Luzilla · xelite · Apr 12, 2024
diff --git a/README.md b/README.md
@@ -110,6 +110,47 @@ If the exporter is configured for DNS based blacklists, the ip label represents
 
 If you happen to be listed — inspect the exporter's logs as they will contain a reason.
 
+#### Alerting                                                                                                                                                                                                      
+
+Example prometheus alerts.
+
+##### prometheus
+```yaml
+alerts:
+  groups:
+    - name: dnsbl-exporter
+      rules:
+        - alert: DnsblRblListed
+          expr: luzilla_rbls_ips_blacklisted > 0 
+          for: 15m 
+          labels:
+            severity: critical
+          annotations:
+            description: Domain {{ $labels.hostname }} ({{ $labels.ip }}) listed at {{ $labels.rbl }}
+            summary: Domain listed at RBL 
+            runbook_url: https://confluence/display/runbooks/DnsblRBLListed+runbook
+```
+
+##### prometheus-operator
+```yaml
+apiVersion: monitoring.coreos.com/v1                                                                                                                                                                               
+kind: PrometheusRule
+metadata:
+  name: dnsbl-rules
+spec:
+  groups:
+    - name: dnsbl
+      rules:
+        - alert: DnsblRblListed
+          expr: luzilla_rbls_ips_blacklisted > 0 
+          for: 15m 
+          labels:
+            severity: critical
+          annotations:
+            description: '{{ $labels.hostname }} ({{ $labels.ip }}) has been blacklisted in {{ $labels.rbl }} for more than 15 minutes.'
+            summary: 'Endpoint {{ $labels.hostname }} is blacklisted'
+```
+
 ### Caveat
 
 In order to use the exporter, a _proper_ DNS resolver is needed. Proper means: not Google, not Cloudflare, nor OpenDNS or Quad9 etc..