Detect Predefined Events at Ingest Time
Before you create the detection rule, first identify the label that you can use for generating the alert. Edit the log source and use the label for detecting specific content in the log records. See Use Labels in Sources. To create a new label, see Create a Label. For example, if the detection rule must be defined to detect 503 errors in the Apache Tomcat Access Logs, then the following steps must be followed:
- Create a label, say Availability Error.
- Use the label in the source Apache Tomcat Access Logs.
- In the source definition, map the occurrence of the base field Status having the value 503 with the label Availability Error.
- Create the detection rule on the label Availability Error and specify the log source Apache Tomcat Access Logs as a filter for the logs.
To create and manage an ingest time detection rule, first ensure that the required permissions are provided. See Allow Users to Perform Ingest Time Alert Rule Operations.
To create an ingest time detection rule that generates an alert every time a log record containing the matching label and filter settings is encountered, perform the following steps:
1. Open the navigation menu and click Observability & Management. Under Logging Analytics, click Administration. The Administration Overview page opens. The administration resources are listed in the left hand navigation pane under Resources. Click Detection rules. The Detection rules page opens. Click Create rule. The Create Detection Rule dialog box opens.
2. Click Ingest time detection rule.
3. Specify a Rule name for the ingest time detection rule.
4. In the Select a label section, from the menu, select the Label which must be detected in the log records. Additionally, you can specify the entity type and log source to use for filtering the log records.
5. Specify the target service where the alert must be reported. Select Monitoring service. A metric is generated in the Monitoring service carrying the information of the alerts generated. Select the Metric Compartment where the metrics must be stored. Select the Metric namespace. Optionally, select the Resource Group that the metric belongs to. Specify a Metric Name for the metrics that get generated for the alerts.
6. By default, Label and Rule OCID are used as dimensions. Additionally, if required, you can select more values from the available options of fields for Dimensions. These are the values that can be used to filter the metric data. The field options available to you for selection depend on the log source you specified in step 4 in addition to some commonly used fields. If no log source is specified, then all fields are available. Click Create Detection Rule.
When the match specified in the log source is encountered in the log record while ingesting, a metric value is posted to OCI Monitoring service. You can get alerts from OCI Monitoring service by configuring an alarm on that metric. See Create Alerts for Detected Events.
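As an added illustration (not code from this page or from Oracle), the following Python simulates the flow described in the label example and the rule steps above: the source definition labels Tomcat access-log records whose Status is 503 as Availability Error, and an ingest time detection rule filtered to that source posts one metric datapoint per labelled record with Label and Rule OCID as dimensions. The log lines, the label map and the rule OCID placeholder are constructed for the example.

```python
import re

# Constructed sample lines in Tomcat's common access-log format (not from the page).
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Mar/2024:10:01:02 +0000] "GET /app/ HTTP/1.1" 200 5120',
    '10.0.0.7 - - [12/Mar/2024:10:01:03 +0000] "GET /app/api HTTP/1.1" 503 213',
    '10.0.0.9 - - [12/Mar/2024:10:01:04 +0000] "POST /app/login HTTP/1.1" 503 180',
]

ACCESS_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+)$'
)

# Source definition from the page: base field Status with value 503 -> label Availability Error.
LABEL_MAP = {"Status": {"503": "Availability Error"}}

def parse_record(line, source="Apache Tomcat Access Logs"):
    """Parse one access-log line into a record and attach labels per the source definition."""
    m = ACCESS_RE.match(line)
    if not m:
        return None  # unparsable line: no base fields, so no label can match
    rec = {"Source": source, "Client Host": m.group("client"),
           "Status": m.group("status"), "Labels": set()}
    for field, mapping in LABEL_MAP.items():
        label = mapping.get(rec.get(field))
        if label:
            rec["Labels"].add(label)
    return rec

def ingest_time_rule(records, label, source_filter, rule_ocid, metric_name, extra_dims=()):
    """Simulated ingest time detection rule: every record that carries `label` and comes
    from `source_filter` posts one metric datapoint; Label and Rule OCID are always dimensions."""
    datapoints = []
    for rec in records:
        if rec is None or rec["Source"] != source_filter or label not in rec["Labels"]:
            continue
        dims = {"Label": label, "Rule OCID": rule_ocid}
        dims.update({d: rec.get(d) for d in extra_dims})
        datapoints.append({"name": metric_name, "value": 1, "dimensions": dims})
    return datapoints

def run_example():
    # The rule OCID below is a placeholder, not a real identifier.
    records = [parse_record(line) for line in SAMPLE_LOG]
    records.append(parse_record(SAMPLE_LOG[1], source="Other Source"))  # same 503, filtered out
    return ingest_time_rule(records, "Availability Error", "Apache Tomcat Access Logs",
                            "ocid1.loganalyticsingesttimerule.oc1..PLACEHOLDER",
                            "availability_errors", extra_dims=("Client Host",))
```

Only the two 503 records from the filtered source produce datapoints; the 200 record carries no label and the 503 from the other source is dropped by the source filter.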
Allow Users to Perform Ingest Time Alert Rule Operations
Individual resource-type: loganalytics-ingesttime-rule
Part of aggregate resource-type: loganalytics-resources-family

Use Case | IAM Policies
---|---
Ingest time rule can be in any compartment in the tenancy | Example policy statements to provide MANAGE permission for ingest time rule resource and to post metrics to Monitoring service:
Ingest time rule is in a specific compartment | Example policy statements to provide MANAGE permission for ingest time rule resource and to post metrics to Monitoring service:
The Manage permission for the ingest time rule resource allows you to list the ingest time rules, get details about an ingest time rule, create, delete, or update an ingest time rule, and move it to a different compartment.
Some of the above policy statements are included in the readily available Oracle-defined policy templates. You may want to consider using the template for your use case. See Oracle-defined Policy Templates for Common Use Cases.