You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: docs/user/alerting/alerting-getting-started.asciidoc
+16-86Lines changed: 16 additions & 86 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -11,7 +11,7 @@ image::images/alerting-overview.png[Rules and Connectors UI]
11
11
12
12
[IMPORTANT]
13
13
==============================================
14
-
To make sure you can access alerting and actions, see the <<alerting-setup-prerequisites, setup and pre-requisites>> section.
14
+
To make sure you can access alerting and actions, see the <<alerting-prerequisites, setup and pre-requisites>> section.
15
15
==============================================
16
16
17
17
[float]
@@ -22,15 +22,18 @@ Actions typically involve interaction with {kib} services or third party integra
22
22
This section describes all of these elements and how they operate together.
23
23
24
24
[float]
25
-
=== What is a rule?
25
+
=== Rules
26
26
27
27
A rule specifies a background task that runs on the {kib} server to check for specific conditions. It consists of three main parts:
28
28
29
29
* *Conditions*: what needs to be detected?
30
30
* *Schedule*: when/how often should detection checks run?
31
31
* *Actions*: what happens when a condition is detected?
32
32
33
-
For example, when monitoring a set of servers, a rule might check for average CPU usage > 0.9 on each server for the last two minutes (condition), checked every minute (schedule), sending a warning email message via SMTP with subject `CPU on {{server}} is high` (action).
33
+
For example, when monitoring a set of servers, a rule might:
34
+
* Check for average CPU usage > 0.9 on each server for the last two minutes (condition).
35
+
* Check every minute (schedule).
36
+
* Send a warning email message via SMTP with subject `CPU on {{server}} is high` (action).
34
37
35
38
image::images/what-is-a-rule.svg[Three components of a rule]
36
39
@@ -40,7 +43,7 @@ The following sections describe each part of the rule in more detail.
40
43
[[alerting-concepts-conditions]]
41
44
==== Conditions
42
45
43
-
Under the hood, {kib} rules detect conditions by running a javascript function on the {kib} server, which gives it the flexibility to support a wide range of conditions, anything from the results of a simple {es} query to heavy computations involving data from multiple sources or external systems.
46
+
Under the hood, {kib} rules detect conditions by running a Javascript function on the {kib} server, which gives it the flexibility to support a wide range of conditions, anything from the results of a simple {es} query to heavy computations involving data from multiple sources or external systems.
44
47
45
48
These conditions are packaged and exposed as *rule types*. A rule type hides the underlying details of the condition, and exposes a set of parameters
46
49
to control the details of the conditions to detect.
@@ -68,22 +71,22 @@ Actions are invocations of connectors, which allow interaction with {kib} servic
68
71
69
72
When defining actions in a rule, you specify:
70
73
71
-
* the *connector type*: the type of service or integration to use
72
-
* the connection for that type by referencing a <<alerting-concepts-connectors, connector>>
73
-
* a mapping of rule values to properties exposed for that type of action
74
+
* The *connector type*: the type of service or integration to use
75
+
* The connection for that type by referencing a <<alerting-concepts-connectors, connector>>
76
+
* A mapping of rule values to properties exposed for that type of action
74
77
75
78
The result is a template: all the parameters needed to invoke a service are supplied except for specific values that are only known at the time the rule condition is detected.
76
79
77
80
In the server monitoring example, the `email` connector type is used, and `server` is mapped to the body of the email, using the template string `CPU on {{server}} is high`.
78
81
79
-
When the rule detects the condition, it creates an <<alerting-concepts-alert-instances, alert>> containing the details of the condition, renders the template with these details such as server name, and executes the action on the {kib} server by invoking the `email` connector type.
82
+
When the rule detects the condition, it creates an <<alerting-concepts-alerts, alert>> containing the details of the condition, renders the template with these details such as server name, and executes the action on the {kib} server by invoking the `email` connector type.
80
83
81
84
image::images/what-is-an-action.svg[Actions are like templates that are rendered when an alert detects a condition]
82
85
83
86
See <<action-types>> for details on the types of connectors provided by {kib}.
84
87
85
88
[float]
86
-
[[alerting-concepts-alert-instances]]
89
+
[[alerting-concepts-alerts]]
87
90
=== Alerts
88
91
89
92
When checking for a condition, a rule might identify multiple occurrences of the condition. {kib} tracks each of these *alerts* separately and takes an action per alert.
