
How to check active nodes connected to Splunk forwarder?

tulgabatm
New Member

How do I check the active nodes sending logs to the Splunk forwarder, and also how do I check that the Splunk forwarder is sending all these nodes' logs to the indexer?


gcusello
SplunkTrust

Hi @tulgabatm,

To have an overview of perimeter health status, you first have to create a lookup containing all the systems to monitor in your perimeter (called e.g. perimeter.csv). This lookup must have at least one column (called e.g. host), but it can also contain other information to enrich your results.

Then you have to run a search like this:

| metasearch index=_internal OR index=*
| eval host=lower(host)
| stats count BY host
| append [ | inputlookup perimeter.csv | eval host=lower(host), count=0 | fields host count ]
| stats sum(count) AS total BY host
| where total=0

Some clarifications:

  • you can use | metasearch so that you have a faster search;
  • in this search, total=0 means that you have no logs from a target;
  • if you have only servers with Universal Forwarders (without syslog or other inputs), you can use only index=_internal (without index=*) so you'll have a faster search;
  • if you have only servers with Universal Forwarders, you can be sure that you have a correct check even when there are no logs to receive, because you always have the UF logs;
  • if you also have syslog or HEC, in other words logs without a UF, you have the problem that you could get a false positive alarm when you aren't receiving logs simply because there aren't any logs to receive, so (if possible) try to create a heartbeat;
  • using this search (without the last row) you can also get an overview of your infrastructure, which you can also display graphically.

Ciao.
Giuseppe

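The check in the answer above is a set difference: hosts listed in the perimeter lookup minus hosts that actually produced events. As an added example that is not part of the original thread or of Splunk, the same logic in Python over a constructed perimeter.csv and a constructed list of (host, _time) events, so the behaviour can be reasoned about offline. It goes a little beyond the answer's search: besides the "silent" hosts (total=0), it also flags hosts that did report but not recently (a forwarder that stopped mid-day would never show up as total=0 over a long time range), and hosts that send logs without being in the lookup at all. The host names, the owner column and the one-hour threshold are assumptions for the example.

```python
"""Added example, not code from the Splunk Answers thread: the perimeter
health check expressed as plain Python over constructed sample data."""
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed lookup contents. Only the 'host' column is required; 'owner'
# stands in for the enrichment columns the answer mentions.
PERIMETER_CSV = """host,owner
WEB-01,webteam
web-02,webteam
db-01,dba
syslog-fw-01,netops
"""

# Fixed "now" so the example is deterministic.
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)

# Constructed events as (host, _time) pairs, the two metasearch fields the
# SPL search relies on. Note the mixed case, hence the lower() everywhere.
EVENTS = [
    ("web-01", NOW - timedelta(minutes=2)),
    ("DB-01", NOW - timedelta(hours=3)),      # seen, but stale
    ("web-02", NOW - timedelta(seconds=30)),
    ("lab-99", NOW - timedelta(minutes=1)),   # sends logs, not in the lookup
]


def load_perimeter(csv_text):
    """Parse the lookup; keys are lower-cased hosts, like 'eval host=lower(host)'."""
    rows = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        rows[row["host"].strip().lower()] = row
    return rows


def last_seen_by_host(events):
    """Equivalent of '| stats latest(_time) AS last_seen BY host' after lower-casing."""
    seen = {}
    for host, ts in events:
        key = host.lower()
        if key not in seen or ts > seen[key]:
            seen[key] = ts
    return seen


def silent_hosts(perimeter, seen):
    """Hosts in the lookup with zero events: the 'where total=0' rows of the SPL search."""
    return sorted(h for h in perimeter if h not in seen)


def stale_hosts(perimeter, seen, now, max_age):
    """Hosts that did report, but whose newest event is older than max_age."""
    return sorted(h for h in perimeter if h in seen and now - seen[h] > max_age)


def unlisted_hosts(perimeter, seen):
    """Hosts producing events that nobody put in the lookup: the inventory is out of date."""
    return sorted(h for h in seen if h not in perimeter)


def perimeter_report(csv_text=PERIMETER_CSV, events=EVENTS, now=NOW,
                     max_age=timedelta(hours=1)):
    """Run all three checks and return them as one dict of sorted host lists."""
    perimeter = load_perimeter(csv_text)
    seen = last_seen_by_host(events)
    return {
        "silent": silent_hosts(perimeter, seen),
        "stale": stale_hosts(perimeter, seen, now, max_age),
        "unlisted": unlisted_hosts(perimeter, seen),
    }


if __name__ == "__main__":
    for kind, hosts in perimeter_report().items():
        print(f"{kind}: {', '.join(hosts) or '-'}")
```

The "stale" check only makes sense for hosts that always produce something, such as Universal Forwarders writing to _internal; for a syslog-only or HEC-only source with no traffic, a stale or silent result is the false positive the answer warns about, and a scheduled heartbeat event is the usual fix.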