Alert Configuration
SecureLink integrates with AlertManager to provide advanced alerting capabilities. This page covers how to configure alert rules, routing, grouping, and silencing.
Alert Rules
Alert rules define the conditions that trigger notifications. Configure rules to match your operational requirements.
Built-in Alert Rules
| Alert | Condition | Default Threshold |
|---|---|---|
| Edge Offline | Edge has not sent a keepalive heartbeat | 5 minutes |
| Config Sync Failure | Batch config push failed after retries | 3 consecutive failures |
| High Packet Drop Rate | VPP interface packet drops exceed threshold | > 1% drop rate over 5 minutes |
| Suricata Critical Alert | Suricata IDS/IPS detects a critical-severity event | Any critical event |
| Certificate Expiring | TLS or communication certificate approaching expiry | 30 days before expiration |
Custom Alert Rules
You can create custom alert rules based on any metric collected by the observability pipeline:
- Navigate to Settings > System > Alerts
- Click Create Alert Rule
- Define the PromQL expression that triggers the alert
- Set the severity level (Critical, Warning, Info)
- Configure the evaluation interval and pending duration
- Click Save
Custom rules are evaluated by VictoriaMetrics vmalert and routed through AlertManager alongside the built-in rules. The pending duration is what keeps a single noisy evaluation from paging anyone: the expression must stay true across consecutive evaluations for the whole pending duration before the alert fires, and one false evaluation resets the timer.
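The state machine behind the evaluation interval and pending duration, as an added example (not SecureLink or vmalert code): each series is evaluated once per interval, goes pending on the first true result, fires only after the condition has held for the pending duration, and drops back to inactive as soon as it clears. The expression uses the built-in "High Packet Drop Rate" threshold, but the VPP metric names in it are assumptions, as is the constructed sample data.

```python
"""Model of how a vmalert/Prometheus-style rule moves between inactive,
pending and firing. Added example for illustration; not SecureLink or
vmalert code. The metric names in EXPR are assumptions."""
from dataclasses import dataclass
from typing import Optional

# Hypothetical PromQL for the built-in "High Packet Drop Rate" rule.
# The VPP metric names are assumptions; check the exporter for the real ones.
EXPR = ('rate(vpp_if_rx_drops_total[5m]) / rate(vpp_if_rx_packets_total[5m])'
        ' > 0.01')

EVAL_INTERVAL = 60   # seconds between evaluations
FOR_DURATION = 300   # pending duration: condition must hold this long


@dataclass
class AlertState:
    state: str = "inactive"              # inactive | pending | firing
    pending_since: Optional[int] = None  # timestamp of first true evaluation


def step(alert: AlertState, condition_true: bool, now: int,
         for_seconds: int = FOR_DURATION) -> str:
    """One evaluation of one series: a true result starts the pending timer,
    the alert fires once the condition has held for at least for_seconds,
    and any false result resets the series to inactive."""
    if not condition_true:
        alert.state, alert.pending_since = "inactive", None
    elif alert.state == "inactive":
        alert.state, alert.pending_since = "pending", now
    elif alert.state == "pending" and now - alert.pending_since >= for_seconds:
        alert.state = "firing"
    return alert.state


def simulate(ratios_by_series: dict, threshold: float = 0.01,
             interval: int = EVAL_INTERVAL) -> dict:
    """Evaluate the rule once per interval for every series. ratios_by_series
    maps a label tuple to the drop ratio the expression would return at each
    evaluation. Returns the state after every evaluation, per series."""
    states = {labels: AlertState() for labels in ratios_by_series}
    history = {labels: [] for labels in ratios_by_series}
    n = len(next(iter(ratios_by_series.values())))
    for i in range(n):
        now = i * interval
        for labels, ratios in ratios_by_series.items():
            history[labels].append(step(states[labels], ratios[i] > threshold, now))
    return history


# Constructed sample data: drop ratio per minute for two edge interfaces.
EDGE_A = (("edge_serial", "SL-0001"), ("interface", "Gi0/0"))
EDGE_B = (("edge_serial", "SL-0002"), ("interface", "Gi0/0"))
SAMPLES = {
    # two-minute spike that recovers, then sustained loss from minute 4 on
    EDGE_A: [0.002, 0.020, 0.030, 0.005, 0.020, 0.020, 0.020, 0.020, 0.020, 0.020],
    # always healthy
    EDGE_B: [0.001] * 10,
}

if __name__ == "__main__":
    for labels, history in simulate(SAMPLES).items():
        print(dict(labels), " ".join(history))
```

With a 5-minute pending duration the transient spike on SL-0001 reaches pending and falls back to inactive without ever notifying; the sustained loss that starts at minute 4 fires at minute 9. Shortening the pending duration trades that protection for faster notification.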
Routing Rules
Routing rules determine where alerts are delivered based on their attributes:
| Attribute | Example |
|---|---|
| Severity | Route critical alerts to PagerDuty, warnings to email |
| Tenant | Route tenant-specific alerts to that tenant's admin |
| Alert Type | Route security alerts to the security team, infrastructure alerts to the ops team |
Configuring Routes
- Navigate to Settings > System > Alerts > Routing
- Define match conditions (severity, labels, tenant)
- Assign a notification channel (email, webhook)
- Optionally set the continue flag so the alert can also match later routes
Routes are evaluated in order. The first matching route handles the alert unless the continue flag is set, in which case evaluation continues to subsequent routes.
Grouping
Alert grouping reduces notification noise by batching related alerts into a single notification.
- Group by: Define which labels to group on (e.g., tenant_id, edge_serial)
- Group wait: How long to wait before sending the first notification for a new group (default: 30 seconds)
- Group interval: How long to wait before sending updates for an existing group (default: 5 minutes)
For example, if five edges in the same tenant go offline simultaneously, grouping by tenant_id sends one notification listing all five edges instead of five separate notifications.
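Route evaluation order, the continue flag, and grouping by labels, as one added example covering both the routing and grouping sections above (not SecureLink or Alertmanager code). Receiver names, label values and the five offline edges are constructed. Real AlertManager routes form a tree; this models the ordered sibling routes under one parent, and the match and match_re field names are the model's own.

```python
"""Model of Alertmanager-style routing (first match wins unless continue is
set) and grouping by labels. Added example; not SecureLink or Alertmanager
code. Receivers, labels and alerts are constructed."""
import re
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Route:
    receiver: str
    match: dict = field(default_factory=dict)     # label -> exact value
    match_re: dict = field(default_factory=dict)  # label -> anchored regex
    continue_: bool = False                       # keep evaluating later routes


def route_matches(route: Route, labels: dict) -> bool:
    """All conditions must hold; a missing label is treated as empty string."""
    for name, value in route.match.items():
        if labels.get(name, "") != value:
            return False
    for name, pattern in route.match_re.items():
        if not re.fullmatch(pattern, labels.get(name, "")):
            return False
    return True


def receivers_for(labels: dict, routes: list, default_receiver: str) -> list:
    """Routes are tried in order. The first match handles the alert; if that
    route sets continue, later routes are tried as well. No match -> default."""
    receivers = []
    for route in routes:
        if route_matches(route, labels):
            receivers.append(route.receiver)
            if not route.continue_:
                break
    return receivers or [default_receiver]


def group_alerts(alerts: list, group_by: tuple) -> dict:
    """Batch alerts that share the same values for every group_by label."""
    groups = defaultdict(list)
    for labels in alerts:
        key = tuple((name, labels.get(name, "")) for name in group_by)
        groups[key].append(labels)
    return dict(groups)


def notification_summary(group_key: tuple, alerts: list) -> str:
    """One notification per group, listing every member alert."""
    key = ", ".join(f"{k}={v}" for k, v in group_key)
    members = ", ".join(a.get("edge_serial", a["alertname"]) for a in alerts)
    return f"[{key}] {len(alerts)} alert(s): {members}"


# Constructed routing table. Security alerts go to the security team and,
# because of continue, on to the severity routes; everything else stops at
# its first severity match.
ROUTES = [
    Route("security-webhook", match_re={"alertname": "Suricata.*"}, continue_=True),
    Route("pagerduty", match={"severity": "critical"}),
    Route("ops-email", match={"severity": "warning"}),
]
DEFAULT_RECEIVER = "ops-email"

# Constructed alerts: five edges of one tenant offline at once, plus an IDS hit.
OFFLINE = [
    {"alertname": "EdgeOffline", "severity": "critical",
     "tenant_id": "12345", "edge_serial": f"SL-000{i}"} for i in range(1, 6)
]
IDS_HIT = {"alertname": "SuricataCritical", "severity": "critical",
           "tenant_id": "12345", "edge_serial": "SL-0003"}

if __name__ == "__main__":
    print(receivers_for(IDS_HIT, ROUTES, DEFAULT_RECEIVER))
    for key, members in group_alerts(OFFLINE, ("tenant_id",)).items():
        print(notification_summary(key, members))
```

Grouping on tenant_id alone turns the five EdgeOffline alerts into one notification; adding edge_serial to the group-by labels splits them back into five. Note the ordering trap in the route table: if the severity routes were listed first without continue, the security route would never be reached.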
Silencing
Temporarily suppress alerts during planned maintenance or known issues.
Creating a Silence
- Navigate to Settings > System > Alerts > Silences
- Click Create Silence
- Define matchers to select which alerts to silence (e.g., tenant_id = "12345", alertname = "EdgeOffline")
- Set the duration or end time
- Add a comment explaining the reason for the silence
- Click Save
Active silences are displayed with their remaining duration and can be expired early if the maintenance window completes ahead of schedule.
Always add a descriptive comment when creating a silence. This helps other administrators understand why certain alerts are suppressed. Keep the matchers as narrow as the maintenance requires: every matcher must match for an alert to be silenced, so a silence on alertname alone suppresses that alert for every tenant and edge.
Silences suppress notifications only. The underlying alert conditions are still evaluated and recorded. Review silenced alerts after the maintenance window to ensure no real issues were masked.
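How matchers in the name = "value" form above select alerts, and why an expired or early-expired silence stops suppressing, as an added example (not SecureLink or Alertmanager code). It assumes SecureLink accepts the same four matcher operators as Alertmanager (=, !=, =~, !~); the maintenance window, tenant and edge serials are constructed.

```python
"""Model of silence matchers and the active window. Added example; not
SecureLink or Alertmanager code. Assumes the Alertmanager matcher operators
(=, !=, =~, !~). All data below is constructed."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# name, operator, double-quoted value; values must not contain commas because
# parse_matchers splits the list on commas
MATCHER_RE = re.compile(r'^\s*([A-Za-z_][A-Za-z0-9_]*)\s*(=~|!~|!=|=)\s*"(.*)"\s*$')


@dataclass(frozen=True)
class Matcher:
    name: str
    op: str      # one of = != =~ !~
    value: str

    def matches(self, labels: dict) -> bool:
        actual = labels.get(self.name, "")   # missing label behaves as ""
        if self.op == "=":
            return actual == self.value
        if self.op == "!=":
            return actual != self.value
        hit = re.fullmatch(self.value, actual) is not None   # regex is anchored
        return hit if self.op == "=~" else not hit


def parse_matchers(text: str) -> list:
    """Parse 'tenant_id = "12345", alertname = "EdgeOffline"' into Matchers."""
    matchers = []
    for part in text.split(","):
        m = MATCHER_RE.match(part)
        if not m:
            raise ValueError(f"bad matcher: {part!r}")
        matchers.append(Matcher(*m.groups()))
    return matchers


@dataclass
class Silence:
    matchers: list
    starts_at: datetime
    ends_at: datetime
    comment: str
    created_by: str

    def __post_init__(self):
        if not self.comment.strip():
            raise ValueError("a silence needs a comment explaining why")
        if self.ends_at <= self.starts_at:
            raise ValueError("ends_at must be after starts_at")

    def active(self, now: datetime) -> bool:
        return self.starts_at <= now < self.ends_at

    def covers(self, labels: dict, now: datetime) -> bool:
        """Every matcher must match and the silence must be active."""
        return self.active(now) and all(m.matches(labels) for m in self.matchers)

    def expire(self, now: datetime) -> None:
        """End the silence early, e.g. when maintenance finishes ahead of time."""
        self.ends_at = now


def dispatch(alerts: list, silences: list, now: datetime) -> tuple:
    """Split firing alerts into those to notify and those suppressed. Both
    lists are kept: a silence hides the notification, not the alert."""
    notify, suppressed = [], []
    for labels in alerts:
        target = suppressed if any(s.covers(labels, now) for s in silences) else notify
        target.append(labels)
    return notify, suppressed


# Constructed data: a two-hour maintenance silence for one tenant's EdgeOffline.
T0 = datetime(2024, 1, 1, 22, 0, tzinfo=timezone.utc)
DURING = T0 + timedelta(minutes=30)
AFTER = T0 + timedelta(hours=3)
MAINTENANCE = Silence(
    matchers=parse_matchers('tenant_id = "12345", alertname = "EdgeOffline"'),
    starts_at=T0, ends_at=T0 + timedelta(hours=2),
    comment="Planned firmware rollout for tenant 12345", created_by="ops@example.com",
)
FIRING = [
    {"alertname": "EdgeOffline", "tenant_id": "12345", "edge_serial": "SL-0001"},
    {"alertname": "EdgeOffline", "tenant_id": "99999", "edge_serial": "SL-0100"},
    {"alertname": "SuricataCritical", "tenant_id": "12345", "edge_serial": "SL-0001"},
]

if __name__ == "__main__":
    notify, muted = dispatch(FIRING, [MAINTENANCE], DURING)
    print("notify:", [a["alertname"] for a in notify], "suppressed:", len(muted))
```

During the window only the EdgeOffline alert for tenant 12345 is suppressed; the other tenant's outage and the Suricata event on the same edge still notify, because each one fails at least one matcher. After the window, or after expire() is called, the same alert set is delivered in full, which is why the suppressed list is worth reviewing once maintenance ends.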