Segregating Servers and Endpoints to have different rules applied to them. #12117
If you have an Elastalert rule already, have you tried a blacklist rule using |
Hey! If you guys happen to meander onto this thread and might be able to throw some knowledge my way, I would greatly appreciate it!
This is what I am wanting to do:
I want to build a rule that alerts me when a server has not sent any logs in an hour. That's easy; I can do that with ElastAlert.
But I only want to alert on servers, not endpoints, with this rule, as endpoint alerts would drown me in chaff.
The question is:
Is there a good way anyone knows to accomplish this? I have thought about making a new policy for only servers, but if I did that I am still not sure how to apply that rule only to that fleet policy. I've thought about just filtering out all the endpoints, but that sounds like a nightmare. Maybe if I can link it to a doc it would not be so bad? I am not sure if that's a possibility.
I am almost positive there is some super easy and supported way of doing this, but I am clueless about it!
Any comments or ideas are appreciated!
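One way to express the rule described in the post, as an added example that is not from this thread or from the ElastAlert project: a flatline rule keyed per host and scoped by a filter so endpoints never enter the rule. It assumes logs carry the ECS field `host.name`, that servers follow a constructed `srv-*` naming convention, and that the `logstash-*` index pattern matches the deployment; all three are assumptions to adjust.

```yaml
# Added example (not from the thread): ElastAlert "flatline" rule that fires
# when a server has sent no logs for an hour, scoped to servers only.
# Assumptions (not stated in the thread): logs carry the ECS field host.name,
# servers are named "srv-*" (constructed convention), and the index pattern
# below matches the deployment. Change all three to fit your data.
name: server-log-flatline
type: flatline
index: logstash-*

# Alert when fewer than `threshold` matching documents arrive in `timeframe`.
threshold: 1
timeframe:
  hours: 1

# Track each server separately: one quiet host raises its own alert instead
# of being hidden by the combined log volume of the whole fleet.
query_key: host.name

# Scoping: only documents whose host.name matches the server convention are
# counted, so endpoint logs are never seen by this rule and cannot produce
# chaff. An explicit allow-list is shown as a commented-out alternative.
filter:
- query:
    query_string:
      query: 'host.name:srv-*'
#- terms:
#    host.name: ["srv-web-01", "srv-db-01"]

# Caveat: with query_key, flatline only alerts for keys it has already seen
# since the rule started. A server that never logs at all is invisible to it,
# so pair this with an inventory check if "never reported" must also alert.

alert:
- debug
```

A filter on a policy- or role-specific field stamped by the fleet policy would replace the naming-convention filter above if such a field is available.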