# Log Rule

A robust Infraon Infinity solution must monitor certain events in real-time to facilitate swift responses to security threats. Log rules are essential components that define how log data is processed, examined, and acted upon within logging and monitoring systems.

{% hint style="info" %}
**Note:** Ensure you have the appropriate permissions before creating or modifying alerts.
{% endhint %}

Infraon's alerting system allows you to set up rules that continuously scan log data for specific conditions. When these conditions are met, the system triggers predefined alerts.

In essence, rules are predetermined scenarios that, when matched, initiate an alarm, event, or configured action. Each rule consists of three key elements:

* A specific query to be executed
* Parameters that determine what constitutes a rule match
* A set of alerts to be triggered when a match occurs

## **Rule Types**

Infraon Infinity allows you to set up rules that can trigger alarms or send notifications to users through email or SMS. These rules are based on specific criteria you define, such as error rate thresholds or particular log patterns. The system offers two main types of rules:

### **Custom Query**

Custom query rules use tailored search parameters to identify alert-worthy conditions in your log data. To set up a custom query rule:

* Formulate a query that filters the log data you want to monitor
* Design the query to capture the exact conditions that should trigger an alert
* Specify how often the system should run this query to check for matching log entries (e.g., every 5 minutes)

### **Threshold Rule**

Activates when defined thresholds are reached. Select the metric or data point for monitoring. For instance, you could track the number of error logs or the average response time. Establish the alert triggers, such as limits for high error frequencies or unexpected data surges.

* Trigger Condition: For example, if the error tally reaches over 100 in 5 minutes.
* Alert Frequency: The regularity of condition assessment (e.g., every 5 minutes).

## **Instructions to add a New Log rule**

* Go to Infraon configuration -> IT Operations -> Rules, click the ‘New Rule’ button at the top right corner, and select the ‘Add Log rule’ option to continue.
* Refer to the table below to add the details for each field.

**Add Log Rule Details**

| **Label**                | **Action/ Description**                                                                                                 | **Example**                                                                                                 |
| ------------------------ | ----------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------- |
| **Log Rule**             |                                                                                                                         |                                                                                                             |
| Name                     | Add a name to the Log rule                                                                                              |                                                                                                             |
| Description              | Add a brief description of the Log rule                                                                                 |                                                                                                             |
| Status                   | Activate the rule by switching the toggle button on. The rule will only function when its status is on.                 |                                                                                                             |
| Rule Type                | Select the respective rule type from the below call-out boxes.                                                          | Custom query and Threshold Count.                                                                           |
| **Criteria**             |                                                                                                                         |                                                                                                             |
| Index Pattern/ Data View | Select the type of data to be entered.                                                                                  |                                                                                                             |
| Value                    | Input the relevant value in the Multi-Index field to specify which index the rule should be applied to.                 | Windows\*, or windows-2024.09.12, windows-2024.09.13                                                        |
| Custom Filters           | Add custom filters to define specific conditions for your logs or metrics.                                              | For example, you might want to filter logs where the status\_code is 500 and the response\_time exceeds 2s. |
| Check Every              | Set how often the rule runs; each run evaluates the logs within the specified time frame and raises alerts for any matches. | 2 seconds/minutes                                                                                           |
| Look Back                | Set the look-back period the rule evaluates on each run. Make it at least as long as the Check Every interval so no log entries fall between two runs and are missed. | 3 seconds/minutes                                                                                           |
| Group By                 | Add the field by which you want to group. This could be any field from your logs or metrics.                            | For example, you might group by service\_name to get separate alerts for each service.                      |
| Count                    | Select the field whose occurrences are counted from the drop-down box below.                                            | Hostname, IP Address, Message, Agent Name, Host ID.                                                         |
| Threshold                | Set a limit for how many times a certain event can happen. This limit is applied per group defined in Group By.         | 2, 3, 4, etc.                                                                                               |
| **Action**               |                                                                                                                         |                                                                                                             |
| Severity                 | Choose the appropriate urgency level for the event this rule will generate from the drop-down box below.                | Critical, Major, or Minor; Critical is the highest and Minor the lowest.                                    |
| Alarm/ Event Message     | Enter a personalized notification text that will appear in the event when the rule is triggered.                        |                                                                                                             |

Once the details have been added, click “Save” to confirm the rule configurations.
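The following is an added illustration, not Infraon's code, of how the Threshold rule described above and the Criteria fields in the table (Custom Filters, Look Back, Group By, Threshold, Check Every) combine on one evaluation tick; the log records and field names (`service_name`, `status_code`, `response_time`) are constructed to match the table's examples. It also shows why Look Back should not be shorter than Check Every.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample records (not real Infraon data); field names follow the
# examples in the table above.
SAMPLE_LOGS = [
    {"@timestamp": "2024-09-13T10:00:05Z", "service_name": "api", "status_code": 500, "response_time": 2.4},
    {"@timestamp": "2024-09-13T10:01:10Z", "service_name": "api", "status_code": 500, "response_time": 3.1},
    {"@timestamp": "2024-09-13T10:02:00Z", "service_name": "api", "status_code": 500, "response_time": 1.5},
    {"@timestamp": "2024-09-13T10:03:30Z", "service_name": "api", "status_code": 500, "response_time": 2.2},
    {"@timestamp": "2024-09-13T10:04:00Z", "service_name": "web", "status_code": 500, "response_time": 2.7},
    {"@timestamp": "2024-09-13T10:04:45Z", "service_name": "web", "status_code": 503, "response_time": 4.0},
    {"@timestamp": "2024-09-13T09:58:00Z", "service_name": "web", "status_code": 500, "response_time": 5.0},
    {"@timestamp": "2024-09-13T10:04:50Z", "service_name": "web", "status_code": 500, "response_time": 2.1},
]

def parse_ts(value):
    """ISO-8601 timestamp with a trailing Z -> timezone-aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def matches_filters(record):
    """Custom Filters row: status_code is 500 and response_time exceeds 2s."""
    return record.get("status_code") == 500 and record.get("response_time", 0) > 2.0

def evaluate_threshold_rule(records, now, look_back_minutes, group_by, threshold):
    """One Check Every tick of a Threshold rule: count filtered events per
    Group By value inside the look-back window ending at `now`, and return
    the groups whose count exceeds the Threshold ("reaches over N")."""
    window_start = now - timedelta(minutes=look_back_minutes)
    counts = Counter()
    for rec in records:
        ts = parse_ts(rec["@timestamp"])
        if window_start <= ts <= now and matches_filters(rec):
            counts[rec.get(group_by, "<missing>")] += 1
    return {group: n for group, n in counts.items() if n > threshold}

def event_is_missed(event_ts, first_tick, check_every_minutes, look_back_minutes, ticks=3):
    """True if no scheduled tick's look-back window covers event_ts, which
    happens when Look Back is shorter than Check Every (events fall in the gap)."""
    for i in range(ticks):
        tick = first_tick + timedelta(minutes=i * check_every_minutes)
        if tick - timedelta(minutes=look_back_minutes) <= event_ts <= tick:
            return False
    return True

if __name__ == "__main__":
    now = parse_ts("2024-09-13T10:05:00Z")
    print(evaluate_threshold_rule(SAMPLE_LOGS, now, 5, "service_name", 2))  # {'api': 3}
    print(event_is_missed(parse_ts("2024-09-13T10:00:30Z"), parse_ts("2024-09-13T10:00:00Z"), 5, 3))  # True
```

With Threshold 2 only `api` (three matching events in the window) fires; `web` has exactly two and the out-of-window and non-500 records are ignored.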
