This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Buy or Renew
Buy or Renew

Broker Helath Checking

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Broker Helath Checking

M.Soares909225
L0 Member

‎12-10-2025 12:23 PM

Hello everyone!

 

I working in a environment that have some broker clusters and local brokers as well, I would like know how I can implement some way to have a daily health checking for these brokers, like if the broker is need a reboot to update, if I don't have any Gaps in receiving logs (for example the last logs received was one day ago) etc. and create a dashboard with that and also notify by e-mail.

1 person had this problem.
0 Likes Likes
2 REPLIES 2

amcdonal363
L1 Bithead

‎12-16-2025 11:34 AM

On your 3.x tenant, go to:  https://<tenant_url>/auditing (This brings you to the Management Audit Logs)

Note: There is no dataset dedicated to receiving any sort of events from the Broker VM itself.

 

The best practice would be the SIEM admin to check the https://<tenant_url>/configuration/broker-vms/brokers UI every Monday morning to see if an upgrade is available or a reboot is required to apply an update which is applied automatically.

 

For monitoring health of data ingestions, first ensure Data Ingestion Monitoring is enabled in https://<tenant_url>/configuration/general; then create correlation rules to monitor these ingestion metrics:

(1)

PA_nts
L4 Transporter

‎01-15-2026 12:18 AM

Bit late to the party.. but agree.. the default health checks in my opinion is not great..

we have correlation rules that will detect broker-vm applet errors and disconnects - when this happens it will generate an alert in the health domain and our guys are notified.

 

When a Broker-VM loses connectivity to the XSIAM tenant you can use the following query in a correlation rule:

 

dataset = saas_audit_logs  

| filter operation_name_orig = "BROKER_VM:Disconnect"

 

When a Broker-VM applet loses connectivity to one of the connectors/applets you can use the following query in a correlation rule:

 

config case_sensitive = true |
dataset = collection_auditing

| filter classification = "ERROR"
| comp latest(_time) by collector_type , instance , classification ,description, _broker_ip_address, _broker_device_name, _broker_device_id

 

the correlation rule you can define to what suits you best..

 

0 Likes Likes
  • 1434 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2026 - Palo Alto Networks