Monitor

There is a monitor that will create an alert, if you go to rules tab, monitor, system, there are 2 default. One for asset creation and one for monitoring activity.

You set the timeout parameters, I believe it is 400s by default. Note, this will only works for agent/collector/sensor, but not for a node like a syslog device stopping sending event.

Thx Laurent-c.
My environment contains 50% of the nodes reporting through syslog (agentless ciscos, some production unixes).
Is there anyway to monitor their "aliveness" using SIM rules? 
Regards.

If you are running 4.7 there is a new type of rule called "X not followed by X"

An example is a system rule called potential Agent Malfunction.

This should be able to monitor the list of IP you need. I will try to see if I can find a good example.

It works, I have ran a few test, I need to review the rule but it seems to be doing the job you are looking for. Once I finalise I will post a KB.

lovely.
thank you for your help and waiting for a KB.

I have the KB nearly ready, but it won't be puplished yet so here is an extract, keep it mind it works well in my environment, the rule is only a example and will need to be tweakd to suit your need.

How to use this rule type to monitor missing host

and

 Note: This rule might need to be changed depending of the point product you are collecting from. In the case of UNIX, PIX and Snare Collector, the Logging Device Name is the name of the Appliance forwarding. Depending of the product you want to use, you might need to change this value to match the field you are looking for.

I have not able to attach a exported rule to this forum, but the 2 screenshots should give you a guideline.

Article is TECH139302 (When this will be public)