Generating alerts from logs


As an administrator, you use alert policies to generate events from logs: you configure the conditions that you want to be notified about, and an event is generated when matching log records arrive. You can also use alert policies to be notified when an anomaly or a rare pattern is detected in the logs.


Alert policy types

You can create the following types of alert policies:

  • Static Thresholds: When you know the conditions for which you want to be alerted, and where those conditions occur, use static thresholds. For example, while analyzing logs you notice that status 401 (authentication failure) is reported many times within a short period, which is a typical sign of a password-guessing or credential-stuffing attempt, and you want to be notified if it happens again. So you create an alert policy that generates an event whenever the conditions configured in the policy occur in the logs. Here are a few more examples:

    Examples

    • An exception in the application server log
    • Error log level in the database log
    • Unexpected token in the application log
  • Anomaly Detection: Logs contain anomalies that represent potential system faults, which makes the logs critical to debugging application performance and errors. BMC Helix Log Analytics provides automated analysis with machine learning (ML)-based anomaly detection of abnormal or rare log patterns (anomalies) that indicate a deviation from normal behavior. This analysis helps you find concerns proactively before they become a problem and helps you troubleshoot errors when they arise.
    Use anomaly detection when you want to be alerted whenever an anomalous log record appears in a particular type of log, such as database logs or the logs of a Kubernetes microservice. Here are a few more examples:

    Examples

    • An anomaly in a specific service in a Kubernetes environment
    • An anomaly in a specific service of Amazon Web Services
    • An anomaly in Windows event for a particular host or VM


Alert policy details

An alert policy consists of the following details:

  • Name, description, and precedence.
  • Policy selection criteria, that is, the conditions that generate an event. Configure the policy selection criteria based on the fields available in the logs. The operators that you can use are Equals, Not Equal to, and Contains. Combine these conditions with the AND and OR logical operators. Optionally, group these conditions on a particular field, for example when status Equals 401 for a particular host; in this case, you group the condition on the host field. Next, define how many times, and within what time period, the conditions must be true. For example, generate an event if status Equals 401 at least 5 times in the past 10 minutes.


    Important

    When you use the Contains operator in the policy selection criteria, use a complete word from the value of the field. For example, if the value of the Country field is "United States of America", set the criteria to Country Contains United or Country Contains America. Partial words, such as Country Contains Unite or Country Contains Amer, do not match.

  • Host name, which can be either a static value that you type or a log field that you select. If you select a log field, select the same field in Group by, so that the host recorded on the event is the one whose records met the conditions.
  • Additional Details are values from the logs that are added to the fields of the generated event. These values can be either static values that you type or log fields that you select. The additional details that you can add to the event are described as slots on this page: Log Alert event class. Fields of type Enum accept only preconfigured values; if you enter a value that is not preconfigured, the default value is added to the slot in the event instead.
    To add custom fields to an event, see Event management endpoints in the REST API.
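The following is an added example, not BMC Helix Log Analytics code, that shows how the selection criteria described above behave when evaluated over log records: the three operators, AND/OR combination, grouping on a field, and a minimum count inside a time window. The policy shape, the field names (host, status, message, country) and the log records are constructed for illustration; in particular, the Contains operator is modelled as a whole-word match, which is an assumption that explains the guidance in the Important note (United matches, Unite does not).

```python
"""Added example: a minimal evaluator for alert-policy selection criteria.
Not product code; policy shape, field names and log records are constructed."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass(frozen=True)
class Condition:
    field: str
    op: str      # "Equals", "Not Equal to" or "Contains", as named on the page
    value: str


def condition_matches(cond: Condition, record: dict) -> bool:
    actual = record.get(cond.field)
    if actual is None:          # a missing field never satisfies a condition
        return False
    actual = str(actual)
    if cond.op == "Equals":
        return actual == cond.value
    if cond.op == "Not Equal to":
        return actual != cond.value
    if cond.op == "Contains":
        # Assumption: Contains is a whole-word match, so "United" matches
        # "United States of America" while the partial word "Unite" does not.
        words = re.findall(r"\w+", actual.lower())
        return cond.value.lower() in words
    raise ValueError(f"unknown operator {cond.op!r}")


@dataclass(frozen=True)
class AlertPolicy:
    name: str
    all_of: tuple                       # conditions joined with AND
    any_of: tuple = ()                  # conditions joined with OR (empty = no OR clause)
    group_by: Optional[str] = None      # field to group on, e.g. "host"
    min_count: int = 1                  # how many selected records are needed ...
    window: timedelta = timedelta(minutes=10)   # ... inside this time period


def record_selected(policy: AlertPolicy, record: dict) -> bool:
    return all(condition_matches(c, record) for c in policy.all_of) and (
        not policy.any_of or any(condition_matches(c, record) for c in policy.any_of))


def evaluate(policy: AlertPolicy, records: list) -> list:
    """Return one event per group whose selected records reach min_count inside a sliding window."""
    buckets: dict = {}
    for rec in sorted(records, key=lambda r: r["timestamp"]):
        if record_selected(policy, rec):
            key = rec.get(policy.group_by, "<none>") if policy.group_by else "<all>"
            buckets.setdefault(key, []).append(rec["timestamp"])
    events = []
    for key, times in buckets.items():
        start = 0
        for i, t in enumerate(times):
            while t - times[start] > policy.window:     # slide the window forward
                start += 1
            if i - start + 1 >= policy.min_count:
                events.append({"policy": policy.name, "host": key, "count": i - start + 1,
                               "first_seen": times[start], "last_seen": t})
                break   # one event per group; a real system would also de-duplicate over time
    return events


# Constructed sample data: a burst of 401s on web-01, scattered 401s on web-02.
T0 = datetime(2024, 5, 1, 12, 0)


def _rec(minutes: int, host: str, status: int, message: str) -> dict:
    return {"timestamp": T0 + timedelta(minutes=minutes), "host": host,
            "status": status, "message": message}


SAMPLE_LOGS = [
    _rec(0, "web-01", 401, "authentication failed for user admin"),
    _rec(1, "web-01", 401, "authentication failed for user admin"),
    _rec(2, "web-01", 401, "authentication failed for user root"),
    _rec(3, "web-01", 401, "authentication failed for user admin"),
    _rec(4, "web-01", 401, "authentication failed for user test"),
    _rec(6, "web-01", 401, "authentication failed for user admin"),
    _rec(0, "web-02", 401, "authentication failed for user alice"),
    _rec(2, "web-02", 200, "login ok for user alice"),
    _rec(15, "web-02", 401, "authentication failed for user bob"),
    _rec(30, "web-02", 401, "authentication failed for user bob"),
    _rec(5, "web-03", 403, "forbidden: insufficient privileges"),
]

# The policy from the text: status Equals 401, grouped on host, at least 5 times in 10 minutes.
FAILED_AUTH_BURST = AlertPolicy(
    name="Repeated 401s per host",
    all_of=(Condition("status", "Equals", "401"),),
    group_by="host", min_count=5, window=timedelta(minutes=10))

if __name__ == "__main__":
    for event in evaluate(FAILED_AUTH_BURST, SAMPLE_LOGS):
        print(event)
```

Only web-01 produces an event: its five 401s fall within four minutes, while web-02 never accumulates five inside any ten-minute window. Grouping on host is what keeps the two hosts from being counted together, which is the reason the page has you select the same field for Group by and for the event's host name.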


Where to go from here

To learn how to generate static alerts, see Managing-static-alerts.

To learn how to detect anomalies from logs, see WIP Detecting anomalies from logs.

To learn about log events, see Log-events.


Learn more

Read more about automated log analysis with machine learning (ML)-based anomaly detection, which processes log contents to find abnormal entries and behavior patterns, in Predictive Log Alerting with ML Anomaly Detection.
