Best approach to monitor a Linux Service with the Elastic Agent?

fer.mt · February 4, 2026, 6:05pm

Hello!
I have a software that is critical for us so we want to monitor its availability. We want to start by monitoring the process/service that it creates when running. The software runs on Linux systems. Currently, I have install the elastic agent and configured the policy to retrieve System process metrics.

And I am in fact receiving document when the process(BESClient specifically) is running. However, I need to create a monitor rule that triggers when the process is not running. I tried defining a rule to alert me when there was 1 or less documents in the last 5min but that doesn’t trigger anything.

How can I accomplish this?

Tortoise · February 5, 2026, 2:04am

Hello @fer.mt

Welcome to the Community!!

Below few pointers could help to understand & troubleshoot further :

Could you please share what is the time duration used to monitor this service? Last 5/10/15/30 minutes?

Can you try executing the query in the Discover tab to see what is the output for the query and the records that are returned?

Ideally if the service is down & there is no record for this process your alert should trigger when you check say for last 5/10 min but if time duration is 24 hours than the rule might not trigger as older records will satisfy the condition.

Thanks!!

fer.mt · February 5, 2026, 4:46pm

I am using Last 5 minutes.
There are no results for the agent when the process is not running, results come back once I re-enable the process.
I enabled the option “Alert me if there's no data” and that will trigger the alert in Elastic.
Is that a good approach?

fer.mt · February 5, 2026, 5:20pm

Update: My approach worked when there is one single agent in the Fleet policy, once I added a second one the alert rule doesn’t trigger. Even though I group by host.name the alerts.
I think it is not working because while the process is not running on one of the hosts it is running on the other and the query is indeed returning results.

Is there any approach to this?

Tortoise · February 6, 2026, 5:27pm

Hello @fer.mt

It seems the alert does not trigger as there are no records to group by , if the record exists & condition meets than it uses group by so say the usecase will be hostname is sending up/down messages & if down, group by hostname in this scenario it will create trigger for different hostnames. In your case since the record is not received say for 4/5 hostname it will not be able to throw alert for 4 hostnames.

One way is using Watcher similar usecase :

You will have to add all the hostnames in an array for which you expect a record [ ] & if count is 0 for any of the host it will add that in the list for missing hostnames.

Example in case of kibana data : kibana_sample_data_ecommerce

Output when it checks for last 15 minutes record received has count < 1 group by Gender :

   "missing_gender": [
              "FEMALE"
            ],
            "seen_gender": [
              "MALE"
            ]
          }

Thanks!!

Topic		Replies	Views
Alert when host(server) is down Elastic Agent	4	701	November 21, 2024
Is it possible to create an alert in case an Elastic Agent goes offline? Elastic Agent elastic-stack-alerting	3	1178	December 9, 2023
How to create a watcher alert if a specific service goes down on a system which is monitored using metricbeat agent? Elasticsearch elastic-stack-alerting	5	1924	August 12, 2021
Kibana watcher alerting for Elastic agents Kibana elastic-stack-alerting	1	166	September 13, 2023
Monitoring Process in Windows Beats elastic-agent	3	1263	October 26, 2021

Best approach to monitor a Linux Service with the Elastic Agent?

Related topics