WEBVTT 0:00:01.580000 --> 0:00:06.960000 In this video, we're going to take a look at managing alerts. 0:00:06.960000 --> 0:00:11.880000 The topics that we're going to cover include, what are the components 0:00:11.880000 --> 0:00:14.720000 of Azure Alerts? 0:00:14.720000 --> 0:00:21.660000 We're going to talk about the signals that you can process for Azure Alerts, 0:00:21.660000 --> 0:00:24.540000 and I'm going to demonstrate Azure Alerts. 0:00:24.540000 --> 0:00:29.620000 Now, as it stands, alerts are pretty simple, and I would assume that most 0:00:29.620000 --> 0:00:31.940000 people are familiar with the concept. 0:00:31.940000 --> 0:00:37.820000 If you're not, the concept is that something happens in Azure, and you 0:00:37.820000 --> 0:00:41.760000 want to be made aware that something has happened in Azure. 0:00:41.760000 --> 0:00:43.480000 It's really what it comes down to. 0:00:43.480000 --> 0:00:48.160000 Now, that breaks out a little bit into these alert components. 0:00:48.160000 --> 0:00:50.860000 There's really two key components to alerting. 0:00:50.860000 --> 0:00:53.520000 The first is the alert rule. 0:00:53.520000 --> 0:00:57.620000 Now, this is something that semantically you just want to be careful with, 0:00:57.620000 --> 0:01:02.580000 and I make this mistake frequently, is that really you're not creating 0:01:02.580000 --> 0:01:06.180000 an alert. You are creating an alert rule. 0:01:06.180000 --> 0:01:10.980000 When that alert rule is triggered, that generates an alert, simple as 0:01:10.980000 --> 0:01:15.840000 that. Now, in addition to just having the alert rule, the way you define 0:01:15.840000 --> 0:01:21.940000 it is you're going to specify what resource this alert rule is based on. 
0:01:21.940000 --> 0:01:29.140000 You're also going to define the conditions that will trigger an alert, 0:01:29.140000 --> 0:01:34.600000 and you're also going to define what happens by defining or by associating 0:01:34.600000 --> 0:01:36.440000 an action group. 0:01:36.440000 --> 0:01:43.260000 An action group is going to really define a response to a triggered action, 0:01:43.260000 --> 0:01:46.900000 and as you can see, or triggered alert, excuse me, as you can see, there 0:01:46.900000 --> 0:01:52.120000 are a variety of different really responses that you can define, and in 0:01:52.120000 --> 0:01:57.380000 fact, I can define multiple of these responses in a single action group. 0:01:57.380000 --> 0:02:01.380000 We have these following different types of actions. 0:02:01.380000 --> 0:02:11.560000 There's the communication, email, SMS, phone, or even sending out a mobile 0:02:11.560000 --> 0:02:14.920000 message. There's a function app. 0:02:14.920000 --> 0:02:18.400000 If you have your own function app that you want to use to process alerts, 0:02:18.400000 --> 0:02:22.560000 or if you have a logic app or if you have a runbook, these are really 0:02:22.560000 --> 0:02:27.540000 just three different types of resources in Azure that can be automatically 0:02:27.540000 --> 0:02:31.120000 triggered to process the results of an alert. 0:02:31.120000 --> 0:02:36.200000 In addition to that, you really can have any kind of response based on 0:02:36.200000 --> 0:02:43.620000 a webhook. A webhook is simply a REST API and HTTP endpoint that is designed 0:02:43.620000 --> 0:02:49.120000 to receive data, and as long as you have some kind of service, it could 0:02:49.120000 --> 0:02:55.260000 be a microservice, could be part of an ASP.NET application or a Java application 0:02:55.260000 --> 0:03:00.000000 or whatever, you have some custom endpoint that can receive alert data, 0:03:00.000000 --> 0:03:03.620000 I can actually hook that up through an action group. 
