---
title: Elastic Agent built-in alerts
description: When you install or upgrade Elastic Agent, new alert rules are created automatically. You can configure and customize out-of-the-box alerts to get them...
url: https://www.elastic.co/elastic/docs-builder/docs/3028/reference/fleet/alert-templates
products:
  - Elastic Agent
  - Fleet
applies_to:
  - Elastic Cloud Serverless: Generally available
  - Elastic Stack: Generally available since 9.2
---

# Elastic Agent built-in alerts
## Elastic Agent out-of-the-box alert rules

When you install or upgrade Elastic Agent, new alert rules are created automatically. You can configure and customize out-of-the-box alerts to get them up and running quickly.
<note>
  The built-in alerts feature for Elastic Agent is available only for some subscription levels. The license (or a trial license) must be in place _before_ you install or upgrade Elastic Agent for the alert rules to be available. Refer to [Elastic subscriptions](https://www.elastic.co/subscriptions) for more information.
</note>

In Kibana, you can enable out-of-the-box rules pre-configured with reasonable defaults to provide immediate value for managing agents.
You can use [ES|QL](https://www.elastic.co/elastic/docs-builder/docs/3028/explore-analyze/discover/try-esql) to author conditions for each rule.
Search for **Alerts and Insights** to find available **Rules**.
If you don't see out-of-the-box alert rules, check your [Elastic subscriptions](https://www.elastic.co/subscription).

### Available alert rules


| Alert | Description | Condition | Default |
|-------|-------------|-----------|---------|
| [Elastic Agent] CPU usage spike | Checks if the agent or any of its processes were pegged at a high CPU for a specified window of time. This could signal a bug in an application and warrant further investigation. | Alert on `system.process.cpu.total.norm.pct` of 80% or more | Disabled |
| [Elastic Agent] Dropped events | Checks ratio of dropped events to acknowledged events. Rows are distinguished by agent ID and component ID. | Alert on ratio of dropped events to acknowledged events of 5% or more | Disabled |
| [Elastic Agent] Excessive memory usage | Checks if the agent or any of its processes have a high memory usage or memory usage that is trending up. This could signal a memory leak in an application and warrant further investigation. | Alert on `system.process.memory.rss.pct` exceeding 50% | Disabled |
| [Elastic Agent] Excessive restarts | Checks for excessive restarts on a host. Some restarts can have a business impact, and getting alerts for them can enable timely mitigation. | Alert on 11 or more restarts in a 5-minute window | Disabled |
| [Elastic Agent] High pipeline queue | Checks percentage of pipeline queue. Rows are distinguished by agent ID and component ID. | Alert on max of `beat.stats.libbeat.pipeline.queue.filled.pct` exceeding 90% | Disabled |
| [Elastic Agent] Offline status | Checks for any agents that are offline. | Alert when agent has been offline for longer than the time set in `inactivity timeout` | Disabled |
| [Elastic Agent] Output errors | Checks errors per minute from an agent component. Rows are distinguished by agent ID and component ID. | Alert on 6 or more errors per minute | Disabled |
| [Elastic Agent] Unenrolled status | Checks for agents that have been manually unenrolled. | Alert on agent that has been removed from Fleet and whose API keys have been revoked | Disabled |
| [Elastic Agent] Unhealthy status | Checks agent status. An `unhealthy` status can indicate errors or degraded functionality of the agent. | Alert on `unhealthy` status | Disabled |
| [Elastic Agent] Uninstalled status | Checks for agents that have been uninstalled. | Alert when agents have been uninstalled and removed from the host system | Disabled |

**Connectors** are not added to rules automatically, but you can attach a connector to route alerts to your Slack, email, or other notification platforms.
In addition, you can add filters for policies, tags, or hostnames to scope alerts to specific sets of agents.
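
The following ES|QL query is an added illustration, not the rule definition that Elastic ships. It sketches how the **High pipeline queue** condition could be written and scoped to a set of hosts with a filter. The index pattern `metrics-elastic_agent.*`, the grouping fields `elastic_agent.id` and `component.id`, the `host.name` filter value, the 5-minute window, and the 0 to 1 scaling of the percentage field are assumptions; check them against your own data before using the query in a rule.

```esql
// Added example: high pipeline queue condition, scoped by hostname.
// Assumed: index pattern, grouping field names, and the "web-*" host filter.
FROM metrics-elastic_agent.*
// Constructed evaluation window; match it to the rule's check interval.
| WHERE @timestamp >= NOW() - 5 minutes
// Scope the alert to a subset of agents (constructed hostname pattern).
| WHERE host.name LIKE "web-*"
// Ignore documents that do not carry the queue metric.
| WHERE beat.stats.libbeat.pipeline.queue.filled.pct IS NOT NULL
// One row per agent ID and component ID, as the rule description states.
| STATS max_queue_filled = MAX(beat.stats.libbeat.pipeline.queue.filled.pct)
    BY elastic_agent.id, component.id
// "Exceeding 90%": assumes the field is stored as a fraction between 0 and 1;
// compare against 90 instead if your data stores whole percentages.
| WHERE max_queue_filled > 0.9
| SORT max_queue_filled DESC
```

Each row the query returns corresponds to one agent and component pair that breached the threshold, so an attached connector can include both IDs in the notification.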