Getting false alerts for inactive devices

Question

Hello,

to get noticed when a device is no longer sending logs i created an alert that uses this search query:

device_ip in DG_AKTIVE_GERAETE | chart count() by device_name,device_ip | search 'count()' = 0

(AKTIVE_GERAETE is a device group i put all the devices in that should be monitored).

The alert runs every two hours and nearly every day at the same time (1am) i get an alarm per email that one of our firewalls didn’t send logs. I am pretty sure that is a false positive.

However, when clicking of the link in the email, i indeed see a hit.

But when searching again by clicking on search, there isn’t a hit anymore.

Displaying all logs from this device for the last 24 hours also does not show any missing logs for this time

So, as i said, pretty sure it is a false positive.

The alert is always triggered for the same device and always for the same timeframe (23pm and 1am), so i was thinking that the LP wants me to somehow acknowledge it before stopping to trigger it. But i already marked and closed all incidents of the alarm at one point, but the next day the alarm was triggered again.

Here is the configuration of the alert:

Anybody got any ideas ? Am i missing something ? I know the next LP version will have the detection of inactive device “build in”, but i am curious what is going on here.

Andre

markus.nebel@8com.de · Accepted Answer

Hello @Andre Kurtzwe are using the following query for this, and it seems to be stable:| chart count() as CN by device_ip,device_name order by device_name asc| search CN=0 -(device_name in EXCLUDE_DEVICE_NAME_NOT_SENDING_LOGS) | fields device_ip, device_nameThe list EXCLUDE_DEVICE_NAME_NOT_SENDING_LOGScontains the device_names of systems that are known to send logs very rarely (e.g. switches or clients).The alert has to run on all repos except the logpoint default repos.Search time range is 1 days while defined search interval is1439 minutes.This works reliable for us.

Andre Kurtz · Answer

Hi Markus,thnaks for your answert and sorry for the late response, have been busy the last couple of weeks.Lookin at your search query i do not see that big a difference from the one we are using. Using a time value of 1439 seems interesting, escpecially because i was thinking of changing it in the same way (subtracting 1 from the intervall the search query is running)However, i was not aware that LP released 6.12.2 flex patch a couple of weeks ago. Installed it a few days after posting here and haven’t had a false alarm every since. Whether it was a bug in 6.12.0 or a reboot fixed the issue, i do not know.Andre

Reply

Sign up

Already a Partner or Customer? Login with your LogPoint Support credentials. Don‘t have a LogPoint Support account? Ask your local LogPoint Representative. Only visiting? Login with LinkedIn to gain read–access.

Login to the community

Already a Partner or Customer? Login with your LogPoint Support credentials. Don‘t have a LogPoint Support account? Ask your local LogPoint Representative. Only visiting? Login with LinkedIn to gain read–access.

Scanning file for viruses.

This file cannot be downloaded