Skip to content

system_fails_to_provide_data

Directory actions

More options

Directory actions

More options

Latest commit

 

History

History
 
 

system_fails_to_provide_data

Folders and files

NameName
Last commit message
Last commit date

parent directory

..
scripts
scripts
 
 
tests
tests
 
 
README.md
README.md
 
 
mapping.json
mapping.json
 
 
watch.json
watch.json
 
 

README.md

System Fails to Provide data

Description

Alert if a system/host that was providing logs has stopped.

A system not providing logs is defined as “The system provided logs in the last N minutes but has not in the last X minutes”. For example, “The system provided logs in the last 24 hrs but has not in the last 5 minutes”. X and N are configurable.

Mapping Assumptions

A mapping is provided in mapping.json. Watches require data producing the following fields:

  • host (non-analyzed string) - Contains the host name from which the message originated.
  • @timestamp (date field) - Date of log message.

Data Assumptions

The watch assumes each document in Elasticsearch represents a log entry.

Other Assumptions

  • All events are index "log" and type "log".

Configuration

The following watch metadata parameters influence behaviour:

  • window_period - The period N (hrs) over which which the list of total known systems should be collected. Defaults to 24hrs.
  • last_period - The period X (mins) in which all hosts should respond with a log message. Defaults to 5 mins.