results based on the fields that you specify. After Simple Log Service groups the query and analysis results, Simple Log Service checks whether the query and analysis results in each group meet the trigger condition. If the query and analysis results in each group meet the trigger condition in each check period, an alert is triggered for each group.
You can specify multiple fields.
No Grouping: Only one alert is triggered in each check period when the trigger condition is met.
Auto Label: If you select Metricstore from the Type drop-down list in the Query Statistics dialog box, Simple Log Service automatically groups query and analysis results. A value of Metricstore specifies that the query and analysis results of metrics are monitored.
After Simple Log Service groups the query and analysis results, Simple Log Service checks whether the query and analysis results in each group meet the trigger condition. If the query and analysis results in each group meet the trigger condition in each check period, an alert is triggered for each group.
Trigger Condition
Specify the trigger condition and severity of an alert.
Trigger condition
Data is returned: If data is returned in the query and analysis results, an alert is triggered.
the query result contains: If the query and analysis results contain N data entries, an alert is triggered.
data matches the expression: If the query and analysis results contain data that matches a specified expression, an alert is triggered.
the query result contains and matches: If the query and analysis results contain N data entries that match a specified expression, an alert is triggered.
Severity
This parameter is used to denoise alerts and manage alert notifications. You can add severity-based conditions when you create an alert policy or an action policy. For more information, see Specify severity levels for alerts.
If you specify one trigger condition, you can specify a severity for the condition. In this case, all alerts that are triggered based on the alert rule have the same severity.
If you specify more than one trigger condition, you can specify a severity for each condition. You can click Create to specify additional trigger conditions.
For more information about the syntax of conditional expressions in alert rules, see Syntax of trigger conditions in alert rules.
Add Label
Simple Log Service allows you to add labels as identifying attributes to alerts. Labels are in the key-value pair format. This parameter is used to denoise alerts and manage alert notifications. You can add label-based conditions when you create an alert policy or an action policy. For more information, see Add labels and annotations.
Add Annotation
Simple Log Service allows you to add annotations as non-identifying attributes to alerts. Annotations are in the key-value pair format. This parameter is used to denoise alerts and manage alert notifications. You can add annotation-based conditions when you create an alert policy or an action policy. For more information, see Add labels and annotations.
If you turn on Auto-Add Annotations, fields such as __count__ are automatically added to alerts. For more information, see Automatic annotations.
Recovery Notifications
If you turn on Recovery Notifications, a recovery alert is triggered each time an alert is cleared. For example, an alert rule is created to monitor the CPU metrics of each host. If the CPU utilization of a host exceeds 95%, an alert is triggered. Then, if the CPU utilization decreases to 95% or less, a recovery notification is sent. For more information, see Configure recovery notifications.
Advanced Settings > Threshold of Continuous Triggers
Specify the threshold at which an alert is triggered. If the number of consecutive times that the specified trigger condition is met reaches the value of this parameter, an alert is triggered. The system does not count the number of times when the specified trigger condition is not met.
Advanced Settings > No Data Alert
If you turn on No Data Alert, an alert is triggered when the number of times that no data is returned exceeds the value of Threshold of Continuous Triggers. If multiple query statements are executed, the number of times is counted based on the associated query and analysis results of the query statements. For more information, see No-data alert.
Destination
Specify the location to which alerts are sent. You can specify one or more locations. Valid values:
Eventstore: Alerts are sent to a specified Eventstore.
CloudMonitor Event Center: Alerts are sent to the Event Center of CloudMonitor. Then, CloudMonitor manages the alerts and sends alert notifications.
Simple Log Service Notification: Alerts are sent to the notification feature of Simple Log Service. Then, Simple Log Service manages the alerts based on the specified alert policy and action policy.
Destination - Eventstore
Enable: If you turn on Enable, alerts are sent to the Eventstore that you specify.
Region: the region of the Eventstore to which alerts are sent.
Project: the project of the Eventstore to which alerts are sent.
Eventstore: the Eventstore to which alerts are sent.
Authorization Method
Default Role: Click Authorize. Then, follow the on-screen instructions to complete authorization. This way, the AliyunLogETLRole system role is assumed to send alerts to the Eventstore. For more information, see Default role.
Custom Role: A custom role is assumed to send alerts to the Eventstore. Enter the Alibaba Cloud Resource Name (ARN) of the custom role. For more information, see Custom role.
Destination - CloudMonitor Event Center
Enable: If you turn on Enable, alerts are sent to the Event Center of CloudMonitor. For more information, see View system events.
Destination - Simple Log Service Notification
Enable: If you turn on Enable, alerts are sent to the notification feature of Simple Log Service for management and notification.
Alert Policy
Simple Mode
By default, Simple Log Service uses the built-in alert policy sls.builtin.dynamic to manage alerts.
You need to only configure an action group.
After you configure an action group, Simple Log Service automatically creates an action policy named in the
Rule name-Action policy
format. Alert notifications are sent based on the action policy for all alerts that are triggered based on the alert rule. For more information, see Notification methods.ImportantYou can modify an action policy on the Action Policy tab. For more information, see Create an action policy. If you add conditions when you modify an action policy, the value of Alert Policy is automatically changed to Standard Mode.
Standard Mode
By default, Simple Log Service uses the built-in alert policy sls.builtin.dynamic to manage alerts.
You can select a built-in or custom action policy to send alert notifications. For more information about how to create an action policy, see Create an action policy.
Repeat Interval: If duplicate alerts are triggered in the specified period, the action policy that you select is executed only once, and only one alert notification is sent.
Advanced Mode
You can select a built-in or custom alert policy to manage alerts. For more information about how to create an alert policy, see Create an alert policy.
You can select a built-in or custom action policy to send alert notifications. For more information about how to create an action policy, see Create an action policy. You can turn on or turn off Custom Action Policy. For more information, see Dynamic action policy mechanism.
Repeat Interval: If duplicate alerts are triggered in the specified period, the action policy that you select is executed only once, and only one alert notification is sent.
Click OK.