Detecting devices not sending logs

Hi,

have you tried this variant?

| chart count() by device_name | filter 'count()'=0

It *should* cover the case of multiple IPs

For O365 I have not been able to test but you could try

col_type=*o365 | chart count() by col_type | filter 'count()'=0

Regards,

Henrik

Thanks Henrik! Will give it a try.

I managed to get an extra asterisk in there, use this instead:

col_type=o365 | chart count() by col_type | filter 'count()'=0

Actually, since we are filtering on the collection type for Office365 we could probably simplify it further:

col_type=o365 | chart count() | filter 'count()'=0

This query really only makes sense in an alert rule :-)

/Henrik

Thanks

Thanks!

Can you validate this with a screendump? When changing to using the device_name in the search, we get no results returned. But when using the original search with device_ip, we get results from several nodes which we are not receiving logs from.

Hi,

I do not understand, how the search will check against the list of all configured devices in Logpoint ?

Can anybody explain it for me?

Thanks

Roland

Hi Roland

This is a feature:
To accommodate the special case of device not sending logs, the query for getting logs count from device IPs is treated differently and would be instantiated with all the applicable registered devices initialized with count zero.  It is initialized in the indexsearcher service which computes all the device IPs that can send to that particular repository within the user’s permission.

After initialization, rest of the computation would be similar to any other queries.

Besides this there is also the simple use case to check if any logs are received in the Repo, this can be achieved by configuring an alert rule with the following parameters:
Query : | chart count()
Condition : less than “1”
Repo selection : select only 1 repo.

/Nicolai

Hi,

For a Use case where you want to alert on multiple repos at once, you can use this solution:

1. Create a Dynamic List which will be populated with the field value “repo_name” from all repositories you want to monitor
2. Make a CSV file containing the field value “repo_name” followed by the names of the repos you want to monitor
3. Make an alert that populates the Dynamic list with repositories that are receiving logs
   Query: | chart count() as cnt by repo_name | filter cnt > 0 | process toList(DLIST_REPO, repo_name)
4. Make an alert that compares the Dynamic list and the Dynamic Table and fires when a repo_name is missing in the Dynamic List compared to the Dynamic Table.
   Query: table "Dynamic_Table_enrichment_repo" | search -repo_name in DLIST_REPO | chart count() by repo_name

Other than that there is also a Vendor Rule to alert on a single repo not receiving logs for half an hour.
Vendor Rule: LP_Default Device Stopped Sending Logs for Half an Hour

/Gustav

We see exactly the same problem.

It would be great to have search query which also respects the case when a device has multiple IPs (e.g. for fallback) and sends logs from at least one IP.

Just added an idea for this:

https://logpoint.ideas.aha.io/ideas/LP-I-211

Feel free to give it a vote!

Hey I know this Topic is a bit older.
you say on the Bottom there that, the LP_Defaul Device Stopped Sending Logs Rule, could only be used for a Single Repo not Receiving Logs, but could you not just Edit the Rule to be using, Multiple or even all Repos Technically?