0:03:03.620000 --> 0:03:06.560000 And finally, we have IT Service Management. 0:03:06.560000 --> 0:03:13.400000 IT Service Management is an open standard for communicating, well, IT 0:03:13.400000 --> 0:03:15.240000 Service Management data. 0:03:15.240000 --> 0:03:24.020000 And you can create an IT Service Management provider or endpoint, and 0:03:24.020000 --> 0:03:29.840000 then you can hook that up to your action group via an action. 0:03:29.840000 --> 0:03:35.300000 So these are the main components of an alert. 0:03:35.300000 --> 0:03:38.560000 In addition to that, one other thing that you want to understand about 0:03:38.560000 --> 0:03:44.080000 alerts is that from your various alert sources, you have what are called 0:03:44.080000 --> 0:03:48.980000 signals. This signal is simply that which is going to trigger the alert. 0:03:48.980000 --> 0:03:53.540000 It's really not anything particularly complicated, but there are different 0:03:53.540000 --> 0:03:54.800000 types of signals. 0:03:54.800000 --> 0:03:59.580000 The two primary types of signals are metric signals and activity log 0:03:59.580000 --> 0:04:03.480000 signals. And hopefully that is fairly self-explanatory. 0:04:03.480000 --> 0:04:08.060000 Metric signals are going to allow you to generate alerts based on some 0:04:08.060000 --> 0:04:10.220000 kind of performance condition. 0:04:10.220000 --> 0:04:14.660000 And then, of course, the activity logs are going to allow you to generate 0:04:14.660000 --> 0:04:18.320000 an alert based on some kind of activity. 0:04:18.320000 --> 0:04:22.140000 So those are the key elements of alerts. 0:04:22.140000 --> 0:04:26.360000 I think the easiest way to see alerts is to simply see an alert. 0:04:26.360000 --> 0:04:31.760000 So I'm going to go through the process of creating an alert and also creating 0:04:31.760000 --> 0:04:37.940000 an action group and tying those in to some kind of activity that we might 0:04:37.940000 --> 0:04:39.920000 want to alert on. 
0:04:39.920000 --> 0:04:44.700000 And then I'll also show you one that already exists. 0:04:44.700000 --> 0:04:50.240000 Now, currently, I am in the portal. 0:04:50.240000 --> 0:04:52.860000 And I'm in Monitor within the portal. 0:04:52.860000 --> 0:04:58.540000 And I like using Monitor because it gives me that really kind of full 0:04:58.540000 --> 0:05:05.980000 overview here. And I can view any alerts that have occurred at the subscription 0:05:05.980000 --> 0:05:12.140000 level. In fact, I can view these for different subscriptions. 0:05:12.140000 --> 0:05:21.740000 But we're going to wait just a moment here for this to come up. 0:05:21.740000 --> 0:05:30.280000 And now you can see that within this subscription, INE demonstrations, 0:05:30.280000 --> 0:05:39.800000 I've got the various levels of alerts. 0:05:39.800000 --> 0:05:42.920000 And notice that one of these alerts, severity 3, has been generated. 0:05:42.920000 --> 0:05:46.320000 I'm glad that was generated because I did that right before I started 0:05:46.320000 --> 0:05:49.660000 this session, this video. 0:05:49.660000 --> 0:05:53.300000 And it does take a little bit of time sometimes for alerts to generate. 0:05:53.300000 --> 0:05:55.520000 And I'll show you what generated that alert. 0:05:55.520000 --> 0:05:58.520000 So already having alert, I already have an action group. 0:05:58.520000 --> 0:06:04.500000 But what I'm going to do is I'm going to go here to Manage Actions. 0:06:04.500000 --> 0:06:07.580000 And I've got action groups. 0:06:07.580000 --> 0:06:12.880000 Now, this says, no subscriptions selected. 0:06:12.880000 --> 0:06:19.380000 Let's see, there's something slightly amiss. 0:06:19.380000 --> 0:06:26.580000 All right. Oh, there we go. 0:06:26.580000 --> 0:06:28.140000 I know I should have one. 0:06:28.140000 --> 0:06:30.980000 I'm going to go ahead and add another action group. 0:06:30.980000 --> 0:06:39.840000 And this is going to be just demo action. 
