Oracle Cloud Infrastructure Documentation

Detect Predefined Events at Ingest Time

You can create rules to detect specific content in the log records. You can do this by creating a detection rule based on a label which is associated with the log records from specific log sources and entity types. Use this feature to identify anomalies at ingest time.

Before you create the detection rule, first identify the label that you can use for generating the alert. Edit the log source and use the label for detecting specific content in the log records. See Use Labels in Sources. To create a new label, see Create a Label. For example, if the detection rule must be defined to detect 503 error in the Apache Tomcat Access Logs, then the following steps must be followed:

  • Create a label, say Availability Error.

  • Use the label in the source Apache Tomcat Access Logs.

  • In the source definition, map the occurrence of the base field Status having the value 503, with the label Availability Error.

  • Create the detection rule on the label Availability Error and specify the log source Apache Tomcat Access Logs as a filter for the logs.

To create and manage an ingest time detection rule, first ensure that the required permissions are provided. See Allow Users to Perform Ingest Time Alert Rule Operations.

To create an ingest time detection rule that generates an alert every time a log record containing the matching label and filter settings is encountered, perform the following steps:

  1. Open the navigation menu and click Observability & Management. Under Logging Analytics, click Administration. The Administration Overview page opens.

    The administration resources are listed in the left hand navigation pane under Resources. Click Detection rules.

    The Detection rules page opens. Click Create rule.

    The Create Detection Rule dialog box opens.

  2. Click Ingest time detection rule.

  3. Specify a Rule name for the ingest time detection rule.

  4. In the Select a label section, from the menu, select the Label which must be detected in the log records.

    Additionally, you can specify the entity type and log source to use for filtering the log records.

  5. Specify the target service where the alert must be reported. Select Monitoring service. The metric generated in the Monitoring service with the information of the alerts generated.

    Select the Metric Compartment where the metrics must be stored.

    Select the Metric namespace.

    Optionally, select the Resource Group that the metric belongs to.

    Specify a Metric Name for the metrics that get generated for the alerts.

  6. By default, Label and Rule OCID are used as dimensions. Additionally, if required, you can select more values from the available options of fields for Dimensions. These are the values that can be used to filter the metric data. The field options available to you for selection depend on the log source you specified in step 4 in addition to some commonly used fields. If no log source is specified, then all fields are available.

    Click Create Detection Rule.

When the match specified in the log source is encountered in the log record while ingesting, a metric value is posted to OCI Monitoring service. You can get alerts from OCI Monitoring service by configuring an alarm on that metric. See Create Alerts for Detected Events.

Allow Users to Perform Ingest Time Alert Rule Operations

Individual resource-type: loganalytics-ingesttime-rule

Part of aggregate resource-type: loganalytics-resources-family

Use Case IAM Policies

Ingest time rule can be in any compartment in the tenancy

Example policy statements to provide MANAGE permission for ingest time rule resource and to post metrics to Monitoring service:

allow group <group_name> to manage loganalytics-ingesttime-rule in tenancy

allow service loganalytics to use metrics in tenancy

Ingest time rule is in a specific compartment

Example policy statements to provide MANAGE permission for ingest time rule resource and to post metrics to Monitoring service:

allow group <group_name> to manage loganalytics-ingesttime-rule in compartment <compartment_OCID>

allow service loganalytics to use metrics in tenancy

The Manage permission for the ingest time rule resource allows you to list the ingest time rules, get details about an ingest time rule, create, delete, or update an ingest time rule, and move it to a different compartment.

Some of the above policy statements are included in the readily available Oracle-defined policy templates. You may want to consider using the template for your use case. See Oracle-defined Policy Templates for Common Use Cases.