This topic describes the metrics emitted by the metric namespace oci_waf (the WAF service).
Overview of the WAF Service Metrics
Oracle Cloud Infrastructure Web Application Firewall (WAF) is a cloud-based global security service that protects applications from malicious and unwanted internet traffic. The WAF service metrics help you measure various levels of traffic encountering your WAF policies, including non-malicious traffic. For more information, see Overview of the Web Application Firewall Service.
- IAM policies: To monitor resources, you must be given the required type of access in a policy written by an administrator, whether you're using the Console or the REST API with an SDK, CLI, or other tool. The policy must give you access to the monitoring services as well as the resources being monitored. If you try to perform an action and get a message that you don’t have permission or are unauthorized, confirm with your administrator the type of access you've been granted and which compartment you should work in. For more information on user authorizations for monitoring, see the Authentication and Authorization section for the related service: Monitoring or Notifications.
- Permissions are required to allow monitoring, alarm, and notification (ONS) definition for users in a group for all compartments. The following policies must be configured in the root compartment:
Allow group <WAFMonitors> to read metrics in compartment <CompartmentName>
Allow group <WAFMonitors> to manage alarms in compartment <CompartmentName>
Allow group <WAFMonitors> to manage ons-family in compartment <CompartmentName>
Available Metrics: oci_waf
The metrics listed in the following table are automatically available for any policies you create. You do not need to enable monitoring on the resource to get these metrics. However, you must have the policy properly set up with web traffic passing through it to make the oci_waf metric space available in the Metrics Explorer feature. Policies with no web traffic emit no metric data.
|Metric||Metric Display Name||Unit||Description||Dimensions|
||Requests||count||The total number of requests serviced by the WAF.||
||Traffic||bytes||Data egress from the WAF (compressed by default) measured in one-minute intervals.||
||Bandwidth||B/s (bytes per second)||Bandwidth rate calculated by dividing total data egress in a minute by 60.||
||Detects||count||The number of requests that triggered a detect (alert) for a WAF policy.||
The following dimensions are available for WAF metrics:
||Two-letter country code where the request originated.||
||The rule type that was triggered by the request.||
||Web domain of the WAF policy.||www.mydomain.com|
||HTTP response status code series.||
||The OCID of the WAF policy.||
Multiple dimensions can be combined and aggregated to form ad-hoc subset reports of telemetry.
Using the Console
WAF service metrics are currently only available using the Metrics Explorer feature in the Console. For more information about metrics, see Viewing Metric Charts.
Any metric/dimension combination can be used as criteria for alarms. Alarms can use Oracle Notification Service for alerting through communication mechanisms such as email and PagerDuty.
This section includes steps to create an alarm. For more information about configuring alarms, see Managing Alarms.
- Open the navigation menu. Under Solutions and Platform, go to Monitoring and click Alarm Definitions.
- Click Create alarm.
- On the Create Alarm page, under Define alarm, fill in or update the alarm settings:
- Alarm Name: User-friendly name for the new alarm. This name is sent as the title for notifications related to this alarm.
- Alarm Severity: The perceived type of response required when the alarm is in the firing state.
- Alarm Body: The human-readable content of the notification delivered. Oracle recommends providing guidance to operators for resolving the alarm condition. Consider adding links to standard runbook practices. Example: "High CPU usage alert. Follow runbook instructions for resolution."
- Tags (optional): Optionally, you can apply tags. If you have permissions to create a resource, you also have permissions to apply free-form tags to that resource. To apply a defined tag, you must have permissions to use the tag namespace. For more information about tagging, see Resource Tags. If you are not sure if you should apply tags, skip this option (you can apply tags later) or ask your administrator.
- Metric description: The metric to evaluate for the alarm condition.
Compartment: Select your compartment.
- Metric Namespace: Select oci_waf.
Metric Name: The metric the alarm measures.
Interval: The aggregation window, or the frequency at which data points are aggregated. Interval values:
- 1m - 1 minute
- 5m - 5 minutes
- 1h - 1 hour
For alarm queries, the specified interval has no effect on the resolution of the request. The only valid value of the resolution for an alarm query request is 1m. For more information about the resolution parameter as used in alarm queries, see Alarm.
Statistic: The aggregation function. Statistic values:
- COUNT - The number of observations received in the specified time period.
- MAX - The highest value observed during the specified time period.
- MEAN - The value of Sum divided by Count during the specified time period.
- MIN - The lowest value observed during the specified time period.
- P50 - The value of the 50th percentile.
- P90 - The value of the 90th percentile.
- P95 - The value of the 95th percentile.
- P99 - The value of the 99th percentile.
- P99.5 - The value of the 99.5th percentile.
- RATE - The per-interval average rate of change.
- SUM - All values added together.
- Metric dimensions: Optional filters to narrow the metric data evaluated.
Dimension Name: A qualifier specified in the metric definition. For example, the dimension resourceId is specified in the metric definition for
Long lists of dimensions are trimmed.
- To view dimensions by name, type one or more characters in the box. A refreshed (trimmed) list shows matching dimension names.
- To retrieve all dimensions for a given metric, use the following API operation: ListMetrics
- Dimension Value: The value you want to use for the specified dimension. For example, the resource identifier for your instance of interest.
- + Additional dimension: Adds another name-value pair for a dimension.
Trigger rule: The condition that must be satisfied for the alarm to be in the firing state. The condition can specify a threshold, such as 90% for CPU Utilization, or an absence.
Operator: The operator used in the condition threshold. Operator values:
- greater than
- greater than or equal to
- equal to
- less than
- less than or equal to
- between (inclusive of specified values)
- outside (inclusive of specified values)
- Value: The value to use for the condition threshold.
- Trigger Delay Minutes: The number of minutes that the condition must be maintained before the alarm is in firing state.
Set up notifications: Under Notifications, fill in the fields. Destinations:
Destination Service: The provider of the destination to use for notifications.
Compartment: The compartment storing the topic to be used for notifications. Can be a different compartment from the alarm and metric. By default, the first accessible compartment is selected.
- Topic: The topic to use for notifications. Each topic supports a subscription protocol, such as PagerDuty.
- Topic Name: User-friendly name for the new topic. Example: "Operations Team" for a topic used to notify operations staff of firing alarms.
- Topic Description: Description of the new topic.
Subscription Protocol: Medium of communication to use for the new topic. Configure your subscription for the protocol you want:
Email subscription
- Subscription Protocol: Select Email.
- Email Addresses: Type an email address.
- Subscription Protocol: Select HTTPS (PagerDuty).
PagerDuty Integration URL: Type (or copy and paste) the integration key portion of the URL for your PagerDuty subscription. (The other portions of the URL are hard-coded.)
For information on setting up and retrieving your integration key, see the PagerDuty documentation.
Example integration key: Your68a4Integration4dd8Key12f4f6
Example integration URL: https://events.pagerduty.com/integration/Your68a4Integration4dd8Key12f4f6/enqueue
+ Additional destination service: Adds another destination service and topic to use for notifications.
Each alarm is limited to one destination per supported destination service.
- Repeat notifications every day:
- Repeat Notification?: While the alarm is in the firing state, resends notifications at the specified interval.
- Notification Interval: The period of time to wait before resending the notification.
Suppress Notifications: Sets up a suppression time window during which to suspend evaluations and notifications. Useful for avoiding alarm notifications during system maintenance periods.
- Suppression Description
- Start Time
- End Time
- Click Save alarm.
The new alarm is listed on the Alarm Definitions page.
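Before saving a trigger rule, it can be dry-run offline against sample data. The following is an added illustration, not Oracle's code: it models the Interval, Statistic, Operator and Trigger Delay Minutes settings described above against constructed per-minute Detects counts. The function name, the sample data, and the reading of the delay (the condition must hold on more than N consecutive one-minute evaluations) are assumptions of this simplified model; the percentile and RATE statistics are left out.

```python
from statistics import mean

# Statistics from the alarm settings; percentiles and RATE are not modelled.
STATISTICS = {"COUNT": len, "MAX": max, "MEAN": mean, "MIN": min, "SUM": sum}

# Operators from the trigger rule; "between" and "outside" include the bounds.
OPERATORS = {
    "greater than": lambda v, lo, hi: v > lo,
    "greater than or equal to": lambda v, lo, hi: v >= lo,
    "equal to": lambda v, lo, hi: v == lo,
    "less than": lambda v, lo, hi: v < lo,
    "less than or equal to": lambda v, lo, hi: v <= lo,
    "between": lambda v, lo, hi: lo <= v <= hi,
    "outside": lambda v, lo, hi: v <= lo or v >= hi,
}

# Constructed sample: Detects counts, one raw data point per minute.
DETECTS = [2, 3, 1, 40, 55, 60, 4, 2, 70, 3, 2, 1]


def firing_minutes(samples, interval_min, statistic, operator, value,
                   upper=None, trigger_delay_min=0):
    """Return the minute indexes at which the modelled alarm is firing.

    Assumed model: once a minute, the last `interval_min` data points are
    aggregated with `statistic` and compared with the threshold; the alarm
    fires when the condition has held on more than `trigger_delay_min`
    consecutive evaluations. Partial windows at the start are skipped.
    """
    aggregate, condition = STATISTICS[statistic], OPERATORS[operator]
    firing, streak = [], 0
    for i in range(interval_min - 1, len(samples)):
        window = samples[i - interval_min + 1:i + 1]
        holds = condition(aggregate(window), value, upper)
        streak = streak + 1 if holds else 0
        if streak > trigger_delay_min:
            firing.append(i)
    return firing


if __name__ == "__main__":
    # No delay: the one-minute spike at minute 8 also fires the alarm.
    print(firing_minutes(DETECTS, 1, "SUM", "greater than", 30))
    # Two-minute delay: only the sustained burst (minutes 3-5) fires.
    print(firing_minutes(DETECTS, 1, "SUM", "greater than", 30,
                         trigger_delay_min=2))
    # Five-minute window: firing continues after the burst has ended.
    print(firing_minutes(DETECTS, 5, "SUM", "greater than", 100))
```

Comparing the three runs shows the trade-off when alarming on Detects: a trigger delay suppresses isolated spikes, while a longer interval keeps the alarm firing for several minutes after the traffic has returned to normal.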
Open the navigation menu. Under Solutions and Platform, go to Monitoring and click Metrics Explorer.
For Metric Namespace, select oci_waf.
Select a metric to view from the Metric Name field.
- Select a qualifier specified in the Dimension Name field. For example, the dimension resourceId is specified in the metric definition for
Select the value you want to use for the specified dimension in the Dimension Value field. For example, the resource identifier for your instance of interest.
Click Update Chart.
The chart will be updated with the metrics that have been requested. You can hover over the line graphs to see a breakdown of the dimensions for data displayed.
Using the API
Use the following APIs for monitoring: