As we all know in the Event Source Management (Live View) screen, every
device has a "configured status" and an "actual status". I discovered
that at times, the configured status is set to ON however the actual
status changes itself to OFF.

This can either happen if there is network connectivity issues with
collector manager or otherwise. The only way to recover is to restart
sentinel on the affected collector manager. Happy with the fix however
I can't see anyway to generate alerts to trigger a correlation rule
should the two status mismatch.

I searched into the Internal logs but if Sentinel is not stopped, I
don't get an error. Any help to identify this situation quicker is much


