This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Buy or Renew
Buy or Renew

Broker-VM disconnet alert notification

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Broker-VM disconnet alert notification

PA_nts
L4 Transporter

‎05-19-2025 11:48 PM

Hi All,

 

anyi dea how i can generate an alert when a broker-vm gets disconnected?

 

Has anyone managed to create a correlation rule that will alert if a Broker-VM gets disconnected from XSIAM?

the xsiam documentation states that 'To help you monitor your Broker VM version, connectivity, and high availability clusters, Cortex XSIAM sends notifications to your Cortex XSIAM console Notification Center' but this does not help me much. 

Additionally you can setup email notification but i don't want that.. instead we have an integration to a backend helpdesk ticket system, so that when an alert is created in xsiam, it sends the incident/alert payload and it then generates a ticket on our backend helpdesk and engineers will be assigned.

we use this currently for datasources and ngfw devices that stops sending logs.

thanks in adv

0 Likes Likes
3 REPLIES 3

PA_nts
L4 Transporter

‎05-20-2025 01:36 AM

To Add..

If i create a xql query as per below.. it shows me the applets within the broker-vm if they are in an ERROR state

note i did this as case sensitive to filter out unwanted error alerts from other datasources.. i am specifically looking for 'broker-vm' issues.

 

config case_sensitive = true |
dataset = collection_auditing
| filter classification = "ERROR"
| comp latest(_time) by collector_type , instance , classification ,description, _broker_ip_address, _broker_device_name, _broker_device_id

 

however.. this will not alert if the broker-vm is disconnected. so still working on that portion.

cheers

 

0 Likes Likes

Vinay-AS
L1 Bithead

‎05-30-2025 09:15 AM

Hello,

 

You can identify disconnected Broker VMs by creating a correlation rule with the following query.

 

dataset = management_auditing
| filter description contains "Broker VM"
| filter subtype = "Disconnect"

 

Confirm if this works as expected.

 

Regards,

Vinay

 

 

 

0 Likes Likes

PA_nts
L4 Transporter

‎06-05-2025 12:07 AM

Hi Vinay

thanks.. yes I have tried that also.. however I find it is not very efficient.. ie when a broker vm gets disconnected.. it can take some time for this correlation rule to pick this up.. i guess the disconnect only gets updated in the audit logs once the timeout threshold has been received. so in this case.. both queries seems give me the same result.

was hoping for something with less time delay.. but can work with it as is.

 

thanks

 

0 Likes Likes
  • 672 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2025 - Palo Alto Networks