WSO2 APIM currently supports the following alert types.
Abnormal response time
|Reason for triggering||If there is a sudden increase in the response time of a specific API resource.|
|Indication||Slow WSO2 API Manager runtime, or slow backend.|
|Description||If the response time of a particular API resource (e.g., |
Abnormal backend time
|Reason for triggering||If there is a sudden increase in the backend time corresponding to a particular API resource.|
|Description||An alert is sent if the backend time of a particular API resource (e.g., |
Abnormal request counts
|Reason for triggering||If there is a sudden spike or a drop in the request count within a period of one minute by default for a particular API resource.|
|Indication||These alerts can be considered indications of high traffic, suspicious acts or the malfunction of client applications etc.|
|Description||An alert is sent if the number of requests received by a particular API resource (e.g., GET /calc/1.0/numbers) of a tenant of a particular application within the last minute lies outside the Xth and Yth percentile values. The default percentile values are 95% and 5%. Here, it is assumed that the request counts received by an API resource follows a normal distribution. Percentile value (a per minute average request count value) gets calculated daily by default.|
Abnormal resource access pattern
|Reason for triggering||If there is a change in the resource access pattern of a user who uses a particular application.|
|Indication||These alerts can be considered as indications of suspicious activities done by one or more users in your application.|
A Markov Chain model is built for each application to learn its resource access pattern. For the purpose of learning the resource access patterns, no alerts are sent during the first 500 (default) requests. After learning the normal pattern of a specific application, WSO2 Analytics performs a real time check on a transition done by a specific user, and sends and alert if it is identified as an abnormal transition.For a transition to be considered valid, it has to occur within 60 minutes by default, and it should be by the same user.
The above diagram depicts an example where a Markov Chain model is created during the learning curve of the system. Two states are recorded against Application A and the arrows show the directions of the transitions. Each arrow carries a probability value that stands for the probability of a specific transition taking place. Assume that the following two consecutive events are received by the application from user [email protected].
The above transition has happened from the
Unseen source IP address
|Reason for Triggering||If there is either a change in the request source IP for a specific API of an application, or if the request if from an IP used before 30 days (default).|
|Indication||These alerts can be considered as indications of suspicious activities carried out by a user over an API of an application.|
The first 500 requests are used only for learning purposes by default and therefore, no alerts are sent during that time. However, the learning would continue even after the first 500 requests. This means, even if you receive continuous requests from the newly detected
Frequent tier limit hitting (tier crossing)
|Reason for Triggering|
This alert is triggered in the following scenarios.
|Indication||These alerts indicate that you need to subscribe to a higher tier.|
Abnormal API usage
|Reason for Triggering||If there is a drastic reduction in API usage by a specific user for a given API.|
|Indication||These alerts indicate the failure of the application that is using the altered API.|
|Description||For the purpose of detecting abnormal API usage, it is assumed that API requests are normally distributed. The mean and the variance are the two main properties of a normal distribution. These are calculated per user for each application. Instead of using all the past requests, you can define a time period based on which the mean and variance should be calculated. The default time period is 30 days.|
Availability of APIs (health monitoring)
These alerts are triggered for the reasons specified in the tables below.
|Reason for Triggering|
The response time of an API is greater than the upper percentile value specified for the same (which is 95 by default). This should occur continuously for a specified number of times (5 times by default).
|Indication||The response time is too high.|
|Reason for Triggering||The request count of an API per minute is less than the lower percentile value specified for the same (which is 5 by default). This should occur 5 times (i.e. 5 minutes) continuously in order to trigger the error.|
|Indication||The request count per minute is normal, but the response count per minute is low.|
|Reason for Triggering||The response status code is greater than or equal to 500, but less than 600. This should occur continuously for a specified number of times ( 5 by default) in order to trigger an alert.|
|Indication||A server side error has occurred.|
Refer Viewing Availability Of APIs for more information on API status changing over Availability of APIs.