Available Metrics¶
Metric Format¶
The collectd
metrics have the following view:
A detailed description of the metric format is available at this link.
Note
- In the list of available metrics below, the host name (the
host/
part) is omitted. - When using the
collectd_nagios
utility, the host name must be omitted. It is set separately using the-H
parameter (more about using this utility).
Types of Wallarm Metrics¶
The allowed types of Wallarm metrics are described below. The type is stored in the type
metric parameter.
-
gauge
is a numerical representation of the measured value. The value can both increase and decrease. -
derive
is the rate of change of the measured value since the previous measurement (derived value). The value can both increase and decrease. -
counter
is similar to thegauge
metric. The value can only increase.
NGINX Metrics and NGINX Wallarm Module Metrics¶
Number of Requests¶
The number of all requests processed by the filter node since its installation.
- Metric:
curl_json-wallarm_nginx/gauge-abnormal
- Metric value:
- Troubleshooting recommendations:
- Check if the filter node settings are correct.
- Check the filter node operation as described in the instructions. The value should increase by
1
after sending one test attack.
Number of Lost Requests¶
The number of requests not analyzed by the postanalytics module and not passed to Wallarm API. Blocking rules are applied to these requests, but requests are not visible in your Wallarm account and are not taken into account when analyzing next requests. The number is the sum of tnt_errors
and api_errors
.
-
Metric:
curl_json-wallarm_nginx/gauge-requests_lost
-
Metric value:
0
, the sum oftnt_errors
andapi_errors
-
Troubleshooting recommendations: follow the instructions for
tnt_errors
andapi_errors
Number of Requests not Analyzed by the Postanalytics Module¶
The number of requests not analyzed by the postanalytics module. This metric is collected if sending requests to the postanalytics module is configured (wallarm_upstream_backend tarantool
). Blocking rules are applied to these requests, but requests are not visible in your Wallarm account and are not taken into account when analyzing next requests.
-
Metric:
curl_json-wallarm_nginx/gauge-tnt_errors
-
Metric value:
0
- Troubleshooting recommendations:
- Get the NGINX and Tarantool logs and analyze errors if any.
- Check if the Tarantool server address (
wallarm_tarantool_upstream
) is correct. - Check that enough memory is allocated for Tarantool.
- Contact the Wallarm support team and provide the data above if the issue is not resolved.
Number of Requests not Passed to the Wallarm API¶
The number of requests not passed to Wallarm API. This metric is collected if passing requests to Wallarm API is configured (wallarm_upstream_backend api
). Blocking rules are applied to these requests, but requests are not visible in your Wallarm account and not taken into account when analyzing next requests.
-
Metric:
curl_json-wallarm_nginx/gauge-api_errors
-
Metric value:
0
- Troubleshooting recommendations:
- Get the NGINX and Tarantool logs and analyze errors if any.
- Check if the Wallarm API settings (
wallarm_api_conf
) are correct. - Check that enough memory is allocated for Tarantool.
- Contact the Wallarm support team and provide the data above if the issue was not resolved.
Number of Issues Completed NGINX Worker Process Abnormally¶
A number of issues have led to abnormal completion of the NGINX worker process. The most common reason for abnormal completion is a critical error in NGINX.
-
Metric:
curl_json-wallarm_nginx/gauge-segfaults
-
Metric value:
0
- Troubleshooting recommendations:
- Collect data about the current state using the
/opt/wallarm/collect-info.sh
script. - Provide the generated file to the Wallarm support team for investigation.
- Collect data about the current state using the
Number of Situations Exceeding the Virtual Memory Limit¶
The number of situations when the virtual memory limit was exceeded.
-
Metric:
curl_json-wallarm_nginx/gauge-memfaults
if the limit in your system was exceededcurl_json-wallarm_nginx/gauge-softmemfaults
if the limit for proton.db +lom was exceeded (wallarm_general_ruleset_memory_limit
)
-
Metric value:
0
- Troubleshooting recommendations:
- Collect data about the current state using the
/opt/wallarm/collect-info.sh
script. - Provide the generated file to the Wallarm support team for investigation.
- Collect data about the current state using the
Number of the proton.db Errors¶
The number of the proton.db errors except for those occurred due to the situations when the virtual memory limit was exceeded.
-
Metric:
curl_json-wallarm_nginx/gauge-proton_errors
-
Metric value:
0
- Troubleshooting recommendations:
- Copy the error code from the NGINX logs (
wallarm: proton error: <ERROR_NUMBER>
). - Collect data about the current state using the
/opt/wallarm/collect-info.sh
script. - Provide the collected data to the Wallarm support team for investigation.
- Copy the error code from the NGINX logs (
Version of proton.db¶
The version of proton.db in use.
-
Metric:
curl_json-wallarm_nginx/gauge-db_id
-
Metric value: no limits
Time of the last update of the proton.db file¶
Unix time of the last update of the proton.db file.
-
Metric:
curl_json-wallarm_nginx/gauge-db_apply_time
-
Metric value: no limits
Version of custom ruleset (the former term is LOM)¶
The version of custom ruleset in use.
-
Metric:
curl_json-wallarm_nginx/gauge-custom_ruleset_id
(In Wallarm node 3.4 and lower,
curl_json-wallarm_nginx/gauge-lom_id
. The metric with the former name is still collected but will be deprecated soon.) -
Metric value: no limits
Time of the last update of custom ruleset (the former term is LOM)¶
Unix time of the last update of custom ruleset.