0:06:39.840000 --> 0:06:44.360000 And it needs also demo action group. 0:06:44.360000 --> 0:06:49.300000 Demo action group. 0:06:49.300000 --> 0:06:55.300000 That one OK? Maybe. 0:06:55.300000 --> 0:07:00.240000 Short name. It's going to be DAG. 0:07:00.240000 --> 0:07:05.300000 It's going to go in the INE demonstrations. 0:07:05.300000 --> 0:07:09.740000 Now, the resource type, or the resource group, we're going to put that 0:07:09.740000 --> 0:07:18.140000 in. We want, there we go, AZ-300 monitor. 0:07:18.140000 --> 0:07:22.500000 All right. Now, for this action group, I need to define actions. 0:07:22.500000 --> 0:07:29.880000 And the first action that I can define, let's say, would be contact. 0:07:29.880000 --> 0:07:33.160000 And the action has an action type. 0:07:33.160000 --> 0:07:34.980000 And you can see the different action types. 0:07:34.980000 --> 0:07:37.440000 So I've got email, SMS, push, or voice. 0:07:37.440000 --> 0:07:39.400000 So these are my contact. 0:07:39.400000 --> 0:07:44.220000 I've got Azure Function, a logic app, and an automation runbook. 0:07:44.220000 --> 0:07:48.140000 In each case, I can select the appropriate resource. 0:07:48.140000 --> 0:07:52.600000 I have webhook, which would allow me to make an open call to any webhook. 0:07:52.600000 --> 0:07:53.740000 And I have ITSM. 0:07:53.740000 --> 0:07:57.820000 Let's go ahead and set up the communications. 0:07:57.820000 --> 0:08:02.140000 Now, when I set up the communications, notice I have these options. 0:08:02.140000 --> 0:08:08.740000 Email, email, a role, SMS, push notifications, or voice. 0:08:08.740000 --> 0:08:17.520000 I'm going to go ahead and just select email. 0:08:17.520000 --> 0:08:23.800000 And simple as that, I've got any email that's being sent. 0:08:23.800000 --> 0:08:28.760000 Now, I'm going to just show you a couple of the others, particularly ITSM. 
0:08:28.760000 --> 0:08:35.200000 When I select ITSM, it's going to ask me for a connector to ITSM, which 0:08:35.200000 --> 0:08:38.740000 I don't have. And if it takes too much longer, I won't show you. 0:08:38.740000 --> 0:08:42.260000 But you do have to pre-configure a connection. 0:08:42.260000 --> 0:08:45.720000 There we go. And I don't have any connections, so that's grayed out. 0:08:45.720000 --> 0:08:49.160000 So if you're going to use ITSM, you have to set up the connection first 0:08:49.160000 --> 0:08:51.020000 through a provider. 0:08:51.020000 --> 0:08:58.680000 And also, if I go and select webhook, I need to specify the URI that it's 0:08:58.680000 --> 0:09:01.340000 going to send the alert information to. 0:09:01.340000 --> 0:09:05.420000 And the alert is sent to a webhook in a JSON format. 0:09:05.420000 --> 0:09:10.040000 But I don't actually want to do any of that, so we'll just take that away. 0:09:10.040000 --> 0:09:15.680000 And I have now defined another action group. 0:09:15.680000 --> 0:09:17.320000 We've got my action groups. 0:09:17.320000 --> 0:09:23.520000 Fantastic. And now what I'm going to do is I'm going to go back to monitor. 0:09:23.520000 --> 0:09:27.720000 And I'm going to go back to alerts. 0:09:27.720000 --> 0:09:30.880000 And now I want to manage alert rules. 0:09:30.880000 --> 0:09:33.680000 And I'm going to create a new alert rule. 0:09:33.680000 --> 0:09:37.220000 I should have one or two, I should have, I think, two alert rules in here 0:09:37.220000 --> 0:09:40.840000 now. Notice from rules, I can also manage action groups. 0:09:40.840000 --> 0:09:45.060000 But I'm going to go ahead and create a new rule. 0:09:45.060000 --> 0:09:56.700000 OK. First thing I need to do is select what I want to create this rule 0:09:56.700000 --> 0:10:04.660000 for. And I can create rules across, well, for specific subscriptions. 0:10:04.660000 --> 0:10:10.460000 And then I can determine what it is I want to associate a rule with. 
0:10:10.460000 --> 0:10:16.060000 Let's say, for example, that I wanted to associate rules with resource 0:10:16.060000 --> 0:10:21.260000 groups. And in particular, I wanted to associate a rule with the AZ-300 0:10:21.260000 --> 0:10:25.540000 monitor resource group. 0:10:25.540000 --> 0:10:28.700000 So now I have selected a resource. 0:10:28.700000 --> 0:10:32.580000 The next step would be to select a condition. 0:10:32.580000 --> 0:10:36.620000 And when I select a condition, now in this case I only have activity log 0:10:36.620000 --> 0:10:42.320000 because at the resource group level there are no metrics being collected. 0:10:42.320000 --> 0:10:45.280000 I'm going to go ahead and select activity log. 0:10:45.280000 --> 0:10:48.760000 And I can see all of the different activity log operations. 0:10:48.760000 --> 0:10:55.460000 And notice that there are very specific operations such as create a resource 0:10:55.460000 --> 0:11:00.180000 group. And there are very general operations such as all administrative 0:11:00.180000 --> 0:11:05.860000 operations. I'm going to pick that and it's going to tell me what's happened 0:11:05.860000 --> 0:11:06.920000 over the last six hours. 0:11:06.920000 --> 0:11:09.900000 And I go back, say, over the last week. 0:11:09.900000 --> 0:11:11.300000 And there's no data. 0:11:11.300000 --> 0:11:13.480000 Well, that's good. 0:11:13.480000 --> 0:11:16.600000 And then what I'm going to do is say, OK, what event level? 0:11:16.600000 --> 0:11:18.280000 I'm specifying event level. 0:11:18.280000 --> 0:11:19.900000 I'm specifying status. 0:11:19.900000 --> 0:11:23.760000 And I can also filter by who initiated it. 0:11:23.760000 --> 0:11:31.880000 So that is a signal-based, in particular an activity log signal-based 0:11:31.880000 --> 0:11:36.300000 condition. Now I also should define actions. 0:11:36.300000 --> 0:11:38.160000 You don't have to define an action. 
