    Reports on node down but traffic from that machine continues?


      Hi all,

           I would like to make a rule to email or perform another action for the event that a node is in a disconnected status, but LEM is getting logs with the machine name of that node in the log. 

           I have been looking but have not found a thread talking about this.  If there is one already, please point me to it.

           The reason I am looking for this is we had a situation where a PC that has the LEM agent installed was altered and the LEM agent was disconnected and stopped sending logs to LEM.  The PC continued to operate normally and the LEM agent service is running and configured correctly but no logs.  LEM did get logs from other systems that interacted with that computer, for example, fileaudit events.

           It's not an unusual event for PCs to be offline when not in use, so monitoring disconnected nodes would not help.

           My hopes are to set up some sort of “catch” that when log traffic gets to LEM of a device that does not have an active node, to have a rule that kicks off to notify of it.

           Any ideas of how to do this or a better way altogether? I'm open to other concepts and I'm sure someone else has already invented a better mousetrap for this.


      Thanks for your time.
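
The correlation asked about above, sketched as an added example (not part of the original post and not LEM rule syntax): flag a managed host whose agent is disconnected while other nodes still report events naming it. The record layouts, field names (`connected`, `last_log`, `reporting_node`, `subject_host`), host names and the 15-minute grace period are assumptions standing in for exported agent status and event data.

```python
from datetime import datetime, timedelta

def norm(host):
    """Compare by lowercase short name so PC-042 and pc-042.corp.example match."""
    return host.strip().lower().split(".")[0]

def silent_but_active(agents, events, grace=timedelta(minutes=15)):
    """Return {host: [events]} for hosts whose agent is disconnected but which
    other nodes still report activity for, later than last agent log + grace."""
    status = {norm(name): a for name, a in agents.items()}
    hits = {}
    for ev in events:
        host = norm(ev["subject_host"])
        agent = status.get(host)
        if agent is None or agent["connected"]:
            continue  # not a managed node, or its agent is healthy
        if norm(ev["reporting_node"]) == host:
            continue  # the host's own agent sent this, so it is not silent
        if ev["time"] - agent["last_log"] < grace:
            continue  # too close to the last agent log: normal shutdown lag
        hits.setdefault(host, []).append(ev)
    return hits

# Constructed sample data (hypothetical hosts and event types).
AGENTS = {
    "PC-042": {"connected": False, "last_log": datetime(2024, 1, 10, 8, 0)},
    "PC-077": {"connected": False, "last_log": datetime(2024, 1, 9, 17, 30)},
    "FS-01": {"connected": True, "last_log": datetime(2024, 1, 10, 10, 4)},
}
EVENTS = [
    {"time": datetime(2024, 1, 10, 8, 5), "reporting_node": "FS-01",
     "subject_host": "PC-042", "type": "FileAudit"},   # inside grace window
    {"time": datetime(2024, 1, 10, 10, 2), "reporting_node": "FS-01",
     "subject_host": "pc-042.corp.example", "type": "FileAudit"},
    {"time": datetime(2024, 1, 10, 10, 3), "reporting_node": "FS-01",
     "subject_host": "FS-01", "type": "FileAudit"},    # healthy node
    {"time": datetime(2024, 1, 10, 10, 5), "reporting_node": "DC-01",
     "subject_host": "PC-042", "type": "Logon"},
]

HITS = silent_but_active(AGENTS, EVENTS)

if __name__ == "__main__":
    for host, evs in HITS.items():
        print(f"ALERT {host}: agent disconnected, {len(evs)} events from other nodes")
```

PC-077 is disconnected but nothing references it, so it is treated as an ordinary powered-off PC and raises no alert.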