How to alert if fleet agent goes 'offline' #14876
Replies: 2 comments
-
You might be able to query the Fleet API to get the agent status and ingest that into ES periodically via an integration or cron job. With that you could create your detection rule: https://www.elastic.co/docs/api/doc/kibana/operation/operation-get-fleet-agents-agentid
-
This will query the Fleet API for offline clients. If you run it in a cron job, write the output to a file, then ingest the file and write a Sigma rule for it, you should be all set.

```shell
# Fleet may report last_checkin with fractional seconds (e.g. 2024-05-01T10:00:00.123Z),
# which jq's fromdateiso8601 does not accept; the sub() strips them before parsing.
curl -s -K /opt/so/conf/elasticsearch/curl.config -L "localhost:5601/api/fleet/agents?kuery=status:offline" -H 'kbn-xsrf: true' \
  | jq -r '.list[] | select((now - (.last_checkin | sub("\\.[0-9]+Z$"; "Z") | fromdateiso8601)) > 300) | {hostname: .local_metadata.host.hostname, last_checkin: .last_checkin}'
```
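A cron-friendly way to do the same filtering without jq, written here as an added example (it is not code from this discussion or from Security Onion): it takes a Fleet agents response, keeps offline agents whose last check-in is older than a threshold, and emits one NDJSON document per agent that can be ingested into Elasticsearch and matched by a detection rule. The `list`, `status`, `last_checkin` and `local_metadata.host.hostname` fields are the ones the comments above already rely on; the embedded response is a constructed sample, and the `fleet.*` field names and the `event.action` value are assumptions chosen for this example. Fractional seconds in `last_checkin` are handled.

```python
import json
from datetime import datetime, timezone

# Constructed sample shaped like a GET /api/fleet/agents response, reduced to the
# fields this script reads. Not a real capture.
SAMPLE_RESPONSE = {
    "list": [
        {"id": "a1", "status": "offline", "last_checkin": "2024-05-01T10:00:00.000Z",
         "local_metadata": {"host": {"hostname": "dc01"}}},
        {"id": "a2", "status": "offline", "last_checkin": "2024-05-01T10:09:30Z",
         "local_metadata": {"host": {"hostname": "ws-laptop-7"}}},
        {"id": "a3", "status": "online", "last_checkin": "2024-05-01T10:09:55.500Z",
         "local_metadata": {"host": {"hostname": "web02"}}},
    ]
}

# Fixed "now" used when running against the sample, so the output is reproducible.
EXAMPLE_NOW = datetime(2024, 5, 1, 10, 10, 0, tzinfo=timezone.utc)


def parse_iso(ts):
    """Parse Fleet's ISO-8601 timestamps, with or without fractional seconds."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def offline_agents(response, now, threshold_seconds=300):
    """Return ingest-ready documents for agents that are offline and whose last
    check-in is more than threshold_seconds before `now` (a tz-aware datetime)."""
    docs = []
    for agent in response.get("list", []):
        if agent.get("status") != "offline":
            continue
        age = (now - parse_iso(agent["last_checkin"])).total_seconds()
        if age <= threshold_seconds:
            continue  # recently seen; Fleet may still flip it back to online
        docs.append({
            "@timestamp": now.isoformat(),
            # ECS-style envelope; event.action is an assumed name for the rule to match on
            "event": {"kind": "state", "category": ["host"], "type": ["info"],
                      "action": "fleet-agent-offline"},
            "agent": {"id": agent["id"]},
            "host": {"hostname": agent["local_metadata"]["host"]["hostname"]},
            # fleet.* is an assumed custom namespace for this example
            "fleet": {"last_checkin": agent["last_checkin"],
                      "offline_seconds": int(age)},
        })
    return docs


def to_ndjson(docs):
    """Serialize documents as newline-delimited JSON (one document per line)."""
    return "".join(json.dumps(d, sort_keys=True) + "\n" for d in docs)


if __name__ == "__main__":
    import sys
    if sys.stdin.isatty():      # no piped input: run on the constructed sample
        response, now = SAMPLE_RESPONSE, EXAMPLE_NOW
    else:                       # piped, e.g. curl ... | python3 fleet_offline.py
        response, now = json.load(sys.stdin), datetime.now(timezone.utc)
    sys.stdout.write(to_ndjson(offline_agents(response, now)))
```

Piping the curl call from the comment above (without the jq stage) into this script from cron and appending its output to a file gives a file that Filebeat or a custom integration can pick up; the detection rule then only needs to match `event.action` and, for high-priority hosts, `host.hostname`.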
-
I've spent some time hunting for logs that I can use to alert when a high-priority Fleet agent goes 'offline', but I can't find it anywhere. The agent shows 'offline' in the 'Elastic Fleet' area of Kibana, but the SO Hunt interface seems to be filtering out that type of log. The goal is to create a detection rule to alert when that host goes 'offline'. Ideas?