web_log_5m_requests_ratio.md 2.4 KB
Understand the alert
The web_log_5m_requests_ratio alert indicates that there is a significant increase in the number of successful HTTP requests to your web server in the last 5 minutes compared to the previous 5 minutes. This alert is important for monitoring sudden traffic surges, which can potentially overload your server.
Troubleshoot the alert
- Check the source of the increased traffic Use web server logs to determine the source of the increased traffic. Identify if the requests are coming from a specific IP address, group of IP addresses, or even bots.
For example, for Nginx, you can check the log files at /var/log/nginx/access.log. For Apache, the logs can be found at /var/log/apache2/access.log.
Analyze the requests Look at the type of requests (GET, POST, etc.) and the requested resources (URLs). This analysis can help you understand if the increase in traffic is legitimate or if it's due to an issue like a DDoS attack or a web crawler.
Monitor server performance Use monitoring tools like
top,iotop, or Netdata itself to check your server's performance metrics. Keep an eye on CPU, RAM, and disk usage to ensure that the server is not getting overloaded.Optimize server resources and configuration If you find that the traffic increase is legitimate and your server is struggling to handle the load, consider optimizing your server resources and configuration. Techniques include:
- Increasing server resources (CPU, RAM, disk)
- Using a caching mechanism
- Load balancing and scaling out your infrastructure
- User connection rate limiting and request throttling
Mitigate potential attacks If the analysis reveals that the increase in traffic is due to a DDoS attack, implement mitigation strategies like firewalls, IP blocking, or using a web application firewall (WAF). Ensure that you have a robust security system in place to protect your server from such attacks.