0:11:38.160000 --> 0:11:41.360000 I can just have alerts that fire off and I can track them through the 0:11:41.360000 --> 0:11:45.800000 alert system. But oftentimes you're going to want to associate an action. 0:11:45.800000 --> 0:11:48.080000 And it's very simple to do. 0:11:48.080000 --> 0:11:50.520000 I can select budget primary. 0:11:50.520000 --> 0:11:53.500000 In preview you'll notice there are action rules. 0:11:53.500000 --> 0:11:58.240000 And what that allows you to do is refine under what circumstances this 0:11:58.240000 --> 0:12:04.380000 rule would when triggered call this particular action group. 0:12:04.380000 --> 0:12:06.440000 But we're not going to do that right now. 0:12:06.440000 --> 0:12:12.200000 And I can view the configured actions. 0:12:12.200000 --> 0:12:16.240000 I also need to give this an alert rule name. 0:12:16.240000 --> 0:12:23.040000 Incredibly specific demo alert name. 0:12:23.040000 --> 0:12:26.240000 And I'm not going to give it a description. 0:12:26.240000 --> 0:12:29.520000 I am, however, going to put it in monitor. 0:12:29.520000 --> 0:12:35.720000 Let's actually call this correctly. 0:12:35.720000 --> 0:12:38.920000 And let's go and call this INE. 0:12:38.920000 --> 0:12:43.240000 Demo alert rule. 0:12:43.240000 --> 0:12:45.040000 It should be good there. 0:12:45.040000 --> 0:12:50.640000 And does tell you it can take up to five minutes for an activity log alert 0:12:50.640000 --> 0:12:52.680000 rule to become active. 0:12:52.680000 --> 0:13:02.460000 So I create the alert rule that is now going to be added to my rule set. 0:13:02.460000 --> 0:13:06.320000 I'm going to take a look at a rule that I've already defined. 0:13:06.320000 --> 0:13:10.080000 A rule, an alert rule that I've already defined. 0:13:10.080000 --> 0:13:12.460000 I have this error alert. 0:13:12.460000 --> 0:13:20.260000 And the error alert is associated with a web app. 
0:13:20.260000 --> 0:13:27.240000 And it's going to alert whenever the HTTP 400 level errors are generated 0:13:27.240000 --> 0:13:29.420000 greater than 10. 0:13:29.420000 --> 0:13:34.140000 And I don't have any actions defined for this right now. 0:13:34.140000 --> 0:13:36.160000 Which obviously I could. 0:13:36.160000 --> 0:13:40.820000 Now what I want to do is go take a look at what this did. 0:13:40.820000 --> 0:13:47.900000 If I come back here and I can see the alerts in the last 24 hours, if 0:13:47.900000 --> 0:13:54.060000 I go to my severity one, or severity three, excuse me, I can see that 0:13:54.060000 --> 0:14:00.180000 in the last 24 hours the error alert has been triggered. 0:14:00.180000 --> 0:14:03.480000 And I can go and see information about it. 0:14:03.480000 --> 0:14:06.680000 I can view the history of this. 0:14:06.680000 --> 0:14:08.960000 So that's what happened with the alert. 0:14:08.960000 --> 0:14:11.040000 I don't think I have diagnostics. 0:14:11.040000 --> 0:14:13.420000 I don't have any diagnostics set up on it. 0:14:13.420000 --> 0:14:16.160000 Now I also have the alert state. 0:14:16.160000 --> 0:14:18.300000 Notice that the alert is new. 0:14:18.300000 --> 0:14:22.180000 I would probably after taking a look at it, possibly acknowledge it, or 0:14:22.180000 --> 0:14:24.700000 maybe even close it. 0:14:24.700000 --> 0:14:28.940000 Now you wouldn't want to do that quite as cavalierly as I just have, but 0:14:28.940000 --> 0:14:34.380000 you do have that ability to manage the state of an alert. 0:14:34.380000 --> 0:14:36.540000 Now why did that alert trigger? 0:14:36.540000 --> 0:14:40.500000 Well, that alert simply triggered because I have this web app that allows 0:14:40.500000 --> 0:14:44.500000 me, amongst other things, to generate errors. 0:14:44.500000 --> 0:14:50.320000 And this web app ran once, it ran with 1,000 messages, and it generated 0:14:50.320000 --> 0:14:54.140000 about 233 errors. 
