feat: server monitors (#394)

* feat: add wildfire monitors

* feat: add infra team channel for notification

* feat: enable all servers

* feat: remove duplicate notification

Author: GraceRuan

workflow-cli/configuration-opensearch/alerting/agent-heartbeat.monitor.json

@@ -81,7 +81,7 @@
         "actions": [
           {
             "id": "<%= idgen('action-teams', server.name, agent.index) %>",
-            "name": "Notify Teams Channel",
+            "name": "Notify Appinfra Teams Channel",
             "destination_id": "appinfra-msteams",
             "message_template": {
               "source": "{ \"text\": \"Monitor {{ctx.monitor.name}} just entered alert status. Please investigate the issue.\n  - Trigger: {{ctx.trigger.name}}\n  - Severity: {{ctx.trigger.severity}}\n  - Period start: {{ctx.periodStart}}\n  - Period end: {{ctx.periodEnd}}\" }",
@@ -118,10 +118,10 @@
           {
             "$$OMIT": "<%= !serverTag('wildfire') || !serverTag('nonproduction') ? 'true' : 'false' %>",
             "id": "<%= idgen('action-nonprod-wf', server.name, agent.index) %>",
-            "name": "notify",
+            "name": "Notify Wildfire Nonprod Teams Channel",
             "destination_id": "wf-nonprod-msteams",
             "message_template": {
-               "source": "{\"text\": \"No logs received from <%= server.name %> between {{ctx.periodStart}} and {{ctx.periodEnd}}\"}",
+               "source": "{\"text\": \"Monitor {{ctx.monitor.name}}: No logs received from <%= server.name %> between {{ctx.periodStart}} and {{ctx.periodEnd}}\"}",
                "lang": "mustache"
             },
             "throttle_enabled": true,
@@ -134,32 +134,13 @@
                "unit": "MINUTES"
             }
          },
-         {
-            "$$OMIT": "<%= !serverTag('wildfire') || serverTag('production') ? 'true' : 'false' %>",
-            "id": "<%= idgen('action-nonprod-wf', server.name, agent.index) %>",
-            "name": "notify",
-            "destination_id": "wf-nonprod-msteams",
-            "message_template": {
-              "source": "{\"text\": \"No logs received from <%= server.name %> between {{ctx.periodStart}} and {{ctx.periodEnd}}\"}",
-              "lang": "mustache"
-            },
-            "throttle_enabled": true,
-            "subject_template": {
-              "source": "",
-              "lang": "mustache"
-            },
-            "throttle": {
-              "value": 240,
-              "unit": "MINUTES"
-            }
-          },
           {
             "$$OMIT": "<%= !serverTag('wildfire') || !serverTag('production') ? 'true' : 'false' %>",
             "id": "<%= idgen('action-prod-wf', server.name, agent.index) %>",
-            "name": "notify",
+            "name": "Notify Wildfire Prod Teams Channel",
             "destination_id": "wf-prod-msteams",
             "message_template": {
-               "source": "{\"text\": \"No logs received from <%= server.name %> between {{ctx.periodStart}} and {{ctx.periodEnd}}\"}",
+               "source": "{\"text\": \"Monitor {{ctx.monitor.name}}: No logs received from <%= server.name %> between {{ctx.periodStart}} and {{ctx.periodEnd}}\"}",
                "lang": "mustache"
             },
             "throttle_enabled": true,

