Alert when host(server) is down

Hello everyone!

Could you please tell me if there are any ways to create an alert if some server is down or elastic-agent stopped sending logs to the Elastic

Hi @bex, Welcome to the Elastic Community.

If you're collecting system metrics using elastic agent or beats, you can just create a metric alert and there's an option to be alerted when it stops sending data.

Hello @ashishtiwari1993
Thanks for your reply.

Did I get it right that a metric alert can be used to trigger when a host stops sending data? If so, would I need to create a separate metric for each host? For example, if I have 10,000 hosts, is there any other way?

I think you can use just one rule and it will aggregate by host, but I do not use this.

There is an issue from 2020 about implementing a built-in alert feature for Fleet Managed Elastic Agents, it is this one: Provide Kibana Alerting functionality for Fleet · Issue #79310 · elastic/kibana · GitHub

Unfortunately it was closed because you can now alert based on count of active agents, but this does not work for most of the use cases.

There are some internal Enhancement Requests, but no change until now.

Not having built-in alert features if an agent is online or not is a huge miss in my opinion and none of the alternatives works well.

Have you tried this?

You can set up an alert to notify you when one or more Elastic Agents goes offline:

  1. In Kibana, navigate to Management > Stack Management > Rules.
  2. Click Create rule.
  3. Select Elasticsearch query as the rule type.
  4. Choose a name for the rule, for example Elastic Agent status.
  5. Select KQL or Lucene as the query type.
  6. Select DATA VIEW metrics-* as the data view.
  7. Define your query, for example: fleet.agents.offline >= 1.
  8. Set the alert group, threshold, and time window. For example:
  • WHEN: count()
  • OVER: all documents
  • IS ABOVE: 0
  • FOR THE LAST: 5 minutes
  This will generate an alert when one or more agents are reported by the fleet.agents.offline field over the last five minutes to be offline.
  9. Set the number of documents to send, for example:
  • SIZE: 100
  10. Set Check every to the frequency at which the rule condition should be evaluated. The default setting is one minute.
  11. Select an action to occur when the rule conditions are met. For example, to set the alert to send an email when an alert occurs, select the Email connector type and specify:
  • Email connector: Elastic-Cloud-SMTP
  • Action frequency: For each alert and On check intervals
  • Run when: Query matched
  • To:
  • Subject:
  12. Click Save.

The new rule will be enabled and an email will be sent to the specified recipient when the alert conditions are met.
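As an added example (not code from this thread, from Elastic, or from Kibana), the script below shows the two detection ideas discussed above in plain Python: the rule from the last post (count documents where `fleet.agents.offline >= 1` in the last five minutes, alert if the count is above 0) evaluated against constructed sample documents, and the per-host variant asked about earlier (one rule that groups by host instead of one rule per host), which flags any expected host whose newest event is older than the window or which never reported at all. The sample events, host names and timestamps are constructed; the query-DSL body is my own translation of the KQL query in the post and is an assumption, not something the thread states.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample data; field names follow ECS (@timestamp, host.name)
# and the fleet.agents.offline field named in the thread.
NOW = datetime(2024, 5, 1, 12, 5, 0, tzinfo=timezone.utc)  # constructed "now"
WINDOW = timedelta(minutes=5)                                # FOR THE LAST 5 minutes

FLEET_METRIC_DOCS = [  # constructed docs from a metrics-* style data view
    {"@timestamp": "2024-05-01T12:04:00Z", "fleet.agents.offline": 2},
    {"@timestamp": "2024-05-01T11:50:00Z", "fleet.agents.offline": 3},  # outside window
    {"@timestamp": "2024-05-01T12:02:00Z", "fleet.agents.offline": 0},  # no offline agents
]

HOST_EVENTS = [  # constructed per-host log/metric events
    {"@timestamp": "2024-05-01T12:00:10Z", "host.name": "web-01"},
    {"@timestamp": "2024-05-01T12:04:30Z", "host.name": "web-01"},
    {"@timestamp": "2024-05-01T11:52:00Z", "host.name": "web-02"},  # went quiet
    {"@timestamp": "2024-05-01T12:03:00Z", "host.name": "db-01"},
]

EXPECTED_HOSTS = ["web-01", "web-02", "db-01", "db-02"]  # db-02 never reports


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp as written in ECS documents."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def offline_agents_rule_body(window_minutes=5, size=100):
    """Query DSL equivalent of the post's rule (assumed translation of the KQL
    'fleet.agents.offline >= 1' plus the rule's time window and SIZE)."""
    return {
        "size": size,
        "query": {"bool": {"filter": [
            {"range": {"fleet.agents.offline": {"gte": 1}}},
            {"range": {"@timestamp": {"gte": f"now-{window_minutes}m"}}},
        ]}},
    }


def evaluate_offline_rule(docs, now, window, threshold=0):
    """Apply the rule locally: count docs inside the window with at least one
    offline agent; the rule fires when count() IS ABOVE threshold."""
    cutoff = now - window
    matching = [
        d for d in docs
        if parse_ts(d["@timestamp"]) >= cutoff and d.get("fleet.agents.offline", 0) >= 1
    ]
    return len(matching) > threshold, len(matching)


def last_seen_by_host(events):
    """Newest timestamp per host.name (what a per-host aggregation would give)."""
    seen = {}
    for e in events:
        ts = parse_ts(e["@timestamp"])
        host = e["host.name"]
        if host not in seen or ts > seen[host]:
            seen[host] = ts
    return seen


def silent_hosts(events, expected_hosts, now, window):
    """Hosts that have not reported within `window` before `now`.

    Grouping by host only sees hosts that sent something; passing the list of
    expected hosts is what catches a host that has never reported at all,
    which is exactly the case a single 'no data' rule can miss.
    Returns {host: last_seen_or_None}.
    """
    seen = last_seen_by_host(events)
    cutoff = now - window
    return {h: seen.get(h) for h in expected_hosts
            if seen.get(h) is None or seen[h] < cutoff}


if __name__ == "__main__":
    fires, count = evaluate_offline_rule(FLEET_METRIC_DOCS, NOW, WINDOW)
    print(f"offline-agent rule fires={fires} (matching docs: {count})")
    for host, last in silent_hosts(HOST_EVENTS, EXPECTED_HOSTS, NOW, WINDOW).items():
        print(f"silent host: {host} (last seen: {last.isoformat() if last else 'never'})")
```

The rule body function exists so the local evaluation can be compared with what the Elasticsearch query rule would run; the per-host function is the part that addresses the 10,000-host question, since one evaluation covers every host and the expected-host list is the only extra input needed to notice a host that has gone completely dark.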