Defining a Search Monitor

An XpoLog search monitor is run automatically by the system at scheduled intervals and executes a search query as its monitoring rule.

The search monitor can be defined directly from the search console as well.

The following is a step-by-step flow for adding a search monitor with alerts:

  1. In XpoLog Manager, on the left navigation panel select the Monitors and Tasks > Monitors menu item.

  2. Click Add Monitor > Add New Search Monitor. Name the monitor, add the search query (simple or complex) you wish the monitor to execute, and optionally include a description.

  3. Risk (optional) - Select the "risk" that the monitor represents, from Low to Critical. The risk can later be used for visualization and alert analysis.

  4. Schedule - Configure the frequency you wish for this monitor; the monitor will scan the log according to the configured frequency.

    • Never turns off the scheduler; the monitor will not be executed.

    • Daily runs every day, either at a time interval (Repeat Every) or at a specific hour (Daily At).

    • Weekly runs on the specified day(s), either at a time interval (Repeat Every) or at a specific hour (Daily At).

    • Monthly runs on a given day of the specified month(s), either at a time interval (Repeat Every) or at a specific hour (Daily At).

    • Time Frame: In the time frame section you define whether each execution runs on new data only (the default; XpoLog keeps a reference to the last scanned point) or always runs on a specified, "fixed", time frame.
      Optional - Monitor Execution Delay - When the monitor's scheduled run comes up, wait the specified number of extra seconds before the actual execution takes place (this allows some extra time for data processing before the run).

  5. Failure Alerts

    1. Alert Policy:

      • Failure - Determines the fail criteria of the monitor. By default, if a single record matches the configured rule, the execution is considered a failure and the alerts are triggered.

      • Once triggered, execute failure actions only after - After a failure, alerts are sent again only after the specified number of additional failures have occurred without a success in between.

      • Trigger Alerts:

        • Once per execution: By default the monitor executes the alerts on the latest record matched in each execution. This is the recommended option: the last event only.

        • Each event per execution: The alerts are triggered for each log record matched in each execution (not recommended, since the number of matched records is not bounded and an alert is sent for each one; this is limited to 100).

    2. Add new Alert - See the details on the available Alerts.

  6. Positive Alerts - Execute a positive alert as an indication that a specified time has passed since the last failure.

  7. Log Monitor Execution - When this option is enabled, XpoLog automatically stores detailed logs about the monitor's executions and triggered alerts, allowing a visual view of the monitor's behavior over time: executions, alerts, and risk level.

  8. Security - Configure the security (users/groups) associated with the monitor.

  9. AppTags - Select the AppTags associated with the monitor.

  10. Save the monitor.

The monitor runs automatically at the frequency you configured. If needed, you can also execute a monitor manually, either by right-clicking it and selecting the execute option or via the console's Actions menu.
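The alert-policy settings in step 5 (new data only, "Once per execution" versus "Each event per execution", and "execute failure actions only after" N additional failures) determine how many alerts a monitor actually sends, which is what matters when tuning alert volume. The following Python model is an added example and is not XpoLog code: it assumes the search query can be modelled as a regular expression, that the last scanned point is an index into an in-memory list of records, and that the positive alert's elapsed time is counted in executions rather than wall-clock seconds. The log lines are constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample log (not from the page). Lines are in arrival order, so the
# "last scanned point" is simply an index into this list.
SAMPLE_LOG = [
    "2024-01-01T10:00:01 INFO  login ok user=alice",
    "2024-01-01T10:00:05 ERROR login failed user=bob",
    "2024-01-01T10:01:02 INFO  login ok user=carol",
    "2024-01-01T10:01:30 ERROR login failed user=bob",
    "2024-01-01T10:02:10 ERROR login failed user=mallory",
]

EACH_EVENT_CAP = 100  # the page states that per-event alerting is limited to 100 records


@dataclass
class SearchMonitor:
    """Model of one search monitor's alert policy (assumed semantics, see the lead-in)."""
    rule: re.Pattern                        # search query modelled as a regex (assumption)
    per_event: bool = False                 # False = Once per execution, True = Each event per execution
    extra_failures_before_realert: int = 0  # "execute failure actions only after" N additional failures
    last_scanned: int = 0                   # reference to the last scanned point ("new data only" mode)
    consecutive_failures: int = 0           # failed executions with no successful execution in between
    runs_since_failure: int = 0             # drives the positive alert

    def execute(self, log: list) -> list:
        """One scheduled run over the records newer than the last scanned point.
        Returns the alert messages this run would send (an empty list means no alert)."""
        new_records = log[self.last_scanned:]
        self.last_scanned = len(log)
        matched = [r for r in new_records if self.rule.search(r)]
        if not matched:
            # Success: the suppression counter resets and the positive-alert clock advances.
            self.consecutive_failures = 0
            self.runs_since_failure += 1
            return []
        self.consecutive_failures += 1
        self.runs_since_failure = 0
        if not self._should_alert():
            return []
        if self.per_event:
            # One alert per matched record, capped as the page describes.
            return [f"ALERT: {r}" for r in matched[:EACH_EVENT_CAP]]
        # Default: a single alert on the latest matched record of this execution.
        return [f"ALERT: {matched[-1]}"]

    def _should_alert(self) -> bool:
        """The first failure alerts immediately; later ones only after N further failures."""
        n = self.extra_failures_before_realert
        if self.consecutive_failures == 1 or n == 0:
            return True
        return (self.consecutive_failures - 1) % n == 0

    def positive_alert_due(self, quiet_runs: int) -> bool:
        """Positive alert: at least `quiet_runs` executions have passed since the last failure."""
        return self.runs_since_failure >= quiet_runs


def demo_once_per_execution() -> list:
    """Three scheduled runs as the log grows, re-alerting only after 2 extra failures.
    Returns the alerts sent by each run: first run alerts, second is suppressed, third alerts."""
    mon = SearchMonitor(re.compile(r"\bERROR\b"), extra_failures_before_realert=2)
    runs = []
    for upto in (2, 4, 5):  # each run sees only the records that arrived since the previous run
        runs.append(mon.execute(SAMPLE_LOG[:upto]))
    return runs


def demo_each_event() -> list:
    """A single run in "Each event per execution" mode: one alert per matched record."""
    mon = SearchMonitor(re.compile(r"\bERROR\b"), per_event=True)
    return mon.execute(SAMPLE_LOG)


def demo_positive_alert() -> bool:
    """One failing run followed by two quiet runs satisfies a 2-run positive-alert threshold."""
    mon = SearchMonitor(re.compile(r"\bERROR\b"))
    mon.execute(SAMPLE_LOG[:2])  # failure
    mon.execute(SAMPLE_LOG[:3])  # quiet run, one new non-matching record
    mon.execute(SAMPLE_LOG[:3])  # quiet run, no new records at all
    return mon.positive_alert_due(2)


if __name__ == "__main__":
    for i, alerts in enumerate(demo_once_per_execution(), 1):
        print(f"run {i}: {alerts or 'no alert'}")
    print("per-event:", demo_each_event())
    print("positive alert due:", demo_positive_alert())
```

The suppression rule is the part worth checking against your own expectations: with `extra_failures_before_realert=2`, the second consecutive failing run is silent and the third alerts again, so a persistent condition produces one alert per three scheduled runs rather than one per run. Switching `per_event` on turns the same three matching records into three alerts in a single run, which is why the page recommends the once-per-execution setting for anything but low-volume rules.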