Log Query Alert Example
I am designing a monitoring solution for a project and want to create some alert rules for certain resources (e.g. Application Insights).
If I want to set up a log search alert, I need to define a specific query and tell the alert what to do.
However, I have never written a log query alert before and don't know how to set it up. So far I have written a log search example in Bicep:
```bicep
@description('Location of the resource.')
param location string
@description('Log Analytics workspace ID to associate with your Application Insights resource.')
param workspaceId string
// The rule references these two values, so they have to be declared (or passed in) as well.
@description('Name of the alert rule.')
param appInsightsLogRuleName string
@description('Resource ID of the action group to notify.')
param actiongroups_team_blue string
@allowed([
  0
  1
  2
  3
  4
])
@description('Severity of the alert.')
param severity int = 2

resource appInsightsLogRule 'Microsoft.Insights/scheduledQueryRules@2022-06-15' = {
  name: appInsightsLogRuleName
  location: location
  properties: {
    displayName: appInsightsLogRuleName
    severity: severity
    enabled: true
    evaluationFrequency: 'PT5M'
    scopes: [
      workspaceId
    ]
    targetResourceTypes: [
      'Microsoft.Insights/components'
    ]
    windowSize: 'PT5M'
    criteria: {
      allOf: [
        {
          query: 'tbd.'
          timeAggregation: 'Count'
          dimensions: []
          operator: 'GreaterThan'
          threshold: 0
          failingPeriods: {
            // minFailingPeriodsToAlert may not exceed numberOfEvaluationPeriods.
            numberOfEvaluationPeriods: 3
            minFailingPeriodsToAlert: 3
          }
        }
      ]
    }
    autoMitigate: true
    actions: {
      actionGroups: [
        actiongroups_team_blue
      ]
    }
  }
}
```
The query is still empty at the moment, because I don't know how to fill it in.
Could someone share examples or queries for useful scenarios (e.g. Application Insights, Network Watcher, Sentinel, etc.) for scheduledQueryAlert, or for alert rules in general? Many thanks!
First, check the parameter.json file to avoid this kind of empty output problem, and check whether the given query is valid.
Referring to MSDoc, I tried to create a sample scheduled log alert for a Log Analytics workspace resource and verified that it was sent to the given email address. It works and was deployed successfully as shown below:
```bicep
@description('Log Analytics workspace Resource ID.')
param sourceId string = ''
param location string = ''
param actionGroupId string = ''

resource logQueryAlert 'Microsoft.Insights/scheduledQueryRules@2018-04-16' = {
  name: 'xxxxx log query alert'
  location: location
  properties: {
    description: 'This is a sample alert'
    enabled: 'true'
    source: {
      // query as per the requirement
      query: 'Event | where EventLevelName == "warning" | summarize count() by Computer'
      dataSourceId: sourceId
      queryType: 'ResultCount'
    }
    schedule: {
      frequencyInMinutes: 15
      timeWindowInMinutes: 60
    }
    action: {
      'odata.type': 'Microsoft.WindowsAzure.Management.Monitoring.Alerts.Models.Microsoft.AppInsights.Nexus.DataContracts.Resources.ScheduledQueryRules.AlertingAction'
      severity: '4'
      aznsAction: {
        actionGroup: array(actionGroupId)
        emailSubject: 'xxxx Log Alert mail subject'
        customWebhookPayload: '{ "alertname":"#samplealertrulename", "IncludeSearchResults":true }'
      }
      trigger: {
        thresholdOperator: 'GreaterThan'
        threshold: 1
      }
    }
  }
}
```
Deployment succeeded:
Azure portal:
Log query alert:
Email triggered successfully:
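As an added example (not code from the question or the answer above), here is a complete rule on the asker's 2022-06-15 API version with the query filled in for a workspace-based Application Insights resource. The parameter names, the rule name and the KQL query are assumptions chosen for illustration.

```bicep
@description('Region of the alert rule, normally the workspace region.')
param location string
@description('Resource ID of the Log Analytics workspace backing the Application Insights resource.')
param workspaceId string
@description('Resource ID of the action group that receives the alert.')
param actionGroupId string
param ruleName string = 'ai-failed-requests-alert'

// Alerts when any role records more than five failed requests in a 15-minute window.
resource failedRequestsRule 'Microsoft.Insights/scheduledQueryRules@2022-06-15' = {
  name: ruleName
  location: location
  properties: {
    displayName: ruleName
    severity: 2
    enabled: true
    evaluationFrequency: 'PT5M'
    windowSize: 'PT15M'
    scopes: [ workspaceId ]
    criteria: {
      allOf: [
        {
          // Workspace-based Application Insights stores requests in the AppRequests table.
          query: 'AppRequests | where Success == false | summarize FailedCount = count() by AppRoleName'
          timeAggregation: 'Total'
          metricMeasureColumn: 'FailedCount'
          dimensions: [
            {
              name: 'AppRoleName'
              operator: 'Include'
              values: [ '*' ]
            }
          ]
          operator: 'GreaterThan'
          threshold: 5
          failingPeriods: {
            // minFailingPeriodsToAlert must not exceed numberOfEvaluationPeriods.
            numberOfEvaluationPeriods: 1
            minFailingPeriodsToAlert: 1
          }
        }
      ]
    }
    autoMitigate: true
    actions: {
      actionGroups: [ actionGroupId ]
    }
  }
}
```

Because the rule uses a dimension on AppRoleName, each role that crosses the threshold produces its own alert instance, and autoMitigate resolves it once the role drops back under five failures per window.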