No alerts from Elastic agent

[Chizan-Dolrocks]

Hello,

I just wanted to know if I'm the only one having this problem: When I go into the Elastic Fleet manager and click on an agent to click on "View more agent metrics" The links on the left in the "Agent Health" section such as "Overview", "Agent Information", "Agent Metrics" or "Integrations" lead to a page that contains no data.

Thank you.

[weslambert]

What do you mean by alerts? We recommend reviewing alerts inside of SOC Alerts.

The Elastic Agent dashboards haven't been tested extensively.

I don't think we collect metrics by default because of the potential immense volume and requirement for storage, so there may not be data to populate the Metrics dashboard.

I have data on the Integrations page.

[Chizan-Dolrocks]

It's just that we don't have alerts in SOC, but we have data on the Integration page too.

[weslambert]

From the picture it looks like you have data from Suricata, so you should have alert data provided that you are not using Suricata for metadata and have Zeek data.

Do you see any data is you use the following query in SOC Hunt?

event.module:suricata

[Chizan-Dolrocks]

Sorry for the delay, but I have suricata alerts in SOC :

but I just don't get the Elastic Agent alerts in SOC.

in kibana we have this :

error.message	failed in Fleet agent final_pipeline: Text '2023-12-24T07:36:54.599Z' could not be parsed at index 20

[dougburks]

Have you tried going to Playbook and activating plays for alerts that you would want to see?
https://docs.securityonion.net/en/2.4/playbook.html

[Chizan-Dolrocks]

Now I have alert from playbook, but I wanted to know if I could get alerts from elastic agent like event.module

Thank you

[dougburks]

Playbook is running queries against your Elastic Agent data.