
LogMan.io Alerts configuration

LogMan.io Alerts has the following dependencies:

  • Apache ZooKeeper
  • NGINX (for production deployments)
  • Apache Kafka
  • MongoDB
  • Elasticsearch
  • TeskaLabs SeaCat Auth
  • LogMan.io Library with an /Alerts folder and a schema in the /Schemas folder

Example

This example is the most basic configuration required for LogMan.io Alerts:

[zookeeper]
servers=zookeeper-1:2181,zookeeper-2:2181,zookeeper-3:2181

[library]
providers=zk:///library

[kafka]
bootstrap_servers=kafka-1:9092,kafka-2:9092,kafka-3:9092

[elasticsearch]
url=http://es01:9200/

[asab:storage]
mongodb_uri=mongodb://mongodb1,mongodb2,mongodb3/?replicaSet=rs0

[auth]
multitenancy=yes
public_keys_url=http://localhost:8081/openidconnect/public_keys

ZooKeeper

Specify the locations of the ZooKeeper servers in the cluster.

[zookeeper]
servers=zookeeper-1:2181,zookeeper-2:2181,zookeeper-3:2181

Hint

For non-production deployments, a single ZooKeeper server can be used.

Library

Specify the path(s) to the Library from which to load declarations.

[library]
providers=zk:///library

Hint

Since the ECS.yaml schema in /Schemas is utilized by default, consider using the LogMan.io Common Library.

Kafka

Specify bootstrap servers of the Kafka cluster.

[kafka]
bootstrap_servers=kafka-1:9092,kafka-2:9092,kafka-3:9092

Hint

For non-production deployments, a single Kafka server can be used.

Elasticsearch

Specify URLs of Elasticsearch master nodes.

Elasticsearch is used to load events associated with a ticket.

[elasticsearch]
url=http://es01:9200/
username=MYUSERNAME
password=MYPASSWORD

MongoDB

Specify the URL of the MongoDB cluster with a replica set.

Tickets are stored in MongoDB.

[asab:storage]
type=mongodb
mongodb_uri=mongodb://mongodb1,mongodb2,mongodb3/?replicaSet=rs0

Auth

The Auth section ensures that users can access only their own assigned tenants to set up alerts, supporting multitenancy.

It also checks for the resources mentioned in the alert/incident workflow declaration.

[auth]
multitenancy=yes
public_keys_url=http://localhost:8081/openidconnect/public_keys

Input

The Alerts microservice contains a Kafka interface that reads incoming alerts from the lmio-alerts topic. The topic name or the group ID can be changed using:

[pipeline:TicketPipeline:KafkaSource]
topic=lmio-alerts
group_id=lmio-alerts

Note

Changing the input topic for alerts is discouraged to avoid unnecessary complications.

Output for event trigger

[pipeline:OutputPipeline:KafkaSink]
topic=lmio-events-complex

Warning

The event trigger should not be used in any alert's workflow declarations. Use notifications instead.

Workflow

The location of workflows for alerts and incidents is always /Alerts/Workflow.

Web APIs

Alerts provides one web API.

The web API is designed for communication with the UI.

[web]
listen=0.0.0.0 8953

The default port of the public web API is tcp/8953.

This port is designed to serve as the NGINX upstream for connections from collectors.
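As an added example, not part of LogMan.io or of this page, the following Python script parses an Alerts configuration file with the standard configparser module and flags the gaps this page warns about: a missing required section or key, a single ZooKeeper or Kafka server (non-production only), multitenancy switched off, and the MYUSERNAME/MYPASSWORD placeholders left in place. The sample configuration it checks is constructed from the minimal example above with those weaknesses introduced on purpose.

```python
import configparser

# Sections and keys the page lists as the minimal required configuration.
REQUIRED = {"zookeeper": ["servers"], "library": ["providers"], "kafka": ["bootstrap_servers"],
            "elasticsearch": ["url"], "asab:storage": ["mongodb_uri"],
            "auth": ["multitenancy", "public_keys_url"]}

# Constructed sample: the page's minimal example, deliberately weakened with a
# single ZooKeeper server, multitenancy switched off and placeholder credentials.
SAMPLE_CONFIG = """
[zookeeper]
servers=zookeeper-1:2181
[library]
providers=zk:///library
[kafka]
bootstrap_servers=kafka-1:9092,kafka-2:9092,kafka-3:9092
[elasticsearch]
url=http://es01:9200/
username=MYUSERNAME
password=MYPASSWORD
[asab:storage]
mongodb_uri=mongodb://mongodb1,mongodb2,mongodb3/?replicaSet=rs0
[auth]
multitenancy=no
public_keys_url=http://localhost:8081/openidconnect/public_keys
"""


def check_config(text):
    """Return a list of findings; an empty list means the config passed all checks."""
    cfg = configparser.ConfigParser()
    cfg.read_string(text)
    findings = []
    for section, keys in REQUIRED.items():
        if section not in cfg:
            findings.append(f"missing section [{section}]")
            continue
        findings += [f"missing [{section}] {k}" for k in keys if not cfg[section].get(k)]
    # Production deployments expect ZooKeeper and Kafka clusters, not a single node.
    for section, key in (("zookeeper", "servers"), ("kafka", "bootstrap_servers")):
        if section in cfg and len(cfg[section].get(key, "").split(",")) < 2:
            findings.append(f"[{section}] {key} lists a single server (non-production only)")
    # multitenancy=yes is what confines users to their own assigned tenants.
    if cfg.has_option("auth", "multitenancy") and cfg["auth"]["multitenancy"].lower() != "yes":
        findings.append("[auth] multitenancy is not 'yes'")
    # MYUSERNAME/MYPASSWORD are the page's placeholders, not real credentials.
    es = cfg["elasticsearch"] if "elasticsearch" in cfg else {}
    if {es.get("username"), es.get("password")} & {"MYUSERNAME", "MYPASSWORD"}:
        findings.append("[elasticsearch] credentials are still the example placeholders")
    return findings
```

Running `check_config` over the sample reports the three introduced weaknesses; over a file that matches the minimal example with real credentials it returns an empty list.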