
LogMan.io Alerts configuration

LogMan.io Alerts requires the following dependencies:

  • Apache ZooKeeper
  • NGINX (for production deployments)
  • Apache Kafka
  • MongoDB
  • ElasticSearch
  • SeaCat Auth
  • LogMan.io Library with an /Alerts folder and a schema in the /Schemas folder

Example

This is a minimal example of the LogMan.io Alerts configuration:

[zookeeper]
servers=zookeeper-1:2181,zookeeper-2:2181,zookeeper-3:2181

[library]
providers=zk://zookeeper-1:2181,zookeeper-2:2181,zookeeper-3:2181/lmio/library.lib

[kafka]
bootstrap_servers=kafka-1:9092,kafka-2:9092,kafka-3:9092

[elasticsearch]
url=http://es01:9200/

[asab:storage]
mongodb_uri=mongodb://mongodb1,mongodb2,mongodb3/?replicaSet=rs0

[auth]
multitenancy=yes
public_keys_url=http://localhost:8081/openidconnect/public_keys

Zookeeper

Specify the locations of the Zookeeper servers in the cluster.

[zookeeper]
servers=zookeeper-1:2181,zookeeper-2:2181,zookeeper-3:2181

Hint

For non-production deployments, the use of a single Zookeeper server is possible.

Library

Specify the path(s) to the library from which to load declarations.

[library]
providers=zk://zookeeper-1:2181,zookeeper-2:2181,zookeeper-3:2181/lmio/library.lib

Hint

Since the ECS.yaml schema in /Schemas is used by default, consider using the LogMan.io Common Library.

Kafka

Specify the bootstrap servers of the Kafka cluster.

[kafka]
bootstrap_servers=kafka-1:9092,kafka-2:9092,kafka-3:9092

Hint

For non-production deployments, the use of a single Kafka server is possible.

ElasticSearch

Specify the URLs of the ElasticSearch master nodes.

ElasticSearch is used to load the events associated with a ticket.

[elasticsearch]
url=http://es01:9200/
username=MYUSERNAME
password=MYPASSWORD

MongoDB

Specify the URL of the MongoDB cluster with a replica set.

MongoDB is used to store tickets.

[asab:storage]
type=mongodb
mongodb_uri=mongodb://mongodb1,mongodb2,mongodb3/?replicaSet=rs0

Auth

The Auth section ensures that users can access only their own assigned tenants to set up alerts, supporting multitenancy.

It also checks the resources referenced in alert/incident workflow declarations.

[auth]
multitenancy=yes
public_keys_url=http://localhost:8081/openidconnect/public_keys

Input

Alerts has a Kafka interface that reads incoming alerts from the lmio-alerts topic. The topic name or the group ID can be changed using:

[pipeline:TicketPipeline:KafkaSource]
topic=lmio-alerts
group_id=lmio-alerts

Note

Changing the input topic for alerts is discouraged.

Output for event trigger

[pipeline:OutputPipeline:KafkaSink]
topic=lmio-events-complex

Warning

The event trigger should not be used in alert workflow declarations. Use notifications instead.

Workflow

The location of workflows for alerts and incidents is always /Alerts/Workflow.

Web APIs

Alerts provides one web API.

The Web API is designed for communication with the UI.

[web]
listen=0.0.0.0 8953

The default port of the public web API is tcp/8953.

This port is designed to serve as the NGINX upstream for connections from collectors.
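As an added example (not part of LogMan.io), a small Python check that parses a configuration in the INI format shown on this page and reports settings that the page marks as required, non-production only, or discouraged; the sample configuration inside it is constructed for the demonstration.

```python
"""Sanity checks for a LogMan.io Alerts configuration (added example, not LogMan.io code)."""
import configparser

# Sections and keys this page documents as required for Alerts.
REQUIRED = {
    "zookeeper": ["servers"],
    "library": ["providers"],
    "kafka": ["bootstrap_servers"],
    "elasticsearch": ["url"],
    "asab:storage": ["mongodb_uri"],
    "auth": ["multitenancy", "public_keys_url"],
}

def check_alerts_config(text: str, production: bool = True) -> list[str]:
    """Parse the config text and return a list of findings (empty list = no issues)."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    findings = []
    for section, keys in REQUIRED.items():
        if section not in cp:
            findings.append(f"missing section [{section}]")
            continue
        for key in keys:
            if key not in cp[section]:
                findings.append(f"missing {key} in [{section}]")
    if production:  # single Zookeeper/Kafka node is documented as non-production only
        for section, key in (("zookeeper", "servers"), ("kafka", "bootstrap_servers")):
            if cp.has_option(section, key) and len(cp[section][key].split(",")) < 2:
                findings.append(f"[{section}] {key}: single node is for non-production only")
    if cp.has_option("elasticsearch", "url") and cp["elasticsearch"]["url"].startswith("http://"):
        findings.append("[elasticsearch] url uses plaintext http; credentials travel unencrypted")
    if cp.has_option("auth", "multitenancy") and cp["auth"]["multitenancy"].lower() not in ("yes", "true", "1"):
        findings.append("[auth] multitenancy is not enabled; users may see other tenants' alerts")
    src = "pipeline:TicketPipeline:KafkaSource"  # page: changing the input topic is discouraged
    if cp.has_option(src, "topic") and cp[src]["topic"] != "lmio-alerts":
        findings.append(f"[{src}] topic changed from lmio-alerts (discouraged)")
    return findings

# Constructed sample that trips several checks (hostnames are placeholders).
SAMPLE_CONFIG = """[zookeeper]
servers=zookeeper-1:2181
[library]
providers=zk://zookeeper-1:2181/lmio/library.lib
[kafka]
bootstrap_servers=kafka-1:9092,kafka-2:9092,kafka-3:9092
[elasticsearch]
url=http://es01:9200/
[asab:storage]
mongodb_uri=mongodb://mongodb1,mongodb2,mongodb3/?replicaSet=rs0
[auth]
multitenancy=no
public_keys_url=http://localhost:8081/openidconnect/public_keys
[pipeline:TicketPipeline:KafkaSource]
topic=my-alerts
"""

if __name__ == "__main__":
    for finding in check_alerts_config(SAMPLE_CONFIG):
        print(finding)
```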