22. 12. 2023 Juergen Vigna Log-SIEM, NetEye, Unified Monitoring

SIEM: Monitor Hosts Sending Data to Elasticsearch

Do you have a SIEM installation based on Elasticsearch (like the NetEye 4 SIEM Module) and are you sending data to it from your hosts? Then you’ll surely want to know whether your host is actually sending data, or if nothing is coming out at all. For this I made available a simple icinga/nagios plugin to check if data based on your search parameters is located within an Elasticsearch Index.

You can download the plugin from my GIT Plugins Repository: https://raw.githubusercontent.com/WuerthPhoenix/JUVI-NetEye-Monitoring-Plugins/main/check_elasticsearch_query

# /neteye/shared/monitoring/plugins/check_elasticsearch_query --help
Check a count of number of events fount in elasticsearch over a query and timeframe
Usage:  [-H <host>] [-p <port>] -q <query> [-t <timeframe>] [-w <count>] [-c <count>] [-L]
  -h, --help    : this help
  -V, --version : program version
  -H, --host    : host/address of elasticsearch (default: elasticsearch.neteyelocal)
  -p, --port    : tcp port of elasticsearch (default: 9200)
  -i, --index   : elasticsearch index name (default: logstash-*)
  -q, --query   : elasticsearch query string
  -t, --time    : timeframe for search from now back f.ex. 1h or 1d (default: 1h)
  -w, --warning : warning count  (default: not checked)
  -c, --critical: critical count (default: not checked)
  -L, --checkforless: check critical/warning for <= instead for >= which is the default
  -C, --curlcmd : The CURL command to use to connect to elasticsearch (default: /usr/share/neteye/elasticsearch/scripts/es_curl.sh)
                  f.ex.: /usr/bin/curl -E 'ES_CERT_PEM' --key 'ES_CERT_KEY'

check_elasticsearch_query -  - Copyright Juergen Vigna - Wuerth Phoenix srl.

This Monitoring plugin comes with no warranty. You can use and distribute it
under terms of the GNU General Public License Version 2 (GPL V2) or later.

As you can see from the above help, the default parameters are set so that they work on a NetEye SIEM installation, otherwise you’ll have to change the parameters for your ELK installation. An important note is that the -q parameter for the query is just a filter, so you can use for instance host.name: $host.name$ in your Icinga configuration.

Another important thing is that you may check if there are too many or too few entries for this host using the -L flag.

Icinga Service View

The above image shows a typical usage of this plugin to check if a host is still writing data to your Elasticsearch Database using the filter host.name: $host.name. Obviously if the host is not sending data permanently you’ll have to set the Time filter too so that you can be sure it will write data at least once a day (you can change it later to once a day).

Make your SIEM installation more stable using this approach.

These Solutions are Engineered by Humans

Did you find this article interesting? Does it match your skill set? Our customers often present us with problems that need customized solutions. In fact, we’re currently hiring for roles just like this and others here at Würth Phoenix.

Juergen Vigna

Juergen Vigna

NetEye Solution Architect at Würth IT Italy
I have over 20 years of experience in the IT branch. After first experiences in the field of software development for public transport companies, I finally decided to join the young and growing team of Würth Phoenix (now Würth IT Italy). Initially, I was responsible for the internal Linux/Unix infrastructure and the management of CVS software. Afterwards, my main challenge was to establish the meanwhile well-known IT System Management Solution WÜRTHPHOENIX NetEye. As a Product Manager I started building NetEye from scratch, analyzing existing open source models, extending and finally joining them into one single powerful solution. After that, my job turned into a passion: Constant developments, customer installations and support became a matter of personal. Today I use my knowledge as a NetEye Senior Consultant as well as NetEye Solution Architect at Würth Phoenix.

Author

Juergen Vigna

I have over 20 years of experience in the IT branch. After first experiences in the field of software development for public transport companies, I finally decided to join the young and growing team of Würth Phoenix (now Würth IT Italy). Initially, I was responsible for the internal Linux/Unix infrastructure and the management of CVS software. Afterwards, my main challenge was to establish the meanwhile well-known IT System Management Solution WÜRTHPHOENIX NetEye. As a Product Manager I started building NetEye from scratch, analyzing existing open source models, extending and finally joining them into one single powerful solution. After that, my job turned into a passion: Constant developments, customer installations and support became a matter of personal. Today I use my knowledge as a NetEye Senior Consultant as well as NetEye Solution Architect at Würth Phoenix.

Latest posts by Juergen Vigna

09. 04. 2026 NetEye
Migrating your NetEye Server to New Hardware (Part 1)
15. 12. 2025 Icinga Web 2, NetEye, Unified Monitoring
Monitoring Your NetApp S3 Object Storage
16. 10. 2025 NetEye, Unified Monitoring
Control the Update Status of Your NagVis Maps
22. 05. 2025 NetEye, Unified Monitoring
Automatic Integration of NagVis Map into Icinga Web 2/NetEye Monitoring
24. 01. 2025 ITOA, NetEye, Unified Monitoring
Monitoring NetApp Storage Devices over a RESTful API
See All

Related Content

Tags: , , , ,

02. 04. 2026 NetEye, Unified Monitoring

Monitoring Ollama in NetEye with ollama-metrics and check_prometheus

Running Ollama locally or on dedicated hardware is straightforward until you need to know whether a model is actually loaded in RAM, how fast it generates tokens under load, or when memory consumption reaches a threshold that affects other workloads. Read More
31. 03. 2026 NetEye

Automating Icinga 2 Agent Builds for IBM Power (ppc64le)

Not long ago, I received an interesting request from one of our client’s Unix teams: They wanted a URL where the latest version of the Icinga 2 agent is always available. An important requirement was that this version should stay Read More
30. 03. 2026 APM, Log Management, Log-SIEM, NetEye

Sending OTel Data to Elasticsearch: Tenant Segregation through OAuth

Hi everyone! Today I'd like to share with you an investigation we undertook related to ingesting Open Telemetry data in Elasticsearch, while maintaining tenant segregation from start to end. The Scenario Let's imagine we have multiple customers, where in this Read More
30. 03. 2026 NetEye, Unified Monitoring

SNMP and Non-connected Interfaces

SNMP monitoring is the standard method for obtaining information and metrics from network devices. Typically, we focus on extracting data from a single interface to monitor its status, traffic, or errors. But in many cases, we’re only interested in getting Read More
30. 03. 2026 Bug Fixes, NetEye

Bug Fixes for NetEye 4.46

In the ITOA module we fixed a bug that prevented the Performance Graphs to be shown in the Monitoring host and service page. List of updated packages grafana, grafana-autosetup, grafana-configurator and grafana-neteye-config to version 12.4.1_neteye3.29.2-1

Leave a Reply

Your email address will not be published. Required fields are marked *

Search by technology

Contact

Contact us
Serviceportal

Archive