Last Updated: Mar 27, 2024

Configure Log-based Alerts

Introduction

Log-based alerts are a facility in Google Cloud that notifies the user whenever a specific message appears in the included logs. For example, if a user wants to know when an audit log records a particular data-access message, the user can create a log-based alert that sends a notification each time a matching message appears. Log-based alerts are not a good fit for every use case: they do not operate on excluded logs, and they cannot be used to derive counts from your logs.

Creating a log-based alert(Log Explorer)

Log-based alerts can be created from the Logs Explorer page in the Google Cloud console. The interface guides the user through the essential details, which are:

  • Give a name and description for the alert.
  • Select the logs for which the user wants to receive notifications.
  • Set the minimum time interval between notifications.
  • Set the time after which incidents are closed automatically.

Steps

  • Select Logging, then Logs Explorer from the Google Cloud console.
  • Build a query that matches the message you want to use in your log-based alert using the Query pane.
  • Click the Create alert option, which is either in the header of the Query results pane or in the actions menu.
  • Give the alert a name and description in the Alert details pane. The user can also include information that might help the notification recipient diagnose the problem.
  • Click Next.
  • The user can check the query as well as its results by clicking the Preview Logs option in the Choose logs to include in the alert pane.
  • Click Next.
  • The user can set a minimum time between notifications in case the alert is triggered multiple times.
  • Click Next.
  • Choose one or more notification channels for the alert. If an email notification channel is configured, the user can select it from the list; if not, the user can click Manage notification channels and add an email channel.
  • Click Save.

Test the log-based alert

If the user wants to test the log-based alert, they need to manually write a log entry that matches the query. Follow the steps below to write a log entry:

  • Configure the log entry below by changing the Project_id variable to your project ID. Note that the result value, 999.027.405.1, is not a valid IPv4 address, which is what the alert query looks for.

{
  "entries": [
    {
      "logName": "projects/Project_id/logs/syslog",
      "jsonPayload": {
        "type": "Configuration change",
        "action": "Set network address",
        "result": "999.027.405.1"
      },
      "severity": "NOTICE",
      "resource": {
        "type": "generic_task",
        "labels": {
          "project_id": "Project_id",
          "location": "us-east1",
          "namespace": "fake-task-2",
          "job": "write-log-entry",
          "task_id": "11"
        }
      }
    }
  ]
}

  • Open the logEntries.write reference page.
  • Copy the log entry above.
  • Do the following in the Try this API panel:
    • Clear the contents of the Request body field in APIs Explorer and paste the log entry there.
    • Click Execute. If the logEntries.write call is successful, you get an HTTP response code of 200 with an empty response body.

Once the log entry is written, the following sequence occurs:

  • The new log entry appears in the Logs Explorer and triggers the alert.
  • An incident is opened in Cloud Monitoring.
  • The user will receive a notification for the Incident, and if an email notification channel is configured, then an email is also sent.

Manage log-based alerts in Monitoring

The user can view, edit, and delete log-based alerts using the Google Cloud console for Monitoring. The user can see the entire list of alerting policies in their Google Cloud project by doing one of the following:

To Navigate from Logging

  • Select Logging, then Logs Explorer from the Google Cloud console.
  • Select the Manage alerts option from either the header of the Query results pane or the actions menu.

To Navigate from Monitoring

  • Select Monitoring from the Google Cloud Console.
  • Select Alerting.
  • The Policies pane shows a partial list of policies. To view all of them and enable filtering, click See all policies.

The above steps take the user to the Monitoring Policies page, which lists all the alerting policies in the user's Cloud project. If the user wishes to restrict which alerting policies are listed, they can add filters; each filter has a name and a value.

Create a Log-based alert(Monitoring API)

A log-based alert can also be created using the Monitoring API, using the same information that the Logs Explorer requires.

Steps

Give a name and description

Every alerting policy has a display name and associated documentation that is sent with notifications to assist responders. These fields are called Alert Name and Alert Description in the Logs Explorer. They are represented in the AlertPolicy structure as follows:

{
  "displayName": "Network address: invalid IPv4 value (API)",
  "documentation": {
    "content": "Log-based alert in project ${project} detected an invalid IPv4 value.",
    "mimeType": "text/markdown"
  },
  ...
}


Select those logs for which you want a notification

Every log-based alerting policy has a single condition. The user specifies the condition by supplying a query in the Define log entries to alert on field in the Logs Explorer. This value is represented in the AlertPolicy structure as follows:

{ ...
  "conditions": [
    {
      "displayName": "Log match condition: invalid IP addr (API)",
      "conditionMatchedLog": {
        "filter": "log_id(\"syslog\") severity = \"NOTICE\" jsonPayload.result !~ \"^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(\\.|$)){4}$\""
      }
    }
  ],
  "combiner": "OR",
  ...
}


The conditions field holds a list of Condition structures. Each Condition has a displayName, which briefly describes the condition, and a conditionMatchedLog field whose value is a LogMatch structure; the filter field of that structure holds the query the user would otherwise enter in the Logs Explorer.

The combiner field specifies how the results of multiple conditions are combined in metric-based alerting policies. Because a log-based alerting policy has only one condition, the value here is simply OR.

Set notifications and auto-close values

Log-based alerting policies have a minimum time between notifications. In the Logs Explorer this is set using the Time between notifications menu; in the AlertPolicy structure it is represented by the period field of a NotificationRateLimit structure embedded in an AlertStrategy structure, with the value given in seconds. Incidents are also closed automatically after an auto-close duration, which defaults to 7 days; the user can pick a different value from the Incident autoclose duration menu. This value is also specified in seconds, and the minimum is 1800 seconds.

{ ...
  "alertStrategy": {
    "notificationRateLimit": {
      "period": "300s"
    },
    "autoClose": "604800s",
  },
  ...
}


Specify Who all to Notify

Each alerting policy includes a list of notification channels. In the Logs Explorer the user selects channels from a menu. In the AlertPolicy structure, the channels are represented as a list of resource names of configured NotificationChannel objects.

{ ...
  "notificationChannels": [
    "projects/PROJECT_ID/notificationChannels/CHANNEL_ID"
  ]
}


A resource name is assigned when a notification channel is created.
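The four pieces above are fragments of one AlertPolicy, and the test log entry from the earlier section is what that policy is meant to catch. The script below is an added example, not code from the article or from Google: it assembles the complete policy body from those fragments, fills the project ID into the test log entry, and checks locally that the entry's result value fails the policy's IPv4 regex before anything is sent to the API. The project and channel IDs are placeholders, and entry_would_match is a Python re-implementation of the three filter clauses, not the Logging query engine.

```python
import json
import re

# Constructed placeholder values (not real ids); substitute your own project and channel.
PROJECT_ID = "my-project-id"
CHANNEL_ID = "CHANNEL_ID"

# The IPv4 regex used in the article's filter. Inside the Logging query it is wrapped in
# double quotes and used with the !~ (does not match) operator.
IPV4_RE = r"^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(\.|$)){4}$"


def build_test_log_entry(project_id, result):
    """Return the logEntries.write request body from the article with the project id filled in.

    'result' is the value the policy inspects; the article uses 999.027.405.1, which is
    not a valid IPv4 address and therefore matches the alert query.
    """
    return {
        "entries": [
            {
                "logName": f"projects/{project_id}/logs/syslog",
                "jsonPayload": {
                    "type": "Configuration change",
                    "action": "Set network address",
                    "result": result,
                },
                "severity": "NOTICE",
                "resource": {
                    "type": "generic_task",
                    "labels": {
                        "project_id": project_id,
                        "location": "us-east1",
                        "namespace": "fake-task-2",
                        "job": "write-log-entry",
                        "task_id": "11",
                    },
                },
            }
        ]
    }


def build_alert_policy(project_id, channel_id, period_s=300, auto_close_s=604800):
    """Assemble the AlertPolicy structure from the four pieces the article describes.

    period_s is the minimum time between notifications; auto_close_s is the incident
    auto-close duration (default 7 days, minimum 1800 seconds, as stated in the article).
    """
    if auto_close_s < 1800:
        raise ValueError("autoClose must be at least 1800 seconds")
    # Same filter as the article: syslog, severity NOTICE, result not an IPv4 address.
    log_filter = 'log_id("syslog") severity = "NOTICE" ' + f'jsonPayload.result !~ "{IPV4_RE}"'
    return {
        "displayName": "Network address: invalid IPv4 value (API)",
        "documentation": {
            "content": "Log-based alert in project ${project} detected an invalid IPv4 value.",
            "mimeType": "text/markdown",
        },
        "conditions": [
            {
                "displayName": "Log match condition: invalid IP addr (API)",
                "conditionMatchedLog": {"filter": log_filter},
            }
        ],
        "combiner": "OR",  # only one condition, so the combiner does not matter
        "alertStrategy": {
            "notificationRateLimit": {"period": f"{period_s}s"},
            "autoClose": f"{auto_close_s}s",
        },
        "notificationChannels": [f"projects/{project_id}/notificationChannels/{channel_id}"],
    }


def policy_json(policy):
    """Serialise the policy as the JSON body for alertPolicies.create (backslashes are escaped)."""
    return json.dumps(policy, indent=2)


def entry_would_match(policy, entry_body):
    """Local approximation of the policy's condition applied to a logEntries.write body.

    Re-implements the three filter clauses in Python so the test entry can be checked
    before it is written to Cloud Logging; this is not the Logging query engine.
    """
    log_filter = policy["conditions"][0]["conditionMatchedLog"]["filter"]
    pattern = re.search(r'!~ "([^"]+)"', log_filter).group(1)  # pull the regex back out
    entry = entry_body["entries"][0]
    in_syslog = entry["logName"].endswith("/logs/syslog")
    is_notice = entry["severity"] == "NOTICE"
    not_ipv4 = re.search(pattern, entry["jsonPayload"]["result"]) is None
    return in_syslog and is_notice and not_ipv4


if __name__ == "__main__":
    policy = build_alert_policy(PROJECT_ID, CHANNEL_ID)
    print(policy_json(policy))
    for value in ("999.027.405.1", "10.0.0.1"):
        entry = build_test_log_entry(PROJECT_ID, value)
        print(value, "-> alert fires" if entry_would_match(policy, entry) else "-> no alert")
```

The JSON printed by policy_json is the body that the alertPolicies.create method accepts; note that json.dumps doubles the backslash in `\.`, which is exactly the `\\.` form shown in the filter snippet above.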

Frequently Asked Questions

Which attribute values specify the Syslog of your cloud project?

The logName value specifies the Syslog in your cloud project.

What does the type subfield specify in protoPayload?

The type subfield in protoPayload indicates that the particular log entry is an audit log entry.

Which method is used to create alert policies using Monitoring API?

The alertPolicies.create method is used to create alert policies using Monitoring API.

Conclusion

In this article, we have extensively discussed what log-based alerts are and how they are configured in Google Cloud.

After reading about log-based alerts, are you excited to explore more articles on Google Cloud? Coding Ninjas has you covered. To learn more, see the articles on GCP certification: Google Cloud Platform, the difference between AWS, Azure & Google Cloud, and which platform is best: AWS vs. Google Cloud.

If you want to improve your skills in Data Structures and Algorithms, Competitive Programming, JavaScript, etc., you should check out the Guided path column at Coding Ninjas Studio. We at Coding Ninjas Studio organize many contests in which you can participate. You can also prepare for the contests and test your coding skills with the mock test series available. If you have just started learning and your dream is to crack major tech giants like Amazon, Microsoft, etc., then you should check out the most frequently asked problems and the interview experiences of your seniors, which will surely help you land a job at your dream company.

Do upvote if you find the blogs helpful.

Happy Learning!
