I'm using Elastic Agent with Fleet and I can see the agent status (e.g., healthy, offline) from the Fleet → Agents UI in Kibana.
Now, I want to create an alert that triggers when an agent goes offline for more than 15 minutes. Ideally, I'd like to:
Automatically detect this using the agent’s status in Fleet
Set up an alert rule in Kibana (Stack Management → Rules)
Optionally get notified via email or Slack when an agent status changes to offline
I’m aware that Fleet stores metadata in the .fleet-agents and .fleet-agent-events indices, but I’m not sure what the recommended approach is for alerting on offline agents.
Can anyone from the community or Elastic team guide me on:
Best practices for alerting on offline agent status
Whether querying .fleet-agents directly for status: "offline" is stable and recommended
Whether there's a built-in rule type or future feature planned to support this natively in Fleet
Any help, shared rule examples, or recommended methods would be greatly appreciated!
Considering that Fleet unfortunately still does not have any built-in alerts for individual agents, I don't think that there are any recommended approaches on how to alert on offline agents.
So you may use what works better for you.
There is nothing official, so you need to build some custom monitoring by doing queries on the fleet internal indices or using the Fleet API.
I use the Fleet API to get information about the agents and index it on a custom index, then I create alerts on the data of this custom index.
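The poll-and-index approach described above, written out as an added Python example (not the poster's own code). The Kibana URL, API key, custom index name and the Fleet API field names used here (status, last_checkin, policy_id, local_metadata.host.hostname) are assumptions; the script snapshots every agent returned by GET /api/fleet/agents into a custom index with a precomputed offline_over_threshold flag, so a Kibana rule only has to match that field.

```python
import json
import urllib.request
from datetime import datetime, timedelta, timezone

# Placeholders (assumed, not from the thread): Kibana URL, Fleet-read API key, target index.
KIBANA_URL = "https://kibana.example.internal:5601"
API_KEY = "<fleet-read-api-key>"
CUSTOM_INDEX = "fleet-agent-status"
OFFLINE_THRESHOLD = timedelta(minutes=15)

# Constructed sample shaped like the Fleet API "items" array (field names assumed).
SAMPLE_AGENTS = [
    {"id": "a1", "status": "online", "last_checkin": "2024-05-01T12:00:00Z",
     "policy_id": "p1", "local_metadata": {"host": {"hostname": "web-01"}}},
    {"id": "a2", "status": "offline", "last_checkin": "2024-05-01T11:40:00Z",
     "policy_id": "p1", "local_metadata": {"host": {"hostname": "db-01"}}},
    {"id": "a3", "status": "offline", "last_checkin": "2024-05-01T11:50:00Z",
     "policy_id": "p2", "local_metadata": {"host": {"hostname": "log-01"}}},
]

def fetch_agents(kibana_url=KIBANA_URL, api_key=API_KEY, per_page=1000):
    """GET /api/fleet/agents from Kibana and return its 'items' list (needs network)."""
    req = urllib.request.Request(
        f"{kibana_url}/api/fleet/agents?perPage={per_page}",
        headers={"Authorization": f"ApiKey {api_key}", "kbn-xsrf": "true"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["items"]

def parse_utc(ts):
    """Parse an ISO-8601 timestamp like Fleet's last_checkin ('...Z') to aware UTC."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(timezone.utc)

def build_documents(agents, now_iso):
    """Flatten each agent into one document for the custom index. The boolean
    offline_over_threshold is the field a Kibana rule can filter on directly."""
    now, limit, docs = parse_utc(now_iso), OFFLINE_THRESHOLD.total_seconds() / 60, []
    for a in agents:
        mins = (now - parse_utc(a["last_checkin"])).total_seconds() / 60
        docs.append({"@timestamp": now.isoformat(), "agent_id": a["id"],
                     "hostname": a.get("local_metadata", {}).get("host", {}).get("hostname"),
                     "policy_id": a.get("policy_id"), "status": a["status"],
                     "minutes_since_checkin": round(mins, 1),
                     "offline_over_threshold": a["status"] == "offline" and mins > limit})
    return docs

def to_bulk_body(docs, index=CUSTOM_INDEX):
    """Serialize the documents as an Elasticsearch _bulk request body (NDJSON)."""
    lines = [json.dumps(x) for d in docs for x in ({"index": {"_index": index}}, d)]
    return "\n".join(lines) + "\n"
```

Run it from cron every few minutes and POST the bulk body to the cluster's _bulk endpoint; the Kibana rule then only needs to query the custom index for offline_over_threshold:true within the last run interval and route matches to the email or Slack connector.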
Thanks for sharing your approach!
Just to clarify — are you running the Fleet API queries on a scheduled basis (like via a cron job or scheduled task), or are you using something like Watcher or another tool to handle the automation? Would love to know what’s worked best for you in terms of keeping the data up-to-date.