Query - How to monitor a process running on multiple hosts using Kibana Rules?

Hi, is there any way to monitor a process running on multiple remote hosts using Kibana Rules?

  1. I tried using the Metric threshold type of rule and was checking the number of documents related to the process to monitor whether the process is running or not (0 docs returned means the process is not running). I am facing a scenario here: when the process is not running the doc count will be zero and the rule should trigger an alert, but it does not, since it is not considering the doc count equal to 0 but instead treating the scenario as an exceptional case, i.e. no data found, and is not triggering an alert.

If you have any suggestions on how to handle this scenario it would be very helpful.

If your way is not working, I imagine that you could use an ingest pipeline (probably not the most beautiful solution) to check every document related to running processes and add a field that says process.type.alert: "True" if this is the process you want to have an alert on, and "False" on all the others. Then you would create a log threshold alert like this, but with "cisco.asa.rule_name" replaced by a field that relates to the process document and "log.level" replaced by "process.type.alert".

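The ingest pipeline the reply describes, as an added example that is not from the thread or from Elastic: it builds the two conditional `set` processors, shows the `_simulate` request used to check them before wiring up the Log threshold rule, and mirrors the condition in Python so the expected flag per document can be checked offline. Assumed: process documents carry ECS `process.name` and `host.name` (as Metricbeat's system.process metricset does); the process names, pipeline id and sample documents are constructed.

```python
import json
import urllib.request

MONITORED = ["sshd", "nginx"]           # constructed example process names
PIPELINE_ID = "flag-monitored-process"  # assumed pipeline id

def painless_condition(monitored):
    """Painless `if` condition: true when process.name is one of the monitored names."""
    names = ", ".join(f"'{n}'" for n in monitored)
    return f"ctx.process?.name != null && [{names}].contains(ctx.process.name)"

def build_pipeline(monitored=MONITORED):
    """Two conditional set processors write process.type.alert as 'True' or 'False'."""
    cond = painless_condition(monitored)
    return {
        "description": "Flag documents of monitored processes for a Log threshold rule",
        "processors": [
            {"set": {"field": "process.type.alert", "value": "True", "if": cond}},
            {"set": {"field": "process.type.alert", "value": "False", "if": f"!({cond})"}},
        ],
    }

def expected_flag(doc, monitored=MONITORED):
    """What the pipeline should write for one document (Python mirror of the condition)."""
    name = (doc.get("process") or {}).get("name")
    return "True" if name in monitored else "False"

def simulate_body(docs):
    """Body for POST _ingest/pipeline/<id>/_simulate, which runs the pipeline without indexing."""
    return {"docs": [{"_source": d} for d in docs]}

def deploy_and_simulate(es_url, docs, headers=None):
    """PUT the pipeline, then simulate it on the sample docs; returns the simulate response."""
    hdrs = {"Content-Type": "application/json", **(headers or {})}
    put = urllib.request.Request(f"{es_url}/_ingest/pipeline/{PIPELINE_ID}",
                                 data=json.dumps(build_pipeline()).encode(), headers=hdrs, method="PUT")
    urllib.request.urlopen(put).read()
    sim = urllib.request.Request(f"{es_url}/_ingest/pipeline/{PIPELINE_ID}/_simulate",
                                 data=json.dumps(simulate_body(docs)).encode(), headers=hdrs, method="POST")
    return json.loads(urllib.request.urlopen(sim).read())

SAMPLE_DOCS = [  # constructed: one document per running process per host
    {"host": {"name": "web-1"}, "process": {"name": "nginx", "pid": 812}},
    {"host": {"name": "web-2"}, "process": {"name": "cron", "pid": 77}},
    {"host": {"name": "web-2"}},  # document with no process.name at all
]
```

Once `_simulate` shows the expected flags, the Log threshold rule counts documents where process.type.alert is "True", grouped by host.name, so a host on which the monitored process has stopped is the one whose count drops.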
