
Configuring Log Alarm Rules

You can set alarm rules based on keywords for logs in log streams to monitor service status in real time. Currently, up to 200 keyword alarm rules can be created for each account.

Prerequisites

  • A log group and stream have been created. For details, see Managing Log Groups and Managing Log Streams.
  • Index settings have been reconfigured after log ingestion configuration. For details, see Setting Indexes. Reconfiguring indexing helps you efficiently query and analyze log data and configure log alarm rules based on specific fields, such as the log severity, error code, and response time.

Creating a Keyword Alarm Rule

LTS allows you to collect statistics on log keywords in log streams and set alarm rules to monitor them. By checking the number of keyword occurrences in a specified period, you can see in real time how the service is running.

  1. Log in to the management console and choose Management & Deployment > Log Tank Service.
  2. Choose Log Alarms in the navigation pane.
  3. Click the Alarm Rules tab.
  4. Click Create. The Create Alarm Rule right panel is displayed.
  5. Configure alarm rule parameters.

    Table 1 Keyword alarm rule parameters

    Category: Basic Info
    Parameter: Rule Name
    Description: Name of the alarm rule. Do not start or end with a hyphen (-) or underscore (_). Only letters, digits, hyphens, and underscores are allowed.

    After an alarm rule is created, the rule name can be modified. After the modification, move the cursor over the rule name to view both new and original rule names. The original rule name cannot be changed.

    Category: Basic Info
    Parameter: Description
    Description: Description of the rule.

    Category: Statistical Analysis
    Parameter: Statistics
    Description: By keyword: applicable when keywords are used to search for and configure log alarms.

    Category: Statistical Analysis
    Parameter: Query Condition
    Description:

    Log Group Name: Select a log group.

    Log Stream Name: Select a log stream.

    If a log group contains more than one log stream, you can select multiple log streams when creating a keyword alarm rule.

    Query Time Range: Specify the query period of the statement. It is one period earlier than the current time. For example, if Query Time Range is set to one hour and the current time is 9:00, the period of the query statement is 8:00–9:00.

    • The value ranges from 1 to 60 in the unit of minutes.
    • The value ranges from 1 to 24 in the unit of hours.

    Keywords: Enter log keywords that can be queried on the Log Search tab page. LTS monitors logs in the log stream based on these keywords.

    Exact and fuzzy matches are supported. Enter up to 1,024 characters. For details about how to set keyword search, see Using LTS Search Syntax.

    In the index settings, Case-Sensitive is disabled by default. This means that keywords are case insensitive. If you enable this option, enter alarm keywords with the exact letter case used in the logs. For details, see Setting Indexes.

    Category: Statistical Analysis
    Parameter: Check Rule
    Description: Configure a condition that will trigger the alarm.

    Matching Log Events: When the number of log events that contain the configured keywords reaches the specified value, an alarm is triggered. Four comparison operators are supported: greater than (>), greater than or equal to (>=), less than (<), and less than or equal to (<=).

    The number of queries refers to the number of occurrences of the Query Frequency set in Advanced Settings. The number of times the condition is met refers to the number of times that the keyword appears. The number of queries must be greater than or equal to the number of times the condition must be met.

    • The alarm severity can be critical (default), major, minor, or info.
    • Number of queries: 1–10

    Category: Advanced Settings
    Parameter: Query Frequency
    Description: The options for this parameter are:

    • Hourly: The query is performed at the top of each hour.
    • Daily: The query is run at a specific time every day.
    • Weekly: The query is run at a specific time on a specific day every week.
    • Custom interval: You can specify the interval from 1 minute to 60 minutes or from 1 hour to 24 hours. For example, if the current time is 9:00 and the Custom interval is set to 5 minutes, the first query is at 9:00, the second query is at 9:05, the third query is at 9:10, and so on.

      When the query time range is set to a value larger than 1 hour, the query frequency must be set to every 5 minutes or a lower frequency.

    • CRON: CRON expressions support schedules down to the minute and use 24-hour format. Examples:
      • 0/10 * * * *: The query starts from 00:00 and is performed every 10 minutes. That is, queries start at 00:00, 00:10, 00:20, 00:30, 00:40, 00:50, 01:00, and so on. For example, if the current time is 16:37, the next query is at 16:50.
      • 0 0/5 * * *: The query starts from 00:00 and is performed every 5 hours at 00:00, 05:00, 10:00, 15:00, 20:00, and so on. For example, if the current time is 16:37, the next query is at 20:00.
      • 0 14 * * *: The query is performed at 14:00 every day.
      • 0 0 10 * *: The query is performed at 00:00 on the 10th day of every month.

    Category: Advanced Settings
    Parameter: Restores
    Description: Configure a policy for sending an alarm clearance notification.

    If alarm clearance notification is enabled and the trigger condition has not been met for the specified number of statistical periods, an alarm clearance notification is sent.

    Number of last queries: 1–10

    Category: Advanced Settings
    Parameter: Notify When
    Description:

    • Alarm triggered: Specify whether to send a notification when an alarm is triggered. If this option is enabled, a notification will be sent when the trigger condition is met.
    • Alarm cleared: Specify whether to send a notification when an alarm is cleared. If this option is enabled, a notification will be sent when the recovery policy is met.

    Category: Advanced Settings
    Parameter: Frequency
    Description: You can select Once, Every 5 minutes, Every 10 minutes, Every 15 minutes, Every 30 minutes, Every hour, Every 3 hours, or Every 6 hours to send alarms.

    Once indicates that a notification is sent once an alarm is generated. Every 10 minutes indicates that the minimum interval between two notifications is 10 minutes, preventing alarm storms.

    Category: Advanced Settings
    Parameter: Alarm Action Rules
    Description: Select a desired rule from the drop-down list.

    If no rule is available, click Create Alarm Action Rule on the right.

    Category: Advanced Settings
    Parameter: Language
    Description: Select the language used to send alarms.

  6. Click OK.

    After an alarm rule is created, its status is Enabled by default. After the alarm rule is disabled, the alarm status is Disabled. After the alarm rule is disabled temporarily, the alarm status is Temporarily closed to May 30, 2023 16:21:24.000 GMT+08:00. (The time is for reference only.)

    When the alarm rule is enabled, an alarm will be triggered if the alarm rule is met. When it is disabled, an alarm will not be triggered even if the alarm rule is met.
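
The CRON schedules listed under Query Frequency can be checked before a rule goes live. The following added example (not part of the original page and not LTS code) computes the next query time for a five-field expression. It assumes standard cron step semantics and handles only the `*`, single-number and `start/step` forms shown above; the names `expand_field` and `next_query_time` are hypothetical.

```python
from datetime import datetime, timedelta

# (low, high) per field, in the order used in the examples above:
# minute, hour, day of month, month, day of week (0 = Sunday).
FIELD_RANGES = [(0, 59), (0, 23), (1, 31), (1, 12), (0, 6)]


def expand_field(text, low, high):
    """Values matched by one field: '*', 'N', 'start/step' or '*/step'."""
    if text == "*":
        return set(range(low, high + 1))
    if "/" in text:
        start, step = text.split("/", 1)
        first = low if start == "*" else int(start)
        if int(step) < 1:
            raise ValueError(f"step must be >= 1 in {text!r}")
        values = set(range(first, high + 1, int(step)))
    else:
        values = {int(text)}
    if not values or min(values) < low or max(values) > high:
        raise ValueError(f"{text!r} is outside {low}-{high}")
    return values


def next_query_time(expression, now):
    """First minute strictly after `now` that matches all five fields."""
    fields = expression.split()
    if len(fields) != 5:
        raise ValueError("expected 5 fields: minute hour day month weekday")
    minutes, hours, days, months, weekdays = (
        expand_field(f, lo, hi) for f, (lo, hi) in zip(fields, FIELD_RANGES)
    )
    candidate = now.replace(second=0, microsecond=0) + timedelta(minutes=1)
    for _ in range(366 * 24 * 60):  # search at most one year ahead
        if (candidate.minute in minutes and candidate.hour in hours
                and candidate.day in days and candidate.month in months
                and candidate.isoweekday() % 7 in weekdays):
            return candidate
        candidate += timedelta(minutes=1)
    raise ValueError(f"{expression!r} never fires within a year")


if __name__ == "__main__":
    now = datetime(2023, 5, 30, 16, 52)  # constructed sample time
    for expr in ("0/10 * * * *", "0 0/5 * * *", "0 14 * * *", "0 0 10 * *"):
        print(f"{expr:<14} -> {next_query_time(expr, now)}")
```

Under these semantics a step restarts at the field's lowest value, so `0 0/5 * * *` runs at 20:00 and then at 00:00, a four-hour gap across midnight.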
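
How the Check Rule, Restores and Frequency settings interact is easier to see on a timeline. The following added example (not LTS code and not from the original page) models one rule under assumed semantics: the alarm fires when the comparison holds in at least the required number of the last queries, clears after the configured number of consecutive queries in which it does not hold, and repeats a notification no more often than the chosen interval. The class and function names and the match counts are constructed for illustration.

```python
import operator
from collections import deque

# Assumed evaluation semantics for illustration; not the service's code.
OPERATORS = {">": operator.gt, ">=": operator.ge,
             "<": operator.lt, "<=": operator.le}


class KeywordAlarmModel:
    """Alarm when the check holds in >= times_met of the last `queries` runs;
    clear after clear_after consecutive misses. min_interval=None is 'Once'."""

    def __init__(self, op, threshold, queries, times_met, clear_after,
                 min_interval=None):
        if not (1 <= queries <= 10 and 1 <= clear_after <= 10):
            raise ValueError("queries and clear_after must be 1-10")
        if not 1 <= times_met <= queries:
            raise ValueError("times_met must be between 1 and queries")
        self.compare, self.threshold = OPERATORS[op], threshold
        self.queries, self.times_met = queries, times_met
        self.clear_after, self.min_interval = clear_after, min_interval
        self.history = deque(maxlen=max(queries, clear_after))
        self.active, self.last_notified = False, None

    def evaluate(self, minute, matching_events):
        """Record one query result; return 'triggered', 'cleared' or None."""
        self.history.append(self.compare(matching_events, self.threshold))
        recent = list(self.history)
        if sum(recent[-self.queries:]) >= self.times_met:
            newly_active, self.active = not self.active, True
            if newly_active or (self.min_interval is not None and
                                minute - self.last_notified >= self.min_interval):
                self.last_notified = minute
                return "triggered"
        elif (self.active and len(recent) >= self.clear_after
              and not any(recent[-self.clear_after:])):
            self.active = False
            return "cleared"
        return None


def simulate(rule, counts, every):
    """Feed constructed match counts, one per query, `every` minutes apart."""
    return [rule.evaluate(i * every, n) for i, n in enumerate(counts)]


if __name__ == "__main__":
    rule = KeywordAlarmModel(">=", 10, queries=3, times_met=2,
                             clear_after=2, min_interval=10)
    print(simulate(rule, [12, 3, 15, 20, 11, 2, 1, 0], every=5))
```

With two matches required out of three queries, a single burst such as `[50, 0, 0, 0]` raises no alarm in this model, so a rule meant to catch one-off events needs the required count set to 1.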

Follow-up Operations on Alarm Rules

After creating an alarm rule, you can modify, enable, disable, copy, or delete it. Exercise caution when performing these operations.

  • You can perform the following operations on a single alarm rule.

    Modifying an alarm rule: Click Modify in the Operation column of the target alarm rule. On the displayed page, modify the rule name, query condition, and check rule, and click OK.

    Enabling an alarm rule: Click More > Enable in the Operation column of the target alarm rule and ensure the status changes to Enabled.

    Disabling an alarm rule: Click More > Disable in the Operation column of the target alarm rule and ensure the status changes to Disabled.

    Temporarily disabling an alarm rule: Click More > Disable Temporarily in the Operation column of the target alarm rule.

    Copying an alarm rule: Click More > Copy in the Operation column of the target alarm rule.

    Deleting an alarm rule: Click Delete in the Operation column of the target alarm rule. In the displayed dialog box, click OK. Deleted alarm rules cannot be recovered. Exercise caution when performing this operation.

  • After selecting multiple alarm rules, you can perform the following operations on them: Enable, Disable, Disable Temporarily, Re-Enable, Enable Clearance, Disable Clearance, Delete, and Export.
  • You can move the cursor to the rule name to view both the new and original names after modification. The original rule name cannot be changed.