Solved

Getting false alerts for inactive devices

  • 1 December 2021
  • 2 replies
  • 103 views


Hello,

To get notified when a device is no longer sending logs, I created an alert that uses this search query:

device_ip in DG_AKTIVE_GERAETE | chart count() by device_name,device_ip | search 'count()' = 0

(AKTIVE_GERAETE is a device group I put all the devices in that should be monitored.)

The alert runs every two hours, and nearly every day at the same time (1am) I get an alarm per email that one of our firewalls didn't send logs. I am pretty sure that is a false positive.

However, when clicking on the link in the email, I indeed see a hit.

False alert

But when searching again by clicking on search, there isn't a hit anymore.

Displaying all logs from this device for the last 24 hours also does not show any missing logs for this time.

So, as I said, pretty sure it is a false positive.

The alert is always triggered for the same device and always for the same timeframe (23:00 and 1am), so I was thinking that the LP wants me to somehow acknowledge it before it stops triggering. But I already marked and closed all incidents of the alarm at one point, and the next day the alarm was triggered again.

Here is the configuration of the alert:

Anybody got any ideas? Am I missing something? I know the next LP version will have the detection of inactive devices "built in", but I am curious what is going on here.

Andre


Best answer by markus.nebel@8com.de 2 December 2021, 15:33


2 replies


Hello @Andre Kurtz

We are using the following query for this, and it seems to be stable:

| chart count() as CN by device_ip,device_name order by device_name asc | search CN=0 -(device_name in EXCLUDE_DEVICE_NAME_NOT_SENDING_LOGS) | fields device_ip, device_name

The list EXCLUDE_DEVICE_NAME_NOT_SENDING_LOGS contains the device_names of systems that are known to send logs very rarely (e.g. switches or clients).

The alert has to run on all repos except the Logpoint default repos.

Search time range is 1 day while the defined search interval is 1439 minutes.

This works reliably for us.
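The detection that both queries in this thread implement (count events per monitored device over a window, report the devices with a count of zero, skip an exclude list) can be modelled outside Logpoint to see what the time range and interval do. The following is an added example, not code from the thread or from Logpoint: the events, the device group standing in for DG_AKTIVE_GERAETE, and the exclude list standing in for EXCLUDE_DEVICE_NAME_NOT_SENDING_LOGS are all constructed, and the scheduling model in coverage_gaps (runs fire a few seconds late and each searches the preceding range) is an assumption made to illustrate why a search range slightly longer than the interval, as in the 1 day / 1439 minutes setting above, is more robust than range equal to interval.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample events (timestamp, device_ip, device_name); not data from the thread.
SAMPLE_EVENTS = [
    ("2021-12-01T22:10:00", "10.0.0.1", "fw-01"),
    ("2021-12-01T23:59:30", "10.0.0.1", "fw-01"),
    ("2021-12-02T00:00:10", "10.0.0.2", "fw-02"),
    ("2021-12-02T01:30:00", "10.0.0.3", "sw-core"),
]

# Stand-in for the device group DG_AKTIVE_GERAETE: every device that must be seen.
MONITORED = {
    "10.0.0.1": "fw-01",
    "10.0.0.2": "fw-02",
    "10.0.0.3": "sw-core",
    "10.0.0.4": "switch-access",
}

# Stand-in for EXCLUDE_DEVICE_NAME_NOT_SENDING_LOGS: devices known to log rarely.
EXCLUDE = {"switch-access"}


def count_by_device(events, start_iso, end_iso):
    """Equivalent of 'chart count() by device_ip, device_name' over [start, end)."""
    start, end = datetime.fromisoformat(start_iso), datetime.fromisoformat(end_iso)
    counts = Counter()
    for ts, ip, name in events:
        if start <= datetime.fromisoformat(ts) < end:
            counts[(ip, name)] += 1
    return counts


def silent_devices(events, monitored, exclude, start_iso, end_iso):
    """Equivalent of 'search CN=0 -(device_name in EXCLUDE...) | fields device_ip'.

    Returns the sorted device_ips of monitored devices with zero events in the
    window, minus the excluded names (Counter yields 0 for devices never seen).
    """
    counts = count_by_device(events, start_iso, end_iso)
    return sorted(
        ip for ip, name in monitored.items()
        if counts[(ip, name)] == 0 and name not in exclude
    )


def coverage_gaps(range_min, interval_min, delays_s):
    """Seconds of the timeline that no scheduled run's search window covers.

    Assumed model: run k is scheduled at k*interval_min minutes, executes
    delays_s[k] seconds late, and searches the preceding range_min minutes.
    Returns a list of (gap_start, gap_end) in seconds relative to run 0.
    """
    windows = []
    for k, delay in enumerate(delays_s):
        run_at = k * interval_min * 60 + delay
        windows.append((run_at - range_min * 60, run_at))
    gaps = []
    for (_, prev_end), (next_start, _) in zip(windows, windows[1:]):
        if next_start > prev_end:
            gaps.append((prev_end, next_start))
    return gaps


if __name__ == "__main__":
    # A one-day window starting at midnight: fw-01 only logged the day before.
    print("silent over 1 day:",
          silent_devices(SAMPLE_EVENTS, MONITORED, EXCLUDE, "2021-12-02T00:00:00", "2021-12-03T00:00:00"))
    # A two-hour window 23:00-01:00: sw-core logs at 01:30, so it is silent here.
    print("silent 23:00-01:00:",
          silent_devices(SAMPLE_EVENTS, MONITORED, EXCLUDE, "2021-12-01T23:00:00", "2021-12-02T01:00:00"))
    # range == interval: a run starting 40 s later than its predecessor leaves 40 s unsearched.
    print("gaps, range 1440 / interval 1440:", coverage_gaps(1440, 1440, [0, 40, 5]))
    # range 1 day, interval 1439 min: the 60 s overlap absorbs that jitter.
    print("gaps, range 1440 / interval 1439:", coverage_gaps(1440, 1439, [0, 40, 5]))
```

Run it as a script to see both windows evaluated; an event that falls into one of the reported gaps is counted by no run at all, which for a device that logs only once in the window would make it look silent. The overlap created by setting the interval one minute shorter than the range is what removes those gaps.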


Hi Markus,

Thanks for your answer and sorry for the late response, I have been busy the last couple of weeks.

Looking at your search query I do not see that big a difference from the one we are using. Using a time value of 1439 seems interesting, especially because I was thinking of changing it in the same way (subtracting 1 from the interval the search query is running at).

However, I was not aware that LP released the 6.12.2 flex patch a couple of weeks ago. I installed it a few days after posting here and haven't had a false alarm ever since. Whether it was a bug in 6.12.0 or a reboot fixed the issue, I do not know.

Andre
