My Philosophy on Alerting: Observations of a Site Reliability Engineer at Google

This reminds me of an excellent talk my friend Dan Slimmon gave called &quot;Car Alarms and Smoke Alarms&quot;. He relates monitoring to the concepts of sensitivity and specificity in medical testing (<a href="http://en.wikipedia.org/wiki/Sensitivity_and_specificity" rel="nofollow">http:&#x2F;&#x2F;en.wikipedia.org&#x2F;wiki&#x2F;Sensitivity_and_specificity</a>). Sensitivity is about the likelihood that your monitor will detect the error condition. Specificity is about the likelihood that it will <i>not</i> create false alarms.<p>Think about how people react to smoke alarms versus car alarms. When the smoke alarm goes off, people mostly follow the official procedure. When car alarms go off, people ignore them. Why? Car alarms have very poor specificity.<p>I&#x27;d add another layer of car alarms are Not My Problem, but that&#x27;s just me and not part of Dan&#x27;s excellent original talk.

&gt; Err on the side of removing noisy alerts – over-monitoring is a harder problem to solve than under-monitoring.<p>Absolutely this. Our team is having more problems with this issue than anything else. However, there are two points which seem to contradict:<p><pre><code> - Pages should be [...] actionable - Symptoms should be monitored, not causes </code></pre> The problem is that can&#x27;t act on symptoms, only research them and then act on the causes. If you get an alert that says the DB is down, that&#x27;s an actionable page - start the DB back up. Whereas, being paged that the connections to the DB are failing is far less actionable - you have to spend precious downtime researching the actual cause first. It could be the network, it could be an intermediary proxy, or it could be the DB itself.<p>Now granted, if you&#x27;re only catching causes, there is the possibility you might miss something with your monitoring, and if you double up on your monitoring (that is, checking symptoms as well as causes), you could get noise. That said, most monitoring solutions (such as Nagios) include dependency chains, so you get alerted on the cause, and the symptom is silenced while the cause is in an error condition. And if you missed a cause, you still get the symptom alert and can fill your monitoring gaps from there.<p>Leave your research for the RCA and following development to prevent future downtime. When stuff is down, a SA&#x27;s job is to get it back up.

Having your application reviewed by SREs who are going to support it is a legendary experience. They have no motivation to be gentle.<p>It changes the mindset from <i>&quot;Failure? Just log an error, restore some &#x27;good&#x27;-ish state and move on to the next cool feature.&quot;</i> towards <i>&quot;New cool feature? What possible failures will it cause? How about improving logging and monitoring on our existing code instead?&quot;</i>

Great writeup. Should be in any operations handbook. One of the challenges I&#x27;ve found has been dynamic urgency, which is to say something is urgent when it first comes up, but now that its known and being addressed it isn&#x27;t urgent anymore, unless there is something else going on we don&#x27;t know about.<p>Example you get a server failure which affects a service, and you begin working on replacing that server with a backup, but a switch is also dropping packets and so you are getting alerts on degraded service (symptom) but believe you are fixing that cause (down server) when in fact you will still have a problem after the server is restored. So my challenge is figuring out how to alert on that additional input in a way that folks won&#x27;t just say &quot;oh yeah, this service, we&#x27;re working on it already.&quot;

That&#x27;s harder problem than I originally realized. It&#x27;s easy to write noisy alerts, super easy to not have them (or not catching some issues).<p>It&#x27;s hard to tune them so signal to noise ratio will be high.

Where I work, at a mobile ad network, they put everyone on call on a rotating basis even if they are not devops or server engineers. We use Pager Duty and it works well. Since there is always a primary and secondary on call person, and the company is pretty small and technical, everyone feels &quot;responsible&quot; during their shifts, and at least one person is capable of handling rare, catastrophic events. I often wonder which is more important: good docs on procedures for failure modes or a heightened sense of responsibility. A good analogy may be the use of commercial airline pilots. They can override autopilot, but I am told rarely do. The safest airlines are good at maintaining their heightened sense of vigilance despite the lack of the need for it 99.999% of the time.

&quot;If you want a quiet oncall rotation, it&#x27;s imperative to have a system for dealing with things that need timely response, but are not imminently critical.&quot;<p>This is an excellent point that is missed in most monitoring setups I&#x27;ve seen. A classic example is some request that kills your service process. You get paged for that so you wrap the service in a supervisor like daemon. The immediate issue is fixed and, typically, any future causes of the service process dying are hidden unless someone happens to be looking at the logs one day.<p>I would love to see smart ways to surface &quot;this will be a problem soon&quot; on alerting systems.

