Documentation Index

Fetch the complete documentation index at: https://kb.kentik.com/llms.txt

Use this file to discover all available pages before exploring further.

Alerting

Prev Next

This article discusses Kentik’s Alerting systems, which analyze your network traffic and detect anomalous patterns that might represent threats to availability or performance.

Overview of active alerts with severity levels and metrics in the alerting dashboard.

Triggered based on policy settings, alerts provide details on anomalous network activity or state.

Kentik’s Alerting systems include both the main policy-based alerting system, which is the focus of this set of articles, and a synthetics-specific alerting system:

  • Policy-Based Alerting: Uses policies of various types to define conditions for alerting:

    • Policies are managed with the portal’s Alert Policies settings page, accessed via  Settings » Alert Policies in the portal’s main nav menu.

    • Includes thresholds for triggering an alarm and actions (notifications and/or mitigations) when “alarm state” is entered.

    • View and manage policy-based alerts on the Alerting Page, accessed via the portal’s main nav menu.

  • Synthetics Alerting: Kentik’s Synthetics testing includes an alerting system that generates alerts based on test results:

Policy Types

When a policy is created, either by a Kentik user or automatically via Alert Policy Templates, it is categorized into one of two primary architectures: Flow or NMS policy types.

The policy type dictates what data is evaluated, how it triggers, and where the resulting alerts appears in the portal. All policies are managed (added, cloned, edited) via the Settings » Alert Policies page in the Kentik portal.

Flow Policies

Flow policies (Protect and Traffic) use comparative evaluations to monitor network traffic data, such as NetFlow or VPC flow logs. When the current traffic matches the conditions defined in your policy thresholds, it triggers an alert (entering an ALARM state) and can initiate automated actions like notifications and DDoS mitigations.

Policy Type

Description

Where Created

Appears on DDoS Defense Page?

Protect

Detects traffic patterns indicating potential attacks (e.g., SYN floods, amplified reflections).

Add Alert Policy page

Yes

Traffic

Detects standard traffic patterns, flow rate thresholds, and fluctuations.

Add Alert Policy page, Data Explorer

No

NMS Policies

NMS (Network Monitoring System) policies are metrics-based and built on Kentik NMS. They evaluate performance data to alert you when a monitored entity, such as a device, interface, or BGP neighbor, becomes unhealthy or drops below a specific baseline.

Note: All NMS policies are created on the Add Alert Policy page and only appear on the main Alert Policies list, never on the DDoS Defense page.

Policy Type

Description

Agent

Agent health (e.g., resource usage, status).

Agent Capability

Capability health (e.g., enablement, status).

BGP Neighbor

BGP peering session states and metrics (e.g., session state changes, advertised prefixes).

Component

Device component states and metrics (e.g., CPU, power supply).

Device

System-level device states and metrics (e.g., up/down status, CPU/memory).

Event

SNMP traps or syslog messages filtered via regex.

Interface

Interface states and counter metrics (e.g., oper status, traffic spikes).

Classic Threshold

Rolling window aggregations and classic baselines (average-over-time thresholds).

Custom

Any NMS measurement, including cloud and custom metrics from integrations.

Note: The filters on the Alert Policies and Alert Policy Templates pages determine which of these policy types appear in your active lists.