Create a Detection Rule Using a Template
Use an Oracle-defined template to create a detection rule that posts a metric each time the log collection conforms to the defined rule.
Ensure that the required IAM policies are created to provide permissions. See Allow Users to Perform All Operations with Detection Rule Templates.
For the list of Oracle-defined templates, see Oracle-defined Detection Rule Templates.
The following steps use the Monitoring service as the target for monitoring the scheduled task. The metrics emitted by Oracle Logging Analytics are stored by the Monitoring service.
- Open the navigation menu and click Observability & Management. Under Logging Analytics, click Administration. The Administration Overview page opens.
  The administration resources are listed in the left-hand navigation pane under Resources. Click Detection rules.
  The Detection rules page opens. Select the compartment under Detection Rule Scope and click Create rule.
  The Create Detection Rule dialog box opens.
- Click Recommended detection rule.
- Specify a Rule name for the detection rule.
- Under Select a template:
  - To filter the available templates, select the Rule type. Currently, only Oracle-defined detection rule templates of the saved search type are available, so this field is unavailable for selection.
  - Select an Oracle-defined Template from the menu. To view more details about each template before selecting one, click Advanced search. The Search and select a template dialog box opens. The templates and their details are listed in a table. Click the row of the template that you want to select, and click Select.
    The default query that is used to implement the template is displayed. You can copy this query and run it in the Log Explorer to view its result.
    For the list of Oracle-defined templates, see Oracle-defined Detection Rule Templates.
  - Optionally, expand Show customizable options. This section displays the fields in the query that can be modified.
    For example, in the query of the template Log Group Size, the fields that can be modified are:
    - Log Group Compartment: The compartment in which the log groups must be queried. You can also enable the Subcompartments check box to query the sub-compartments of the selected compartment.
    - Size Threshold (Bytes): The log group size above which the metric is posted. By default, this is 0. For example, if the size threshold you specify is 1000 bytes, the metric is posted only when the log group size is more than 1000 bytes.
    For details about the Oracle-defined template Log Group Size, see Oracle-defined Detection Rule Templates.
- Under Setup frequency:
  Specify Interval, the aggregation window. You can optimize the schedule to run in the selected Minutes, Hours, Days, or Weeks. When you select a larger aggregation, for example Days, you can specify a finer aggregation within the range, for example, the time of day when the query must be run.
  You can specify the Frequency of running the query, such as Run indefinitely, Run once, or Custom. You can also include Repeat Count in the frequency specification for the number of times the query must be run.
- Under Select a target service to configure:
  - Select the Target Service where the results of running the query are posted, for example, Monitoring. The Monitoring service stores the metrics for the result of running the query on a schedule.
  - Select Metric Compartment, the compartment where the metric will be created. By default, a compartment is selected by Oracle Logging Analytics.
  - Select Metric Namespace, the metric namespace where you want to put the new metric. The scope of options available for selecting the namespace is defined by the selection of Metric Compartment in the previous step. If options are not available, then you can also enter a new value for the namespace.
    Note: When specifying a new value for the namespace, select a name that does not start with oracle_ or oci_. They are reserved prefixes. See Publishing Custom Metrics.
  - Optionally, select Resource Group, the group that the metric belongs to. A resource group is a custom string provided with a custom metric.
  - Enter Metric Name, the name of the metric, used in the Monitoring service explorer to view the metrics. Only one metric can be specified.
- Optionally, expand the Show Advanced Options section, and add tags to your detection rule.
- If the required IAM policies are not defined yet, then a notification is displayed that lists the policies to:
  - Create a dynamic group
  - Apply the policies to the dynamic group to allow the scheduled tasks to run
  Make note of the policies listed and create them.
- Click Create Detection Rule.
The query is now scheduled to run at a regular interval, and the resulting metrics are emitted to the Monitoring service.
Allow Users to Perform All Operations with Detection Rule Templates
To create detection rules using the templates, post the metrics to the target service, and view the metrics, first set up the right permissions by creating the following IAM policies:
- Create a dynamic group to allow Scheduled Tasks to post metrics to the Monitoring service from a specific compartment:
    ALL {resource.type='loganalyticsscheduledtask', resource.compartment.id='<compartment ocid>'}
  Alternatively, to allow metrics to be posted from all compartments:
    ALL {resource.type='loganalyticsscheduledtask'}
- Add policy statements to allow the dynamic group to perform Scheduled Task operations in the tenancy:
    allow group <group_name> to use loganalytics-scheduled-task in tenancy
    allow dynamic-group <dynamic_group_name> to use metrics in tenancy
    allow dynamic-group <dynamic_group_name> to read management-saved-search in tenancy
    allow dynamic-group <dynamic_group_name> to {LOG_ANALYTICS_QUERY_VIEW} in tenancy
    allow dynamic-group <dynamic_group_name> to {LOG_ANALYTICS_QUERYJOB_WORK_REQUEST_READ} in tenancy
    allow dynamic-group <dynamic_group_name> to READ loganalytics-log-group in tenancy
    allow dynamic-group <dynamic_group_name> to {LOG_ANALYTICS_LOOKUP_READ} in tenancy
    allow dynamic-group <dynamic_group_name> to read compartments in tenancy
- Add a policy statement to allow the dynamic group to access the template in a specific compartment:
    allow dynamic-group <dynamic_group_name> to {LOG_ANALYTICS_TEMPLATE_READ} in tenancy
  Oracle-defined templates are located in the root compartment. In case of a user-created template, specify the exact compartment where the template is located.
- Some of the above policy statements are included in the readily available Oracle-defined policy templates. You may want to consider using the template for your use case. See Oracle-defined Policy Templates for Common Use Cases.
- For information about dynamic groups and IAM policies, see OCI Documentation: Managing Dynamic Groups and OCI Documentation: Managing Policies.
- For the policy details, see Building Metric Queries - Prerequisites in Oracle Cloud Infrastructure Documentation.
- For the Scheduled Tasks API reference, see ScheduledTask Reference in Oracle Cloud Infrastructure API Documentation.
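A pre-flight check for the values this page asks you to enter, as an added example (not Oracle's code): it tests a new metric namespace against the reserved prefixes and flags dynamic-group matching rules and policy statements that apply tenancy-wide, so they can be reviewed before creation. The group names la-admins and la-tasks and all function names are hypothetical, and the parser covers only the statement shapes shown on this page.

```python
import re

RESERVED_PREFIXES = ("oracle_", "oci_")  # reserved namespace prefixes named on this page

# One statement: allow <group|dynamic-group> <name> to <grant> in <scope> [where <cond>]
STATEMENT_RE = re.compile(
    r"^allow\s+(?P<kind>dynamic-group|group)\s+(?P<subject>\S+)\s+to\s+"
    r"(?P<grant>\{[^}]+\}|\w+\s+[\w-]+)\s+in\s+"
    r"(?P<scope>tenancy|compartment\s+\S+)(?:\s+where\s+(?P<cond>.+))?$",
    re.IGNORECASE,
)

def check_namespace(namespace):
    """True if a new metric namespace avoids the reserved prefixes (case-insensitive)."""
    return not namespace.lower().startswith(RESERVED_PREFIXES)

def audit_matching_rule(rule):
    """Findings for a dynamic-group matching rule meant for scheduled tasks."""
    findings = []
    if "resource.type='loganalyticsscheduledtask'" not in rule.replace(" ", ""):
        findings.append("not limited to resource.type loganalyticsscheduledtask")
    if "resource.compartment.id" not in rule:
        findings.append("no resource.compartment.id: tasks from all compartments match")
    return findings

def audit_statements(statements):
    """(statement, finding) pairs for unconditioned tenancy-wide grants and unparsed lines."""
    findings = []
    for text in statements:
        m = STATEMENT_RE.match(text.strip())
        if m is None:
            findings.append((text, "unparsed: check for run-together statements"))
        elif m["scope"].lower() == "tenancy" and m["cond"] is None:
            findings.append((text, "tenancy-wide grant of " + m["grant"]))
    return findings

# Constructed sample: statements from this page with hypothetical group names filled in.
SAMPLE_RULE = "ALL {resource.type='loganalyticsscheduledtask'}"
SAMPLE_STATEMENTS = [
    "allow group la-admins to use loganalytics-scheduled-task in tenancy",
    "allow dynamic-group la-tasks to use metrics in tenancy",
    "allow dynamic-group la-tasks to {LOG_ANALYTICS_TEMPLATE_READ} in tenancy",
    "allow dynamic-group la-tasks to READ loganalytics-log-group in tenancy",
]

if __name__ == "__main__":
    print(check_namespace("oci_logan"), audit_matching_rule(SAMPLE_RULE))
    for statement, finding in audit_statements(SAMPLE_STATEMENTS):
        print(finding, "<-", statement)
```

A finding is a prompt to review scope, not an error: as noted above, Oracle-defined templates are located in the root compartment.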