Reporting on Log Sources not Sending Data
complete
Nate O'Brien
complete
We now support creating escalations when a log source stops reporting in. The KB for the capability can be found here:
https://support.huntress.io/hc/en-us/articles/42917517950995-Non-Reporting-Log-Source-Escalations
Joshua Kho
We need this feature refined so we can control which specific endpoint logs have this functionality enabled, as it comes across like spam having this online.
Dru DuBay
Just came here to add another comment that this is great, but not working as it should for computers. Machines that are offline, or intentionally shut down, should not be reported on.
If Huntress has the machine checking in but not reporting, then fine. But if Huntress shows the machine last checking in 1 hour ago, I don't want an alert that the SIEM hasn't seen something in 8 hours.
Pat DiPersia
Definitely need granularity here. Would be great to have filtering in a way that we don't have to regularly exclude machines. For example, filter out all Windows machines that aren't servers. PLEASE don't just give us a checkbox next to machines to turn this off; it won't be useful if so.
Karen Johnson
I turned this on and it sent me alerts for 510 sources! The vast majority of these are simply desktops that are offline. I agree that this needs granularity. I would like to be alerted primarily on firewall sources and generic syslog collectors that stop collecting. Desktop Windows logs are not ones we would typically be concerned with if they stopped reporting for a period of time.
Phill Wade
I just saw and enabled this feature described here - https://www.loom.com/share/bb513c54b0f24b80b8f89cdd8a16fef8?sid=8fae95ce-38c2-459d-ae74-b5de054e2a55
This created escalations for Windows devices that were just turned off overnight. Can we have some functionality added where we can specify which data sources are reported on? For Windows, it would also be good to be able to filter desktop vs. server.
Chris Bisnett
in progress
We've built out the logic to identify when data sources stop sending data where we expect there to be data. We're testing this internally so that we don't turn it on and flood folks with false positives. This should be enabled for everyone in the next few weeks.
Jacob Wiley
Chris Bisnett, we enabled the feature and we're getting blown up with alerts because laptops are offline. Support says this is intended and we need to open a feature request. Is that true?
Nate O'Brien
Hi Jacob Wiley - I've found your support ticket and will work with you through there. We've developed this capability to be as minimally invasive as possible - specifically, workstations that go offline for at least an hour a week should never trigger escalations.
Here is the KB for this feature:
Jacob Wiley
Thanks Nate O'Brien!
Dru DuBay
Nate O'Brien Hey Nate, I don't understand how the spam issue has changed or been fixed with this feature; I've read fully through the updated KB at least twice. What these reports are primarily doing ATM is telling me that a Windows machine is offline, which doesn't really matter, which my RMM can alert me on, and which is not something we want in Huntress, which otherwise only alerts us for things that actually matter. Your Huntress alert should only create escalations for machines you see online but not reporting to the SIEM. Otherwise, this is not about "Non-Reporting Log Source Escalations"; it's really about creating escalations for Huntress agents that aren't online. This of course doesn't apply to non-agent sources, but the spam is coming from agent sources. So maybe we need separate alert options for "Endpoint Logs" sources and everything else.
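One way to express the rule proposed in the thread (escalate a silent agent source only when the agent itself is still checking in, while a silent non-agent source such as a firewall or syslog collector escalates on its own). This is an added example, not Huntress's logic or code; the 8-hour silence threshold, the 1-hour check-in window, the field names and the sample fleet are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

@dataclass
class LogSource:
    name: str
    kind: str                               # "firewall", "syslog", "windows_workstation", ...
    last_log_at: datetime                   # newest event the SIEM received from this source
    agent_last_checkin: Optional[datetime]  # None for sources with no endpoint agent

def classify(src: LogSource, now: datetime,
             silence: timedelta = timedelta(hours=8),
             checkin_window: timedelta = timedelta(hours=1)) -> str:
    """Return 'escalate' or a suppression reason for one source.

    Rule under test (assumed, not the vendor's): silence on a non-agent source
    is actionable on its own; silence on an agent source is only actionable
    when the agent is still checking in, i.e. the host is online but its logs
    have stopped reaching the SIEM.
    """
    if now - src.last_log_at <= silence:
        return "ok: still sending"
    if src.agent_last_checkin is None:
        return "escalate"                   # firewall / syslog collector went quiet
    if now - src.agent_last_checkin <= checkin_window:
        return "escalate"                   # host online, yet nothing reaches the SIEM
    return "suppressed: agent offline"      # powered off or asleep: an RMM concern, not a log-pipeline one

def triage(sources, now):
    return {s.name: classify(s, now) for s in sources}

# Constructed sample fleet evaluated at a fixed "now" of 09:00 UTC
T0 = datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc)
def at(h, m, day=15): return datetime(2024, 1, day, h, m, tzinfo=timezone.utc)

FLEET = [
    LogSource("fw-edge-01", "firewall", at(23, 30, day=14), None),                           # quiet 9.5 h
    LogSource("ws-reception", "windows_workstation", at(17, 0, day=14), at(17, 5, day=14)),  # shut down overnight
    LogSource("ws-finance-03", "windows_workstation", at(0, 30), at(8, 20)),                 # online, logs stopped 8.5 h ago
    LogSource("srv-dc-01", "windows_server", at(8, 50), at(8, 55)),                          # healthy
]

if __name__ == "__main__":
    for name, verdict in triage(FLEET, T0).items():
        print(f"{name:15} {verdict}")
```

Only the quiet firewall and the online-but-silent workstation escalate; the desktop that was simply shut down overnight is suppressed.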
James Mason | SE @ Huntress
this quarter