Good alerting tells you about problems before your users do. Bad alerting wakes you up at 3 AM for nothing. This guide shows how to build effective log-based alerting with LogTide that catches real issues without alert fatigue.
The Alerting Problem
Too Many Alerts
🔔 3:01 AM - Error count > 5 in service: worker (5 errors)🔔 3:01 AM - Error count > 5 in service: worker (6 errors)🔔 3:02 AM - Error count > 5 in service: api (7 errors)🔔 3:02 AM - Error count > 5 in service: worker (8 errors)🔔 3:03 AM - Error count > 5 in service: api (12 errors)... 47 more alerts ...
Result: Engineer mutes notifications, misses the real incident next week.
Too Few Alerts
(silence)
User report at 9 AM: “We haven’t been able to log in since midnight.”
// Use consistent dedup keys// LogTide will only fire once per unique combination// within the time window{ "name": "Service Error Rate", "service": "api", // Scoped to service "timeWindow": 5, // 5-minute window // Only one alert per service per 5 minutes}
Reducing Alert Fatigue
Step 1: Audit Current Alerts
List all your alerts and classify:
Alert
Last Triggered
Actionable?
Keep/Modify/Delete
Error > 5
Daily
No (too sensitive)
Modify: threshold to 50
CPU > 90%
Never
N/A
Delete
5xx rate > 1%
Weekly
Yes
Keep
Disk > 80%
Monthly
Yes
Keep
Step 2: Apply the SRE Alert Framework
For each alert, ask:
Does this alert require human action? If no, delete it.
Can this wait until business hours? If yes, make it P3/P4.
Is the threshold set correctly? Tune based on historical data.
Is the alert well-documented? Add a runbook link.
Step 3: Implement Alert Routing
Not every alert needs to page someone:
Alert Configuration Checklist
Essential Alerts
Error rate per critical service
Critical/fatal errors (any service)
Health check failures
Authentication failures (brute force)
Deployment events (verify after deploy)
Notification Routing
P1 alerts → PagerDuty (phone)
P2 alerts → Slack #incidents
P3 alerts → Slack #alerts
P4 alerts → Email digest
Alert Quality
Every alert has a runbook
Thresholds tuned to avoid false positives
Alert fatigue audit quarterly
On-call handoff process documented
Security Alerts (Sigma)
Brute force detection enabled
Privilege escalation monitoring
Suspicious IP detection
After-hours admin activity
Common Pitfalls
1. “Alert on every error”
You’ll get 500 alerts per day and ignore them all.
Solution: Alert on error rates, not individual errors.
2. “Set thresholds once and forget”
As traffic grows, static thresholds become useless.
Does LogTide support real-time alerting on log events?
Yes. LogTide provides threshold-based alert rules that evaluate log volume, error rates, and search patterns within configurable time windows. When a threshold is crossed, LogTide immediately delivers notifications via email and webhooks, enabling routing to Slack, PagerDuty, Microsoft Teams, or any webhook-compatible tool.
How does LogTide help reduce alert fatigue for on-call engineers?
LogTide recommends alerting on error rates within a time window rather than on every individual error, and supports per-service scoping so alerts only fire when a meaningful volume of errors accumulates. Combining tiered severity levels with deduplication within the alert time window prevents the same issue from generating dozens of duplicate notifications.
What is Sigma rule support in LogTide alerting?
LogTide has built-in support for Sigma detection rules, an open standard for log-based threat detection. You can import Sigma rules directly through the LogTide dashboard to detect patterns such as brute force login attempts or suspicious privilege escalation, without writing custom alerting logic from scratch.
Can LogTide route critical alerts to PagerDuty and lower-priority alerts to Slack?
Yes. LogTide fires alerts to a webhook endpoint of your choice, and you can build a lightweight webhook router that inspects the alert payload and forwards it to PagerDuty for critical events while sending all other alerts to a Slack channel. The alert payload includes the alert name, service, threshold, current count, and sample log entries to give responders immediate context.