Create a single alert which monitors lack of logs


Tony Montana

Mar 25, 2025, 9:01:32 AM
to Wazuh | Mailing List
Hi everyone,

Can I create an alert that will check each agent individually for missing logs every 2 minutes? Each server runs the who command every minute and I want an alert to be generated if at least one agent stops sending logs.

I tried the Group by function on the agent.name field, but it works only when no logs are sent from any agent (Screenshot). I also tried the DSL Query condition:

{
  "query": {
    "bool": {
      "must": [
        {
          "range": {
            "@timestamp": {
              "gte": "now-3m/m",
              "lte": "now/m"
            }
          }
        },
        {
          "exists": {
            "field": "@timestamp"
          }
        }
      ]
    }
  },
  "aggs": {
    "servers": {
      "terms": {
        "field": "agent.name", 
        "size": 1000
      },
      "aggs": {
        "missing_logs": {
          "missing": {
            "field": "@timestamp" 
          }
        }
      }
    }
  }
}

Trigger conditions that I've tried:
return ctx.results[0].aggregations.metric.value == null ? false : ctx.results[0].aggregations.metric.value < 1;

and

return ctx.results[0].aggregations.servers.buckets.some(bucket => bucket.missing_logs.doc_count > 0);

But that doesn't work either.
I hope I've made myself clear.

Thanks in advance!
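Added example (not from the thread, and not Wazuh or OpenSearch code): the nested `missing` sub-aggregation in the query above can never fire, because an agent that has stopped sending logs has no documents in the window and therefore no bucket at all. The check that does work compares the agents seen in a short window against a roster of agents expected to report (here, the buckets of a longer baseline window). Agent names and events are constructed sample data.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample data (hypothetical agent names): three agents send a
# `who` log every minute; "web-02" stops sending at 09:00.
NOW = datetime(2025, 3, 25, 9, 5, tzinfo=timezone.utc)
_AGENTS = ("web-01", "web-02", "db-01")
SAMPLE_EVENTS = [
    {"agent.name": a, "@timestamp": NOW - timedelta(minutes=m)}
    for m in range(60)
    for a in _AGENTS
    if not (a == "web-02" and m < 5)
]


def terms_buckets(events, now, window):
    """Emulate a terms aggregation on agent.name over [now - window, now].
    Returns buckets in the shape OpenSearch produces: one per agent that has
    at least one document in the window. Silent agents produce no bucket."""
    cutoff = now - window
    counts = {}
    for e in events:
        if cutoff <= e["@timestamp"] <= now:
            counts[e["agent.name"]] = counts.get(e["agent.name"], 0) + 1
    return [{"key": k, "doc_count": v} for k, v in sorted(counts.items())]


def silent_agents(baseline_buckets, recent_buckets):
    """Agents that appear in the baseline window but not in the recent one.
    This set difference is what a 'missing' sub-aggregation cannot express:
    it only counts documents that exist and lack the field."""
    expected = {b["key"] for b in baseline_buckets}
    seen = {b["key"] for b in recent_buckets}
    return sorted(expected - seen)


def check(events=SAMPLE_EVENTS, now=NOW, recent_min=3, baseline_min=60):
    """Run the two-window comparison; returns the list of silent agents."""
    baseline = terms_buckets(events, now, timedelta(minutes=baseline_min))
    recent = terms_buckets(events, now, timedelta(minutes=recent_min))
    return silent_agents(baseline, recent)


if __name__ == "__main__":
    print(check())  # ['web-02']
```

In a monitor, the same comparison means running the terms aggregation twice (baseline and recent window) and alerting on keys present in the first result but absent from the second, rather than on a sub-aggregation of the recent window alone.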

Anthony Faruna

Mar 27, 2025, 8:51:30 PM
to Wazuh | Mailing List
Hello,

Wazuh automatically generates an alert if an agent remains disconnected for more than 30 minutes. You can refer to this rule in the Wazuh ruleset (https://github.com/wazuh/wazuh-ruleset/blob/908c90b74b49ed04ee53b0367b55bb28e3c628ee/rules/0015-ossec_rules.xml#L41):

  <rule id="504" level="3">
    <if_sid>500</if_sid>
    <options>alert_by_email</options>
    <match>Agent disconnected</match>
    <description>Ossec agent disconnected.</description>
    <group>pci_dss_10.6.1,pci_dss_10.2.6,gpg13_10.1,gdpr_IV_35.7.d,</group>
  </rule>

This rule works by monitoring the periodic keep-alive messages sent by each agent to the manager. If these messages stop for a prolonged period (default is 30 minutes), Wazuh considers the agent disconnected.

However, to the best of my knowledge, Wazuh does not currently offer a built-in mechanism to check the last time a specific type of event or log source (e.g., who command logs) was received from an agent.

Best Regards