My Panther log source is not triggering drop-off alarms. How can I configure this?
To configure the drop-off alarm for your log source, follow the guide provided on this documentation page.
By default, the drop-off alarm is enabled for each log source and is triggered if your log source has not received any log events within 24 hours. The alarm is based on events received, so it will not be triggered even if all events are filtered out and no events are processed.
Important Notes:
The alert is sent only once for a full period of inactivity starting from the last received event.
Marking an alert as "Resolved" does not reset the timer.
Receiving a new event resets the timer.
Example:
Set the drop-off alarm to 15 minutes.
If no events are received for 1 hour, the alert triggers once after the first 15-minute interval.
Reset the drop-off interval to 20 minutes.
If events are still not being received, a new alert is triggered once, based on the updated 20-minute interval.
If a new event arrives at any point, the timer automatically resets.
If another 20 minutes pass without events after the new event is received, a new alert will be sent.
A simple way to check whether an alert will be re-triggered is to visit the health page of the log source. If you see the "drop-off" error banner, it means the alert will not be triggered again unless it is reset.
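The timer rules above can be replayed with a small model. This is an added example, not Panther's implementation: the class and method names are hypothetical, the minute marks for resolving (30), changing the interval (60) and the new event (90) are constructed, and it assumes inactivity is always measured from the last received event and checked once per minute.

```python
from dataclasses import dataclass, field


@dataclass
class DropOffModel:
    """Simplified model of the drop-off alarm rules described on this page."""
    threshold_min: int
    last_event_min: int = 0
    banner: bool = False            # True while the "drop-off" banner would show
    alerts: list = field(default_factory=list)

    def receive_event(self, now):
        # Receiving a new event resets the timer and clears the banner.
        self.last_event_min = now
        self.banner = False

    def resolve_alert(self):
        # Marking the alert "Resolved" does not reset the timer: no state change.
        pass

    def set_threshold(self, minutes):
        # Updating the interval re-arms the alarm (assumption: the silence is
        # still counted from the last received event, not from the update).
        self.threshold_min = minutes
        self.banner = False

    def check(self, now):
        # Alert only once per period of inactivity: skip while the banner is up.
        silent_for = now - self.last_event_min
        if not self.banner and silent_for >= self.threshold_min:
            self.banner = True
            self.alerts.append(now)
            return True
        return False


def replay_page_example():
    """Replay the page's example minute by minute; return the alert minutes."""
    model = DropOffModel(threshold_min=15)      # last event at minute 0
    for now in range(1, 121):
        if now == 30:
            model.resolve_alert()               # no effect on the timer
        if now == 60:
            model.set_threshold(20)             # interval changed to 20 minutes
        if now == 90:
            model.receive_event(now)            # a new event arrives
        model.check(now)
    return model.alerts


if __name__ == "__main__":
    print(replay_page_example())
```
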