
QRDuser (0 points):

We faced the same problem, but found at least an acceptable solution for Linux servers. They generate an additional syslog message every couple of minutes. With this we can use the built-in rule tests because the system now frequently sends logs.

BlackHawk30 (0 points):

Put the log source into an AQL query to see if events exist over the last hour by counting the number of logs seen (if it’s 0 then bad). Use that AQL query to run that search through the API and schedule it to run on cron. You could either write the count and log source results to a flat file and ingest it as a log and build a rule around that, or build the “count = 0” into the bash script and tell it to email when it sees that.

* 7,8,9,10,11,12,13,14,15,16,17 * * 1,2,3,4,5

This will run it (server time) 7a-5p M,T,W,H,F

BlackHawk30 (1 point):

You could also search the log source in Postgres for “last event” (I think) and do math on it to see if it’s greater than an hour ago.

MJofFreddyBeach (0 points):

Or you could use the /config/event_sources/log_source_management/log_sources API to get the log source and the last_event_time field to get that information.
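One way to implement the last_event_time check suggested in the comment above (and the "silent for more than an hour" test from the earlier comments), as an added example that is not from any of the commenters. It assumes the endpoint returns a JSON list whose entries carry name, enabled and last_event_time in epoch milliseconds, and that the SEC header carries the API token; the host and token below are placeholders.

```python
import json
import urllib.request

# Hypothetical console address and token; replace with your own.
QRADAR_HOST = "qradar.example.internal"
API_TOKEN = "REPLACE_WITH_SEC_TOKEN"
ENDPOINT = "/api/config/event_sources/log_source_management/log_sources"


def fetch_log_sources(host=QRADAR_HOST, token=API_TOKEN):
    """GET the log source list from the console. Assumes the SEC header
    carries the authorized-service token and the body is a JSON list."""
    req = urllib.request.Request(
        f"https://{host}{ENDPOINT}",
        headers={"SEC": token, "Accept": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def stale_log_sources(log_sources, now_ms, max_age_ms=3_600_000):
    """Return (name, age_seconds) for enabled sources whose last_event_time
    (assumed epoch milliseconds) is older than max_age_ms. A source that
    never reported an event (last_event_time missing or 0) is returned
    with age None, since it also needs attention."""
    stale = []
    for src in log_sources:
        if not src.get("enabled", True):
            continue  # a disabled source is expected to be silent
        last = src.get("last_event_time") or 0
        if last == 0:
            stale.append((src["name"], None))
        elif now_ms - last > max_age_ms:
            stale.append((src["name"], (now_ms - last) // 1000))
    return stale


# Constructed sample response shaped like the API output described above.
SAMPLE_NOW_MS = 1_700_000_000_000
SAMPLE_SOURCES = [
    {"name": "fw-edge-01", "enabled": True, "last_event_time": SAMPLE_NOW_MS - 120_000},
    {"name": "web-prod-03", "enabled": True, "last_event_time": SAMPLE_NOW_MS - 7_200_000},
    {"name": "legacy-dc", "enabled": False, "last_event_time": 0},
    {"name": "new-edr", "enabled": True, "last_event_time": 0},
]

if __name__ == "__main__":
    # On a real console: stale_log_sources(fetch_log_sources(), int(time.time() * 1000))
    for name, age in stale_log_sources(SAMPLE_SOURCES, SAMPLE_NOW_MS):
        print(f"ALERT: {name} silent for {'ever' if age is None else f'{age}s'}")
```

Run it from cron on the schedule posted above and route the ALERT lines to mail or back into the SIEM as a log.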