This documentation is for WSO2 API Manager 2.5.0 View documentation for the latest release.
Alert Types - API Manager 2.5.0 - WSO2 Documentation

All docs This doc
Provide Feedback
||
Skip to end of metadata
Go to start of metadata

WSO2 APIM currently supports the following alert types.

Abnormal response time


Reason for triggeringIf there is a sudden increase in the response time of a specific API resource.
IndicationSlow WSO2 API Manager runtime, or slow backend.
DescriptionIf the response time of a particular API resource (e.g., GET /API1/1.0/user/1) of a tenant, lies outside the Xth percentile value, an alert is sent. Default percentile value is 95%. Here, it is assumed that the response time of an API resource follows a normal distribution. Percentile value gets calculated daily by default.


Abnormal backend time 

Reason for triggeringIf there is a sudden increase in the backend time corresponding to a particular API resource.
IndicationSlow backend
DescriptionAn alert is sent if the backend time of a particular API resource (e.g., GET /calc/1.0/numbers) of a tenant lies outside the Xth percentile value. Default percentile value is 95%. Here, it is assumed that the corresponding backend time of an API resource follows a normal distribution. The percentile value gets calculated daily by default.

Abnormal request counts

Reason for triggeringIf there is a sudden spike or a drop in the request count within a period of one minute by default for a particular API resource.
IndicationThese alerts can be considered indications of high traffic, suspicious acts or the malfunction of client applications etc.
DescriptionAn alert is sent if the number of requests received by a particular API resource (e.g., GET /calc/1.0/numbers) of a tenant of a particular application within the last minute lies outside the Xth and Yth percentile values. The default percentile values are 95% and 5%. Here, it is assumed that the request counts received by an API resource follows a normal distribution. Percentile value (a per minute average request count value) gets calculated daily by default.

Abnormal resource access pattern

Reason for triggeringIf there is a change in the resource access pattern of a user who uses a particular application.
IndicationThese alerts can be considered as indications of suspicious activities done by one or more users in your application.
Description

A Markov Chain model is built for each application to learn its resource access pattern. For the purpose of learning the resource access patterns, no alerts are sent during the first 500 (default) requests. After learning the normal pattern of a specific application, WSO2 Analytics performs a real time check on a transition done by a specific user, and sends and alert if it is identified as an abnormal transition.For a transition to be considered valid, it has to occur within 60 minutes by default, and it should be by the same user.

The above diagram depicts an example where a Markov Chain model is created during the learning curve of the system. Two states are recorded against Application A and the arrows show the directions of the transitions. Each arrow carries a probability value that stands for the probability of a specific transition taking place. Assume that the following two consecutive events are received by the application from user john@abc.com.

  1. DELETE /API1/number/1
  2. DELETE /API1/number/3

The above transition has happened from the DELETE /API1/number/{x} state to itself. According to the Markov chain model learnt by the system, the probability of this transition occurring is very low. Therefore, an alert is sent.


Unseen source IP address

Reason for TriggeringIf there is either a change in the request source IP for a specific API of an application, or if the request if from an IP used before 30 days (default).
IndicationThese alerts can be considered as indications of suspicious activities carried out by a user over an API of an application.
Description

The first 500 requests are used only for learning purposes by default and therefore, no alerts are sent during that time. However, the learning would continue even after the first 500 requests. This means, even if you receive continuous requests from the newly detected IP2 IP, you are alerted only once. 


Frequent tier limit hitting (tier crossing)

Reason for Triggering

This alert is triggered in the following scenarios.

  • If a particular application is throttled for reaching a subscribed tier limit more than the specified number of times during a defined period (10 times within a day by default).
  • If a particular user of an application is throttled for reaching a subscribed tier limit of a specific API more than the specified number of times during a defined period (10 times within a day by default).

IndicationThese alerts indicate that you need to subscribe to a higher tier.


Abnormal API usage

Reason for TriggeringIf there is a drastic reduction in API usage by a specific user for a given API.
IndicationThese alerts indicate the failure of the application that is using the altered API.
DescriptionFor the purpose of detecting abnormal API usage, it is assumed that API requests are normally distributed. The mean and the variance are the two main properties of a normal distribution. These are calculated per user for each application. Instead of using all the past requests, you can define a time period based on which the mean and variance should be calculated. The default time period is 30 days.

Availability of APIs (health monitoring)

These alerts are triggered for the reasons specified in the tables below.

Reason for Triggering

The response time of an API is greater than the upper percentile value specified for the same (which is 95 by default). This should occur continuously for a specified number of times (5 times by default).

IndicationThe response time is too high.
Reason for TriggeringThe request count of an API per minute is less than the lower percentile value specified for the same (which is 5 by default). This should occur 5 times (i.e. 5 minutes) continuously in order to trigger the error.
IndicationThe request count per minute is normal, but the response count per minute is low.
Reason for TriggeringThe response status code is greater than or equal to 500, but less than 600. This should occur continuously for a specified number of times ( 5 by default) in order to trigger an alert.
IndicationA server side error has occurred.

 Refer Viewing Availability Of APIs for more information on API status changing over Availability of APIs.

  • No labels