Log Pattern Alerting

Hands-off alerting when Log Pattern volume changes.

Overview

Detecting rapid changes in Log Pattern volume yields actionable information to spot unusual pattern trends or anomalies.

2-click monitoring of log patterns provides an easy and hands-off alerting setup mode. Users can choose to be alerted if a given pattern appears (presence detector) or if a given pattern volume suddenly changes (drift detector).

Alert notifications are delivered in the notification area which is located on the top right corner of the UI. Triggered alerts are visible in the Pattern Alert tab and are easily enabled or disabled.

Monitoring a Log Pattern

From the Patterns tab, users need to click on the bell-shaped iconto access the Log Pattern Alerting menu.

Monitoring a Log Pattern from the Patterns tab

From there, users need to select either detect drift and/or detect presence.

Two kind of Log Pattern alerts are possible: drift of presence

Viewing Log Pattern alerts

One a Log Pattern was monitored, a new graph appears in the Pattern Alert tab. This graph shows the temporal evolution of the corresponding pattern volume and displays detected alerts as vertical upward red arrows.

On the top right corner of each graph, users can either un-monitor a pattern by pressing the bell-shaped icon (note that this does not remove the volume graph nor the previous alerts, it will only prevent future detections), or remove completely the given alert.

Case of a Log Pattern with a healthy condition, that is without any detected anomaly. Graph represents pattern log counts.

Case of a Log Pattern with detected presence anomalies, shown here as vertical upward arrows.

Log Pattern notifications

Every time a Log Pattern alert is triggered, a corresponding notification is delivered in the notification area, which can be accessed by clicking on the bell-shape iconlocated at the top right corner of the UI.

The bell-shaped icon has a red point when there are some unseen notifications. The point disappears when all notifications were seen. Note that it is possible to mark a seen notification as unseen by clicking on the 3-dot icon next to the alert timestamp.

Each triggered alert appears with the type of alerting (presence or drift), the timestamp at which it was triggered, the pattern description and a link to the corresponding Pattern Alert tab.

The Log Pattern Alert notification menu

Drift or presence? Which algorithm to choose ?

First, let us describe how each of those detectors operate:

• Drift: the median of pattern log counts over fixed-size, consecutive windows is observed. If this KPI value differs strongly from neighboring ones, the detector triggers a drift alert.

• Presence: the occurrence of a given log pattern is observed. If this event occurs, the detector triggers a presence alert.

As a rule of thumb, users should select:

• Drift: when log volumes peaks or troughs point to an issue. Typical scenarios include detecting brute-force, dictionary attacks on web servers, detecting that a data pipeline's expected throughput is changing unexpectedly, detecting that a constant volume of logs (for some component) is subject to variations, etc.

• Presence: when the presence of a given log pattern points to an issue. Typical scenarios include detecting unwanted error or warning patterns that require immediate escalation (for instance because they correspond to system unavailability or client impact), detecting that after remediation by engineering team a given pattern has disappeared for good and never re-appears, etc.