[Stack Monitoring] [Test Scenario] Out of the box alerting

[chrisronline]

Summary

Stack Monitoring provides a set of out-of-the-box alerts, created by simply loading the Stack Monitoring UI within Kibana. The default action for each alert is a server log and the action messaging is controlled by the Stack Monitoring UI code directly.

PRs

Original, and CPU alert: #68805
Disk usage alert: #75419
JVM memory usage alert: #79039
Missing monitoring data alert: #78208
Threadpool rejections alert: #79433

Testing

Creation

• Ensure alerts are created once visiting the Stack Monitoring UI
• Ensure a user with the minimum set of monitoring permissions is able to create and manage alerts

Management

• Ensure that you can view and manage these alerts when Setup Mode is active
• Ensure you can properly add an additional action (to any alert) and it works as expected

UX

• Ensure you can see all created alerts while in Setup Mode
• Ensure you can properly navigate between display modes of alerts [Monitoring] Some progress on making alerts better in the UI #81569

Specific alerts

• Ensure you can properly trigger and see the server log for the CPU usage alert
• Ensure you can properly trigger and see the server log for the disk usage alert
• Ensure you can properly trigger and see the server log for the jvm memory alert
• Ensure you can properly trigger and see the server log for the missing monitoring data alert (Note: This alert is only concerned with Elasticsearch now and no longer looks at other stack products [Monitoring] Missing monitoring data alert firing for version upgrade and configuration changes for Kibana in Cloud #83309)
• Ensure you can properly trigger and see the server log for both threadpool rejection alerts
• Ensure you can properly trigger and see the server log for the legacy cluster health alert
• Ensure you can properly trigger and see the server log for the legacy nodes change alert
• Ensure you can properly trigger and see the server log for the legacy Elasticsearch version mismatch alert
• Ensure you can properly trigger and see the server log for the legacy Kibana version mismatch alert
• Ensure you can properly trigger and see the server log for the legacy Logstash version mismatch alert
• Ensure you can properly trigger and see the server log for the legacy license expiration alert

Edge cases

• Ensure a CCS environment works as expected
• Ensure Setup Mode works as expected on cloud ([Monitoring] Ensure setup mode works on cloud but only for alerts #73127)
• Ensure a dedicated monitoring cluster environment works as expected
• Ensure a quality UX with multiple Kibanas (we recommend a dedicated Kibana for a dedicated monitoring cluster) ("Duplicate" alerts can potentially exist based on what the user is doing in each Kibana but they should be able to easily disable the ones they don't want)
• Ensure Stack Monitoring UI works properly when alerts are not available (both because ssl is disabled and an encryption key is not set: [Monitoring] Fix UI error when alerting is not available #77179)
• Ensure Stack Monitoring alerts are not editable or createable in the Alerts & Management UI ([Monitoring] Prevent edit/create for Stack Monitoring alerts in Alerts Management #77097)

[elasticmachine]

Pinging @elastic/stack-monitoring (Team:Monitoring)

[Zacqary]

Ensure you can properly navigate between display modes of alerts

Not quite sure how to test this one. Does this state only happen if you're monitoring multiple clusters?

[chrisronline]

@Zacqary

Sure! In #81569, we introduce two ways to view alerts in the UI - grouped by "node/instance" or grouped by the alert type. That line item means we should just verify you can toggle between the two and both of them make sense and the grouping looks right

[Zacqary]

@chrisronline Got it, is it expected that the toggle switch doesn't appear if you're only monitoring a single node?

[chrisronline]

@Zacqary Negative. That's something we should probably optimize in the near future, but it does not do that now.

[Zacqary]

Okay, well I'm not seeing the Group by node toggle at all. Guess I can't pass that test case then?

[chrisronline]

@Zacqary Oh wow, that's weird. Do you mind posting a screenshot of what you are seeing?

[Zacqary]

Just not seeing Group By Node anywhere. This example is with only one node, but I still wasn't able to see it when adding more nodes.

[Zacqary]

Ensure you can properly trigger and see the server log for both threadpool rejection alerts

Which ones are these? Never mind, missed em in the Errors and Exceptions section

[chrisronline]

@Zacqary I'm a bit dumbfounded. #85719 made it into 7.11, as you can see here but I don't know why it's not showing up in the UI. I just tested on cloud staging, but I'm going to test locally and see if I can figure out what's up

[Zacqary]

For the threadpool alerts, not sure if I'm doing it right but it doesn't seem to be firing when I:

• Set both Write and Read to alert every 1 minute, and fire on 1 rejection
• Do a GET .monitoring-es*/_search to find the most recent document with a node_stats field
• POST .monitoring-es*/_update/<doc id> to set node_stats.thread_pool.search.rejected to a number greater than 0, same for write.rejected

[chrisronline]

@Zacqary #85719 doesn't seem to be in BC1, but it is in the 7.11 branch so maybe we need to wait until BC2 to test some of this.

[chrisronline]

@igoristic Can you advise on #85841 (comment)?

[Zacqary]

@chrisronline I'm running 7.11 locally and still don't see the Group By Node toggle. I actually tried on master first by accident and it also didn't show up.

[chrisronline]

@Zacqary Oh, my bad! You are unable to see this functionality while in Setup mode. It's only accessible for firing alerts. I'd recommend using Setup mode to set the threshold for various alerts very low to trigger them and test it that way.

[Zacqary]

Ah that makes sense. Works outside Setup Mode.

