Monitoring & Alerting

KoreShield includes a production-grade monitoring system with Prometheus metrics export, rule-based alerting, and multi-channel notifications.

Prometheus Metrics

Access metrics at GET /metrics in Prometheus exposition format.

Available Metrics

Metric	Type	Labels	Description
`koreshield_requests_total`	Counter	`method`, `endpoint`, `status`	Total requests processed
`koreshield_requests_duration_seconds`	Histogram	`method`, `endpoint`	Request duration
`koreshield_attacks_detected_total`	Counter	`attack_type`, `severity`	Attacks detected
`koreshield_requests_blocked_total`	Counter	`reason`	Requests blocked
`koreshield_provider_requests_total`	Counter	`provider`, `status`	Requests sent to providers
`koreshield_provider_latency_seconds`	Histogram	`provider`	Provider response latency
`koreshield_active_connections`	Gauge	-	Active connections
`koreshield_memory_usage_bytes`	Gauge	-	Memory usage
`koreshield_cpu_usage_percent`	Gauge	-	CPU usage

Alert Rules

Define alert rules in the KoreShield Dashboard (hosted) or your deployment configuration (self-hosted). Rules are evaluated periodically against collected metrics.

# Self-hosted example
alerting:
  enabled: true
  rules:
    - name: "High Attack Rate"
      condition: "attacks_detected > 10"
      severity: "warning"
      channels: ["email", "slack"]
      cooldown_minutes: 5
    - name: "Provider Down"
      condition: "healthy_providers == 0"
      severity: "critical"
      channels: ["email", "webhook", "pagerduty"]
      cooldown_minutes: 10

Condition DSL

Alert conditions use a safe expression parser (no eval). Supported:

Comparisons: >, >=, <, <=, ==, !=
Boolean logic: and, or, not
Arithmetic: +, -, *, /, %
Metric variables: attacks_detected, healthy_providers, requests_total, etc.

Severity Levels

info - informational, no action needed
warning - investigate soon
error - requires attention
critical - immediate action required

Alert Channels

Email

email:
  enabled: true
  smtp_server: "smtp.gmail.com"
  smtp_port: 587
  use_tls: true
  username: "alerts@example.com"
  from_address: "alerts@koreshield.com"
  recipients: ["security@yourcompany.com"]

Slack

slack:
  enabled: true
  webhook_url: "https://hooks.slack.com/services/YOUR/SLACK/WEBHOOK"

Microsoft Teams

teams:
  enabled: true
  webhook_url: "https://your-org.webhook.office.com/webhook/YOUR-TEAMS-WEBHOOK"

PagerDuty

pagerduty:
  enabled: true
  routing_key: "your-pagerduty-routing-key"

Generic Webhook

webhook:
  enabled: true
  url: "https://your-webhook-url.com/alert"

Monitoring Loop

When monitoring.enabled is true, the system runs a background loop at the configured interval:

monitoring:
  enabled: true
  check_interval_seconds: 60

Each cycle:

Collects current metrics (requests, attacks, errors, connections)
Evaluates all enabled alert rules
Sends notifications via configured channels (respecting cooldown)

Settings for full config reference
REST API for the /metrics endpoint
WebSocket for real-time event streaming

Prometheus Metrics​

Available Metrics​

Alert Rules​

Condition DSL​

Severity Levels​

Alert Channels​

Email​

Slack​

Microsoft Teams​

PagerDuty​

Generic Webhook​

Monitoring Loop​

Related Docs​