Configure anomaly detection

更新时间:
复制 MD 格式

CloudLens for OSS provides built-in alert monitoring rules that you can enable for your buckets to detect and analyze unusual activity in a timely manner.

Create an alert

  1. Log on to the Simple Log Service console.

  2. In the Log Application section, on the Cloud Service Lens tab, click CloudLens for OSS.

  3. In the left-side navigation pane, choose Anomaly Detection > Alert Management.

  4. In the list of buckets, click Create Alert Monitoring Rule for the target bucket.

  5. In the Create Alert Monitoring Rule dialog box, configure the parameters.

    1. Select a target alert monitoring rule.

      CloudLens for OSS provides built-in alert monitoring rules. For more information, see Alert monitoring rules.

    2. Configure parameters such as alert thresholds and an action policy.

      CloudLens for OSS provides a built-in action policy that sends alert notifications by email to the built-in user group for OSS insight. Before you use this action policy, you must create users and add them to this user group. For more information, see Create users and user groups.

    3. Click Confirm.

After you enable an alert rule, you can go to the Alert Management page to edit, disable, or delete the rule.

View the alert dashboard

The alert dashboard shows triggered alerts and the overall alert status.

  1. Log on to the Simple Log Service console.

  2. In the Log Application section, on the Cloud Service Lens tab, click CloudLens for OSS.

  3. In the left-side navigation pane, choose Anomaly Detection > Alert Status.

  4. View alert information.

    You can filter alerts by region and bucket at the top of the page. The Alerts Triggered in Last 24 Hours section shows active alerts, pending incidents, and configuration errors, each with a Details link. The Today's Alert Data module displays alerts by severity and day-over-day changes. The Alert Trigger Trend (Today vs. Yesterday) module compares trends over time. The Alert Severity Distribution module shows severity percentages. The Recent Incidents table lists incidents with details such as severity and status. The page also includes panels for Incident Status, Alert Assignee Distribution, Alert Channel Sending Status, and Alert Rule Configuration Errors.

Alert monitoring rules

Spike in 403, 404, 408, 499, and 4xx requests

Item

Description

Purpose

Monitors for sudden increases in 403, 404, 408, 499, and 4xx requests.

Check frequency & time range

Checks data from the previous minute every minute.

Trigger condition

Triggers an alert if the number of error requests (403, 404, 408, 499, or 4xx) in the past minute and the minute-over-minute percentage increase both exceed their specified thresholds.

Parameters

  • Number Threshold: The minimum number of error requests (403, 404, 408, 499, or 4xx) per minute for a bucket to be considered for an alert.

  • Growth Rate Threshold: The minimum minute-over-minute percentage increase in the request count for a bucket to be considered for an alert.

  • Bucket Name: The name of the bucket to monitor.

  • Action Policy: Defines how and to whom alert notifications are sent. The default is the built-in policy, sls.app.oss.builtin. You can modify this policy or create your own. For more information, see Action policies.

  • Severity: The severity level of the alert.

  • Mute Period: The period during which you do not receive repeated notifications for the same alert. For example, 1d (1 day), 2h (2 hours), or 3m (3 minutes).

  • Recovery Notification: If enabled, Log Service sends a notification when the monitored item returns to a normal state.

  • Threshold of Continuous Triggers: The number of consecutive checks for which the trigger condition must be met before an alert is triggered.

Sudden spike in internet download or upload traffic

Item

Description

Purpose

Monitors for sudden increases in internet download and upload traffic.

Check frequency & time range

Checks data from the previous minute every minute.

Trigger condition

Triggers an alert if the download or upload traffic in the past minute and the minute-over-minute percentage increase both exceed their specified thresholds.

Parameters

  • Download Threshold and Upload Threshold: The minimum download or upload traffic per minute for a bucket to be considered for an alert.

  • Growth Rate Threshold: The minimum minute-over-minute percentage increase in download or upload traffic for a bucket to be considered for an alert.

  • Bucket Name: The name of the bucket to monitor.

  • Action Policy: Defines how and to whom alert notifications are sent. The default is the built-in policy, sls.app.oss.builtin. You can modify this policy or create your own. For more information, see Action policies.

  • Severity: The severity level of the alert.

  • Mute Period: The period during which you do not receive repeated notifications for the same alert. For example, 1d (1 day), 2h (2 hours), or 3m (3 minutes).

  • Recovery Notification: If enabled, Log Service sends a notification when the monitored item returns to a normal state.

  • Threshold of Continuous Triggers: The number of consecutive checks for which the trigger condition must be met before an alert is triggered.

OSS bucket deletion alert

Item

Description

Purpose

Monitors the deletion of OSS buckets.

Check frequency & time range

Checks data from the previous minute every minute.

Trigger condition

Triggers an alert when an OSS bucket is deleted.

Parameters

  • Bucket Name: The name of the bucket to monitor.

  • Action Policy: Defines how and to whom alert notifications are sent. The default is the built-in policy, sls.app.oss.builtin. You can modify this policy or create your own. For more information, see Action policies.

  • Severity: The severity level of the alert.

  • Mute Period: The period during which you do not receive repeated notifications for the same alert. For example, 1d (1 day), 2h (2 hours), or 3m (3 minutes).

  • Recovery Notification: If enabled, Log Service sends a notification when the monitored item returns to a normal state.

  • Threshold of Continuous Triggers: The number of consecutive checks for which the trigger condition must be met before an alert is triggered.

High-frequency access IP detection

Item

Description

Purpose

Monitors high-frequency access from specific IP addresses to OSS buckets that use Standard storage.

Check frequency & time range

Checks data from the past 10 minutes every minute.

Trigger condition

Triggers an alert when a single IP address accesses a bucket too frequently.

Parameters

  • Number Threshold: The maximum number of requests from a single IP address to an OSS bucket using Standard storage within a 10-minute period before an alert is triggered.

  • Bucket Name: The name of the bucket to monitor.

  • Action Policy: Defines how and to whom alert notifications are sent. The default is the built-in policy, sls.app.oss.builtin. You can modify this policy or create your own. For more information, see Action policies.

  • Severity: The severity level of the alert.

  • Mute Period: The period during which you do not receive repeated notifications for the same alert. For example, 1d (1 day), 2h (2 hours), or 3m (3 minutes).

  • Recovery Notification: If enabled, Log Service sends a notification when the monitored item returns to a normal state.

  • Threshold of Continuous Triggers: The number of consecutive checks for which the trigger condition must be met before an alert is triggered.