[Zacqary]

Do I still need to do something to enable Watcher for the legacy alerts? Seems like I'm having trouble getting the license expiration pipeline to set it off

[chrisronline]

You'll need trial or higher license and that should be it. I'd double check the watches exist and then you can do something like:

POST .monitoring-es-*/_search?filter_path=hits.hits._source.license
{
  "size": 1,
  "sort": [
    {
      "timestamp": {
        "order": "desc"
      }
    }
  ],
  "query": {
    "term": {
      "type": {
        "value": "cluster_stats"
      }
    }
  }
}

to verify the pipeline is properly changing the document

[Zacqary]

Yeah the document's updating, watches don't exist though.

[chrisronline]

What license level are you on? If you are on trial+ and using legacy monitoring collection, the watches should be created for you.

[Zacqary]

Using Trial and Metricbeat monitoring, alerts are created but no watches.

[chrisronline]

Ah, there is a known issue around watch creation and using only metricbeat monitoring: elastic/elasticsearch#51762 (comment)

We're tracking to remove these watches in 7.12: #85047 so this bug will be moot but it's still there for now.

To get around it, please enable legacy monitoring (via the cluster setting) in order for the watches to exist. You can disable legacy monitoring as soon as the watches have been created

[Zacqary]

Remind me how to enable legacy monitoring again? It's a dev tools request, right?

[chrisronline]

Yea

PUT _cluster/settings
{
  "persistent": {
    "xpack.monitoring.collection.enabled": true
  }
}

[Zacqary]

Ensure Stack Monitoring alerts are not editable or createable in the Alerts & Management UI

Marked this as working, but note that alerts can be deleted from the management UI

[chrisronline]

@Zacqary Really? I'm able to do it on staging cloud 7.11:

[Zacqary]

@chrisronline Yeah, is that not a bug? There doesn't seem to be a way to create them again

[chrisronline]

It's a bit of a confusing flow, I'll admit. Users should be able to delete from there, but the creation is handled purely by the Stack Monitoring UI. In the future, we hope to simplify this but we don't imagine it's a huge point of confusion, as users are most likely not deleting these alerts.

[chrisronline]

@ravikesarwani Any thoughts on this experience and if we need to change it?

[Zacqary]

Set up a remote cluster using yarn es snapshot --license trial but it's reporting a Basic license instead

[Zacqary]

Ensure you can properly trigger and see the server log for the missing monitoring data alert

Unsure how to get this one to fire. Tried turning off Metricbeat for a while, but that just switched the stack to Self-Monitoring mode and didn't fire any alerts.

[chrisronline]

Set up a remote cluster using yarn es snapshot --license trial but it's reporting a Basic license instead

I'm not sure if that's a bug with yarn es snapshot or what?

Unsure how to get this one to fire. Tried turning off Metricbeat for a while, but that just switched the stack to Self-Monitoring mode and didn't fire any alerts.

That should work. The collection method doesn't matter here - I'd just be consistent. Monitor the ES node with either legacy or MB for enough time to see the monitoring data show up, then disable either and make sure an alert fires in the Kibana server log. If not, then sounds like a bug

[Zacqary]

If not, then sounds like a bug

Yeah, seems to not be firing, then

[ravikesarwani]

@ravikesarwani Any thoughts on this experience and if we need to change it?

If the user deleted the alert don't they get recreated at the time of stack monitoring UI reload?

[chrisronline]

If the user deleted the alert don't they get recreated at the time of stack monitoring UI reload?

They do, but I think @Zacqary is saying it's not obvious to the user that will happen

[Zacqary]

If the user deleted the alert don't they get recreated at the time of stack monitoring UI reload?

That actually didn't happen for me the first time I tried it, but it's working now that I've tried it again. If I can find a consistent way to reproduce I'll let y'all know.

[Zacqary]

Setting up CCS on Cloud doesn't seem to be showing the remote cluster in the Stack Monitoring UI. This is from creating two Cloud deployments and adding one of them as a remote cluster using the Cloud UI, not through Kibana (where Remote Clusters isn't available in Stack Management).

[chrisronline]

Setting up CCS on Cloud doesn't seem to be showing the remote cluster in the Stack Monitoring UI. This is from creating two Cloud deployments and adding one of them as a remote cluster using the Cloud UI, not through Kibana (where Remote Clusters isn't available in Stack Management).

I'm not sure how this works. I did this as well and there is no remote info from GET _cluster/info. If that doesn't return anything, the CCS will not work in the Stack Monitoring UI.

[Zacqary]

I can mark the CCS case as working if we're not targeting the Cloud CCS for this release, but I'd recommend tracking that as an issue for the future.

Still unable to get the two unchecked alerts above (missing monitoring data and threadpool rejection) to fire on my end.

[chrisronline]

@Zacqary Thanks.

missing monitoring data

This one appears to be bugged now so great catch. Fix is #87882

@igoristic Are you able to look into the threadpool rejection alert?

[igoristic]

@Zacqary This won't work for triggering the alert. This is because that number/value is actually a cumulative counter. So, by the time you test the query it will be replaced by a more recent document that has it set as zero, thus you won't get the min and max delta that the query was designed for.

The only way to do this is by setting the size to 0 on a designated node that is monitored, via: https://www.elastic.co/guide/en/elasticsearch/reference/current/modules-threadpool.html and then executing a search operation on that specific node. Though, I was only able to do this locally, because I couldn't change the thread pool size on cloud

[sgrodzicki]

@Zacqary @chrisronline @igoristic where are we with this?

[Zacqary]

Sorry, missed the updates in the transition back to 7.12 work. I can try these test cases again asap.