Sysdig Documentation

Event Alerts

Monitor occurrences of specific events, and alert if the total number of occurrences violates a threshold. Useful for alerting on container, orchestration, and service events like restarts and deployments.


Defining a Metric Alert

Guidelines

  • Set a unique name and description: Set a meaningful name and description that help recipients easily identify the alert.

  • Severity: Set a severity level for your alert. You can also view and sort events by severity in the dashboard and Explore UI. The priorities High, Medium, Low, and Info are reflected in the Events list, where you can sort by the severity of the event or alert. Severity can also be used as a criterion when creating event alerts, for example: notify if there are more than 10 high-severity events.

  • Source Tag: Supported source tags are Kubernetes, Docker, and Containerd.

  • Specify multiple segments: Selecting a single segment might not always supply enough information to troubleshoot. Enrich the selected entity with related information by adding additional related segments. Enter hierarchical entities so you have a top-down picture of what went wrong and where. For example, specifying a Kubernetes Cluster alone does not provide the context necessary to troubleshoot. To narrow down the issue, add further contextual information, such as Kubernetes Namespace, Kubernetes Deployment, and so on.

Specify Event

  1. Specify the name, tag, or description of an event.

  2. Specify a Source Tag.

Configure Scope

Filter the environment on which this alert will apply. Use advanced operators to include, exclude, or pattern-match groups, tags, and entities. You can also create alerts directly from Explore and Dashboards for automatically populating this scope.


In this example, failing a liveness probe in the agent-process-whitelist-cluster cluster triggers an alert.

Configure Trigger

Define the threshold and time window for assessing the alert condition. Single Alert fires one alert for your entire scope, while Multiple Alert fires when any segment (or, if configured, every segment) breaches the threshold at the same time.


If the number of events triggered in the monitored entity is greater than 5 within the last 10 minutes, recipients will be notified through the selected channel.
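The following Python script is an added illustration of the trigger semantics above (event filter, source tag, scope, 10-minute window, threshold of 5, and Single versus Multiple Alert); it is not Sysdig's code or API, and the label keys and sample events are constructed for the example.

```python
from collections import Counter
from dataclasses import dataclass, field

THRESHOLD = 5             # page example: "greater than 5" events ...
WINDOW_SECONDS = 10 * 60  # ... "within the last 10 minutes"

@dataclass(frozen=True)
class Event:
    ts: int          # unix seconds
    source: str      # source tag: "kubernetes", "docker" or "containerd"
    severity: str    # "high", "medium", "low" or "info"
    name: str        # event name, e.g. "Liveness probe failed"
    labels: dict = field(default_factory=dict)  # scope/segment labels (assumed key names)

def matching_events(events, now, scope, name_text, sources=("kubernetes",)):
    """Events inside the window and scope, from an allowed source, whose name contains name_text."""
    return [e for e in events
            if now - WINDOW_SECONDS < e.ts <= now
            and e.source in sources
            and name_text.lower() in e.name.lower()
            and all(e.labels.get(k) == v for k, v in scope.items())]

def single_alert(events, now, scope, name_text, sources=("kubernetes",)):
    """Single Alert: one count across the entire scope."""
    return len(matching_events(events, now, scope, name_text, sources)) > THRESHOLD

def multiple_alert(events, now, scope, name_text, segment_keys, sources=("kubernetes",)):
    """Multiple Alert: one count per segment; returns only the segments that breach."""
    counts = Counter(tuple(e.labels.get(k, "<none>") for k in segment_keys)
                     for e in matching_events(events, now, scope, name_text, sources))
    return {seg: n for seg, n in counts.items() if n > THRESHOLD}

# Constructed sample data (not real Sysdig output). Scope: the cluster named on the page.
NOW = 1_700_000_000
SCOPE = {"kubernetes.cluster.name": "agent-process-whitelist-cluster"}
SEGMENTS = ("kubernetes.namespace.name", "kubernetes.deployment.name")

def _probe_failure(age_s, deployment, cluster="agent-process-whitelist-cluster"):
    return Event(NOW - age_s, "kubernetes", "high", "Liveness probe failed",
                 {"kubernetes.cluster.name": cluster, "kubernetes.namespace.name": "payments",
                  "kubernetes.deployment.name": deployment})

SAMPLE = ([_probe_failure(30 * i, "api") for i in range(1, 5)]       # 4 recent, deployment api
          + [_probe_failure(60 * i, "worker") for i in range(1, 4)]  # 3 recent, deployment worker
          + [_probe_failure(20, "api", cluster="other-cluster")]     # outside the scope
          + [_probe_failure(WINDOW_SECONDS + 60, "api")])            # older than the window

if __name__ == "__main__":
    print("single alert fires:", single_alert(SAMPLE, NOW, SCOPE, "liveness probe"))
    print("breaching segments:", multiple_alert(SAMPLE, NOW, SCOPE, "liveness probe", SEGMENTS))
```

With the sample data, 7 in-scope events make the Single Alert fire, while no single deployment exceeds 5, so the Multiple Alert segmented by namespace and deployment stays quiet.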