Log Policy
Overview
The log policy feature in Motadata AIOps empowers you to effectively monitor and analyze log events in real-time, enabling proactive identification and resolution of potential issues in your IT infrastructure. With log policies, you can define rules and conditions to generate alerts based on log data, ensuring the smooth operation of your systems and applications.
Use-Case
Security Monitoring: Configure log policies to detect and alert on security-related events, such as failed login attempts, suspicious access patterns, or potential breaches.
Error and Exception Tracking: Create log policies to identify critical errors or exceptions occurring within your applications, enabling you to quickly respond and resolve issues before they impact users.
Compliance and Audit: Set up log policies to monitor specific compliance requirements, such as tracking access to sensitive data or ensuring adherence to regulatory guidelines.
Performance Optimization: Utilize log policies to identify performance bottlenecks, anomalies, or resource-intensive activities in your infrastructure, allowing you to optimize system performance and enhance user experience.
Default Log Alert Policies
Motadata AIOps supports Default Log Alert Policies, enhancing the platform's alerting capabilities. This feature is designed to include predefined alert policies for logs such as Malicious Activity with Black IP (Threat Feed Integration), ensuring that users receive timely notifications for critical events within their log data.
Create Log Policy
Navigation
Go to Menu and select Settings. Then go to Policy Settings and select Metric/Log/Flow Policy. The list of the created policies is now displayed.
Click on to start creating a policy. From the panel on the left side of the screen, click on the Log tab to start creating a Log policy. The screen to create a Log Policy is now displayed.
Enter the details of the following parameters to create a Log Policy:
Field | Description |
---|---|
Policy Name | Enter a unique name of the policy you want to create. |
Tag | Enter a name to logically categorize the policy. You can quickly and easily identify a policy based on the tag assigned to it. |
Set Conditions
Field | Description |
---|---|
Counter | Choose the specific counter you wish to create a policy for by selecting from the available options in the dropdown menu. This counter will be the basis for monitoring and generating alerts. |
Aggregation | Determine the aggregation function that best suits your monitoring needs for the selected counter. This function allows you to consolidate and analyze the metric data over a defined period. |
Operator | Select the operator that will be applied to the aggregated counter values to define the triggering condition for the alert. Different operators such as greater than, less than, equal to, and more are available to provide flexibility in defining your alert conditions. |
Value | Specify the threshold value against which the aggregated counter values will be compared. Once the counter value meets the specified condition, an alert will be triggered, notifying you of the issue. |
Source Filter | - Select Source Host if you want to create the policy for specific log source(s). - Select Source Type if you want to create the policy for log sources that belong to specific log types. - Select Group if you want to create the policy for log sources that belong to specific groups. - Select Everywhere if you want to create the policy for all the log sources in the system. This option is selected by default. |
Source | Select the specific Source Host, Source Type, or Group for which you want to create the policy. This dropdown will show results based on the option you have selected in the previous option. You can leave this field blank if you have selected 'Everywhere' in the previous option. |
Result By | Specify the grouping criteria for the aggregated values. This field allows you to define how the log data will be grouped for evaluation of the policy. |
Scenario
Suppose we want to create a log policy to trigger an alert whenever an activity by a root user is detected.
In the filter condition shown in the diagram below, we have specified the condition to identify any log messages that contain the words 'sudo', 'su', and 'root'. This helps to identify the messages indicating activity related to the root user.
Once we have identified the messages (if any) indicating activity by a root user, we now configure the policy to trigger an alert whenever the count of such messages goes above 1, i.e., we raise an alert even if a single message comes up with the words 'sudo', 'su', and 'root'.
In this way, we can configure a log policy to raise an alert whenever an activity from a root user is detected.
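The following Python script is an added illustration of how the Set Conditions fields (Counter, Aggregation, Operator, Value, Result By) and the Suppress Action behaviour combine in the root-activity scenario above; it is not product code and evaluates constructed sample events rather than data from Motadata AIOps. The 'sudo', 'su' and 'root' filter is applied as a whole-word match, which is an assumption about how the filter condition behaves.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample events (not product output); "message" is what the
# policy's filter condition inspects, the other keys are Result By candidates.
SAMPLE_LOGS = [
    {"source_host": "web-01", "source_type": "syslog", "message": "sshd[812]: Accepted publickey for alice from 10.0.0.5"},
    {"source_host": "web-01", "source_type": "syslog", "message": "sudo: alice : TTY=pts/0 ; COMMAND=/bin/systemctl restart nginx"},
    {"source_host": "db-01", "source_type": "syslog", "message": "su: (to root) bob on pts/1"},
    {"source_host": "db-01", "source_type": "syslog", "message": "CRON[991]: (root) CMD (run-parts /etc/cron.hourly)"},
    {"source_host": "app-02", "source_type": "nginx", "message": "GET /health 200 - 0.002s"},
]
ROOT_TERMS = ("sudo", "su", "root")  # the scenario's filter words
OPERATORS = {">": lambda a, b: a > b, ">=": lambda a, b: a >= b,
             "<": lambda a, b: a < b, "<=": lambda a, b: a <= b,
             "=": lambda a, b: a == b}

def matches_filter(message, terms=ROOT_TERMS):
    # Whole-word match (assumed), so 'su' does not fire on 'result' or 'subscribe'.
    return any(re.search(rf"\b{re.escape(t)}\b", message, re.I) for t in terms)

def evaluate_policy(logs, operator, value, result_by="source_host", terms=ROOT_TERMS):
    # Counter = matching messages, Aggregation = count per Result By group,
    # then Operator/Value decide which groups raise an alert.
    counts = Counter(e[result_by] for e in logs if matches_filter(e["message"], terms))
    cmp = OPERATORS[operator]
    return {group: n for group, n in counts.items() if cmp(n, value)}

class SuppressWindow:
    # Suppress Action semantics: the first alert for a group notifies, any
    # further alert for that group inside the Suppress Window is dropped.
    def __init__(self, window: timedelta):
        self.window, self.last_notified = window, {}

    def allow(self, group, now: datetime) -> bool:
        last = self.last_notified.get(group)
        if last is not None and now - last < self.window:
            return False
        self.last_notified[group] = now
        return True

if __name__ == "__main__":
    print(evaluate_policy(SAMPLE_LOGS, ">=", 1))   # {'web-01': 1, 'db-01': 2}
    print(evaluate_policy(SAMPLE_LOGS, ">", 1))    # {'db-01': 2}
```

Note the difference between the two runs: with Operator '>' and Value 1 only db-01 (two matching messages) alerts, whereas '>=' 1 alerts on a single matching message, which is the behaviour the scenario describes.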
We will discuss the other conditions for the alert to be triggered now.
Field | Description |
---|---|
Alert Type | - Select Scheduled if you wish to schedule the alert evaluation at specified time(s) in the future. - Select Real Time if you wish the alert evaluation to run in real time as soon as you create the policy. |
Scheduler Type | This option is available only when you select Scheduled as the Alert Type. - Select Once if you want the policy evaluation to occur only once. In this case, the policy will evaluate the data from the past hour at the time of evaluation. - Select Daily if you want the policy evaluation to occur daily. The policy will evaluate the data from the past 24 hours at the time of evaluation. - Select Weekly if you want the policy evaluation to occur weekly. The policy will evaluate the data from the past 7 days at the time of evaluation. - Select Monthly if you want the policy evaluation to occur monthly. The policy will evaluate the data from the past 30 days at the time of evaluation. |
Start Date | This option is available only when you select Scheduled as the Alert Type. Select the date at which you want to start the policy evaluation. |
Hours | This option is available only when you select Scheduled as the Alert Type. Select the time(s) at which you want to start the policy evaluation. |
Days | This option is available only when you select Scheduled as the Alert Type and Weekly as the Scheduler Type. Select the day(s) at which you want to start the policy evaluation. |
Months | This option is available only when you select Scheduled as the Alert Type and Monthly as the Scheduler Type. Select the month(s) in which you want to start the policy evaluation. |
Dates | This option is available only when you select Scheduled as the Alert Type and Monthly as the Scheduler Type. Select the date(s) at which you want to start the policy evaluation. |
Critical/Major/Warning | Use these fields to set the severity level at which the alert will be triggered. |
Suppress Action | Switch this toggle button ON to suppress the actions and notifications mapped to the policy. Once you switch this button ON and the alert is triggered, the action will be executed once and you will receive a single notification; the actions and notifications configured in the policy are then suppressed for the time period specified in the Suppress Window field. |
Suppress Window | Specify the time period for which you do not wish to execute the actions and receive the notifications mapped to the policy. |
Notify Team
Field | Description |
---|---|
Notify | There are two ways you can populate this field: |
Play Sound | Activate this toggle to enable sound notifications when an alert is triggered. |
If Severity is | Choose the severity level at which the sound notification should be triggered. This option becomes visible only when the Play Sound toggle is switched ON. |
Take Action
Field | Description |
---|---|
Action to be taken | Select a runbook from the dropdown to be executed when the alert is triggered. |
Create New | Select this button to start creating a new runbook which you might want to assign to the policy you are creating. |
Select the Create Policy button to create the policy based on the details entered.
Select the Reset button to erase all the current field values, if required.