My Alerting Strategy: Getting the Right Alerts to the Right People

Alright, folks. Chris Wade here, back at it for agntlog.com. Today, we’re diving deep into something that, frankly, keeps me up at night. And I don’t mean the latest season of that sci-fi show – I mean the quiet dread that comes from a system that seems fine but is actually a ticking time bomb. We’re talking about alerting, specifically, the art and science of getting the right alerts to the right people at the right time. Because let’s be honest, a good alerting strategy is the difference between a minor hiccup and a full-blown, hair-on-fire incident.

The year is 2026. Everything is distributed, everything is microservices, and every third Tuesday, some new hotness drops that promises to solve all your monitoring woes. But at the end of the day, when things go sideways, it’s not the fancy dashboards that wake you up – it’s the alert. And if that alert is garbage, you might as well have stayed asleep. Or worse, ignored it.

I’ve seen it all, from the “every single error is a P1” panic-inducing firehose to the “we only alert when the database is completely offline” ostrich approach. Both are terrible. The first leads to alert fatigue, where engineers become so desensitized that they start treating critical alerts like spam. The second leads to users discovering your problems before you do, which is, universally, a bad look. My mission today is to help you find that sweet spot, that Goldilocks zone of alerting that actually helps you manage your agent fleet effectively.

The Alerting Trap: Why We Get It Wrong So Often

Let’s be real. Nobody wants bad alerts. But they happen. Why? A few reasons come to mind:

• The “More is Better” Fallacy: We configure every possible metric to trigger an alert, thinking we’re being thorough. Instead, we create noise.
• The “Set it and Forget it” Mentality: Alerts are configured during initial setup and then never revisited, even as system behavior changes or new components are introduced.
• Lack of Context: An alert fires, but it tells you nothing about the why. Is it a transient network glitch? A widespread service outage? A single misbehaving agent?
• Improper Triage: Alerts go to a general mailbox or a single team, regardless of who actually owns the component or can fix the problem.
• False Positives and Negatives: The classic dilemma. Too many false positives erode trust. Too many false negatives mean you’re flying blind.

I remember one particularly brutal incident a few years back. We had a new agent deployment going out to a subset of our customers. Everything looked green on the surface. Our general “agent health” dashboard was happy. Then, a customer called, furious, saying their data wasn’t showing up. Digging in, we found a very specific type of error log – a custom application error from the agent itself, not a system-level error. Our generic CPU/memory alerts weren’t firing because the agent was still “running,” just not doing its job correctly. We had overlooked alerting on application-specific metrics. It was a painful lesson in the difference between “alive” and “healthy.”

Beyond Uptime: Alerting on What Truly Matters

So, how do we fix this? We start by shifting our focus from simply “is it running?” to “is it doing what it’s supposed to do, and doing it well?” For agent monitoring, this means thinking about the full lifecycle and purpose of your agents.

1. Functionality Alerts: Is the Agent Doing Its Job?

This is where my anecdote above comes in. An agent can be up, consuming resources, but if it’s not collecting data, processing tasks, or communicating back to the central server, it’s effectively dead. Think about:

• Data Ingestion Rate: Is the agent sending data at the expected frequency and volume? A sudden drop could indicate a problem.
• Task Completion Status: If your agents perform specific tasks (e.g., file transfers, script executions), are those tasks succeeding? Are there timeouts?
• API Call Success Rate: For agents that communicate via APIs, monitor the success rate of those calls. A spike in 5xx errors from an agent is a huge red flag.
• Custom Application Metrics: This is huge. If your agent is a custom piece of software, instrument it! Expose metrics specific to its internal workings – queue sizes, processing times for internal modules, specific error counters.

Let’s say you have an agent that’s supposed to periodically upload log files. You could set up an alert like this:

# Prometheus/Alertmanager example
groups:
- name: agent-log-upload-alerts
 rules:
 - alert: AgentLogUploadStalled
 expr: sum(rate(agent_log_upload_total{status="success"}[5m])) by (agent_id) < 0.1 and on(agent_id) agent_info_up{job="log_agent"} == 1
 for: 15m
 labels:
 severity: critical
 annotations:
 summary: "Log upload stalled for agent {{ $labels.agent_id }}"
 description: "Agent {{ $labels.agent_id }} has not successfully uploaded logs for 15 minutes, but the agent process is still reporting as up. Investigate agent logs for specific errors."

This alert fires only if a specific agent, known to be running, hasn’t reported a successful log upload in 15 minutes. It’s targeted and provides context.

2. Resource Alerts: Is the Agent Misbehaving?

These are the classic CPU, memory, disk, and network alerts. While not always indicative of a functional problem, they can point to resource leaks, runaway processes, or contention issues that will eventually impact functionality. The key here is proper thresholds and baseline awareness.

