Creating a Log Alarm Rule
You can create alarm rules based on keyword statistics so that AOM monitors log data in real time and reports an alarm when one is triggered.
Prerequisites
- You have created a log group and log stream. For details, see Creating Log Groups and Log Streams.
- You have structured logs using the new edition of log structuring. For details, see Log Structuring.
Creation Mode
Log alarm rules can be created by referring to Creating Log Alarm Rules by Keyword.
Creating Log Alarm Rules by Keyword
- Log in to the AOM 2.0 console.
- In the navigation pane, choose Alarm Management > Alarm Rules.
- In the right pane, click the Log Alarm Rules tab and click Add Log Alarm Rule.
- On the displayed page, set alarm rule parameters by referring to Table 1.
Table 1 Alarm condition parameters
Category
Parameter
Description
Basic Info
Rule Name
Name of a rule. Enter 1 to 64 characters and do not start or end with a hyphen (-) or underscore (_). Only letters, digits, hyphens, and underscores are allowed.
NOTE:
After an alarm rule is created, the rule name can be modified. After the modification, move the cursor over the rule name to view both new and original rule names.
Description
Description of the rule. Enter up to 64 characters.
Statistical Analysis
Statistics
By keyword: applicable to scenarios where log alarm rules are created based on the counted keywords.
Query Condition
Log Group Name: Select a log group.
Log Stream Name: Select a log stream.
NOTE:
If a log group contains more than one log stream, you can select multiple log streams when creating a log alarm rule by keyword.
Query Time Range: Specify the statement query period. It is one period earlier than the current time. For example, if Query Time Range is set to one hour and the current time is 9:00, the query statement period is 8:00–9:00.
- The value ranges from 1 to 60 in the unit of minutes.
- The value ranges from 1 to 24 in the unit of hours.
Keywords: Enter keywords that you want AOM to monitor in logs. Exact and fuzzy matches are supported. A keyword is case-sensitive and contains up to 1024 characters.
Check Rule
Configure a condition that will trigger the alarm.
Matching Log Events: When the number of log events that contain the configured keywords reaches the specified value, an alarm is triggered.
Four comparison operators are supported: greater than (>), greater than or equal to (>=), less than (<), and less than or equal to (<=).
Specify the number of queries and the number of times the condition (keyword contained in log events) must be met to trigger an alarm. The number of queries must be greater than or equal to the number of times the condition must be met.
NOTE:
- The alarm severity can be Critical (default), Major, Minor, or Info.
- Number of queries: 1–10
Advanced Settings
Query Frequency
Options:
- Hourly: The query is performed at the top of each hour.
- Daily: The query is performed at a specific time every day.
- Weekly: The query is performed at a specific time on a specific day every week.
- Custom interval: You can specify the interval from 1 minute to 60 minutes or from 1 hour to 24 hours. For example, if the current time is 9:00 and the Custom interval is set to 5 minutes, the first query is at 9:00, the second query is at 9:05, the third query is at 9:10, and so on.
NOTE:
When the query time range is larger than 1 hour, the interval must be at least 5 minutes.
- CRON: Cron expressions use the 24-hour format and are precise down to the minute. Examples:
- 0/10 * * * *: The query starts from 00:00 and is performed every 10 minutes at 00:00, 00:10, 00:20, 00:30, 00:40, 00:50, 01:00, and so on. For example, if the current time is 16:37, the next query is at 16:50.
- 0 0/5 * * *: The query starts from 00:00 and is performed every 5 hours at 00:00, 05:00, 10:00, 15:00, 20:00, and so on. For example, if the current time is 16:37, the next query is at 20:00.
- 0 14 * * *: The query is performed at 14:00 every day.
- 0 0 10 * *: The query is performed at 00:00 on the 10th day of every month.
Restores
Configure a policy for sending an alarm clearance notification.
If alarm clearance notification is enabled and the trigger condition has not been met for the specified number of statistical periods, an alarm clearance notification will be sent.
Number of last queries: 1–10
Notify When
- Alarm triggered: Specify whether to send a notification when an alarm is triggered. If this option is enabled, a notification will be sent when the trigger condition is met.
- Alarm cleared: Specify whether to send a notification when an alarm is cleared. If this option is enabled, a notification will be sent when the recovery policy is met.
Frequency
You can select Once, Every 5 minutes, Every 10 minutes, Every 15 minutes, Every 30 minutes, Every hour, Every 3 hours, or Every 6 hours to send alarms.
Once indicates that a notification is sent once an alarm is generated. Every 10 minutes indicates that the minimum interval between two notifications is 10 minutes, preventing alarm storms.
Alarm Action Rules
Select a desired rule from the drop-down list.
If no rule is available, click Create Alarm Action Rule on the right. For details, see Creating an Alarm Action Rule.
Languages
Specify the language (English) in which alarms are sent.
- Click Confirm. The alarm rule is created.
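The following added example (not AOM code) simulates how the Check Rule and Restores settings in Table 1 turn per-query keyword counts into alarm states, using constructed sshd log lines. It assumes that an alarm triggers when the condition held in at least the configured number of the last queries and clears after the configured number of consecutive misses; the function and variable names are hypothetical.

```python
import operator
from collections import deque

OPS = {">": operator.gt, ">=": operator.ge, "<": operator.lt, "<=": operator.le}

def count_matches(lines, keyword):
    """Count log events that contain the keyword (case-sensitive substring)."""
    return sum(1 for line in lines if keyword in line)

def evaluate(windows, keyword, op, threshold, queries, times_met, restore):
    """Return 'ok' or 'alarm' after each query.

    Assumed semantics: trigger when the condition held in at least times_met
    of the last `queries` queries; clear after `restore` consecutive misses.
    """
    if not (1 <= queries <= 10 and 1 <= restore <= 10):
        raise ValueError("number of queries must be 1-10")
    if not 1 <= times_met <= queries:
        raise ValueError("times_met must be between 1 and the number of queries")
    recent, misses, alarming, states = deque(maxlen=queries), 0, False, []
    for lines in windows:
        hit = OPS[op](count_matches(lines, keyword), threshold)
        recent.append(hit)
        misses = 0 if hit else misses + 1
        if not alarming and sum(recent) >= times_met:
            alarming = True
        elif alarming and misses >= restore:
            alarming = False
            recent.clear()  # start counting afresh after clearance
        states.append("alarm" if alarming else "ok")
    return states

# Constructed sample data: one list of log lines per query time range.
FAIL = "sshd: Failed password for root from 198.51.100.7"
GOOD = "sshd: Accepted publickey for deploy from 192.0.2.10"
WINDOWS = [
    [GOOD, FAIL],              # 1 match
    [FAIL, FAIL, FAIL],        # 3 matches: condition met
    [GOOD],                    # 0 matches
    [FAIL, FAIL, FAIL, GOOD],  # met in 2 of the last 3 queries: alarm
    [GOOD, "sshd: failed password for root"],  # lowercase: not counted
    [GOOD],                    # second consecutive miss: alarm cleared
    [GOOD],
]

if __name__ == "__main__":
    print(evaluate(WINDOWS, "Failed password", ">=", 3, 3, 2, 2))
```

With the less-than operators the same logic alerts on missing events, for example a heartbeat keyword that stops appearing.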