
Monitoring the usage of your web API

At my previous job we would sometimes have an overloaded web API and would need to grep through endless log output to find the culprit. Most of the time it turned out to be a misbehaving client, which was for example updating something every second instead of every hour. Do you monitor for things like this? How?

  1. 3

    A simple way to detect/alert on misbehaving clients is to implement rate limiting for your API and then add an alert when a rate limit is hit.

    1. 1

      Simple but effective, thanks!

  2. 2

    We log everything to our cloud provider, and then have a worker scan every log message and alert on expected problems. Our solution usually looks like this: Monitoring and logging levels.

    1. 1

      Interesting, thank you! Does it also recognize "over usage" or misbehaving clients such as in my example? It seems pretty difficult to me to automate that. Would a kind of dashboard be possible?

      1. 2

        We put AWS CloudFront in front of our APIs, and then we use:

        • WAF which is a global rate limiter for really bad clients
          AND
        • CF logs which record who the user is (as we require authentication on our APIs)

        We write the results to our database when the logs show up and then "do things" with the resultant data.

        1. 1

          Sounds handy, thanks! I want to avoid using Amazon/Google/Microsoft, so I'll have to search for other solutions.

          1. 2

            That's going to be hard to justify, especially for an indie hacker. For CDN/WAF protection, Cloudflare also offers a solution.

  3. 1

    A bezel of a monitor is the border between the screen and frame of a computer, smartphone, or any other computing device. It is present there to protect the edges of the display from getting chipped or damaged. bezel-less monitor reviews

  4. 1

    I want to implement something similar. Just wanted to check: has anyone used Apigee proxy for their APIs?

  5. 1

    Here are some things we put in place to keep our API ecosystem solid:

    • WAF Protection - such as Cloudflare.
    • Rate Limiting based on IP. Sometimes users are testing and don't mean to send 1,000 requests a second - you need to protect both them and yourself by putting in a reasonable limit over x time period.
    • Alerts and reports - if a rate limit is hit, alert both your user and internally. Also a daily report of who are your most active users is valuable.

    If you want a 3rd party service to manage your API, I've used Apigee and I know AWS has one too.

    1. 1

      @gbourne Is the rate limiting feature based on IP reliable? Or are there any problems?

      1. 2

        We have our rate limiting in house and are not using Cloudflare or another provider. Something like AWS API Gateway can do the rate limiting if you want.

        1. 2

          I'm on GCP. Just wondering if Cloudflare's or any service which rate limits based on IP address is good enough for production. Won't AWS gateway charge for blocked requests (which are rate limited)?

    2. 1

      Thanks! Did you like Apigee?

      1. 1

        It is great, but not cheap.
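
An added example, not code from any commenter in this thread: the "rate limit, then alert when the limit is hit" approach suggested above, replayed over parsed log records, plus the per-client request count behind a "most active users" report. The record format, the limit and window values and the client names are assumptions; the key can be an IP address or an authenticated user ID.

```python
from collections import Counter, defaultdict, deque

# Constructed sample: (unix_timestamp, client_key) pairs, as a log worker might
# extract them from access logs. "client-b" sends one request every second.
SAMPLE = [(1000 + i, "client-b") for i in range(30)] + [
    (1000, "client-a"), (1010, "client-c"), (1025, "client-a"),
]

def scan(records, limit=10, window=20):
    """Replay records through a per-client sliding-window rate limiter.

    Returns (alerts, usage). alerts gets one (timestamp, client) entry each
    time a client goes from under the limit to over it; usage counts every
    request per client, including the ones that would have been rejected.
    """
    recent = defaultdict(deque)  # client -> timestamps of accepted requests
    limited = set()              # clients currently over the limit
    alerts, usage = [], Counter()
    for ts, client in sorted(records):
        usage[client] += 1
        q = recent[client]
        while q and q[0] <= ts - window:  # drop timestamps outside the window
            q.popleft()
        if len(q) >= limit:
            if client not in limited:     # alert once per episode, not per request
                limited.add(client)
                alerts.append((ts, client))
            continue                      # a live limiter would answer HTTP 429 here
        limited.discard(client)
        q.append(ts)
    return alerts, usage

if __name__ == "__main__":
    alerts, usage = scan(SAMPLE)
    for ts, client in alerts:
        print(f"ALERT t={ts} client={client} hit the rate limit")
    for client, count in usage.most_common(3):
        print(f"{client}: {count} requests")
```

Alerting only on the transition into the limited state keeps a client that polls every second from producing one alert per rejected request.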

  6. 1

    This comment was deleted 2 years ago.
