Solved

Detecting devices not sending logs


Userlevel 3
Badge +8

Hi 

I know the following query can be used to create an alarm with devices that haven’t been sending logs 
| chart count() by device_ip | search 'count()' = 0

However, in cases where I have multiple IPs for a single device this won't work, as the ones not sending data will come up in the search result even though the device is sending data from another IP. Another case where I have issues is when pulling data with, for instance, the O365 fetcher, which will have a device_ip of the localhost, which will also be the case for the internal LogPoint logs. One way could be to create alerts on the individual repos with some specific characteristics, but I would like to avoid creating multiple alerts for the same thing to reduce search load.

Any ideas how to build a single alert for detecting devices not sending logs with multiple IPs and fetchers not fetching any data?


Best answer by Nicolai Thorndahl 28 May 2021, 11:44


13 replies

Userlevel 1

Hi,

have you tried this variant?

| chart count() by device_name | filter 'count()'=0

It *should* cover the case of multiple IPs

For O365 I have not been able to test but you could try

col_type=*o365 | chart count() by col_type | filter 'count()'=0

Regards,

Henrik

Userlevel 3
Badge +8

Thanks Henrik! Will give it a try. 

Userlevel 1

I managed to get an extra asterisk in there, use this instead:

col_type=o365 | chart count() by col_type | filter 'count()'=0

Userlevel 1

Actually, since we are filtering on the collection type for Office365 we could probably simplify it further:

col_type=o365 | chart count() | filter 'count()'=0

This query really only makes sense in an alert rule :-)

/Henrik

Thanks

Thanks!

Can you validate this with a screendump? When changing to using the device_name in the search, we get no results returned. But when using the original search with device_ip, we get results from several nodes which we are not receiving logs from.

Hi,

I do not understand how the search will check against the list of all configured devices in Logpoint?

Can anybody explain it for me? 

Thanks

Roland

Userlevel 3
Badge +8

Hi Roland 

This is a feature: 
To accommodate the special case of a device not sending logs, the query for getting the log count from device IPs is treated differently and would be instantiated with all the applicable registered devices initialized with count zero. It is initialized in the indexsearcher service, which computes all the device IPs that can send to that particular repository within the user's permissions.

After initialization, the rest of the computation would be similar to any other query.

Besides this there is also the simple use case to check if any logs are received in the Repo, this can be achieved by configuring an alert rule with the following parameters:
Query: | chart count()
Condition: less than “1”
Repo selection: select only 1 repo. 

/Nicolai 

Userlevel 3
Badge +3

Hi,

For a use case where you want to alert on multiple repos at once, you can use this solution:

  1. Create a Dynamic List which will be populated with the field value "repo_name" from all repositories you want to monitor
  2. Make a CSV file containing the field value "repo_name" followed by the names of the repos you want to monitor
  3. Make an alert that populates the Dynamic List with repositories that are receiving logs
     Query: | chart count() as cnt by repo_name | filter cnt > 0 | process toList(DLIST_REPO, repo_name)
  4. Make an alert that compares the Dynamic List and the Dynamic Table and fires when a repo_name is missing in the Dynamic List compared to the Dynamic Table.
     Query: table "Dynamic_Table_enrichment_repo" | search -repo_name in DLIST_REPO | chart count() by repo_name


Other than that there is also a Vendor Rule to alert on a single repo not receiving logs for half an hour.
Vendor Rule: LP_Default Device Stopped Sending Logs for Half an Hour


/Gustav
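The per-device check Nicolai describes (every registered device starts at count zero) and the per-repo comparison in Gustav's steps, as an added example that is not part of this thread or of LogPoint itself: a small Python model in which counting is keyed on device_name or col_type rather than on a single device_ip, and monitored repos are compared against the repos that actually received logs. All device names, IPs, repo names and events are constructed sample data.

```python
# Added example, not LogPoint's own code: a model of the "device stopped
# sending logs" check from this thread. Every registered source starts at
# count zero (Nicolai's description), counts are keyed on device_name or
# col_type rather than on one device_ip (the OP's multi-IP case), and
# silent_repos mirrors Gustav's Dynamic Table vs Dynamic List comparison.
# All devices, IPs, repos and events below are constructed sample data.

# Constructed inventory: device_name -> IPs it may send from.
REGISTERED_DEVICES = {
    "fw-edge-01": {"10.0.0.1", "10.0.0.2"},  # multi-IP device with a fallback IP
    "dc-01": {"10.0.1.10"},
    "web-01": {"10.0.2.20"},
}
REGISTERED_FETCHERS = {"o365", "aws"}  # fetchers keyed on col_type; device_ip is localhost
MONITORED_REPOS = {"windows", "firewall", "cloud", "linux"}  # the "Dynamic Table"

# Constructed events carrying the fields the queries in the thread rely on.
SAMPLE_EVENTS = [
    {"device_ip": "10.0.0.2", "device_name": "fw-edge-01", "repo_name": "firewall", "col_type": "syslog"},
    {"device_ip": "10.0.1.10", "device_name": "dc-01", "repo_name": "windows", "col_type": "syslog"},
    {"device_ip": "127.0.0.1", "device_name": "localhost", "repo_name": "cloud", "col_type": "o365"},
    {"device_ip": "127.0.0.1", "device_name": "localhost", "repo_name": "_logpoint", "col_type": "logpoint"},
]

def silent_ips(events, devices=REGISTERED_DEVICES):
    """The original per-device_ip query: 10.0.0.1 is flagged even though
    fw-edge-01 is sending from its other IP (the false positive in the OP)."""
    seen = {ev["device_ip"] for ev in events}
    return {ip for ips in devices.values() for ip in ips} - seen

def silent_sources(events, devices=REGISTERED_DEVICES, fetchers=REGISTERED_FETCHERS):
    """Registered devices and fetchers with zero events. Counts start at 0
    for every registered source, then grow per device (any of its IPs) or
    per col_type; internal localhost logs (col_type=logpoint) are ignored."""
    ip_to_device = {ip: name for name, ips in devices.items() for ip in ips}
    counts = {name: 0 for name in devices}
    counts.update({f"col_type={c}": 0 for c in fetchers})
    for ev in events:
        if ev["col_type"] in fetchers:
            counts[f"col_type={ev['col_type']}"] += 1
        elif ev["device_ip"] in ip_to_device:
            counts[ip_to_device[ev["device_ip"]]] += 1
    return {src for src, n in counts.items() if n == 0}

def silent_repos(events, monitored=MONITORED_REPOS):
    """Gustav's check: monitored repos (Dynamic Table) that are absent from
    the repos that received logs (the DLIST_REPO side, count > 0)."""
    receiving = {ev["repo_name"] for ev in events}
    return monitored - receiving
```

With the sample events, silent_ips flags 10.0.0.1 although fw-edge-01 is alive on 10.0.0.2, while silent_sources reports only web-01 and the aws fetcher, and silent_repos reports only the linux repo.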

Userlevel 4
Badge +8

> Can you validate this with a screendump? When changing to using the device_name in the search, we get no results returned. But when using the original search with device_ip, we get results from several nodes which we are not receiving logs from.

We see exactly the same problem.

It would be great to have a search query which also respects the case when a device has multiple IPs (e.g. for fallback) and sends logs from at least one IP.

Userlevel 4
Badge +8

Just added an idea for this:

https://logpoint.ideas.aha.io/ideas/LP-I-211

Feel free to give it a vote!

Hey, I know this topic is a bit older.
You say at the bottom there that the LP_Default Device Stopped Sending Logs rule could only be used for a single repo not receiving logs, but could you not just edit the rule to use multiple or even all repos, technically?
