Log Stoppage alert from critical server - ELK7.12

Hello Team,

Please help me to understand the best way to create a log stoppage alert for critical servers. It should be index-specific.
For example: Index "A" contains logs from 3 firewall devices: fw1, fw2, fw3.
I need to get an email alert if Elasticsearch stops receiving logs from any of the 3 firewalls for the last 10 minutes.

Can I use the Security > Detection > Threshold rule type for this, or
Observability > Logs > Alert?

Please help me with a sample.

Thanks in advance

Waiting for a feedback on above mentioned query.

I think you could create this alert with the index threshold alert.

The docs show an example similar to what you probably want. For yours, you'd want the condition to be the count of documents over a certain amount of time is zero (or less than you would expect).

The elasticsearch query alert is also available, which allows for more customized queries.

Thank you @Patrick_Mueller for the valuable feedback.

If I have 50 servers (50 hostname fields) in the index, and I want alerts if any of the servers stops sending logs for the last 30 minutes, can I use the index threshold alert as mentioned below?

INDEX Index_name
WHEN count()
GROUPED OVER top 50 'host.hostname'

Condition:
IS BELOW OR EQUALS 0
FOR THE LAST 30 minutes

Thanks in advance

I have tried the above logic and it's not triggering the alert when one of the hostnames stops sending logs for more than 30 minutes.

Ah, I think there will be a problem with this due to the lack of data from these servers, when they are down. Probably the best you can do is have an alert that checks if the count is below some expected level - and that would only alert for a while; after the hostname is no longer logging, the alert will presumably recover. It might be useful, hard to say. You could also look into using the elasticsearch query alerting rule type - if you could fashion a query that would return the info you want.

Have you looked into using Uptime Monitoring for this? Rather than use a general purpose alert, presumably an uptime alert may be more appropriate for this.

There is no option to aggregate the hostnames in the Elasticsearch query alerting rule type.

In Uptime Monitoring there is no option to query against specific indices.
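One way to detect the silent host the thread is after, as an added example that is not from the thread's participants or from Elastic: the set of hosts seen in the last 30 minutes is compared against a baseline set of expected hosts, because a host that sent nothing produces no bucket for a grouped `count() <= 0` condition to match. The query body, the `host.hostname` field and the 24h baseline window are assumptions, and the sample documents are constructed.

```python
"""Detect hosts that have stopped logging by comparing a baseline window
against a recent window. A grouped threshold rule on count() <= 0 can never
fire for a silent host: a host with no documents produces no bucket at all,
so the gap has to be computed against a list of expected hosts."""
from datetime import datetime, timedelta, timezone

def build_query(baseline="24h", recent="30m", size=50):
    """Hypothetical query body an Elasticsearch query rule or external script
    could run against the index: terms aggregation of host.hostname over the
    baseline window, with a sub-aggregation counting only recent documents."""
    return {
        "size": 0,
        "query": {"range": {"@timestamp": {"gte": f"now-{baseline}"}}},
        "aggs": {"hosts": {
            "terms": {"field": "host.hostname", "size": size},
            "aggs": {"recent": {"filter": {
                "range": {"@timestamp": {"gte": f"now-{recent}"}}}}}}},
    }

def silent_hosts(docs, now, baseline=timedelta(hours=24),
                 recent=timedelta(minutes=30)):
    """docs: iterable of (hostname, timestamp). Returns sorted hostnames that
    logged within the baseline window but not within the recent window.
    Caveat: a host silent for longer than the baseline drops out of the
    baseline set too, so the alert recovers on its own after that point."""
    seen_baseline, seen_recent = set(), set()
    for host, ts in docs:
        age = now - ts
        if age <= baseline:
            seen_baseline.add(host)
        if age <= recent:
            seen_recent.add(host)
    return sorted(seen_baseline - seen_recent)

def silent_hosts_from_agg(response):
    """Same logic applied to the aggregation response shape build_query yields."""
    return sorted(b["key"] for b in response["aggregations"]["hosts"]["buckets"]
                  if b["recent"]["doc_count"] == 0)

# Constructed sample: fw2 last logged 45 minutes ago, fw1 and fw3 are current
NOW = datetime(2021, 5, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_DOCS = [
    ("fw1", NOW - timedelta(minutes=2)),
    ("fw2", NOW - timedelta(minutes=45)),
    ("fw3", NOW - timedelta(minutes=5)),
    ("fw3", NOW - timedelta(hours=3)),
]

if __name__ == "__main__":
    print(silent_hosts(SAMPLE_DOCS, NOW))  # ['fw2']
```

Running the query on a schedule and alerting when the returned list is non-empty gives a per-host stoppage alert scoped to one index.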
