Automation

LogScale allows you to automate query running and receive notifications when certain events occur. This can be done with triggers and actions.

What are triggers

Triggers are queries that run either continually or on a schedule and initiate an action when the query returns results. You can create triggers that execute queries and activate Actions when a matching event is identified by the query. Several trigger types are available, and which one to use depends on the kind of query and on how promptly you need to be notified, as described below. The available trigger types are: Scheduled Search, Aggregate Alert, Filter Alert, and Legacy Alert.

Alerts are triggered as data is being ingested into LogScale, and trigger the action response as soon as one or more events match the query on the incoming data. Alerts therefore provide notification as soon as incoming data matches the configured query. This can be used, for example, to notify of excessive network connections, or when a specific error is identified in an ingested log file, based on the query that is executed by the alert.

Alerts can be configured to execute an action on a matching event, and to throttle the action if multiple events match within a specified time window. See Throttling for more information.

Alerts should not be used for queries that contain joins or live tables. Use Scheduled searches for these types of queries.

Scheduled searches are a type of trigger. Scheduled searches are queries run at a regular interval on previously ingested and stored data. When the scheduled search returns results, one or more Actions are triggered. Unlike alerts, scheduled searches are only run according to the configured schedule, which can be set on an interval from 1 minute to years.

Use alerts for events that do not happen regularly and for which you need instant notification. The live queries performed by alerts (either Aggregate alerts or Filter alerts) are more efficient for non-regular notification.

Scheduled searches are ideal for regularly reporting on historical data for auditing or monitoring purposes.
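As an added illustration (not LogScale's own code), the following Python model contrasts the two trigger behaviours described above: a live alert that evaluates each event as it is ingested and throttles repeated firings within a time window, and a scheduled search that runs once over a window of stored data. The events, the substring "query" and the throttle window are constructed for the example.

```python
from datetime import datetime, timedelta

# Constructed sample events (timestamp, message); not real LogScale data.
EVENTS = [
    (datetime(2024, 1, 1, 10, 0, 0), "error: connection refused from 10.0.0.5"),
    (datetime(2024, 1, 1, 10, 0, 30), "error: connection refused from 10.0.0.7"),
    (datetime(2024, 1, 1, 10, 2, 0), "info: health check ok"),
    (datetime(2024, 1, 1, 10, 6, 0), "error: connection refused from 10.0.0.5"),
    (datetime(2024, 1, 1, 10, 7, 0), "error: connection refused from 10.0.0.9"),
]


class LiveAlert:
    """Model of an alert: every event is checked as it arrives, and the action
    fires immediately on a match unless the alert already fired within the
    throttle window. A substring test stands in for a LogScale query."""

    def __init__(self, query, throttle_seconds):
        self.query = query
        self.throttle = timedelta(seconds=throttle_seconds)
        self.last_fired = None  # event time of the last firing (wall clock in a real system)

    def ingest(self, event):
        ts, message = event
        if self.query not in message:
            return False  # no match: nothing happens
        if self.last_fired is not None and ts - self.last_fired < self.throttle:
            return False  # match, but suppressed by throttling
        self.last_fired = ts
        return True  # action fires


def run_alert(events, query, throttle_seconds):
    """Feed events in ingest order; return the timestamps at which the action fired."""
    alert = LiveAlert(query, throttle_seconds)
    return [event[0] for event in events if alert.ingest(event)]


def scheduled_search(events, query, start, end):
    """Model of a scheduled search: one run over stored events in [start, end).
    The action is triggered once if the run returns any results."""
    return [e for e in events if start <= e[0] < end and query in e[1]]


if __name__ == "__main__":
    fired = run_alert(EVENTS, "connection refused", 300)
    print("alert fired at:", [t.time().isoformat() for t in fired])
    hits = scheduled_search(EVENTS, "connection refused", EVENTS[0][0], EVENTS[3][0])
    print("scheduled search: %d result(s), action %s" % (len(hits), "fires" if hits else "skipped"))
```

With a five-minute throttle the alert fires for the 10:00:00 and 10:06:00 events only, while the 10:00:30 and 10:07:00 matches are suppressed; the scheduled search over 10:00 to 10:06 returns two results and triggers its action once.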

What are actions

When a trigger is set off, it initiates an action, which could include sending someone a message about a problem on the servers, logging it to another system, or performing some other action. See Actions for more information.

It is possible to integrate the LogScale trigger system with security information and event management tools, or security orchestration, automation, and response tools. These systems can, for example, be used to notify your staff and allow for more detailed analysis of server security. For more information, see Integrations.