Add agent status alert rules

MichelLosier · MichelLosier · commit ecb6075b2a4b · 2025-11-03T14:18:53.000-08:00
diff --git a/packages/elastic_agent/kibana/alerting_rule_template/elastic-agent-offline-status.json b/packages/elastic_agent/kibana/alerting_rule_template/elastic-agent-offline-status.json
@@ -0,0 +1,34 @@
+{
+  "id": "elastic-agent-offline-status",
+  "type": "alerting_rule_template",
+  "attributes": {
+    "name": "[Elastic Agent] Offline status",
+    "tags": ["Elastic Agent"],
+    "ruleTypeId": ".es-query",
+    "schedule": {
+      "interval": "1m"
+    },
+    "params": {
+      "searchType": "esqlQuery",
+      "timeWindowSize": 5,
+      "timeWindowUnit": "m",
+      "threshold": [0],
+      "thresholdComparator": ">",
+      "size": 100,
+      "esqlQuery": {
+        "esql": "FROM logs-elastic_agent.status_change-default, *:logs-elastic_agent.status_change-default\n| WHERE data_stream.dataset == \"elastic_agent.status_change\" and agentless == false and health_status == \"offline\""
+      },
+      "aggType": "count",
+      "groupBy": "row",
+      "termSize": 5,
+      "sourceFields": [],
+      "timeField": "@timestamp",
+      "excludeHitsFromPreviousRun": true
+    },
+    "alertDelay": {
+      "active": 1
+    }
+  },
+  "coreMigrationVersion": "8.8.0",
+  "typeMigrationVersion": "10.1.0"
+}
diff --git a/packages/elastic_agent/kibana/alerting_rule_template/elastic-agent-unenrolled-status.json b/packages/elastic_agent/kibana/alerting_rule_template/elastic-agent-unenrolled-status.json
@@ -0,0 +1,34 @@
+{
+  "id": "elastic-agent-unenrolled-status",
+  "type": "alerting_rule_template",
+  "attributes": {
+    "name": "[Elastic Agent] Unenrolled status",
+    "tags": ["Elastic Agent"],
+    "ruleTypeId": ".es-query",
+    "schedule": {
+      "interval": "1m"
+    },
+    "params": {
+      "searchType": "esqlQuery",
+      "timeWindowSize": 5,
+      "timeWindowUnit": "m",
+      "threshold": [0],
+      "thresholdComparator": ">",
+      "size": 100,
+      "esqlQuery": {
+        "esql": "FROM logs-elastic_agent.status_change-default, *:logs-elastic_agent.status_change-default\n| WHERE data_stream.dataset == \"elastic_agent.status_change\" and agentless == false and health_status == \"unenrolled\""
+      },
+      "aggType": "count",
+      "groupBy": "row",
+      "termSize": 5,
+      "sourceFields": [],
+      "timeField": "@timestamp",
+      "excludeHitsFromPreviousRun": true
+    },
+    "alertDelay": {
+      "active": 1
+    }
+  },
+  "coreMigrationVersion": "8.8.0",
+  "typeMigrationVersion": "10.1.0"
+}
diff --git a/packages/elastic_agent/kibana/alerting_rule_template/elastic-agent-unhealthy-status.json b/packages/elastic_agent/kibana/alerting_rule_template/elastic-agent-unhealthy-status.json
@@ -16,7 +16,7 @@
       "thresholdComparator": ">",
       "size": 100,
       "esqlQuery": {
-        "esql": "FROM logs-elastic_agent.status_change-default, *:logs-elastic_agent.status_change-default\n| WHERE data_stream.dataset == \"elastic_agent.status_change\" and agentless == false and status in (\"error\", \"degraded\")"
+        "esql": "FROM logs-elastic_agent.status_change-default, *:logs-elastic_agent.status_change-default\n| WHERE data_stream.dataset == \"elastic_agent.status_change\" and agentless == false and health_status == \"unhealthy\""
       },
       "aggType": "count",
       "groupBy": "row",
diff --git a/packages/elastic_agent/kibana/alerting_rule_template/elastic-agent-uninstalled-status.json b/packages/elastic_agent/kibana/alerting_rule_template/elastic-agent-uninstalled-status.json
@@ -0,0 +1,34 @@
+{
+  "id": "elastic-agent-uninstalled-status",
+  "type": "alerting_rule_template",
+  "attributes": {
+    "name": "[Elastic Agent] Uninstalled status",
+    "tags": ["Elastic Agent"],
+    "ruleTypeId": ".es-query",
+    "schedule": {
+      "interval": "1m"
+    },
+    "params": {
+      "searchType": "esqlQuery",
+      "timeWindowSize": 5,
+      "timeWindowUnit": "m",
+      "threshold": [0],
+      "thresholdComparator": ">",
+      "size": 100,
+      "esqlQuery": {
+        "esql": "FROM logs-elastic_agent.status_change-default, *:logs-elastic_agent.status_change-default\n| WHERE data_stream.dataset == \"elastic_agent.status_change\" and agentless == false and health_status == \"uninstalled\""
+      },
+      "aggType": "count",
+      "groupBy": "row",
+      "termSize": 5,
+      "sourceFields": [],
+      "timeField": "@timestamp",
+      "excludeHitsFromPreviousRun": true
+    },
+    "alertDelay": {
+      "active": 1
+    }
+  },
+  "coreMigrationVersion": "8.8.0",
+  "typeMigrationVersion": "10.1.0"
+}