@@ -92,22 +95,6 @@ Using the server monitoring example, each server with average CPU > 0.9 is track
92
95
93
96
image::images/alerts.svg[{kib} tracks each detected condition as an alert and takes action on each alert]
Since actions are executed per alert, a rule can end up generating a large number of actions. Take the following example where a rule is monitoring three servers every minute for CPU usage > 0.9:
100
-
101
-
* Minute 1: server X123 > 0.9. *One email* is sent for server X123.
102
-
* Minute 2: X123 and Y456 > 0.9. *Two emails* are sent, one for X123 and one for Y456.
103
-
* Minute 3: X123, Y456, Z789 > 0.9. *Three emails* are sent, one for each of X123, Y456, Z789.
104
-
105
-
In the above example, three emails are sent for server X123 in the span of 3 minutes for the same rule. Often it's desirable to suppress frequent re-notification. Operations like muting and throttling can be applied at the alert level. If we set the rule re-notify interval to 5 minutes, we reduce noise by only getting emails for new servers that exceed the threshold:
106
-
107
-
* Minute 1: server X123 > 0.9. *One email* is sent for server X123.
108
-
* Minute 2: X123 and Y456 > 0.9. *One email* is sent for Y456.
109
-
* Minute 3: X123, Y456, Z789 > 0.9. *One email* is sent for Z789.
110
-
111
98
[float]
112
99
[[alerting-concepts-connectors]]
113
100
=== Connectors
@@ -120,7 +107,7 @@ Rather than repeatedly entering connection information and credentials for each
120
107
image::images/rule-concepts-connectors.svg[Connectors provide a central place to store service connection settings]
121
108
122
109
[float]
123
-
=== Summary
110
+
== Putting it all together
124
111
125
112
A *rule* consists of conditions, *actions*, and a schedule. When conditions are met, *alerts* are created that render *actions* and invoke them. To make action setup and update easier, actions use *connectors* that centralize the information used to connect with {kib} services and third-party integrations. The following example ties these concepts together:
126
113
@@ -131,7 +118,6 @@ image::images/rule-concepts-summary.svg[Rules, connectors, alerts and actions wo
131
118
. {kib} invokes the actions, sending them to a third party *integration* like an email service.
132
119
. If the third party integration has connection parameters or credentials, {kib} will fetch these from the *connector* referenced in the action.
133
120
134
-
135
121
[float]
136
122
[[alerting-concepts-differences]]
137
123
== Differences from Watcher
@@ -152,63 +138,7 @@ Pre-packaged *rule types* simplify setup and hide the details of complex, domain
152
138
153
139
[float]
154
140
[[alerting-setup-prerequisites]]
155
-
== Setup and prerequisites
156
-
157
-
If you are using an *on-premises* Elastic Stack deployment:
158
-
159
-
* In the kibana.yml configuration file, add the <<general-alert-action-settings,`xpack.encryptedSavedObjects.encryptionKey`>> setting.
160
-
* For emails to have a footer with a link back to {kib}, set the <<server-publicBaseUrl, `server.publicBaseUrl`>> configuration setting.
161
-
162
-
If you are using an *on-premises* Elastic Stack deployment with <<using-kibana-with-security, *security*>>:
163
-
164
-
* You must enable Transport Layer Security (TLS) for communication <<configuring-tls-kib-es, between {es} and {kib}>>. {kib} alerting uses <<api-keys, API keys>> to secure background rule checks and actions, and API keys require {ref}/configuring-tls.html#tls-http[TLS on the HTTP interface]. A proxy will not suffice.
165
-
166
-
[float]
167
-
[[alerting-setup-production]]
168
-
== Production considerations and scaling guidance
169
-
170
-
When relying on alerting and actions as mission critical services, make sure you follow the <<alerting-production-considerations,Alerting production considerations>>.
171
-
172
-
See <<alerting-scaling-guidance>> for more information on the scalability of {kib} alerting.
