Alert Logic Log Manager alert rules

Alert Logic recommends you create two types of alert rules for Log Manager to receive important notifications. Collection alert rules send you an email alert when Alert Logic does not receive log messages during a configured time frame. Correlation alert rules send you an email alert when Alert Logic receives a configured amount of similar log message types during a configured time frame.

Access Log Management alert rules

To access the Log Manager Alert Rules page, click CONFIGURATION, click Log Management, and then click Alert Rules.

Work with collection alert rules

Create and apply a collection alert rule

You can create a collection alert in Alert Logic Log Manager to receive notification if collection stops for any reason.

You must first create a collection alert and then apply the alert to the source.

To create a collection alert:

  1. Navigate to the Log Management Alert Rules page, and then click Collection.
  2. Click the Add icon.
  3. In Collection Alert Name, type a descriptive name.
  4. In Time Before Alert is Triggered, type a number value in minutes.
  5. In Time Between Alert Occurrences, type a number value in minutes.

You cannot specify a number value greater than 3,600.

  6. In Email Addresses, type an email address. To add multiple email addresses, separate each entry with a comma.
  7. Select Send Alert Once to receive alerts only once.
  8. Click Save.

After you create the collection alert, you must apply the alert to a log source.

To apply the collection alert to a log source:

  1. In the Alert Logic console, click CONFIGURATION, and then click Deployments.
  2. Click the deployment tile you want to modify.
  3. In the left navigation area, click Hosts and Sources.
  4. Click the Sources tab.
  5. In Select Filters, type or select a Source Type (you may need to scroll down the list to find the source types) and then click Apply Filters.

  6. Click the gear icon.
  7. Select Mass Edit.
  8. In Apply changes to, select All Sources for all sources or Only Selected Sources to choose an individual log source from the table.
  9. In Replace Collection Alerts, select your collection alert.
  10. Click Save.
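
To see how the three timing settings interact before you commit values in the console, the following added example (not Alert Logic code) models a collection alert over a constructed timeline of log arrivals. It assumes that silence is measured from the last received message, that repeat alerts continue at the Time Between Alert Occurrences interval until logs resume, and that Send Alert Once means once per silent period; the class and function names are hypothetical.

```python
from dataclasses import dataclass

MAX_MINUTES = 3600  # the page's stated limit for Time Between Alert Occurrences


@dataclass(frozen=True)
class CollectionAlertRule:
    name: str
    time_before_alert: int          # "Time Before Alert is Triggered", minutes
    time_between_alerts: int        # "Time Between Alert Occurrences", minutes
    send_alert_once: bool = False   # "Send Alert Once"

    def __post_init__(self):
        if self.time_before_alert <= 0 or self.time_between_alerts <= 0:
            raise ValueError("timing values must be positive minutes")
        if self.time_between_alerts > MAX_MINUTES:
            raise ValueError(f"time_between_alerts cannot exceed {MAX_MINUTES}")


def alert_times(rule, arrivals, start, end):
    """Return the minute offsets at which the modelled rule would send email.

    arrivals   -- minute offsets at which log messages were received
    start, end -- observation window; silence before the first message
                  is measured from `start` (an assumption of this model)
    """
    alerts = []
    last_seen = start
    # A sentinel at `end` closes the final gap so an ongoing outage is counted.
    for t in sorted(a for a in arrivals if start <= a <= end) + [end]:
        fire = last_seen + rule.time_before_alert
        while fire <= t:                      # the gap reached the threshold
            alerts.append(fire)
            if rule.send_alert_once:          # assumed: once per silent period
                break
            fire += rule.time_between_alerts  # repeat while silence continues
        last_seen = t                         # a received message resets the timer
    return alerts


# Constructed sample: a source logs at minutes 0-20, goes quiet, resumes at
# 200-210, then goes quiet again until the window closes at minute 290.
SAMPLE_ARRIVALS = [0, 10, 20, 200, 210]

if __name__ == "__main__":
    repeating = CollectionAlertRule("fw-logs-silent", 30, 60)
    once = CollectionAlertRule("fw-logs-silent-once", 30, 60, send_alert_once=True)
    print("repeating:", alert_times(repeating, SAMPLE_ARRIVALS, 0, 290))
    print("once:     ", alert_times(once, SAMPLE_ARRIVALS, 0, 290))
```

Running the model against a source's normal quiet periods shows whether a chosen threshold would alert on routine gaps or only on a real collection outage.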

Update a collection alert rule

If you update, archive, or delete any collection, policies, or alert rule configurations, you could break interconnected configurations.

To update a collection alert rule:

  1. Navigate to the Log Management Alert Rules page, and then click Collection.
  2. Click the pencil icon on the alert rule you want to update.
  3. In Collection Alert Name, type a descriptive name.
  4. In Time Before Alert is Triggered, type a number value and select an interval.
  5. In Time Between Alert Occurrences, type a numeric value in minutes.

You cannot specify a numeric value greater than 3,600.

  6. In Email Addresses, type an email address. To add multiple email addresses, separate each entry with a comma.
  7. Select Send Alert Once to receive alerts only once.
  8. Click Update.

Delete a collection alert rule

If you update, archive, or delete any collection, policies, or alert rule configurations, you could break interconnected configurations.

To delete a collection alert rule:

  1. Navigate to the Log Management Alert Rules page, and then click Collection.
  2. Click the trash icon on the alert rule you want to delete.
  3. Click Delete.

Work with correlation alert rules

Create a correlation alert rule

To create a correlation alert rule:

  1. Navigate to the Log Management Alert Rules page, and then click Correlation.
  2. Click the Add icon.
  3. In Correlation Name, type a descriptive name.
  4. In Time Between Alert Occurrences, type a numeric value in minutes.

You must specify a numeric value between 10 and 3,600.

  5. Select an option for Trigger an alert when the message type is.
    • To trigger an alert when the message type is in the selected message types, select in the selected message types.
    • To trigger an alert when the message type is not in the selected message types, select NOT in the selected message types.
  6. Select Include message text to include the message text, and then in Message Types, select one or more options.
  7. In the Email Addresses field, select from the list of contacts you want to receive alerts.
  8. Click Save.

Update a correlation alert rule

If you update, archive, or delete any collection, policies, or alert rule configurations, you could break interconnected configurations.

To update a correlation alert rule:

  1. Navigate to the Log Management Alert Rules page, and then click Correlation.
  2. Click the pencil icon on the alert rule you want to update.
  3. In Name, type a descriptive name.
  4. In Time Between Alert Occurrences, type a number value in minutes.

You cannot specify a numeric value greater than 3,600.

  5. Select an option for Trigger an alert when the message type is.
    • To trigger an alert when the message type is in the selected message types, select in the selected message types.
    • To trigger an alert when the message type is not in the selected message types, select NOT in the selected message types.
  6. Select Include message text to include the message text, and then in Message Types, select one or more options.
  7. In the Email Addresses field, select from the list of contacts you want to receive alerts.
  8. Click Update.

Delete a correlation alert rule

If you update, archive, or delete any collection, policies, or alert rule configurations, you could break interconnected configurations.

To delete a correlation alert rule:

  1. Navigate to the Log Management Alert Rules page, and then click Correlation.
  2. Click the trash icon on the correlation rule you want to delete.
  3. Click Delete.