0:14:54.140000 --> 0:14:58.300000 And that's just a randomized function that I have in here, basically to 0:14:58.300000 --> 0:15:00.200000 kick off alerts. 0:15:00.200000 --> 0:15:08.200000 And that is really it as far as generating and managing alerts. 0:15:08.200000 --> 0:15:13.860000 Let's go ahead and think about some of the takeaways that we have with 0:15:13.860000 --> 0:15:19.100000 alerts. First of all, make sure that you are comfortable with the components 0:15:19.100000 --> 0:15:22.220000 of an alert system. 0:15:22.220000 --> 0:15:26.440000 You have alert rules, and you also have action groups. 0:15:26.440000 --> 0:15:30.140000 Now again, in preview right now is action rules. 0:15:30.140000 --> 0:15:34.340000 That's something that you might want to go and look up as that becomes, 0:15:34.340000 --> 0:15:40.480000 you know, more mature and eventually ends up in general availability. 0:15:40.480000 --> 0:15:44.820000 But for now, we have alert rules, and alert rules are going to allow us 0:15:44.820000 --> 0:15:51.320000 to set a trigger, really, what resource is going to generate the alert, 0:15:51.320000 --> 0:15:55.200000 and we can filter it with what type of activity do we want, and that's going 0:15:55.200000 --> 0:16:03.660000 to be based on typically either, you know, performance monitoring or just 0:16:03.660000 --> 0:16:08.140000 event monitoring in general, or activity log signals, you'll hear that 0:16:08.140000 --> 0:16:12.740000 word signal. The action group, of course, is part of the alert rule as 0:16:12.740000 --> 0:16:15.740000 are additional settings, such as the name of the alert. 0:16:15.740000 --> 0:16:19.360000 Then we have the action group, and that's where things, I think, get very 0:16:19.360000 --> 0:16:22.120000 interesting, different types of actions. 0:16:22.120000 --> 0:16:25.300000 You want to make sure that you are familiar with all of the different 0:16:25.300000 --> 0:16:26.080000 types of actions. 
0:16:26.080000 --> 0:16:29.900000 Email, SMS, phone, and also notification. 0:16:29.900000 --> 0:16:31.800000 All part of that communications. 0:16:31.800000 --> 0:16:35.980000 You've got function apps, logic apps, runbooks, all resources that can 0:16:35.980000 --> 0:16:38.520000 be connected within the Azure environment. 0:16:38.520000 --> 0:16:43.960000 And then externally, you've got ITSM, but of course you do have to configure 0:16:43.960000 --> 0:16:47.480000 ITSM prior to this prior to using it here. 0:16:47.480000 --> 0:16:50.900000 And you also have webhooks, which again is just really any HTTP endpoint 0:16:50.900000 --> 0:16:57.040000 that can accept the JSON data that would be sent via an alert. 0:16:57.040000 --> 0:17:01.340000 Now, in addition to that, we have alert monitoring capabilities. 0:17:01.340000 --> 0:17:07.100000 As you saw, I can monitor alerts centrally through Azure Monitor, and 0:17:07.100000 --> 0:17:10.640000 the cool thing about that is I can actually monitor different subscriptions 0:17:10.640000 --> 0:17:12.380000 from that one environment. 0:17:12.380000 --> 0:17:16.240000 You can also actually monitor alerts down at the resource level. 0:17:16.240000 --> 0:17:20.120000 I can go in the portal, go to a resource, I'll have the alerts, and I 0:17:20.120000 --> 0:17:24.220000 can see the alerts for that specific resource. 0:17:24.220000 --> 0:17:28.580000 Also, keep in mind that with things like ITSM and webhooks, you have 0:17:28.580000 --> 0:17:33.160000 the ability to really manage and monitor your alerts through external 0:17:33.160000 --> 0:17:36.280000 third-party systems really very easily. 0:17:36.280000 --> 0:17:38.620000 So that is Azure alerts.