This article provides information on the steps to be taken in case of issues with email notifications for triggered alarms in Logsign.
When an alarm is triggered in Logsign and an action model is configured for email notification, the architecture works as follows:
After Logsign-alarmflow-worker triggers the alarm, it writes the action model for email notification to a list (action_queue) in the Redis database.
The Logsign-action-rule-worker service constantly monitors this list in Redis. If there is a task in the list, it performs it.
First, let's check the logs of this service.
journalctl -u logsign-action-rule-worker -f
There should be no error logs in the output of this service log.
Another checkpoint is the Redis list. If there is a lot of congestion in this list, it may indicate that the Logsign-action-rule-worker service is inadequate.
redis-cli -h localhost hgetall "action_queue" | wc -l
If there are six tasks waiting to be performed in the list, and you see the same number or more after two minutes, it means that the action-rule-worker service cannot keep up. You can increase the Logsign-action-rule-worker service to keep up with this number again.