You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
@@ -17,21 +15,32 @@ navigation_title: Built-in alerts and templates
17
15
When you install or upgrade {{agent}}, new alert rules are created automatically. You can configure and customize out-of-the-box alerts to get them up and running quickly.
18
16
19
17
::::{note}
20
-
The built-in alerts feature for {{agent}} is available only for some subscription levels. The license (or a trial license) must be in place before you install or upgrade {{agent}} before this feature is available.
18
+
The built-in alerts feature for {{agent}} is available only for some subscription levels. The license (or a trial license) must be in place _before_ you install or upgrade {{agent}} for the alert rules to be available.
21
19
22
-
Refer [Elastic subscriptions](https://www.elastic.co/subscriptions) for more information.
20
+
Refer to [Elastic subscriptions](https://www.elastic.co/subscriptions) for more information.
23
21
::::
24
22
25
23
In {{kib}}, you can enable out-of-the-box rules pre-configured with reasonable defaults to provide immediate value for managing agents.
26
-
You can use [ES|QL](/explore-analyze/discover/try-esql.md) to author conditions for each rule.
27
-
28
-
Connectors are not added to rules automatically, but you can attach a connector to route alerts to your platform of choice -- Slack or email, for example.
29
-
In addition, you can add filters for policies, tags, or hostnames to scope alerts to specific sets of agents
24
+
You can use [{{esql}}](/explore-analyze/discover/try-esql.md) to author conditions for each rule.
30
25
31
26
You can find these rules in **Stack Management** > **Alerts and Insights** > **Rules**.
32
27
28
+
### Available rules [available-alert-rules]
29
+
30
+
| Alert | Description |
31
+
| -------- | -------- |
32
+
|[Elastic Agent] CPU usage spike| Checks if {{agent}} or any of its processes were pegged at a high CPU for a specified window of time. This could signal a bug in an application and warrant further investigation.<br> - Condition: `system.process.cpu.total.time.ms` > 80% for 5 minutes<br>- Default: Enabled |
33
+
|[Elastic Agent] Dropped events | Checks if percentage of events dropped to acked events from the pipeline are greater than or equal to 5%. Rows are distinct by agent id and component id. |
34
+
|[Elastic Agent] Excessive memory usage| Checks if {{agent}} or any of its processes have a high memory usage or memory usage that is trending higher. This could signal a memory leak in an application and warrant further investigation.<br>- Condition: Alert on system.process.memory.rss.pct > 80%<br>- Default: Enabled (perhaps the threshold should be higher if this is on by default) |
35
+
|[Elastic Agent] Excessive restarts| Checks if excessive restarts on a host which require further investigation. Some of these restarts could have a business impact and getting an alert for them would allow us to act quickly to mitigate.<br>- Condition: Alert on (not sure) > 10 times in a 5 minute window<br>- Default: Enabled |
36
+
|[Elastic Agent] High pipeline queue | Checks if max of `beat.stats.libbeat.pipeline.queue.filled.pct` exceeds 90%. Rows are distinct by agent id and component id. |
37
+
|[Elastic Agent] Output errors | Checks if the errors per minute from an agent component is greater than 5. Rows are distinct by agent id and component id. |
38
+
|[Elastic Agent] Unhealthy status | Checks for log occurrence of an agent status change to "error" using the new elastic_agent.status_change datastreams. |
39
+
40
+
Connectors are not added to rules automatically, but you can attach a connector to route alerts to your Slack, email, or other notification platforms.
41
+
In addition, you can add filters for policies, tags, or hostnames to scope alerts to specific sets of agents.
33
42
34
-
## Alert templates assets for integrations [alert-templates]
43
+
## Alert template assets for integrations [alert-templates]
35
44
36
45
Some integration packages include alerting rule template assets that provide pre-made definitions of alerting rules. You can use the templates to create your own custom alerting rules that you can enable and fine tune.
After you've started using integrations to ingest data, you can customize how the data is managed over time. Refer to [Index lifecycle management](/reference/fleet/data-streams.md#data-streams-ilm) to learn more.
49
+
After you've started using integrations to ingest data, you can customize how the data is managed over time. Refer to [{{ilm-cap}}](/reference/fleet/data-streams.md#data-streams-ilm) to learn more.
0 commit comments