Alerts

Security Requirements and Controls

Alerts use live-queries that run continuously, trigger one or more actions when the query returns a result. Using alerts enables automation for notifying analysts and administrators through different integrations such as email or forward to another repo. This means you don't have to rely on a routine of checking LogScale and executing queries manually or programmatically and can detect problems as soon as they occur.

The alert types that are available:

  • Standard Alerts are triggered by query that generates a result set. If the query is not already an aggregate query result, tail(200) is appended to the query to make it an aggregate query. Aggregate queries associated with a standard alert are run as live queries, and when the result set is executed and generates results, these are fed to the configured actions.

    Actions are triggered for the combined result set.

The attributes of the two alert types can be compared using the following table:

Feature Standard Alerts  
Supports aggregates Yes  
Sends aggregate results to Actions Yes No
Supports joins No, see warnings with live joins  
Needs search window Yes  
Triggered by Aggregate result  
Action invocation Sequentially  
Can be throttled Yes  
Can be used in packages Yes Yes

Alert Activities

Alerts can be managed using the following steps and procedures:

  • Creating Alerts

    Alerts can be created through the User Interface.

  • Setting Alert Throttle Period

    When creating standard alerts, you can keep them from triggering multiple times in a short period of time by setting a throttle period. This feature is also supported in Filter Alerts starting from version 1.129.

  • Managing Alerts

    The User Interface offers many ways to manage alerts that you've created.

  • Diagnosing Alerts

    Using alerts may sometimes present errors and warnings to handle.

  • Integrations

    As part of the LogScale Alert system, you may integrate it with a security monitoring system. These systems can be used to notify your staff and allow for more detailed analysis of server security.