Hi @adilraad2001,

It is not possible to detect if a syslog client is online or not, since being only a syslog client it can be totally invisible to be seen by any tool. On the other hand wazuh-analysisd, the daemon in charge of processing events and generating alerts, only reacts to stimuli (events), i.e. it will only generate alerts from events that arrive to wazuh-manager and cannot generate alerts from “events that do not arrive”.

But there are workarounds that you could implement. For example, if your devices are ping enabled and from somewhere you have visibility of all of them, you can create a script to ping the list of devices, and when they do not respond send an event to wazuh-manager to generate an alert that the device is off or does not respond to the ping.
Another more complex alternative is to verify when was the last time that a device generated an alert, for example searching in opensearch through the API, and generate events when a certain time passes without generating alerts, although that does not mean that the device is offline.

We also have an issue related to this: #13856

Regards

I closed it because it had been inactive for more than 7 days. Please reopen it if necessary.