-
Metric:
curl_json-wallarm_nginx/gauge-custom_ruleset_apply_time
(In Wallarm node 3.4 and lower,
curl_json-wallarm_nginx/gauge-lom_apply_time
. The metric with the former name is still collected but will be deprecated soon.) -
Metric value: no limits
proton.db and LOM Pairs¶
Number of proton.db and LOM Pairs¶
The number of proton.db and LOM pairs in use.
-
Metric:
curl_json-wallarm_nginx/gauge-proton_instances-total
-
Metric value:
>0
- Troubleshooting recommendations:
- Check if the filter node settings are correct.
- Check if the path to the proton.db file is specified correctly (
wallarm_protondb_path
). - Check if the path to the LOM file is specified correctly (
wallarm_custom_ruleset_path
).
Number of Successfully Downloaded proton.db and LOM Pairs¶
The number of proton.db and LOM pairs that were successfully downloaded and read.
-
Metric:
curl_json-wallarm_nginx/gauge-proton_instances-success
-
Metric value: is equal to
proton_instances-total
- Troubleshooting recommendations:
- Check if the filter node settings are correct.
- Check if the path to the proton.db file is specified correctly (
wallarm_protondb_path
). - Check if the path to the LOM file is specified correctly (
wallarm_custom_ruleset_path
).
Number of proton.db and LOM Pairs Downloaded from the Last Saved Files¶
The number of proton.db and LOM pairs downloaded from the last saved files. These files store the last successfully downloaded pairs. If pairs were updated but not downloaded, the data from the last saved files is used.
-
Metric:
curl_json-wallarm_nginx/gauge-proton_instances-fallback
-
Metric value:
>0
- Troubleshooting recommendations:
- Check if the filter node settings are correct.
- Check if the path to the proton.db file is specified correctly (
wallarm_protondb_path
). - Check if the path to the LOM file is specified correctly (
wallarm_custom_ruleset_path
).
Number of Inactive proton.db and LOM Pairs¶
The number of connected proton.db and LOM pairs that could not be read.
-
Metric:
curl_json-wallarm_nginx/gauge-proton_instances-failed
-
Metric value:
0
- Troubleshooting recommendations:
- Check if the filter node settings are correct.
- Check if the path to the proton.db file is specified correctly (
wallarm_protondb_path
). - Check if the path to the LOM file is specified correctly (
wallarm_custom_ruleset_path
).
Postanalytics Module Metrics¶
Identifier of the Last Processed Request¶
ID of the last processed request. The value can both increase and decrease.
-
Metric:
wallarm-tarantool/counter-last_request_id
if the value increasedwallarm-tarantool/gauge-last_request_id
if the value increased or decreased
-
Metric value: no limits
-
Troubleshooting recommendations: if there are incoming requests but the value does not change, check if the filter node settings are correct
Deleted Requests¶
Indication of Deleted Requests¶
The flag signaling that requests with attacks have been deleted from the postanalytics module but not sent to the cloud.
- Metric:
wallarm-tarantool/gauge-export_drops_flag
- Metric value:
0
if requests are not deleted1
if requests are deleted (not enough memory, please follow the instructions below)
- Troubleshooting recommendations:
- Allocate more memory for Tarantool.
- Install the postanalytics module in a separate server pool following these instructions.
Number of Deleted Requests¶
The number of requests with attacks that were deleted from the postanalytics module but were not sent to the cloud. The number of attacks in the request does not affect the value. The metric is collected if wallarm-tarantool/gauge-export_drops_flag: 1
.
It is recommended to use the wallarm-tarantool/gauge-export_drops_flag
metric when configuring monitoring notifications.
-
Metric:
wallarm-tarantool/gauge-export_drops
-
Metric value:
0
-
Rate of change:
wallarm-tarantool/derive-export_drops
- Troubleshooting recommendations:
- Allocate more memory for Tarantool.
- Install the postanalytics module in a separate server pool following the instructions.
Request Export Delay (in Seconds)¶
The delay between the recording of a request by the postanalytics module and downloading of the information about detected attacks to the Wallarm cloud.
- Metric:
wallarm-tarantool/gauge-export_delay
- Metric value:
- optimal if
<60
- warning if
>60
- critical if
>300
- optimal if
- Troubleshooting recommendations:
- Read logs from the
/opt/wallarm/var/log/wallarm/wcli-out.log
file. An increased value can be caused by low network throughput from the filter node to Wallarm's API service. - Check that enough memory is allocated for Tarantool. The
tnt_errors
metric also increases when allocated memory is exceeded.
- Read logs from the
Time of Storing Requests in the Postanalytics Module (in Seconds)¶
Time that the postanalytics module stores requests. The value depends on the amount of memory allocated to the postanalytics module and on the size and properties of the processed HTTP requests. The shorter the interval, the worse the detection algorithms work—because they rely on historical data. As a result, if the intervals are too short, an attacker can perform brute force attacks faster and without being noticed. In this case, less data will be obtained on the attacker's behavior history.
- Metric:
wallarm-tarantool/gauge-timeframe_size
- Metric value:
- optimal if
>900
- warning if
<900
- critical if
<300
- optimal if
- Troubleshooting recommendations:
- Allocate more memory for Tarantool.
- Install the postanalytics module in a separate server pool following the instructions.