Tags & Alerts

Create tags to help you visualise important events in your logs, and set up alerts to notify you when those events occur.

Creating Tags

To create a Tag, click on the Tags & Alerts item in the header, then press the Create Tag/Alert button. Start by entering a name for your Tag. Next, enter a pattern (Regular Expression or String search) that signifies when this Tag should occur in your logs. Then select a label which will identify this Tag in your logs. You can either use one of the default labels or create your own (more details below). Finally, select the logs you wish this Tag to apply to and click Create.

Create labels relevant for you

Standard Labels

Logentries provides a number of labels out of the box (critical, warning, exception, fatal) that can be used to match system events.

Custom Labels

Create custom labels by clicking the New Label button when creating a tag. Enter the name for the label, e.g. “High CPU Load”, and select a color. You can either use one of the suggested colors or use the color picker to select a color of your choice. Once finished, press the Done button to finish creating the label. To edit the label, click on its body when creating a tag; you will see the same screen as for creation, so you can enter a new name and color.

Creating Alerts

To create an alert, fill out the same fields as you would for a Tag. Before pressing the Create button, press the Add Alert button (seen below). Now fill out the fields to your preference (see below for more information). Once you have all fields filled out, press the Create button to create the Tag and Alert.

Specify limitations

Specify how often the event must occur before an alert is triggered. Also specify how often you would like to be notified. This allows you to avoid flooding your inbox with notifications and to get alerts when they really matter.

With the option “It must match at least” you can specify how many times the pattern MUST match in order to trigger the alert. The most common option, “Once”, triggers the alert on every occurrence. A more refined option, “100x/hour”, specifies that the pattern must match at least 100 times in the last 60 minutes. The alert is triggered when our alert counter reaches this limit. However, note that it does not trigger again if the pattern is continually matched above the threshold: the counter must drop below the limit again, and then go over the threshold again, for the alert to be re-triggered. This allows us to avoid flooding you with alert reports.

The option “Report this alert at most” enables you to limit the number of alert reports you receive. You can thus easily avoid getting flooded with reports of the same alert, while making sure you still get the most important ones.

All time specifications (last hour, last day) represent a sliding window. This means the time window specified is not fixed to the current hour or day, but instead slides with the current time and refers to the last 60 minutes or 24 hours. This is more convenient than a fixed-hour/day time specification: attacks or errors do not respect hour or day boundaries.
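The trigger, re-trigger and sliding-window behaviour described above, modelled in Python. This is an added example, not Logentries code: the class and function names, the sample timestamps, and the treatment of the “Report this alert at most” limit as a sliding-window cap are assumptions.

```python
from collections import deque

class SlidingWindowAlert:
    """Model of the alert counter described above (illustrative, not Logentries code)."""

    def __init__(self, threshold, window_s, max_reports, report_window_s):
        self.threshold, self.window_s = threshold, window_s
        self.max_reports, self.report_window_s = max_reports, report_window_s
        self.matches = deque()  # match timestamps from all followed logs combined
        self.reports = deque()  # timestamps of reports actually sent
        self.above = False      # True while the counter sits at or above the limit

    @staticmethod
    def _expire(q, now, span):
        # Sliding window: keep only entries newer than now - span.
        while q and q[0] <= now - span:
            q.popleft()

    def observe(self, ts):
        """Record a match at ts (seconds); return 'report', 'suppressed' or None."""
        self._expire(self.matches, ts, self.window_s)
        if len(self.matches) < self.threshold:
            self.above = False   # counter fell below the limit: re-arm
        self.matches.append(ts)
        if len(self.matches) < self.threshold:
            return None
        # threshold == 1 models "Once", which fires on every occurrence.
        if self.above and self.threshold > 1:
            return None          # still above the limit: no re-trigger
        self.above = True
        self._expire(self.reports, ts, self.report_window_s)
        if len(self.reports) >= self.max_reports:
            return "suppressed"  # triggered, but over the report cap (assumed sliding)
        self.reports.append(ts)
        return "report"

def run(alert, timestamps):
    """Feed match timestamps in time order; return [(ts, outcome)] per trigger."""
    return [(ts, r) for ts in sorted(timestamps) if (r := alert.observe(ts))]

# Constructed sample: seconds at which the pattern matched in two followed logs.
LOG_A = [0, 10, 40, 200]
LOG_B = [5, 20, 205, 210, 600, 601, 602]

if __name__ == "__main__":
    # At least 3 matches per 60 s; report at most once per 300 s.
    alert = SlidingWindowAlert(3, 60, 1, 300)
    for ts, outcome in run(alert, LOG_A + LOG_B):
        print(ts, outcome)
```

The burst at 200 to 210 seconds crosses the threshold again but is suppressed by the report cap, which is why a tight cap can hide a second incident that follows closely on the first.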

Specify notification style

Notifications can be sent by email or iPhone messaging, or you can specify a URL where the notification should be sent if you would rather use webhooks. A webhook POSTs information about the triggered alert in JSON format for easy parsing. Logentries sends webhooks to your server in real time, so your server does not need to poll for changes.


When using the Tags and Alerts forms, there are some restrictions on what you can enter in the fields. Below is a list of some of these restrictions.
  • Label names cannot be longer than 30 characters.
  • For a given Tag, patterns cannot exceed 4000 characters in length.
  • If an alert follows multiple log files, it will alert if the total number of matched events across all the logs exceeds the defined threshold. E.g. if an alert is monitoring two log files for stack traces with an alert threshold of 50 in an hour, the alert will trigger if the first log has 30 matching events and the second log generates 20 matching events.