How to detect if a host has stopped sending logs to SSB (4267196)

How to detect if a host has stopped sending logs to SSB

Message Rate Alerting can be configured so that an alert is sent if the number of logs being received from hosts by SSB either drops below or exceeds certain limits.

To configure message rate alerting

1. Navigate to SSB > Log > Sources
2. Choose which source requires monitoring
3. Enable Message rate alerting.
4. Select the counter to be measured:
   1. Messages: Number of messages
   2. Messages/sender: Number of messages per sender (the last hop)
   3. Messages/hostname: Number of messages per host (based on the hostname in the message)
5. Select the time period (between 5 minutes and 24 hours) during which the range is to be measured.
6. Enter the range that is considered normal in the Minimum and Maximum fields.
7. Select the alerting frequency in the Alert field. Once sends only one alert (and after the problem is fixed, a "Fixed" message), Always sends an alert each time the result of the measurement falls outside the preset range.

For more detailed information please see the section “Configuring message rate alerting” in the admin guide.