• CPU Usage: High CPU can mean a runaway process or simply a busy agent. Differentiate between sustained high usage and transient spikes. Alert on sustained high usage relative to its baseline.
• Memory Usage: Gradual memory creep is often a sign of a leak. Alert on memory usage approaching system limits, but also consider alerting on a significant percentage increase over a recent baseline.
• Disk I/O: High disk I/O could impact the host system or indicate the agent is thrashing.
• Network Throughput/Errors: Unexpectedly high network usage could mean data exfiltration or misconfiguration. High network errors could indicate connectivity issues.

For instance, an alert for memory usage might look like this, but with a crucial difference:

# Prometheus/Alertmanager example (simplified)
groups:
- name: agent-resource-alerts
 rules:
 - alert: AgentHighMemoryUsage
 expr: (node_memory_MemTotal_bytes - node_memory_MemAvailable_bytes) / node_memory_MemTotal_bytes * 100 > 85 and on(instance) node_namespace_pod_container:container_memory_usage_bytes:sum{container="your-agent"} > 0
 for: 10m
 labels:
 severity: warning
 annotations:
 summary: "Agent {{ $labels.instance }} on host {{ $labels.instance }} is using high memory"
 description: "Agent container for {{ $labels.instance }} is using over 85% of available memory for 10 minutes. Investigate for memory leaks or increased workload."

Notice the second part of the expression: and on(instance) node_namespace_pod_container:container_memory_usage_bytes:sum{container="your-agent"} > 0. This ensures we’re only alerting on actual agent containers, not just any process on the host, and helps filter out noise if the host has other services. This context is vital.

3. Connectivity & Health Alerts: Is it Even There?

These are your basic “is it alive?” checks. While simple, they’re foundational. But even here, there’s nuance.

• Agent Heartbeat: If your agents send regular heartbeats, monitor for their absence. A missing heartbeat is often the first sign of a truly dead agent.
• Process Status: Is the agent process actually running on the host? If it’s not, you’ve got a problem.
• Log Volume/Error Rates: While not strictly a connectivity alert, a sudden cessation of logs from an agent could mean it’s dead or disconnected. Conversely, a massive spike in error logs is a clear sign of distress.

My advice here is to layer these alerts. A missing heartbeat is often a critical alert. A sudden drop in log volume might be a warning, prompting a check before it becomes a full outage.

The Human Element: Routing and Escalation

Even the best alerts are useless if they don’t reach the right person in time. This is where your on-call rotations, escalation policies, and communication channels come into play.

• Severity Levels: Not all alerts are created equal. Use clear severity levels (info, warning, critical) and map them to different notification methods and escalation paths. A critical alert might page someone immediately. A warning might go into a Slack channel for review during business hours.
• Targeted Routing: Who owns the component the agent is monitoring or the agent itself? Alerts related to a specific agent type or customer environment should go to the team responsible for that. Don’t send everything to the central operations team if a development team can fix it faster.
• Context in Notifications: When an alert fires, the notification shouldn’t just be “Agent X is down.” It should include:
  • What is affected (e.g., “Log collection for Customer Y”)
  • Where it’s affected (e.g., “Agent ID Z on Host A”)
  • Why it’s firing (e.g., “No successful log uploads in 15 minutes”)
  • Links to relevant dashboards or runbooks.
• Deduping and Suppression: If 100 agents go down because of a network issue, you don’t need 100 individual alerts. Alert on the root cause (the network issue) and suppress the individual agent alerts. Alerting tools like Alertmanager excel at this.

I once worked on a system where every single alert, regardless of severity, went to the primary on-call engineer’s pager. You can imagine the burnout. We implemented a tiered system: PagerDuty for critical, Slack for warnings, and email for informational. It drastically reduced false alarms interrupting sleep and allowed the team to focus on real issues.

Actionable Takeaways for Better Agent Alerting

1. Define “Healthy” for Each Agent Type: Go beyond “up.” What specific metrics truly indicate your agent is performing its intended function?
2. Instrument Your Agents: If your agents are custom, add application-specific metrics and expose them. This is non-negotiable for robust alerting.
3. Baseline, Then Alert: Understand normal behavior. Alert on deviations from the baseline, not just arbitrary static thresholds.
4. Layer Your Alerts: Combine different types of alerts (functionality, resource, connectivity) to build a comprehensive picture.
5. Prioritize and Route Thoughtfully: Map alert severities to impact and ensure notifications reach the right team with sufficient context.
6. Regularly Review and Refine: Your systems evolve, and so should your alerts. Conduct post-mortems on incidents to identify alerting gaps. Periodically review your alert definitions to ensure they’re still relevant and not generating false positives.
7. Embrace Observability Tools: While this article focuses on alerts, good alerts rely on good data. Invest in robust logging and metrics collection tools to give your alerts the foundation they need.

Alerting isn’t a “set it and forget it” task. It’s an ongoing process of refinement, learning, and adaptation. But by focusing on what truly matters – the functionality and health of your agents – and by being thoughtful about how and when you notify, you can turn the quiet dread of the unknown into the quiet confidence that comes from knowing your systems are being watched, and you’ll be the first to know when they need your attention. Until next time, keep those agents humming, and your alerts intelligent!

🕒 Published: May 18, 2026