workflow-cli/configuration-opensearch/alerting/server-cpu.config.json

@@ -0,0 +1,3 @@
+{
+  "type": "server"
+}

workflow-cli/configuration-opensearch/alerting/server-cpu.monitor.json

@@ -0,0 +1,142 @@
+{
+  "name": "nrids_server_cpu_<%= server.name %>",
+  "type": "monitor",
+  "monitor_type": "query_level_monitor",
+  "enabled": true,
+  "schedule": {
+    "period": {
+    "interval": 15,
+    "unit": "MINUTES"
+    }
+  },
+  "inputs": [
+    {
+      "search": {
+        "indices": [
+          "nrm-metrics-*"
+        ],
+        "query": {
+          "size": 0,
+          "aggregations": {
+            "metric": {
+               "avg": {
+                  "field": "host.cpu.usage"
+               }
+            }
+          },
+          "query": {
+            "bool": {
+              "filter": [
+                {
+                  "range": {
+                    "@timestamp": {
+                      "from": "{{period_end}}||-30m",
+                      "to": "{{period_end}}",
+                      "include_lower": true,
+                      "include_upper": true,
+                      "format": "epoch_millis",
+                      "boost": 1.0
+                    }
+                  }
+                },
+                {
+                  "term": {
+                    "host.hostname": {
+                      "value": "<%= server.name %>",
+                      "boost": 1.0
+                    }
+                  }
+                }
+              ],
+              "adjust_pure_negative": true,
+              "boost": 1.0
+            }
+          }
+        }
+      }
+    }
+  ],
+  "triggers": [
+    {
+      "query_level_trigger": {
+        "id": "<%= idgen('trigger', server.name) %>",
+        "name": "AbnormalCPU from server <%= server.name %>",
+        "severity": "4",
+        "condition": {
+          "script": {
+            "source": "return ctx.results[0].aggregations.metric.value == null ? false : ctx.results[0].aggregations.metric.value > 95",
+            "lang": "painless"
+          }
+        },
+        "actions": [
+          {
+            "id": "<%= idgen('action-teams', server.name) %>",
+            "name": "Notify Appinfra Teams Channel",
+            "destination_id": "appinfra-msteams",
+            "message_template": {
+              "source": "{ \"text\": \"Monitor {{ctx.monitor.name}} just entered alert status. Please investigate the issue.\n  - Trigger: {{ctx.trigger.name}}\n  - Severity: {{ctx.trigger.severity}}\n  - Period start: {{ctx.periodStart}}\n  - Period end: {{ctx.periodEnd}}\" }",
+              "lang" : "mustache"
+            },
+            "throttle_enabled": true,
+            "throttle": {
+              "value": 15,
+              "unit": "MINUTES"
+            },
+            "subject_template": {
+              "source": "",
+              "lang" : "mustache"
+            }
+          },
+          {
+            "$$OMIT": "<%= !serverTag('wildfire') || !serverTag('nonproduction') ? 'true' : 'false' %>",
+            "id": "<%= idgen('action-nonprod-wf', server.name) %>",
+            "name": "Notify Wildfire Nonprod Teams Channel",
+            "destination_id": "wf-nonprod-msteams",
+            "message_template": {
+               "source": "{\"text\": \"Abnormal high CPU usage alerting received from <%= server.name %> between {{ctx.periodStart}} and {{ctx.periodEnd}}\"}",
+               "lang": "mustache"
+            },
+            "throttle_enabled": true,
+            "subject_template": {
+               "source": "<%= server.name %> CPU Usage Alert",
+               "lang": "mustache"
+            },
+            "throttle": {
+               "value": 1440,
+               "unit": "MINUTES"
+            }
+         },
+          {
+            "$$OMIT": "<%= !serverTag('wildfire') || !serverTag('production') ? 'true' : 'false' %>",
+            "id": "<%= idgen('action-prod-wf', server.name) %>",
+            "name": "Notify Wildfire Prod Teams Channel",
+            "destination_id": "wf-prod-msteams",
+            "message_template": {
+               "source": "{\"text\": \"Abnormal high CPU usage alerting received from <%= server.name %> between {{ctx.periodStart}} and {{ctx.periodEnd}}\"}",
+               "lang": "mustache"
+            },
+            "throttle_enabled": true,
+            "subject_template": {
+               "source": "<%= server.name %> CPU Usage Alert",
+               "lang": "mustache"
+            },
+            "throttle": {
+               "value": 30,
+               "unit": "MINUTES"
+            }
+         }
+        ]
+      }
+    }
+  ],
+  "data_sources": {
+    "alerts_history_index": ".opendistro-alerting-alert-history-write",
+    "alerts_history_index_pattern": "<.opendistro-alerting-alert-history-{now/d}-1>",
+    "alerts_index": ".opendistro-alerting-alerts",
+    "findings_enabled": false,
+    "findings_index": ".opensearch-alerting-finding-history-write",
+    "findings_index_pattern": "<.opensearch-alerting-finding-history-{now/d}-1>",
+    "query_index": ".opensearch-alerting-queries",
+    "query_index_mappings_by_type": {}
+  }
+}

