Many requests have come in for a dormant host alert in Log Insight. I am happy to announce that the feature is available in Log Insight 4.6. Read on to learn more!
What is a Dormant Host?
The request is as follows: if I have a host that is logging to Log Insight and then it stops logging to Log Insight for some period of time, then I would like to receive an alert. This means that any host that has logged to Log Insight and no longer does is considered a dormant host.
How to Configure Alert
Dormant host alerts are configured from the Hosts (/admin/hosts) page:
As you can see, there is an “Inactive hosts notification” checkbox that can be selected:
Upon selecting it, you will notice it defaults to alerting based on devices that have not logged in the last day. This can of course be adjusted as needed down to the last 10 minutes. Just like with event-based email alerts, you will notice that the time range of the inactive host notification dictates the frequency at which the alert is triggered (for last day it is every hour).
By default, if you enable inactive hosts notification then it applies to all hosts logging to Log Insight. You can choose to whitelist hosts with the whitelist checkbox:
If you select the “i” icon it will tell you it takes a comma-separated list of hosts. Note the host names provided must be complete. Partial and glob hostnames are not allowed at this time. Whitelisting is helpful for dynamic environments like dev/test or when you only care about certain hosts going offline.
Finally, you will notice after selecting the inactive host notification checkbox that next to the filter option you get a “show only inactive” checkbox:
As the name implies, if you select it then you will only see inactive hosts in the table.
IMPORTANT: You must hit save after enabling the “inactive hosts notification” checkbox before the “show only inactive” checkbox will do anything.
What do you get?
The notification is a system notification so it depends on what you have configured under the Alerts section of the General (/admin/general) page.
NOTE: The first time you enable this feature, you will receive an email with all currently dormant hosts.
A sample email looks like the following:
NOTE: It is not uncommon to see weird hostnames. Remember, LI follows the syslog RFC, so whatever word sits where the hostname should be will be treated as the hostname.
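The dormant-host check and the hostname note above can be reproduced outside the product. The following is an added example, not Log Insight's implementation and not code from the original post. The function names, the sample lines, the assumed year and the 12-hour window are all assumptions made for illustration.

```python
from datetime import datetime, timedelta

# Constructed RFC 3164-style sample lines, not real logs.
SAMPLE = [
    "<34>Oct 11 22:14:15 web01 sshd[411]: Accepted publickey for deploy",
    "<13>Oct 11 09:00:02 db01 cron[88]: job finished",
    "<13>Oct 11 22:20:00 devbox7 app: started",
    # The sender left out the hostname, so the next word takes its place.
    "<11>Oct 11 08:30:00 ERROR: disk check failed",
]
NOW = datetime(2018, 10, 11, 23, 0, 0)  # assumed "current time" for the demo

def parse_host(line, year=2018):
    """Return (hostname, timestamp), or None if the line is too short.

    The token after the timestamp is taken as the hostname, whatever it is.
    RFC 3164 timestamps carry no year, so one is assumed.
    """
    _, _, rest = line.partition(">")
    parts = rest.split(None, 4)  # month, day, time, hostname, message
    if len(parts) < 4:
        return None
    month, day, clock, host = parts[:4]
    ts = datetime.strptime(f"{year} {month} {day} {clock}", "%Y %b %d %H:%M:%S")
    return host, ts

def last_seen(lines):
    """Map each hostname to the newest timestamp seen for it."""
    seen = {}
    for line in lines:
        parsed = parse_host(line)
        if parsed and (parsed[0] not in seen or parsed[1] > seen[parsed[0]]):
            seen[parsed[0]] = parsed[1]
    return seen

def dormant_hosts(seen, now, window, whitelist=None):
    """Hosts that logged before but not within `window` of `now`.

    `whitelist` is a comma-separated list of complete host names;
    matching is exact, so partial names and globs match nothing.
    """
    names = {h.strip() for h in whitelist.split(",")} if whitelist else None
    return sorted(h for h, ts in seen.items()
                  if now - ts > window and (names is None or h in names))

if __name__ == "__main__":
    seen = last_seen(SAMPLE)
    print(dormant_hosts(seen, NOW, timedelta(hours=12)))
    print(dormant_hosts(seen, NOW, timedelta(hours=12), "db01, web01"))
```

Without a whitelist, the bogus `ERROR:` "host" is reported as dormant alongside `db01`, which is how odd names end up in the notification.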
You asked, Log Insight listened! Now you know when hosts are no longer reporting to Log Insight. This is a really cool feature! What do you think?
© 2018, Steve Flanders. All rights reserved.