To access alerting in a space, a user must have access to one of the following features:
179
-
180
-
* Alerting
181
-
* <<xpack-apm,*APM*>>
182
-
* <<logs-app,*Logs*>>
183
-
* <<xpack-ml,*{ml-cap}*>>
184
-
* <<metrics-app,*Metrics*>>
185
-
* <<xpack-siem,*Security*>>
186
-
* <<uptime-app,*Uptime*>>
187
-
188
-
See <<kibana-feature-privileges, feature privileges>> for more information on configuring roles that provide access to these features.
189
-
Also note that a user will need +read+ privileges for the *Actions and Connectors* feature to attach actions to a rule or to edit a rule that has an action attached to it.
190
-
191
-
[float]
192
-
[[alerting-spaces]]
193
-
=== Space isolation
194
-
195
-
Rules and connectors are isolated to the {kib} space in which they were created. A rule or connector created in one space will not be visible in another.
196
-
197
-
[float]
198
-
[[alerting-authorization]]
199
-
=== Authorization
200
-
201
-
Rules, including all background detection and the actions they generate are authorized using an <<api-keys, API key>> associated with the last user to edit the rule. Upon creating or modifying a rule, an API key is generated for that user, capturing a snapshot of their privileges at that moment in time. The API key is then used to run all background tasks associated with the rule including detection checks and executing actions.
202
-
203
-
[IMPORTANT]
204
-
==============================================
205
-
If a rule requires certain privileges to run, such as index privileges, keep in mind that if a user without those privileges updates the rule, the rule will no longer function.
206
-
==============================================
207
-
208
-
[float]
209
-
[[alerting-restricting-actions]]
210
-
=== Restricting actions
211
-
212
-
For security reasons you may wish to limit the extent to which {kib} can connect to external services. <<action-settings>> allows you to disable certain <<action-types>> and allowlist the hostnames that {kib} can connect with.
The Alerting feature is automatically enabled in {kib}, but might require some additional configuration.
9
+
10
+
[float]
11
+
[[alerting-prerequisites]]
12
+
=== Prerequisites
13
+
If you are using an *on-premises* Elastic Stack deployment:
14
+
15
+
* In the kibana.yml configuration file, add the <<general-alert-action-settings,`xpack.encryptedSavedObjects.encryptionKey`>> setting.
16
+
* For emails to have a footer with a link back to {kib}, set the <<server-publicBaseUrl, `server.publicBaseUrl`>> configuration setting.
17
+
18
+
If you are using an *on-premises* Elastic Stack deployment with <<using-kibana-with-security, *security*>>:
19
+
20
+
* You must enable Transport Layer Security (TLS) for communication <<configuring-tls-kib-es, between {es} and {kib}>>. {kib} alerting uses <<api-keys, API keys>> to secure background rule checks and actions, and API keys require {ref}/configuring-tls.html#tls-http[TLS on the HTTP interface]. A proxy will not suffice.
21
+
22
+
[float]
23
+
[[alerting-setup-production]]
24
+
=== Production considerations and scaling guidance
25
+
26
+
When relying on alerting and actions as mission critical services, make sure you follow the <<alerting-production-considerations,Alerting production considerations>>.
27
+
28
+
See <<alerting-scaling-guidance>> for more information on the scalability of {kib} alerting.
29
+
30
+
[float]
31
+
[[alerting-security]]
32
+
=== Security
33
+
34
+
To access alerting in a space, a user must have access to one of the following features:
35
+
36
+
* Alerting
37
+
* <<xpack-apm,*APM*>>
38
+
* <<logs-app,*Logs*>>
39
+
* <<xpack-ml,*{ml-cap}*>>
40
+
* <<metrics-app,*Metrics*>>
41
+
* <<xpack-siem,*Security*>>
42
+
* <<uptime-app,*Uptime*>>
43
+
44
+
See <<kibana-feature-privileges, feature privileges>> for more information on configuring roles that provide access to these features.
45
+
Also note that a user will need +read+ privileges for the *Actions and Connectors* feature to attach actions to a rule or to edit a rule that has an action attached to it.
46
+
47
+
[float]
48
+
[[alerting-restricting-actions]]
49
+
==== Restrict actions
50
+
51
+
For security reasons you may wish to limit the extent to which {kib} can connect to external services. <<action-settings>> allows you to disable certain <<action-types>> and allowlist the hostnames that {kib} can connect with.
