Channel: VMware Communities : Discussion List - All Communities

Build query/alert help: No logs received from given hosts/agents

I'm struggling to figure out a way to build this as a query and subsequently as an alert. My previous post is involved in this issue. The problem I'm trying to address here is when a host or hosts stop sending logs to Log Insight for one reason or another. The reasons could be various, including failure of the agent or syslog daemon, firewall definitions changing and blocking communication, etc. For certain critical infrastructure pieces where log data is the only stateful data that needs to be preserved, having logs is immensely important. For other systems, having logs is similarly important when it comes to troubleshooting and postmortem analysis.

The goal here is to build a query/alert that detects when one or multiple hosts stop sending logs to vRLI and then to pass that alert over to vROps, associating it with the object which has stopped logging. This could be an ESXi host, vCenter, switch, or VM that has the vRLI agent installed. Creating a 1:1 mapping between host and alert is a simple thing; however, this does not scale well and is a maintenance nightmare.

Logically, I'd like to create a user-defined tag with a certain value, apply that key-value pair to an agent definition, and build a query/alert that understands, for any system that contains that tag, to alert when it does not see any logs for a given time period. So far, I'm not finding a way to make this happen other than to create an alert for each and every system that should be "watched". I welcome any thoughts or ideas on how to accomplish this goal.
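The check the poster describes is an absence test: it cannot be answered by querying the log store alone, because a host that has sent nothing produces no rows to match. You need an inventory of expected hosts (here, the tag assignment) joined against the last timestamp seen per host. The following is an added, stand-alone illustration of that logic in Python; it is not part of the original post and not a vRLI query or a vROps integration. The syslog-style lines, the hostnames and the `WATCHED_HOSTS` tag map are constructed for the example.

```python
"""Absence-of-logs check over constructed syslog-style lines (added example)."""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample lines (not real vRLI/vROps output):
# "<ISO-8601 timestamp> <hostname> <message>".
SAMPLE_LOGS = """\
2023-05-01T10:00:05Z esxi-01 vmkernel: cpu0: heartbeat
2023-05-01T10:01:10Z esxi-02 vmkernel: cpu1: heartbeat
2023-05-01T10:02:00Z vcenter-01 vpxd: health ok
2023-05-01T10:25:00Z esxi-01 vmkernel: cpu0: heartbeat
2023-05-01T10:28:30Z esxi-02 hostd: task completed
2023-05-01T10:29:00Z app-vm-07 liagent: connected
"""

# Hypothetical inventory standing in for the user-defined tag the poster
# wants to attach to each agent definition: host -> set of tag values.
# A tagged host that never appears in the logs at all (core-switch-01) is
# the case a plain log query cannot catch, so the inventory drives the loop.
WATCHED_HOSTS = {
    "esxi-01": {"critical-infra"},
    "esxi-02": {"critical-infra"},
    "vcenter-01": {"critical-infra"},
    "core-switch-01": {"critical-infra"},  # sends no lines in the sample
    "app-vm-07": {"app-tier"},
}

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<msg>.*)$")


def parse_iso(ts: str) -> datetime:
    """Parse an ISO-8601 timestamp; 'Z' is normalised for older Pythons."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def parse_last_seen(text: str) -> dict:
    """Return {host: latest timestamp seen} from syslog-style lines."""
    last_seen = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # skip blank or malformed lines
        ts, host = parse_iso(m["ts"]), m["host"]
        if host not in last_seen or ts > last_seen[host]:
            last_seen[host] = ts
    return last_seen


def silent_hosts(last_seen: dict, watched: dict, tag: str,
                 now: datetime, window: timedelta) -> dict:
    """Hosts carrying `tag` with no line newer than now - window.

    Returns {host: minutes_silent}; a value of None means the host was never
    seen at all, which is the case that must not be lost in an alert.
    """
    cutoff = now - window
    result = {}
    for host, tags in watched.items():
        if tag not in tags:
            continue
        seen = last_seen.get(host)
        if seen is None:
            result[host] = None
        elif seen < cutoff:
            result[host] = int((now - seen).total_seconds() // 60)
    return dict(sorted(result.items()))


def run_check(tag: str, now_iso: str, window_minutes: int) -> dict:
    """Convenience wrapper: evaluate the sample logs against one tag."""
    return silent_hosts(parse_last_seen(SAMPLE_LOGS), WATCHED_HOSTS, tag,
                        parse_iso(now_iso), timedelta(minutes=window_minutes))


if __name__ == "__main__":
    # Evaluate at 10:30 with a 10-minute window: vcenter-01 has been quiet
    # for 28 minutes and core-switch-01 has never reported.
    print(run_check("critical-infra", "2023-05-01T10:30:00Z", 10))
```

The returned dictionary is keyed by hostname precisely so that each entry can be matched to a single monitored object downstream, which is the 1:N mapping the poster is after; one evaluation per tag covers every host carrying it, and adding a host means adding one inventory entry, not one alert.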
