Introduction
Log-based alerts are a facility in Google Cloud that notifies the user whenever a specific message appears in the included logs. For example, if a user wants to know when an audit log records a particular data-access message, the user can simply create a log-based alert that sends a notification when a matching entry appears. Log-based alerts aren't always a good fit: they don't operate on excluded logs, and they aren't the right tool when you want to derive counts from your logs.
Troubleshooting log-based alerts
Let's look at some of the common errors and how to troubleshoot them:
No matching logs are available
If the user tests the filters for a log-based alert and no logs are returned, check for the following problems:
- You might be trying to filter on excluded logs.
- You might be trying to filter by log buckets or by other Google Cloud resources.
- Your query might be too restrictive; check whether the field names and regular expressions you entered are correct.
Alerts aren't working
If a user has created a log-based alert but it isn't working as expected, the cause is usually one of the following:

Not sending notifications
There is a rate limit of 20 notifications a day for each log-based alert, after which you stop receiving notifications. In the most recent notification you received, look for a statement that says the notification limit has been exceeded for the day.
If the number of notifications is not what you expected, check the configuration of the log-based alert. You might need to adjust the value for Time between notifications.

The alert isn't creating incidents
On the Incidents page in Cloud Monitoring, filter the table by policy name. If there are no incidents, check that the query used to find matching logs is correct, including its field names and regular expressions. The Preview logs button can be used to help validate the query.

Alert creating incorrect incidents
If the log query is insufficiently restrictive, it may match more entries than expected. Ensure that the field names and regular expressions are correct. The Preview logs button can be used to help validate the query.
Incidents aren't closing
If incidents aren't closing, you can set the auto-close duration manually. The default period is 7 days, but you can set it to any value between 30 minutes and 7 days. The system closes incidents for log-based alerts after the configured auto-close duration has elapsed.
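The settings discussed above (the log query, Time between notifications, and the auto-close duration) correspond to fields of a Cloud Monitoring alert policy; the following policy file is an added example, not part of the original article, and PROJECT_ID and CHANNEL_ID are placeholders you must replace with your own values.

```yaml
# Example log-based alert policy for `gcloud alpha monitoring policies create --policy-from-file=policy.yaml`.
# Before creating it, preview what the filter matches so you are not alerting on
# excluded logs or on an over-restrictive query:
#   gcloud logging read 'logName="projects/PROJECT_ID/logs/cloudaudit.googleapis.com%2Fdata_access" AND protoPayload.serviceName="storage.googleapis.com"' --limit=10
displayName: "Data-access audit log: Cloud Storage reads"
combiner: OR
conditions:
  - displayName: "Matching data-access audit entry"
    conditionMatchedLog:
      # Same query string you would validate with the Preview logs button.
      filter: >-
        logName="projects/PROJECT_ID/logs/cloudaudit.googleapis.com%2Fdata_access"
        AND protoPayload.serviceName="storage.googleapis.com"
      # Optional: surface the acting principal as a label on each notification.
      labelExtractors:
        principal: EXTRACT(protoPayload.authenticationInfo.principalEmail)
notificationChannels:
  - projects/PROJECT_ID/notificationChannels/CHANNEL_ID
alertStrategy:
  # "Time between notifications": at most one notification per hour for this policy.
  # Remember the separate hard limit of 20 notifications per day per log-based alert.
  notificationRateLimit:
    period: 3600s
  # Auto-close duration: allowed range is 30 minutes (1800s) to 7 days (604800s).
  autoClose: 1800s
documentation:
  mimeType: text/markdown
  content: "A Cloud Storage data-access audit entry matched. Check the principal label and the linked log entry."
```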