workflow-cli/configuration-opensearch/alerting/server-disk.config.json

@@ -0,0 +1,3 @@
+{
+  "type": "server"
+}

workflow-cli/configuration-opensearch/alerting/server-disk.monitor.json

@@ -0,0 +1,140 @@
+{
+  "name": "nrids_server_disk_<%= server.name %>",
+  "type": "monitor",
+  "monitor_type": "query_level_monitor",
+  "enabled": true,
+  "schedule": {
+    "period": {
+    "interval": 15,
+    "unit": "MINUTES"
+    }
+  },
+  "inputs": [
+    {
+      "search": {
+        "indices": [
+          "nrm-metrics-*"
+        ],
+        "query": {
+          "size": 0,
+          "aggregations": {
+            "metric": {
+               "avg": {
+                  "field": "host.disk.used_percentage"
+               }
+            }
+          },
+          "query": {
+            "bool": {
+              "filter": [
+                {
+                  "range": {
+                    "@timestamp": {
+                      "from": "{{period_end}}||-30m",
+                      "to": "{{period_end}}",
+                      "include_lower": true,
+                      "include_upper": true,
+                      "format": "epoch_millis",
+                      "boost": 1.0
+                    }
+                  }
+                },
+                {
+                  "term": {
+                    "host.hostname": {
+                      "value": "<%= server.name %>",
+                      "boost": 1.0
+                    }
+                  }
+                }
+              ]
+            }
+          }
+        }
+      }
+    }
+  ],
+  "triggers": [
+    {
+      "query_level_trigger": {
+        "id": "<%= idgen('trigger', server.name) %>",
+        "name": "AbnormalDisk from server <%= server.name %>",
+        "severity": "4",
+        "condition": {
+          "script": {
+            "source": "return ctx.results[0].aggregations.metric.value == null ? false : ctx.results[0].aggregations.metric.value > 0.999",
+            "lang": "painless"
+          }
+        },
+        "actions": [
+          {
+            "id": "<%= idgen('action-teams', server.name) %>",
+            "name": "Notify Appinfra Teams Channel",
+            "destination_id": "appinfra-msteams",
+            "message_template": {
+              "source": "{ \"text\": \"Monitor {{ctx.monitor.name}} just entered alert status. Please investigate the issue.\n  - Trigger: {{ctx.trigger.name}}\n  - Severity: {{ctx.trigger.severity}}\n  - Period start: {{ctx.periodStart}}\n  - Period end: {{ctx.periodEnd}}\" }",
+              "lang" : "mustache"
+            },
+            "throttle_enabled": true,
+            "throttle": {
+              "value": 15,
+              "unit": "MINUTES"
+            },
+            "subject_template": {
+              "source": "",
+              "lang" : "mustache"
+            }
+          },
+          {
+            "$$OMIT": "<%= !serverTag('wildfire') || !serverTag('nonproduction') ? 'true' : 'false' %>",
+            "id": "<%= idgen('action-nonprod-wf', server.name) %>",
+            "name": "Notify Wildfire Nonprod Teams Channel",
+            "destination_id": "wf-nonprod-msteams",
+            "message_template": {
+               "source": "{\"text\": \"AbnormalDisk alerting received from <%= server.name %> between {{ctx.periodStart}} and {{ctx.periodEnd}}\"}",
+               "lang": "mustache"
+            },
+            "throttle_enabled": true,
+            "subject_template": {
+               "source": "<%= server.name %> Low Disk Space",
+               "lang": "mustache"
+            },
+            "throttle": {
+               "value": 1440,
+               "unit": "MINUTES"
+            }
+         },
+          {
+            "$$OMIT": "<%= !serverTag('wildfire') || !serverTag('production') ? 'true' : 'false' %>",
+            "id": "<%= idgen('action-prod-wf', server.name) %>",
+            "name": "Notify Wildfire Prod Teams Channel",
+            "destination_id": "wf-prod-msteams",
+            "message_template": {
+               "source": "{\"text\": \"AbnormalDisk alerting received from <%= server.name %> between {{ctx.periodStart}} and {{ctx.periodEnd}}\"}",
+               "lang": "mustache"
+            },
+            "throttle_enabled": true,
+            "subject_template": {
+               "source": "<%= server.name %> Low Disk Space",
+               "lang": "mustache"
+            },
+            "throttle": {
+               "value": 30,
+               "unit": "MINUTES"
+            }
+         }
+        ]
+      }
+    }
+  ],
+  "data_sources": {
+    "alerts_history_index": ".opendistro-alerting-alert-history-write",
+    "alerts_history_index_pattern": "<.opendistro-alerting-alert-history-{now/d}-1>",
+    "alerts_index": ".opendistro-alerting-alerts",
+    "findings_enabled": false,
+    "findings_index": ".opensearch-alerting-finding-history-write",
+    "findings_index_pattern": "<.opensearch-alerting-finding-history-{now/d}-1>",
+    "query_index": ".opensearch-alerting-queries",
+    "query_index_mappings_by_type": {}
+  }
+}

workflow-cli/configuration-opensearch/alerting/server-memory.config.json

@@ -0,0 +1,3 @@
+{
+  "type": "server"
+}