11 Create An Alert Rule

Create an alert rule that generates an alert when an anomaly or a deviation from the fixed threshold is detected in the log data.

  1. From Oracle Log Analytics, click the OMC Navigation (open menu icon) icon on the top left corner of the interface. In the OMC Navigation bar, click Alerts Rules.

  2. In the Service list, select Log Analytics.

  3. Click Create Alert Rule on the top right corner of the window.

    The Create Alert Rule dialog box opens.

  4. In the Rule Name field, enter the rule name.

  5. Click Add Description, and provide details about the rule that you’re creating.

  6. In the Search Name list, select the name of the saved search that the alert rule must be associated with.

  7. In the Rule type field,

    • to create a scheduled alert, select the Scheduled alert option.

      1. For Condition Type, select Fixed Threshold or Anomaly.

        The anomaly-based alert rule is enabled automatically after data has been collected for 30 intervals.

      2. In Results, specify the details of the condition in the Operator, Warning Threshold, and Critical Threshold fields.

      3. Enter the periodicity of the rule in Schedule Interval.

        You can select any value between 15 minutes and 7 days as the Schedule Interval. Your saved search runs automatically at the interval that you specify.

      You can save a maximum of 50 scheduled alerts.

    • to create a real time alert that’s triggered by the presence of a label in the log records, select the Real Time alert option.

      1. In the Entity Type field, click the down arrow, and select your entity type.

      2. In the Label field, click the down arrow, and select the label for which you want to generate the alert.

      3. In the Log Source field, enter the name of the log source.

      Note:

      Alerts are generated for log records only if their entity is specified.

  8. If you want to customize your alert message, then under Customize Message Format, select Use custom message. You can customize any or all of the following messages:

    • Warning: This message is generated when an alert is marked as a warning alert. The warning alert is triggered when the metric associated with it violates the warning threshold value as defined in the rule.

    • Critical: This message is generated when an alert is marked as a critical alert. The critical alert is triggered when the metric associated with it violates the critical threshold value as defined in the rule.

    • Clear: This message is generated when an alert is cleared. The clear message is sent when the metric associated with it no longer violates the warning or critical thresholds.

    Format of the Custom Message:

    You can enter any text in the text field next to the type of the message. Additionally, you can insert system values in the message by using the predefined tokens listed under Available Message Tokens; each token is substituted in the actual message by the value it refers to. Expand the Available Message Tokens section to view the table that lists the tokens and describes them. For example, to create the following custom message for the critical alert:

    A critical alert has been generated because the value 2000 exceeds the designated threshold of 1500.

    Enter the following text in the Critical text field to generate the above message:

    A critical alert has been generated because the value %{sys.value}% exceeds the designated threshold of %{sys.criticalThreshold}%.

    In the above message, the token %{sys.value}% is replaced by the actual value 2000, and the token %{sys.criticalThreshold}% is replaced by its actual value 1500.

    Important: Enclose each token in percent and curly bracket characters, for example %{some-token}%.
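    The following is an added illustration, not part of the Oracle documentation: it models how a scheduled Fixed Threshold rule classifies a result as warning, critical or clear, and how a custom message with %{token}% placeholders is rendered. The operator semantics, the sys.warningThreshold token and the warning/clear message texts are assumptions; the critical message is the one shown above.

```python
import re

# Token syntax from the page: %{token-name}%. Unknown tokens are left in place
# so a typo in a custom message stays visible instead of being silently blanked.
TOKEN_RE = re.compile(r"%\{([A-Za-z0-9_.-]+)\}%")

# Operator meanings are assumed; the page only names the Operator field.
OPERATORS = {
    ">": lambda v, t: v > t,
    ">=": lambda v, t: v >= t,
    "<": lambda v, t: v < t,
    "<=": lambda v, t: v <= t,
}


def classify(value, operator, warning, critical):
    """Map one scheduled-search result to 'critical', 'warning' or 'clear'.
    Critical is checked first so it wins when both thresholds are crossed."""
    violates = OPERATORS[operator]
    if violates(value, critical):
        return "critical"
    if violates(value, warning):
        return "warning"
    return "clear"


def render(template, tokens):
    """Substitute every %{token}% occurrence with its value from `tokens`."""
    return TOKEN_RE.sub(lambda m: str(tokens.get(m.group(1), m.group(0))), template)


def evaluate(value, operator, warning, critical, messages, previous="clear"):
    """Return (severity, message or None) for one evaluation of the rule.
    A message is emitted only when the severity changes, so the Clear message
    is sent exactly when a prior warning or critical alert stops violating."""
    severity = classify(value, operator, warning, critical)
    if severity == previous:
        return severity, None
    # sys.warningThreshold is assumed by analogy with sys.criticalThreshold.
    tokens = {"sys.value": value, "sys.warningThreshold": warning,
              "sys.criticalThreshold": critical}
    return severity, render(messages[severity], tokens)


MESSAGES = {  # constructed custom messages; the critical one is from the page
    "warning": "Warning: the value %{sys.value}% exceeds the warning threshold of %{sys.warningThreshold}%.",
    "critical": "A critical alert has been generated because the value %{sys.value}% exceeds the designated threshold of %{sys.criticalThreshold}%.",
    "clear": "Alert cleared: the value %{sys.value}% is back within thresholds.",
}
```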

  9. Under Notifications, you can specify the recipients to receive notifications when any result violates the specified threshold.

    Notification Channels: Classes of notification destinations are called notification channels. Notification channels allow you to set up and reuse functional groups of notification recipients, such as regional administrators, IT managers, or other Web servers without having to specify large numbers of individual destinations repeatedly. Once you set up a notification channel, you can reuse the channels across different alert rules.

    • Email: Specify the email address or email notification channels. To create a new email channel:

      1. Click Email Channel.

      2. In Channel Name, enter the name of the new email channel that you’re creating.

      3. In Email Addresses, enter a comma-separated list of recipient email addresses to include in the channel that you’re creating.

      4. Click Create.

    • Mobile: Specify the user names or mobile notification channels. To create a new mobile channel:

      1. Click Mobile Channel.

      2. In Channel Name, enter the name of the new mobile channel that you’re creating.

      3. In OMC User Names, enter a comma-separated list of user names to include in the channel that you’re creating.

      4. Click Create.

      Note:

      The Oracle Management Cloud Mobile app must be installed and signed into before a user can receive a push notification. The Oracle Management Cloud Mobile app can be downloaded from the app store.

    • Integrations: From the list, select the integration notification channel.

      In addition to notifying people, Oracle Log Analytics can also send relevant information to third-party web applications (such as Slack or Hipchat) if an alert is raised, allowing you to extend Oracle Log Analytics functionality by having third-party applications carry out actions in response to an alert notification. This type of system integration is achieved using WebHooks: an HTTP POST message containing a JSON payload that is sent to a destination URL. When an alert is raised, you can have that alert sent to PagerDuty or ServiceNow for incident management.

      To create an integration notification channel, see Set Up Notification Channels in Using Oracle Infrastructure Monitoring.

  10. Under Remediation Action, from the list, select the remediation action that must be performed automatically in response to an alert.

    You can create a Remediation Action using the Event Service API. Contact your Oracle Support or Sales Representative for more information about accessing and using the Event Service API.

  11. Click Save.

View and Edit Alert Rules

  1. From Oracle Log Analytics, click the OMC Navigation (open menu icon) icon on the top left corner of the interface. In the OMC Navigation bar, click Alerts.

  2. Click Alert Rules on the top right corner of the window.

  3. Click the name of the alert rule to view and edit.

Note:

You can also delete an alert rule by clicking the Delete icon next to the alert rule name.

Generate Inline Alerts

You can define alerts such that the anomalies are detected based on the inline content of the logs. This can be done by associating an alert with a label that’s tagged for the log records from a specific log source and entity type.

To generate inline alerts, first edit the log source to add a label on detecting the specific content in the log record. Next, associate the log source with an entity type. Lastly, define a real time alert rule on the specific target type, label and log source. For example, edit the source mvHostSrc2 and add a label invalid_usr that tags the user name anonymous. Next, associate the log source mvHostSrc2 with the entity Host(Linux). Lastly, create a real time alert rule that raises an alert every time a log record containing the user name anonymous is encountered by associating the alert with the label invalid_usr, log source mvHostSrc2, and entity Host(Linux).

  1. Edit the log source, and add a label for the specific log record content. For example, add a label invalid_usr when the user name is anonymous. See Use Labels in Log Sources.

  2. Associate the log source with an entity type. See Work with Entity Associations.

  3. Create an alert rule for the specific log source, label, and entity type. See Create An Alert Rule.

    In the Rule type field in the Create Alert Rule dialog box, select the Real time alert option. The following are some example values that you can use while creating the alert rule:

    • In the Rule Name field, enter testAlertRule2.

    • In the Entity Type list, select Host (Linux).

    • In the Label list, select invalid_usr.

    • In the Log Source field, enter mvHostSrc2.

When the tag that you specified in the log source is encountered, an alert is raised. For example, an invalid_usr alert is raised for the log record when the user name is anonymous.

Click the message to view the alert details.
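As an added illustration that is not part of the Oracle documentation, the three steps above modelled in code: a source-level label rule tags records, and a real time rule raises an alert only when source, label and entity type all match. The record fields, the label-rule structure and the alert text are assumptions; the values mvHostSrc2, invalid_usr, anonymous, Host (Linux) and testAlertRule2 are the page's example values.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class LogRecord:
    """Constructed record shape: source, entity type (None = entity not specified),
    a parsed user field, and the labels attached by the log source."""
    source: str
    entity_type: Optional[str]
    user: str
    labels: set = field(default_factory=set)


# Step 1: label rules added to the log source (source, field, value, label).
LABEL_RULES = [("mvHostSrc2", "user", "anonymous", "invalid_usr")]

# Step 3: the real time alert rule from the page's example values.
REAL_TIME_RULE = {"name": "testAlertRule2", "entity_type": "Host (Linux)",
                  "label": "invalid_usr", "source": "mvHostSrc2"}


def apply_source_labels(record, rules=LABEL_RULES):
    """Tag the record with every label whose source and field value match."""
    for source, fld, value, label in rules:
        if record.source == source and getattr(record, fld, None) == value:
            record.labels.add(label)
    return record


def evaluate_real_time_rule(record, rule):
    """Raise an alert only when entity type, source and label all match.
    Records whose entity is not specified never alert (Note under Real Time alert)."""
    if record.entity_type is None or record.entity_type != rule["entity_type"]:
        return None
    if record.source != rule["source"] or rule["label"] not in record.labels:
        return None
    return f"{rule['name']}: label {rule['label']} in {record.source} on {record.entity_type}"


def process(records, rule=REAL_TIME_RULE):
    """Run steps 1 and 3 over a batch of records and return the raised alerts."""
    alerts = (evaluate_real_time_rule(apply_source_labels(r), rule) for r in records)
    return [a for a in alerts if a]


SAMPLE_RECORDS = [  # constructed sample records
    LogRecord("mvHostSrc2", "Host (Linux)", "anonymous"),  # alerts
    LogRecord("mvHostSrc2", "Host (Linux)", "alice"),      # no label
    LogRecord("mvHostSrc2", None, "anonymous"),            # entity not specified
    LogRecord("otherSrc", "Host (Linux)", "anonymous"),    # wrong source
]
```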

View the Entity Details for an Alert

To analyze the alert and identify the log entry that corresponds to the alert:

  1. From Oracle Log Analytics, click the OMC Navigation (open menu icon) icon on the top left corner of the interface. In the OMC Navigation bar, click Alerts.

    You can view the list of alerts with details such as Severity, Message, Entity, Entity Type, Last Updated, and Duration.

  2. In the row corresponding to your alert, hover your cursor over the entity name.

    A pop-up window with the entity name opens.

  3. Click the View More icon.

    A pop-up window opens with details of the entity.

  4. Click the down arrow next to View Entity. Select Log Analytics.

    The Entity page opens in Oracle Log Analytics.

You can now view the details of the entity that corresponds to the alert.