Log Monitoring¶
The log monitoring feature is used to monitor all log data generated by log collectors within the workspace. It supports setting up alert rules based on log keywords to quickly identify abnormal patterns that do not conform to expected behavior, such as anomaly labels appearing in log text. This allows for timely detection and response to potential security threats or system issues.
Use Cases¶
This is particularly suitable for IT monitoring scenarios, such as code anomalies or task scheduling checks. For example, monitoring high error rates in logs.
Monitoring Configuration¶
Detection Frequency¶
This refers to the execution frequency of the detection rules; the default is set to 5 minutes.
Detection Interval¶
This refers to the time range for querying metrics each time a task is executed. Depending on the detection frequency, different intervals are available.
| Detection Frequency | Detection Interval (Dropdown Options) |
|---|---|
| 1m | 1m/5m/15m/30m/1h/3h |
| 5m | 5m/15m/30m/1h/3h |
| 15m | 15m/30m/1h/3h/6h |
| 30m | 30m/1h/3h/6h |
| 1h | 1h/3h/6h/12h/24h |
| 6h | 6h/12h/24h |
| 12h | 12h/24h |
| 24h | 24h |
Detection Metrics¶
Monitors the number of logs containing the specified keywords in the log list over a certain period for the designated detection object.
| Field | Description |
|---|---|
| Index | The index associated with the current detection metric. After setting indexes under Logs > Index, when selecting "Logs" as the data source for chart queries, you can choose logs from different indexes. The default index is default. |
| Source | The data source for the current detection metric, supporting selection of all (*) or a specific data source. |
| Keyword Search | Supports keyword search |
| Filter Conditions | Filters the detection metric data based on tags associated with the metric, limiting the scope of detected data; supports adding one or more tag filters; supports fuzzy matching and non-matching filter conditions. |
| Aggregation Algorithm | Defaults to *, corresponding function is count. If another field is selected, the function automatically changes to count distinct (counts the number of data points where the keyword appears). |
| Detection Dimensions | Any string type (keyword) fields in the configuration can be chosen as detection dimensions. Currently, up to three fields can be selected as detection dimensions. By combining multiple detection dimension fields, a specific detection object can be determined. Guance will evaluate whether the statistical metric for a given detection object meets the threshold conditions, generating an event if the conditions are met.* (For example, choosing detection dimensions host and host_ip would result in a detection object like {host: host1, host_ip: 127.0.0.1}. When the detection object is "Log", the default detection dimensions are status, host, service, source, filename.) |
| Query Method | Supports simple queries and expression queries. If the query method is an expression query and contains multiple queries, the detection object remains the same across queries. For example, if expression query A's detection object is "Log", then expression query B's detection object is also "Log". |
Trigger Conditions¶
Set trigger conditions for different alert levels: you can configure any one of critical, major, minor, or normal.
Configure trigger conditions and severity levels; if the query results contain multiple values, any value meeting the trigger condition will generate an event.
For more details, refer to Event Level Description.
If Continuous Trigger Evaluation is enabled, you can configure the number of consecutive evaluations required to trigger an event again. The maximum limit is 10 times.
Alert Levels
-
Critical (Red), Major (Orange), Minor (Yellow): Based on configured condition operators.
-
Normal (Green): Based on configured detection count, as follows:
-
Each execution of a detection task counts as 1 detection, e.g., if [Detection Frequency = 5 minutes], then 1 detection = 5 minutes.
- You can customize the detection count, e.g., if [Detection Frequency = 5 minutes], then 3 detections = 15 minutes.
| Level | Description |
|---|---|
| Normal | After the detection rule takes effect, if critical, major, or minor events occur, and the data returns to normal within the configured custom detection count, a recovery alert event is generated. Recovery alert events are not subject to Alert Mute restrictions. If no recovery alert event detection count is set, the alert event will not recover and will remain in the Events > Unrecovered Events List. |
Data Gaps¶
You can configure seven strategies for handling data gaps.
-
Evaluate the query results for the most recent minutes within the detection interval without triggering an event;
-
Evaluate the query results for the most recent minutes within the detection interval as 0; the query results will then be compared against the thresholds configured in the Trigger Conditions to determine if an anomaly event should be triggered.
-
Customize the detection interval value to trigger data gap events, critical events, major events, minor events, and recovery events; it is recommended that the custom data gap time configuration be >= detection interval time. If the configured time <= detection interval time, both data gap and anomaly conditions may be met simultaneously, in which case only the data gap handling result will apply.
Information Generation¶
Enabling this option generates "Information" events for detection results that do not match the above trigger conditions.
Note: When configuring trigger conditions, data gaps, and information generation simultaneously, the following priority applies: Data Gap > Trigger Condition > Information Event Generation.