remote agent heart beat

Follow
Avatar
vivek balachandran

how to monitor if remote agent is sending data to log collector, basically we need to alert if the system is not sending any log to sumologic for 24 hours.

i have ESXi server and configured syslog server as sumo logic log collector, so now i would like to trigger an alert if the host not send any data to sumo for certian time

0

Comments

1 comment

Sort by Date Votes
  • Avatar
    Kevin Sumo

    Hi Vivek,

    I think the query in the following documentation page may be what you are looking for. 

    https://help.sumologic.com/Manage/Ingestion-and-Volume/Monitor-Ingestion-and-Receive-Alerts#Data_not_sent_alert

    N    ote you'll need to have the Volume Index enabled within your account for this query to work. 

    _index=sumologic_volume sizeInBytes _sourceCategory="collector_volume" 
    | parse regex "\"(?<collector>(?:[^\"]+)|(?:\"\"))\"\:{\"sizeInBytes\"\:(?<bytes>\d+),\"count\"\:(?<count>\d+)\}" multi 
    | first(_messagetime) as MostRecent, sum(bytes) as TotalVolumeBytes by collector 
    | formatDate(fromMillis(MostRecent),"yyyy/MM/dd HH:mm:ss") as MostRecentTime 
    | toMillis(now()) as currentTime 
    | formatDate(fromMillis(currentTime),"yyyy/MM/dd HH:mm:ss") as SearchTime 
    | (currentTime-MostRecent) / 1000 / 60 as mins_since_last_logs 
    | where mins_since_last_logs >= 60 
    | fields -mostrecent, currenttime 
    | format ("%s Has not collected data in the past 60 minutes", collector) as message

    This query will help alert if you have received no data within your account for 24 hour period. You can modify the query to look for only a specific Collector if that is what you require. Here is another example with the additional line highlighted. Just place the name of your Collector in this linea nd this should only return based on that Collector name. 

    _index=sumologic_volume sizeInBytes _sourceCategory="collector_volume" 
    | parse regex "\"(?<collector>(?:[^\"]+)|(?:\"\"))\"\:{\"sizeInBytes\"\:(?<bytes>\d+),\"count\"\:(?<count>\d+)\}" multi 
    | where collector="CollectorName"
    | first(_messagetime) as MostRecent, sum(bytes) as TotalVolumeBytes by collector 
    | formatDate(fromMillis(MostRecent),"yyyy/MM/dd HH:mm:ss") as MostRecentTime 
    | toMillis(now()) as currentTime 
    | formatDate(fromMillis(currentTime),"yyyy/MM/dd HH:mm:ss") as SearchTime 
    | (currentTime-MostRecent) / 1000 / 60 as mins_since_last_logs 
    | where mins_since_last_logs >= 60 
    | fields -mostrecent, currenttime 
    | format ("%s Has not collected data in the past 60 minutes", collector) as message

    0
    Comment actions Permalink

Please sign in to leave a comment.

Didn't find what you were looking for?

New post