Automate log alert handling with Function Compute


After you create an alerting rule for logs, you can use Function Compute to receive the alert notifications and handle alert events automatically. For example, a company that uses OSS requires the Access Control Lists (ACLs) of all its buckets to be private. If an employee sets a bucket's ACL to public-read or public-read-write when creating or managing the bucket, the alerting system must detect the change quickly and remediate it automatically.

How it works

This topic uses OSS audit logs from ActionTrail as an example. When a bucket's ACL is set to public-read or public-read-write, Log Service sends an alert notification. Function Compute receives the notification and automatically invokes a function to modify the bucket's ACL. The workflow is as follows:

  1. Collect OSS audit logs: Enable the log collection feature for cloud products in Log Audit. ActionTrail logs, including OSS audit logs, are then sent to Log Service.

  2. Configure a service and function in Function Compute: Create a service and a function in Function Compute.

  3. Configure an alert in Log Service: Configure an alerting rule and a notification target to monitor PutBucket events in OSS audit logs and send alert notifications to Function Compute.

  4. Verify the handling result: After Function Compute receives an alert notification, it invokes a function that checks the bucket's ACL and modifies it if the ACL is not set to private. You can then view the Function Compute invocation logs and the ACL of the OSS bucket.

Permission requirements

If you are a RAM user, you must have the following permissions. For more information, see Grant permissions to a RAM user.

{
  "Statement": [{
    "Action": "ram:CreateServiceLinkedRole",
    "Resource": "*",
    "Effect": "Allow",
    "Condition": {
      "StringEquals": {
        "ram:ServiceName": "alert.log.aliyuncs.com"
      }
    }
  }],
  "Version": "1"
}

1. Collect OSS audit logs

In Log Audit, enable log collection for ActionTrail to gather OSS audit logs. For more information, see Configure Log Audit to collect ActionTrail logs.

2. Create a service and function

2.1 Create a service

Log on to the Function Compute console and create a service. For more information, see Create a service.

In the left-side navigation pane, click Services & Functions, and then click Create Service. In the dialog box, set a Name for the service (for example, sample), confirm the Region, add an optional Description, configure the Log Feature, and then click OK.

2.2 Create a function

  1. On the Services page, click your target service, and then on the Functions page, click Create Function.

  2. On the Create Function page, set the key parameters as described below, leave the others at their default values, and then click Create. For more information, see Create a function.

    • The function name must start with sls-ops-, for example, sls-ops-test.

    • Set Handler Type to Event Handler.

    • This example reads the AccessKey ID and AccessKey Secret from environment variables (accessKeyId and accessKeySecret in the code). In this example they are the AccessKey of an Alibaba Cloud account; in practice, avoid the account's own AccessKey, which carries full permissions, because the function only needs to read and set bucket ACLs. Create a RAM user whose permissions are limited to those OSS operations on the buckets in scope and use that user's AccessKey pair. You must configure the environment variables. For more information, see Configure environment variables.

    Use the built-in Node.js 16 runtime and edit the code inline. The code in the next step uses the event-handler signature exports.handler = (event, context, callback) and requires the ali-oss module (bundled with the built-in Node.js runtime; if your runtime does not provide it, add it as a dependency before deploying). A custom runtime (the Create with Custom Runtime option, with a Startup Command such as npm run start and a Listening Port such as 9000) instead expects your code to start an HTTP server on that port, so it would not run this handler as written.

    In the Environment Variables section, add two environment variables. Set the keys to ALIBABA_CLOUD_ACCESS_KEY_ID and ALIBABA_CLOUD_ACCESS_KEY_SECRET, and set the values to your AccessKey ID and AccessKey Secret, respectively. Then, click Create.

  3. After the function is created, replace the content of index.js with the following code. Testing is not required after deployment.

    Note

    In index.js, you can call the putBucketACL method to modify the bucket ACL settings. The function obtains the required region and bucket parameters by parsing the query results that Log Service returns when an alert is triggered. These results are typically available in alert.fire_results. For more information about alert parameters, see Content template variables (New).

    const OSS = require('ali-oss')

    // The AccessKey pair is read from the function's environment variables (see the previous step).
    const accessKeyId = process.env.ALIBABA_CLOUD_ACCESS_KEY_ID
    const accessKeySecret = process.env.ALIBABA_CLOUD_ACCESS_KEY_SECRET

    // Reads the bucket's ACL and resets it to private if it is anything else. region is the ActionTrail
    // acsRegion (for example cn-hangzhou); the OSS region ID is that value with the oss- prefix.
    async function checkBucketAcl(region, bucket) {
      const client = new OSS({
        region: `oss-${region}`,
        accessKeyId,
        accessKeySecret,
        bucket
      })
      const result = await client.getBucketACL(bucket)
      if (result.acl !== 'private') {
        console.log(`bucket ${bucket} in ${region} has ACL ${result.acl}, resetting to private`)
        await client.putBucketACL(bucket, 'private')
      }
    }

    // Entry point invoked by Function Compute. event is the alert notification from Log Service;
    // each item of fire_results carries the region and bucket columns selected by the alert query.
    exports.handler = async (event, context, callback) => {
      if (!accessKeyId || !accessKeySecret) {
        return callback(new Error('ALIBABA_CLOUD_ACCESS_KEY_ID or ALIBABA_CLOUD_ACCESS_KEY_SECRET is not set'))
      }
      const alert = JSON.parse(event.toString())
      const results = Array.isArray(alert.fire_results) ? alert.fire_results : []
      const failed = []
      for (const { region, bucket } of results) {
        try {
          await checkBucketAcl(region, bucket)
        } catch (err) {
          // Keep going: one deleted or inaccessible bucket must not block the remaining ones.
          console.error(`failed to remediate ${bucket} in ${region}: ${err.message}`)
          failed.push(bucket)
        }
      }
      // Return an error when any bucket failed so the invocation is recorded as failed in the logs.
      callback(failed.length ? new Error(`remediation failed for: ${failed.join(', ')}`) : null, '')
    }

3. Create an alert

3.1 Create an alerting rule

  1. Log on to the Log Service console. In the Project list, click the target Project.

  2. ActionTrail automatically creates a Logstore named actiontrail_<trail_name>. Click the target Logstore, enter the following query statement, and click Query/Analyze. If the query is successful, click Save as Alert.

    Creating a new bucket or changing a bucket's ACL generates a PutBucket audit log. The following query retrieves PutBucket logs and extracts the bucket's region and name; Function Compute uses these two columns to check and reset the bucket's ACL. Log Service SQL arrays are 1-indexed, so split("event.eventSource", '.')[1] is the first label of the event source host name, which is the bucket name. Before relying on the rule, change the ACL of an existing bucket in the console and confirm which event.eventName the trail records for that operation; if it is not PutBucket, add that event name to the filter, otherwise ACL changes to existing buckets will not trigger the alert.

    event.ServiceName: Oss
    AND event.eventName: PutBucket |
    SELECT
      "event.acsRegion" AS region,
      split("event.eventSource", '.') [1] AS bucket
  3. On the Alerting Rule panel, configure the following parameters. For more information about the parameters, see Create an alerting rule.

    Configure the alerting rule as follows, then click OK:

    • Rule Name: Bucket ACL Alert.

    • Check Interval: a fixed interval of 15 minutes.

    • Query Statement: automatically populated with the query from the previous step.

    • Trigger Condition: trigger a Medium-severity alert if data exists.

    • Alert Policy: Simple Mode. In the action group, set Channel to Function Compute (FC), Region to China (Hangzhou), and Function to sls-ops-test.

    • Content Template: the built-in SLS content template.
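
The following is an added example, not code from this page or from the Log Service or Function Compute products. It is an offline dry run of the chain configured in steps 2.2 and 3.1: constructed ActionTrail records are passed through the same filter and projection as the alerting query, packed into the fire_results payload the function reads, and handed to a remediation handler that uses an in-memory stand-in for the ali-oss client (FakeOssClient, defined here) instead of a real OSS account. The record values, bucket names, the FakeOssClient and the remediate and dryRun helpers are all assumptions made for illustration; the deployed function builds a real OSS client per region as shown in index.js above.

```javascript
// Added example: offline dry run of the alert -> Function Compute -> OSS ACL remediation flow.
// Nothing here talks to Log Service or OSS; the audit records, bucket names and the OSS client
// stand-in below are constructed for illustration only.

// Constructed ActionTrail records, keyed like the fields the alerting query reads.
// The GetBucketAcl record and the non-OSS record must be dropped by the filter.
const AUDIT_RECORDS = [
  { 'event.ServiceName': 'Oss', 'event.eventName': 'PutBucket',
    'event.acsRegion': 'cn-hangzhou', 'event.eventSource': 'public-assets.oss-cn-hangzhou.aliyuncs.com' },
  { 'event.ServiceName': 'Oss', 'event.eventName': 'GetBucketAcl',
    'event.acsRegion': 'cn-hangzhou', 'event.eventSource': 'public-assets.oss-cn-hangzhou.aliyuncs.com' },
  { 'event.ServiceName': 'Oss', 'event.eventName': 'PutBucket',
    'event.acsRegion': 'cn-shanghai', 'event.eventSource': 'finance-archive.oss-cn-shanghai.aliyuncs.com' },
  { 'event.ServiceName': 'Ecs', 'event.eventName': 'PutBucket',
    'event.acsRegion': 'cn-hangzhou', 'event.eventSource': 'ecs.aliyuncs.com' },
  { 'event.ServiceName': 'Oss', 'event.eventName': 'PutBucket',
    'event.acsRegion': 'cn-beijing', 'event.eventSource': 'ghost-bucket.oss-cn-beijing.aliyuncs.com' },
];

// Same filter and projection as the alerting query:
//   event.ServiceName: Oss AND event.eventName: PutBucket
//   | SELECT "event.acsRegion" AS region, split("event.eventSource", '.')[1] AS bucket
// Log Service SQL arrays are 1-indexed, so [1] there is JavaScript's [0]: the first host-name label.
function selectRegionAndBucket(records) {
  return records
    .filter(r => r['event.ServiceName'] === 'Oss' && r['event.eventName'] === 'PutBucket')
    .map(r => ({ region: r['event.acsRegion'], bucket: r['event.eventSource'].split('.')[0] }));
}

// The part of the alert notification the handler reads: fire_results holds one row per query result.
// Function Compute delivers the event as a Buffer, so the payload is serialized the same way here.
function buildAlertPayload(fireResults) {
  return Buffer.from(JSON.stringify({ alert_name: 'Bucket ACL Alert', fire_results: fireResults }));
}

// In-memory stand-in for the two ali-oss calls the function uses (getBucketACL / putBucketACL).
// It fails for unknown buckets, like OSS does for a bucket deleted between the event and the alert,
// and records every write so a caller can see exactly what would have changed.
class FakeOssClient {
  constructor(acls) { this.acls = { ...acls }; this.writes = []; }
  async getBucketACL(bucket) {
    if (!(bucket in this.acls)) throw new Error(`NoSuchBucket: ${bucket}`);
    return { acl: this.acls[bucket] };
  }
  async putBucketACL(bucket, acl) {
    this.acls[bucket] = acl;
    this.writes.push({ bucket, acl });
  }
}

// The decision the deployed function makes, with the client factory injected so it can run offline.
// Each bucket is handled independently: a failure on one is reported, not allowed to stop the loop.
async function remediate(eventBuffer, clientFor) {
  const alert = JSON.parse(eventBuffer.toString());
  const outcomes = [];
  for (const { region, bucket } of alert.fire_results || []) {
    try {
      const client = clientFor(region, bucket);   // real code: new OSS({ region: `oss-${region}`, ... })
      const { acl } = await client.getBucketACL(bucket);
      if (acl === 'private') {
        outcomes.push({ region, bucket, before: acl, action: 'none' });
      } else {
        await client.putBucketACL(bucket, 'private');
        outcomes.push({ region, bucket, before: acl, action: 'set-private' });
      }
    } catch (err) {
      outcomes.push({ region, bucket, action: 'error', error: err.message });
    }
  }
  return outcomes;
}

// Runs the whole chain once: one bucket created public-read, one already private, one that no
// longer exists. Returns what the handler did and the writes the stand-in client recorded.
async function dryRun() {
  const oss = new FakeOssClient({ 'public-assets': 'public-read', 'finance-archive': 'private' });
  const payload = buildAlertPayload(selectRegionAndBucket(AUDIT_RECORDS));
  const outcomes = await remediate(payload, () => oss);   // one region-agnostic fake serves all rows
  return { outcomes, writes: oss.writes, acls: oss.acls };
}

dryRun().then(r => console.log(JSON.stringify(r, null, 2)));
```

Running the block prints three outcomes: the public-read bucket is reset to private, the already-private bucket is left alone, and the missing bucket is reported as an error without aborting the other two. Swapping FakeOssClient for a factory that returns a real ali-oss client turns remediate into the deployed handler's core.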

3.2 View alert history

After the alerting rule is created, modifying a bucket's ACL or creating a new bucket triggers an alert. You can view triggered alerts in the Alert History chart on the Alert Center page. The Alert History page displays alert execution records in a table, including columns such as Alert ID, Alert Name, Execution ID, Execution Time, Trigger Condition, Execution Result, Alert Fired, and Details. The Trigger Condition column shows the trigger expression (for example, Count:[1] > 0), the Execution Result column shows the status, the Alert Fired column indicates if the condition was met (true or false), and the Details column provides specific information.

4. Verify the handling result

When Function Compute receives an alert notification, it invokes a function to check and modify the ACL of the affected bucket. If the ACL is public-read or public-read-write, Function Compute automatically changes it to private.

4.1 View Function Compute invocation logs

Log on to the Function Compute console. In the left-side navigation pane, click Services & Functions. From the Services page, select your target service. Then, on the Functions page, select your target function to navigate to its Logs page and view the invocation logs. For more information, see View invocation logs.

In the Invocations list, you can find an invocation record with an execution result of Success (asynchronous invocation) and the version LATEST. This indicates that the function was successfully triggered and executed.

4.2 View the OSS bucket ACL

Log on to the OSS console and navigate to the Permissions page of the target bucket to view its ACL. The function invoked by Function Compute changed the bucket's ACL to private.