Most of this appears to be just end-to-end testing, and whether you&#x27;re alerting on a failure of testing the entire application stack or just individual components. He probably got paged by too many individual alerts versus an actual failure to serve data, which I agree would be annoying.<p>In a previous position, we had a custom ticketing system that was designed to also be our monitoring dashboard. Alerts that were duplicates would become part of a thread, and each was either it&#x27;s own ticket or part of a parent ticket. Custom rules would highlight or reassign parts of the dashboard, so critical recurrent alerts were promoted higher than urgent recurrent alerts, and none would go away until they had been addressed and closed with a specific resolution log. The whole thing was designed so a single noc engineer at 3am could close thousands of alerts per minute while logging the reason why, and keep them from recurring if it was a known issue. The noc guys even created a realtime console version so they could use a keyboard to close tickets with predefined responses just seconds after they were opened.<p>The only paging we had was when our end-to-end tests showed downtime for a user, which were alerts generated by some paid service providers who test your site around the globe. We caught issues before they happened by having rigorous metric trending tools.

Thanks for posting this! I&#x27;m on the product team at PagerDuty, and this lines up with a lot of our thinking on how to effectively design alerting + incident response. I love the line &quot;Pages should be urgent, important, actionable, and real.&quot;

Here&#x27;s another good writeup on effective alerting, by a former Google Staff Engineer: <a href="http://blog.scalyr.com/2014/08/99-99-uptime-9-5-schedule/" rel="nofollow">http:&#x2F;&#x2F;blog.scalyr.com&#x2F;2014&#x2F;08&#x2F;99-99-uptime-9-5-schedule&#x2F;</a>

Why does a company the size of Google even have call rotations? Shouldn&#x27;t they have 24&#x2F;7 shifts of reliability engineers who can manually call in additional people as and when they&#x27;re needed?<p>I can totally understand why SMBs have rotations. They have less staff. But a monster corporation? This seems like lame penny pinching. Heck for the amount of effort they&#x27;re clearly putting into automating these alerts, they could likely use the same wage-hours to just hire someone else for a shift. Heck with an international company like Google they could have UK-based staff monitoring US-based sites overnight and visa-versa. Keep everyone on 9-5 and still get 24 hour engineers at their desks.

Here&#x27;s the link to it as a PDF for anyone else wanting a printable copy to pin to their wall: https:&#x2F;docs.google.com&#x2F;document&#x2F;export?format=pdf&amp;id=199PqyG3UsyXlwieHaqbGiWVa8eMWi8zzAn0YfcApr8Q

Good article. Alerting system unfortunately are still at the same level they where decades ago. Today we work in highly distributed environments that scale dynamically and we finding symptoms is a key problem. That is why a lot of people alert on causes or anomalies. In reality they should just detect them and log them for further dependency analysis once a real problem is found. We for example differentiate between three levels of alerts: infrastructure only, application services and users. Our approach to have NO alerts at all but monitor a ton of potential anomalies. Once these anomalies have user impact we report back problem dependencies.<p>If you are interested you can also get my point of view from my Velocity talk on Monitoring without alerts. <a href="https://www.youtube.com/watch?v=Gqqb8zEU66s" rel="nofollow">https:&#x2F;&#x2F;www.youtube.com&#x2F;watch?v=Gqqb8zEU66s</a>. If you are interested also check out www.ruxit.com and let me know what you think of our approach.

This is huge. One of the big things dev teams benefit from bringing an SRE team onto their project is learning things like this and how to run a sustainable oncall rotation.

My startup <a href="http://usetrace.com" rel="nofollow">http:&#x2F;&#x2F;usetrace.com</a> is a web monitoring (+regression testing) tool with the &quot;monitor for your users&quot; philosophy mentioned in Rob&#x27;s article. Monitoring is done on the application&#x2F;feature level -&gt; alerts are always about a feature visible to the users.

This was very informative, I like the idea of monitoring symptoms that are user-facing rather than causes which are devops&#x2F;sysadmin&#x2F;dev-facing. I&#x27;m just thankful that my next project doesn&#x27;t require pager duty.

Can&#x27;t access the site, seems like there&#x27;s some quota on docs.google.com... Does anyone have a cached version? (WebArchive can&#x27;t crawl it due to robots.txt)

So I guess the author uses a smart phone as a pager, but given his passion for uptime, reliability, latency etc. I wonder if he has experimented with an actual pager.

Any alert should be for a good cause sounds good according to me.

I just want to say: HN is bursting with great articles today.

Great article @robewaschuk :)<p>-- Marcin, former Google SRE

In todays world, 90% of bloggers rely on google for their living

Very cool