Merge pull request #15009 from Security-Onion-Solutions/reyesj2/ea-alerter

so-elastic-agent-monitor
2025-12-06 01:02:46 +01:00 · 2025-09-09 17:00:39 -05:00
parent d9e86c15bc 29980ea958
commit 0aa556e375
2 changed files with 6 additions and 1 deletions
--- a/salt/elasticfleet/files/integrations/grid-nodes_general/elastic-agent-monitor.json
+++ b/salt/elasticfleet/files/integrations/grid-nodes_general/elastic-agent-monitor.json
@@ -19,7 +19,7 @@
          "enabled": true,
          "vars": {
            "paths": [
-              "/opt/so/log/agents/agent-monitor-*.log"
+              "/opt/so/log/agents/agent-monitor.log"
            ],
            "data_stream.dataset": "agent-monitor",
            "pipeline": "elasticagent.monitor",
--- a/salt/manager/tools/sbin_jinja/so-elastic-agent-monitor
+++ b/salt/manager/tools/sbin_jinja/so-elastic-agent-monitor
@@ -145,6 +145,11 @@ main() {

                offline_hours=$(calculate_offline_hours "$last_checkin")

+                if [ "$offline_hours" -lt "$OFFLINE_THRESHOLD_HOURS" ]; then
+                    log_message "INFO" "${agent_hostname^^} has been offline for ${offline_hours}h (threshold: ${OFFLINE_THRESHOLD_HOURS}h). Not logging ${agent_status^^} agent until it reaches threshold"
+                    continue
+                fi
+
                log_entry=$(echo 'null' | jq -c \
                    --arg ts "$current_timestamp" \
                    --arg id "$agent_id" \