Molly Struve

Molly_Struve

Kenna Security

Molly Struve is the Lead Site Reliability Engineer at Kenna Security. She joined Kenna in 2015 and has had the opportunity to work on some of the most challenging aspects of Kenna’s code base. This includes scaling Elasticsearch, sharding MySQL databases, and taming their usage of Redis. Given her degree in Aerospace Engineering from MIT, it is no surprise that Molly thrives on optimizing code performance. When not making code run faster, she can be found fulfilling her need for speed by riding and jumping her show horses.

Session: Creating A Scalable Monitoring System That Everyone Will Love

A year ago, the monitoring setup at my company was a disaster. Here is what we had going to monitor our infrastructure.
1. New Relic for performance monitoring
2. PagerDuty for application health monitoring
3. Elastalert which used logs to alert on data discrepancies or site use anomalies
4. Cron jobs that ran nightly or every 30 min looking for data anomalies
5. Honeybadger for application/code errors
6. Admin dashboards for background processing services like Sidekiq and Resque

The disaster doesn't end there. Not only did we have 6 different tools doing the monitoring, we had them reporting to all different places.
1. Slack channels - At our worst, we had a different Slack channel for every individual environment with alerts being sent to it.
2. SMS messaging
3. Email
4. Phone Call

As if all of those different alerting mediums weren't enough to make your head spin, the alerts we sent to all of them were incredibly inconsistent. Some alerts just reported data, but required no action. Many alerts would go off periodically and be false positives. And finally, some of the alerts actually needed someone to address them immediately. 

Needless to say, those who were on-call were miserable! They had no idea what was important or what alerts were actionable. This was not a huge problem at first because most of our team had been around for a while and knew all the ins and outs of what alerts were relevant. However, as our team started to grow, we realized our monitoring system needed to change. Our newly minted SRE team quickly decided one of the first problems it was going to tackle was monitoring. 

We overhauled our entire system over the course of a few months and the changes have paid off in spades. Here are the strategies we implemented that made a huge difference for our team.

*Consolidate Monitoring To a Single Place:* 
Everything has to be in one place. This is especially important the larger your team gets. As more and more people join, it will be harder to onboard them if you have to teach them multiple different systems. Instead, when someone goes on-call, it's infinitely easier to tell them to open up a single webpage and that's it. Now, you can have multiple reporting tools, but you need to send all their alerts through a single interface.

*Make ALL Alerts Actionable:* 
The moment you let one piece of noise through you set a precedent for everything else to be ignored. I cannot stress this point enough! Once you start letting false positives be ignored you can very quickly forget what is important and what is not. If an alert goes off and there is no action to be taken, then that alert should not have gone off in the first place. If you want things to alert that are not actionable, you need to put them in a separate place far away from the actionable items.

*Make Sure Alerts Are Mutable:*
This was huge for us! A lot of our hand-rolled alerts in the beginning would trigger every 30/60/90 minutes. Even if we had acknowledged the alert and were working to fix it, it would still ping us. Nothing is more frustrating than trying to fix a problem while an alarm is blaring in your ear. Our single centralized system now gives us the ability to mute alerts for however long we feel we need to fix the problem.

Not only do you want alerts to be mutable, ideally, you want to be able to mute them for a specific timeframe. Nothing is worse than muting an alert, fixing the problem, and then forgetting to unmute the alert afterwards.

*Track Alert History:*
This is one of those things you don't think about until you are staring at an alert and have no idea what is causing it. A lot of times, in order to figure out the cause of an alert you need to know what the previous behavior was. If you have history for an alert you can do this. By going back and looking for trends in data, you can get a better picture of the situation, which can help when it comes to finding the root cause. 

Having alert history can also help you spot trends and find problems even before an alert is triggered. For example, let's say you are tracking database load. If you suddenly experience a large amount of growth you can refer to your monitoring history for that alert to gauge what the load on the database is and if you are approaching that alert threshold. You can then use this information to get ahead of the alert before it even goes off. 
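The timed mutes described under "Make Sure Alerts Are Mutable" and the history lookup described just above, as an added example that is not code from the talk or from Kenna Security. It is a minimal in-memory router through which every reporting tool sends its readings; the class and method names (`AlertRouter`, `report`, `mute`, `approaching?`) and the database-load sample values are assumptions for illustration.

```ruby
# Added example: one central entry point for every monitoring tool, mutes
# that expire on their own, and a per-alert history that can be checked
# before the threshold is crossed. Names and storage are assumptions.
class AlertRouter
  Reading = Struct.new(:name, :source, :value, :threshold, :at, :delivered)

  def initialize
    @mutes = {}                                 # alert name => Time mute expires
    @history = Hash.new { |h, k| h[k] = [] }    # alert name => [Reading, ...]
    @delivered = []                             # what would actually page someone
  end

  # Mute for a fixed window rather than indefinitely, so nobody has to
  # remember to unmute the alert once the fix has landed.
  def mute(name, seconds, now: Time.now)
    @mutes[name] = now + seconds
  end

  def muted?(name, now: Time.now)
    expires = @mutes[name]
    return false unless expires
    return true if now < expires
    @mutes.delete(name)   # an expired mute cleans itself up
    false
  end

  # Every tool (cron job, Elastalert, dashboard scraper) reports here.
  # The reading is always recorded; it only pages when the threshold is
  # crossed and the alert is not currently muted.
  def report(name, value, threshold:, source:, now: Time.now)
    breach = value >= threshold
    deliver = breach && !muted?(name, now: now)
    reading = Reading.new(name, source, value, threshold, now, deliver)
    @history[name] << reading
    @delivered << reading if deliver
    deliver ? :delivered : (breach ? :muted : :ok)
  end

  def history(name)
    @history[name]
  end

  def delivered
    @delivered
  end

  # Use the history to get ahead of an alert: true when the last +window+
  # readings were all below the threshold but within +margin+ of it.
  def approaching?(name, window: 3, margin: 0.8)
    recent = @history[name].last(window)
    return false if recent.size < window
    recent.all? { |r| r.value < r.threshold && r.value >= r.threshold * margin }
  end
end
```

The `now:` keyword exists so the mute expiry can be exercised deterministically in a test; in real use it defaults to the current time.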

*The Payoff:*
Overhauling our monitoring system has paid off in many ways. For starters, on-call developers are a lot happier! By removing any ambiguity around what alerts were important and what weren't, we took a lot of confusion out of being on-call. We also removed a lot of noise. No one wants their phone buzzing all night long when they are on-call. Removing those false positives fixed this issue.

Since all of the monitoring is now in a single place, it is straightforward and easy for developers to understand and learn. This ease of use has caused a lot of developers to contribute to the alerting effort by making their own alerts and improving on the ones we already have in place. Having a reliable, easy-to-use system gave developers a good reason to buy into it and join the effort to improve it.