52
+
53
+
[float]
54
+
[[alerting-spaces]]
55
+
=== Space isolation
56
+
57
+
Rules and connectors are isolated to the {kib} space in which they were created. A rule or connector created in one space will not be visible in another.
58
+
59
+
[float]
60
+
[[alerting-authorization]]
61
+
=== Authorization
62
+
63
+
Rules, including all background detection and the actions they generate are authorized using an <<api-keys, API key>> associated with the last user to edit the rule. Upon creating or modifying a rule, an API key is generated for that user, capturing a snapshot of their privileges at that moment in time. The API key is then used to run all background tasks associated with the rule including detection checks and executing actions.
64
+
65
+
[IMPORTANT]
66
+
==============================================
67
+
If a rule requires certain privileges to run, such as index privileges, keep in mind that if a user without those privileges updates the rule, the rule will no longer function.
Copy file name to clipboardExpand all lines: docs/user/alerting/defining-rules.asciidoc
+19Lines changed: 19 additions & 0 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -32,6 +32,25 @@ Notify:: This value limits how often actions are repeated when an alert rem
32
32
- **Every time alert is active**: Actions are repeated when an alert remains active across checks.
33
33
- **On a custom action interval**: Actions are suppressed for the throttle interval, but repeat when an alert remains active across checks for a duration longer than the throttle interval.
Since actions are executed per alert, a rule can end up generating a large number of actions. Take the following example where a rule is monitoring three servers every minute for CPU usage > 0.9, and the rule is set to notify **Every time alert is active**:
40
+
41
+
* Minute 1: server X123 > 0.9. *One email* is sent for server X123.
42
+
* Minute 2: X123 and Y456 > 0.9. *Two emails* are sent, one for X123 and one for Y456.
43
+
* Minute 3: X123, Y456, Z789 > 0.9. *Three emails* are sent, one for each of X123, Y456, Z789.
44
+
45
+
In the above example, three emails are sent for server X123 in the span of 3 minutes for the same rule. Often, it's desirable to suppress these re-notifications. If you set the rule **Notify** setting to **On a custom action interval** with an interval of 5 minutes, you reduce noise by only getting emails every 5 minutes for servers that continue to exceed the threshold:
46
+
47
+
* Minute 1: server X123 > 0.9. *One email* is sent for server X123.
48
+
* Minute 2: X123 and Y456 > 0.9. *One email* is sent for Y456.
49
+
* Minute 3: X123, Y456, Z789 > 0.9. *One email* is sent for Z789.
50
+
51
+
To get notified **only once** when a server exceeds the threshold, you can set the rule's **Notify** setting to **Only on status change**.
Index:: This clause requires an *index or index pattern* and a *time field* that will be used for the *time window*.
21
21
When:: This clause specifies how the value to be compared to the threshold is calculated. The value is calculated by aggregating a numeric field a the *time window*. The aggregation options are: `count`, `average`, `sum`, `min`, and `max`. When using `count` the document count is used, and an aggregation field is not necessary.
22
-
Over/Grouped Over:: This clause lets you configure whether the aggregation is applied over all documents, or should be split into groups using a grouping field. If grouping is used, an <<alerting-concepts-alert-instances, alert>> will be created for each group when it exceeds the threshold. To limit the number of alerts on high cardinality fields, you must specify the number of groups to check against the threshold. Only the *top* groups are checked.
22
+
Over/Grouped Over:: This clause lets you configure whether the aggregation is applied over all documents, or should be split into groups using a grouping field. If grouping is used, an <<alerting-concepts-alerts, alert>> will be created for each group when it exceeds the threshold. To limit the number of alerts on high cardinality fields, you must specify the number of groups to check against the threshold. Only the *top* groups are checked.
23
23
Threshold:: This clause defines a threshold value and a comparison operator (one of `is above`, `is above or equals`, `is below`, `is below or equals`, or `is between`). The result of the aggregation is compared to this threshold.
24
24
Time window:: This clause determines how far back to search for documents, using the *time field* set in the *index* clause. Generally this value should be to a value higher than the *check every* value in the <<defining-alerts-general-details, general rule details>>, to avoid gaps in detection.
0 commit comments