The Log Audit Service application provides built-in alert rules. You can enable the alert instances of alert rules to monitor logs in real time. This topic describes how to configure alerts.

Prerequisites

The audit feature is enabled on the Global Configurations page for related cloud services. For more information, see Configure log collection.

Background information

The Log Audit Service application provides built-in resources: alert rules, an alert policy, an action policy, a user group, and alert templates. You can use these built-in resources based on the following rules:
  • You can specify the built-in alert policy in an alert rule.
    Note: The built-in alert rules that are provided by the Log Audit Service application are associated with the built-in alert policy. You cannot disassociate the built-in alert policy from the alert rules or associate other alert policies with the alert rules.
  • You can specify the built-in action policy in the built-in alert policy.
  • You can specify the built-in user group and specify a built-in alert template in the built-in action policy.

Configuration process

You can use built-in resources or custom resources to configure alerts. The following process shows how to configure alerts.

The built-in resources that are provided by Log Service can be applied to most alerting scenarios. You can use built-in resources or custom resources based on your business requirements. In this example, built-in resources are used to configure alerts.

Step 1: Create users

  1. Log on to the Log Service console.
  2. In the Log Application section, click Log Audit Service.
  3. In the left-side navigation pane, choose Audit Alert > User Management > User.
  4. Create users.
    For more information, see Create users and user groups.

Step 2: Add users to the built-in user group

  1. In the left-side navigation pane, choose Audit Alert > User Management > User Group.
  2. In the User Groups list, find the built-in user group whose ID is sls.app.audit.builtin and click Edit in the Actions column.
  3. In the Edit User Group dialog box, add the users that you created from the Available Members section to the Selected Members section. Then, click OK.

Step 3: Enable alert instances

  1. In the left-side navigation pane, choose Audit Alert > Policy Settings > Alert Rules.
  2. In the Alert Rules list, find the alert rule that you want to use and click Enable in the Actions column.
    After you enable an alert instance, Log Service monitors the Log Audit Service application in real time. To enable multiple alert instances, click Add.

    For more information about built-in alert rules, see Overview.

Related operations

| Operation | Description |
| --- | --- |
| Configure whitelists | You can configure whitelists for specific alert rules. This way, alerts are not triggered by specific users, instance IDs, or IP addresses. The whitelist configurations vary based on alert rules. For more information, see Overview. |
| Disable alert instances | If you disable an alert instance, the status in the Status column of the alert instance changes to Not Enabled, and no more alerts are triggered based on the alert instance. The configurations of the alert instance are not deleted. If you want to re-enable the alert instance to monitor data, you do not need to reconfigure the parameters of the alert instance. |
| Pause alert instances | If you pause an alert instance, no alerts are triggered within a specified period of time based on the alert instance. |
| Resume alert instances | You can resume the alert instances that are paused. |
| Delete alert instances | If you delete an alert instance, the status in the Status column of the alert instance changes to Not Created. The configurations of the alert instance such as the settings of an Alibaba Cloud account are deleted. If you want to re-enable the alert instance to monitor data, you must set the parameters of the alert instance again. |
| Upgrade alert instances | If a major upgrade is released for alert rules or if additional configurations are required after alert rules are upgraded, you are prompted to upgrade alert rules. In most cases, Log Service automatically upgrades alert rules. |
| Initialize alerts | If the assets generated during alert initialization are deleted by mistake or if the alert assets fail to be initialized for the first time, you can perform this operation to forcibly re-initialize the alert assets. |
| Modify the action policy that is associated with the built-in alert policy | If you want to use a custom action policy, you must create the custom action policy, and then modify the action policy that is associated with the built-in alert policy on the Alert Policy page. |