Alert when Log Source last event received is < 24 Hours

Hello All,

I'm trying to create an alert when a log source's last event received is < 24 hours, or a dashboard which displays log sources that have not been sending logs in the last 24 hours.

I was able to build a dashboard with the latest event received timestamp, but I was not able to compare the timestamp, like -- timestamp < 24 hours.

The idea is to identify the log stoppages - the hosts not sending logs to the SIEM.

Any ideas on achieving this are appreciated.

Thanks

Hi @Shinej

There is a pretty cool way to do this using a latest transform with the host.name

Take a look at this; this particular example is about users.

But I actually did this same thing for last log from each host.

Basically the latest transform just keeps the latest log from each host.

Then you can just check / alert on which hosts have not reported in during the last 24 hours.
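The latest-transform approach described in this answer, as an added example that is not part of the thread and not the poster's own setup: it builds the transform body keyed on host.name, the search body that returns hosts whose newest event is older than 24 hours, and an offline check over constructed sample documents (index names, transform id and sample data are assumptions).

```python
"""Added example (not from the thread): a latest transform keyed on host.name,
plus the query that finds hosts whose newest event is older than 24 hours.
Index names, transform id and the sample documents are assumptions."""
import json
from datetime import datetime, timedelta, timezone


def latest_transform_body(source_index="logs-*", dest_index="host-latest"):
    """Body for PUT _transform/host-latest: keeps one doc per host.name, the newest event."""
    return {
        "source": {"index": source_index},
        "latest": {"unique_key": ["host.name"], "sort": "@timestamp"},
        "dest": {"index": dest_index},
        "frequency": "5m",
        # continuous mode: re-check every 5 minutes, tolerate 60s of ingest lag
        "sync": {"time": {"field": "@timestamp", "delay": "60s"}},
    }


def stale_hosts_query(max_age="24h"):
    """Body for GET host-latest/_search: hosts whose latest event is older than max_age."""
    return {"size": 1000, "_source": ["host.name", "@timestamp"],
            "query": {"range": {"@timestamp": {"lt": f"now-{max_age}"}}}}


def stale_hosts(latest_docs, now, max_age=timedelta(hours=24)):
    """Offline equivalent of the query, evaluated over the per-host docs the transform writes."""
    cutoff = now - max_age
    return sorted(d["host"]["name"] for d in latest_docs
                  if datetime.fromisoformat(d["@timestamp"].replace("Z", "+00:00")) < cutoff)


# Constructed sample of what the transform's destination index might hold.
NOW = datetime(2024, 5, 2, 12, 0, tzinfo=timezone.utc)
SAMPLE_LATEST = [
    {"host": {"name": "web-01"}, "@timestamp": "2024-05-02T11:55:00Z"},  # healthy
    {"host": {"name": "db-01"}, "@timestamp": "2024-04-30T09:00:00Z"},   # silent > 24h
    {"host": {"name": "fw-01"}, "@timestamp": "2024-05-01T12:30:00Z"},   # silent 23.5h, not yet
]

if __name__ == "__main__":
    print(json.dumps(latest_transform_body(), indent=2))
    print(json.dumps(stale_hosts_query(), indent=2))
    print("stale hosts:", stale_hosts(SAMPLE_LATEST, NOW))  # ['db-01']
```

Point a threshold rule or a dashboard at the destination index with that range query; because the transform holds exactly one document per host, the result set is the list of silent hosts.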
