This project is not covered by Drupal’s security advisory policy.

Log Alert Rules provides configurable threshold-based alerting for Drupal watchdog log entries.

Instead of manually watching logs or building one-off automation for recurring errors, site administrators can define alert rules that watch for patterns in specific log channels and severities, then notify recipients when thresholds are met.

Each rule can target:
- a log channel, or any channel
- one or more severity levels
- a substring or PCRE regex message pattern
- an optional negate pattern
- raw or rendered message matching

Features

- Configurable alert rules stored as config entities
- Threshold-based evaluation within sliding time windows
- Cooldown suppression to reduce alert floods
- Email notification channel
- Rule testing against recent dblog entries
- Single-rule and bulk export/import
- Backward-compatible import for older single-rule exports
- Drupal 10.3+ and Drupal 11 support

This module is intended for sites that want practical, maintainable alerting on top of Drupal's built-in logging system.
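
The rule semantics listed above (channel and severity filters, a pattern with an optional negate pattern, raw or rendered matching, a threshold inside a sliding window, and cooldown suppression) can be sketched in plain PHP. This is an added example, not the module's own code: the array keys, the functions `entry_matches()` and `evaluate()`, and the log entries are constructed for illustration, and the way the pieces combine is an assumption.

```php
<?php
// Added illustration. Field names are hypothetical, not the module's config schema.

/** TRUE when a log entry passes the rule's channel, severity and pattern filters. */
function entry_matches(array $rule, array $e): bool {
  if ($rule['channel'] !== NULL && $rule['channel'] !== $e['channel']) return FALSE;
  if (!in_array($e['severity'], $rule['severities'], TRUE)) return FALSE;
  // Raw mode tests the stored template; rendered mode substitutes placeholders first.
  $text = $rule['rendered'] ? strtr($e['message'], $e['variables']) : $e['message'];
  $hit = fn(string $p): bool => $rule['regex']
    ? preg_match($p, $text) === 1
    : str_contains($text, $p);
  if (!$hit($rule['pattern'])) return FALSE;
  return $rule['negate'] === NULL || !$hit($rule['negate']);
}

/** Replays entries in time order and returns the times at which an alert fires. */
function evaluate(array $rule, array $entries): array {
  $hits = []; $fired = []; $last = NULL;
  foreach ($entries as $e) {
    if (!entry_matches($rule, $e)) continue;
    $hits[] = $e['time'];
    // Sliding window: keep only matches newer than (now - window).
    $hits = array_values(array_filter($hits, fn($t) => $t > $e['time'] - $rule['window']));
    // Cooldown: stay quiet until enough time has passed since the last alert.
    $cooling = $last !== NULL && $e['time'] - $last < $rule['cooldown'];
    if (count($hits) >= $rule['threshold'] && !$cooling) {
      $fired[] = $last = $e['time'];
    }
  }
  return $fired;
}

// Constructed rule: 3 failed logins within 60 s, then 300 s of silence.
// Severities use RFC 5424 numbers (4 = warning, 5 = notice).
$rule = ['channel' => 'user', 'severities' => [4, 5], 'regex' => TRUE, 'rendered' => TRUE,
  'pattern' => '/^Login attempt failed for \S+/', 'negate' => '/for healthcheck\b/',
  'threshold' => 3, 'window' => 60, 'cooldown' => 300];

// Constructed log entries (time in seconds, message template plus placeholder variables).
$mk = fn(int $t, string $user, string $ch = 'user') => ['time' => $t, 'channel' => $ch,
  'severity' => 5, 'message' => 'Login attempt failed for %user.', 'variables' => ['%user' => $user]];
$entries = [$mk(0, 'alice'), $mk(20, 'bob'), $mk(30, 'eve', 'php'), $mk(40, 'carol'),
  $mk(50, 'dave'), $mk(400, 'erin'), $mk(410, 'healthcheck'), $mk(420, 'frank'), $mk(430, 'grace')];

print_r(evaluate($rule, $entries));
```

With `'rendered' => FALSE` the negate pattern in this sketch never matches, because the raw template contains `%user` rather than the user name; the choice between raw and rendered matching decides which patterns can work at all.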

Post-Installation

After enabling the module:

1. Ensure the Database Logging (dblog) module is enabled.
2. Go to Administration > Configuration > System > Log Alert Rules.
3. Create one or more alert rules for the log channels and severities you care about.
4. Test each rule against recent log entries before relying on it.
5. Configure email recipients and verify alert delivery in your environment.

Release Version 2.X - Monolog Support

Log Alert Rules 2.0 adds first-class support for sites running the
Monolog contrib module, and raises the minimum core version.

New: Monolog support

On a Monolog site, Drupal core's `logger.factory` is replaced and its
`addLogger()` is a no-op — so prior versions of Log Alert Rules received no log
records there. Rules could be created and tested against historical entries, but
nothing matched in real time and no alerts ever fired: a silent failure.

2.0 ships an optional sub-module, Log Alert Rules Monolog
(log_alert_rules_monolog). Enable it and Log Alert Rules behaves on a Monolog site exactly as it does anywhere else:

`drush en log_alert_rules_monolog`

It is zero-configuration. It wires the Log Alert Rules handler into every Monolog
channel and captures the raw message template and placeholder variables, so rule matching and email-placeholder substitution are identical to a non-Monolog site. It coexists cleanly with file-based Monolog log viewers (e.g. a
RotatingFileHandler).

If Monolog is enabled *without* the sub-module, the Status report
(Reports → Status report) shows a warning, so the situation is never silent.

Release version 2.1.0 - Slack Notification Support

Notification Targets & Slack. Notifications are now built around reusable Notification Targets: named destinations you define once and attach to any number of rules, cleanly separating how an alert is sent from where it goes. A single rule can now dispatch to several targets at once, so a critical alert can reach email and Slack simultaneously.

The optional Log Alert Rules Webhook sub-module adds a Slack channel — Block Kit messages posted via an incoming webhook, with the URL stored securely through the Key (https://www.drupal.org/project/key) module — making Slack a dependable out-of-band channel for alerting even when mail/SMTP is the thing that's failing. Any target can be enabled or disabled with one click to mute that destination across every rule at once, and existing per-rule email settings migrate automatically on update.

Roadmap

- Monolog support via an optional sub-module — sites running the
Monolog contrib module currently do not receive log records.

- More notification channels beyond email — Slack, Discord, MS Teams,
generic webhook. Plugin-based, so contributions welcome.
- Other logger-replacement integrations as demand emerges.

Security Policy

This module has been submitted as an example for review of maintainer code. The goal is to be able to place this module under security advisory coverage. The Drupal.org security advisory coverage application can be found here: https://www.drupal.org/project/projectapplications/issues/3586920
