Alerts will automatically notify you when important events happen within your system.
- Match: How many times the event must occur in a given time frame to trigger an alert
- Report: Sets a limit for the maximum amount of alert notifications you want to receive in the selected time frame.
- Send to: Send the alert to any email address or choose another pre-integrated method such as Slack, PagerDuty, HipChat, Campfire, iPhone app, or Webhook.
In this doc we will cover how to set up an Email Alert.
The first step in creating an alert is to define a tag; you can read up on how to create a Tag here. Once the tag is created you can begin to configure the Alert settings.
First set the Report values to the values that you wish for this alert. Once that is set, tick the
Specify how often the event must occur before an alert is triggered. Also specify how often you would like to be notified. This allows you to avoid flooding your inbox with notifications and to get alerts when they really matter. With the option It must match at least you can specify how many times the pattern MUST match in order to trigger the alert.
The most common option, Once, triggers the alert on every occurrence. A more refined option, 100x/hour, specifies that the pattern must match at least 100 times in the last 60 minutes. The alert is triggered when our alert counter reaches this limit. However, note that it does not trigger again if the pattern is continually matched above the threshold: the counter must drop below the limit and then climb over the threshold again to be re-triggered. This allows us to avoid flooding you with alert reports.
The option Report this alert at most enables you to limit the number of alert reports you receive. You can thus easily avoid getting flooded with reports of the same alert, while making sure you still get the most important ones. All time specifications (last hour, last day) represent a sliding window. That means the time window is not fixed to the current clock hour or calendar day; instead it slides with the current time and refers to the last 60 minutes or the last 24 hours. This is more convenient than a fixed-hour/day specification: attacks and errors do not respect hour or day boundaries.
In cases where your log data may contain sensitive data, you may wish to send an alert that does not contain any log data in the body. To remove context from your alert, simply deselect the Include context checkbox in the UI.
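To make the three settings above concrete, here is an added example (written for this doc, not the product's own code) that models the match threshold with its re-trigger hysteresis, the sliding-window report limit, and the Include context switch. The class names SlidingWindowCounter and PatternAlert, the run helper and the SAMPLE_LOG lines are all assumptions constructed for the example; timestamps are plain seconds.

```python
from collections import deque


class SlidingWindowCounter:
    """Counts timestamps that fall inside the trailing `window_seconds`.

    The window slides with the current time (the last 60 minutes), rather
    than being fixed to the current clock hour.
    """

    def __init__(self, window_seconds):
        self.window = window_seconds
        self.events = deque()

    def _expire(self, now):
        # Drop everything at or before `now - window`.
        while self.events and self.events[0] <= now - self.window:
            self.events.popleft()

    def add(self, ts):
        self._expire(ts)
        self.events.append(ts)

    def count(self, now):
        self._expire(now)
        return len(self.events)


class PatternAlert:
    """Hypothetical alert model (an assumption, not the product's implementation).

    match_threshold / match_window:  "It must match at least N times in W"
                                     (threshold 1 behaves like the "Once" option)
    max_reports / report_window:     "Report this alert at most N times in W"
    include_context:                 the "Include context" checkbox
    """

    def __init__(self, pattern, match_threshold, match_window,
                 max_reports, report_window, include_context=True):
        self.pattern = pattern
        self.threshold = match_threshold
        self.matches = SlidingWindowCounter(match_window)
        self.reports = SlidingWindowCounter(report_window)
        self.max_reports = max_reports
        self.include_context = include_context
        self.armed = True      # False once fired, until the count drops below threshold
        self.reported = []     # timestamps of notifications actually sent
        self.suppressed = 0    # firings dropped because the report limit was reached

    def observe(self, ts, line):
        """Feed one log line; return a notification dict, or None."""
        if self.pattern not in line:
            return None
        # Hysteresis: re-arm only if the counter had fallen below the
        # threshold before this match arrived.
        if self.matches.count(ts) < self.threshold:
            self.armed = True
        self.matches.add(ts)
        if self.matches.count(ts) < self.threshold:
            return None
        if self.threshold > 1:
            if not self.armed:
                return None   # still continually above the threshold
            self.armed = False
        # The alert has fired; now apply the "report at most" limit.
        if self.reports.count(ts) >= self.max_reports:
            self.suppressed += 1
            return None
        self.reports.add(ts)
        self.reported.append(ts)
        return {"ts": ts, "context": line if self.include_context else None}


# Constructed sample log: (seconds, line). Not real data.
SAMPLE_LOG = [
    (0, "ERROR db timeout"), (10, "ERROR db timeout"), (20, "ERROR db timeout"),
    (30, "ERROR db timeout"), (40, "INFO request ok"),
    (100, "ERROR db timeout"), (110, "ERROR db timeout"), (120, "ERROR db timeout"),
    (130, "ERROR db timeout"),
    (200, "ERROR db timeout"), (210, "ERROR db timeout"), (220, "ERROR db timeout"),
]


def run(alert, log=SAMPLE_LOG):
    """Replay a log through an alert; return the notifications that would be sent."""
    return [n for n in (alert.observe(ts, line) for ts, line in log) if n is not None]


if __name__ == "__main__":
    # "at least 3 matches in the last 60 s, report at most 2 per hour"
    alert = PatternAlert("ERROR", 3, 60, max_reports=2, report_window=3600)
    for note in run(alert):
        print("notify", note)
    print("sent at", alert.reported, "suppressed", alert.suppressed)
```

Replaying SAMPLE_LOG with the 3-in-60-seconds setting, the alert fires at t=20, stays quiet while the count remains above 3, fires again at t=120 after the window emptied, and fires a third time at t=220, which is suppressed by the 2-per-hour report limit. With threshold 1 every matching line produces a notification, and with include_context=False the notification carries no log line.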