> For the complete documentation index, see [llms.txt](https://docs.portainer.io/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://docs.portainer.io/sts/user/alerting/alerting-rules.md). # Alerting rules The tables below list each available alert rule with a description of what it monitors, whether it is editable, and the set conditions - or default conditions - required to trigger it.
### Portainer | Rule | Description | Trigger details | | -------------- | ------------------------------------ | ------------------------------------------------------------------------------------------------------------------- | | Backup Failure | Alert when a backup operation fails. |

Not editable.
Triggers a critical alert for 1 failed backup operation.

| ### Security | Rule | Description | Trigger details | | ------------------------------------------ | ------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | Brute Force Attack | Alert on a specified number of authentication failures in a specified amount of time. |

Editable.
Defaults to critical when there is over 150 failed authentications over a 5-minute window.

| | High Authentication Failures (Single User) | Alert when a single users authentication fails exceed a specified amount in a specified amount of time. |

Editable.
Defaults to warning when a single user fails authentication over 10 times in a 5-minute window.

| | TLS Certificate Expired | Alert when TLS certificate for Portainer has expired. |

Not editable.
Triggers a critical alert for a expired TLS certificate.

| ### Environment | Rule | Description | Trigger details | | ----------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | Environment Down | Alert when an environment becomes unhealthy or down (status 2). |

Not editable.
Triggers a critical alert for 1 down or unhealthy environment.

| | Environment High CPU Usage % | Alert when environment CPU usage exceeds the configured threshold. |

Editable for each severity.
Defaults to:
- Critical at 95% CPU usage,
- Warning at 85% CPU usage,
- Info at 70% CPU usage.

| | Environment High Memory Usage % | Alert when environment memory usage exceeds the configured threshold. |

Editable for each severity.
Defaults to:
- Critical at 95% memory usage,
- Warning at 85% memory usage,
- Info at 70% memory usage.

| | Environment High Network Usage (Inbound and Outbound) | Alert when environment network usage exceeds the configured threshold in the specified amount of time. |

Editable for each severity.
Defaults to:
- Critical at 1 GB usage,
- Warning at 500 MB usage,
- Info at 200 MB usage
in less that 15 minutes.

| | Etcd Unhealthy | Alert when the Kubernetes API server cannot reach etcd. Use of this alert requires a standard etcd setup - the API server must connect to etcd over a real network or local socket. Not reliable on distributions that use SQLite as the backing store (such as single-node k3s or k0s), as those always report etcd as healthy regardless of storage state. Check your distribution's documentation before enabling. |

Editable.
Defaults to critical when the Kubernetes API server cannot reach etcd for 5 minutes.

| | Kubernetes API Server TLS Certificate Expiry | Alert when the Kubernetes API server TLS certificate expires within the configured number of days. |

Editable for each severity.
Defaults to:
- Critical at 7 days until expiry,
- Warning at 14 days until expiry.

| | Kubernetes API Server Unhealthy | Alert when the Kubernetes API server reports unhealthy on its liveness probe `/livez`. This detects a degraded-but-running API server. |

Editable.
Defaults to critical when the Kubernetes API server reports unhealthy for 5 minutes.

| | Kubernetes API Server High Request Latency | Alert when Kubernetes API server internal request latency exceeds the configured threshold. |

Editable for each severity. Defaults to:
- Critical when internal request latency exceeds 4 seconds,
- Warning when it exceeds 2 seconds
For more than 5 minutes.

| | Node NotReady | Alert when a node is NotReady for the configured duration. Cordoned nodes are excluded. |

Editable.
Defaults to critical when the node is NotReady for 5 minutes.

| --- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter, and the optional `goal` query parameter: ``` GET https://docs.portainer.io/sts/user/alerting/alerting-rules.md?ask=&goal= ``` `ask` is the immediate question: it should be specific, self-contained, and written in natural language. `goal` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.