LogMan.io Alerts configuration
LogMan.io Alerts requires the following dependencies:
- Apache ZooKeeper
- NGINX (for production deployments)
- Apache Kafka
- MongoDB
- ElasticSearch
- SeaCat Auth
- LogMan.io Library with an /Alerts folder and a schema in the /Schemas folder
Example
This is a minimal example of the LogMan.io Alerts configuration:
[zookeeper]
servers=zookeeper-1:2181,zookeeper-2:2181,zookeeper-3:2181
[library]
providers=zk://zookeeper-1:2181,zookeeper-2:2181,zookeeper-3:2181/lmio/library.lib
[kafka]
bootstrap_servers=kafka-1:9092,kafka-2:9092,kafka-3:9092
[elasticsearch]
url=http://es01:9200/
[asab:storage]
mongodb_uri=mongodb://mongodb1,mongodb2,mongodb3/?replicaSet=rs0
[auth]
multitenancy=yes
public_keys_url=http://localhost:8081/openidconnect/public_keys
Zookeeper
Specify the locations of the ZooKeeper servers in the cluster.
[zookeeper]
servers=zookeeper-1:2181,zookeeper-2:2181,zookeeper-3:2181
Hint
For non-production deployments, a single ZooKeeper server can be used.
Library
Specify the path(s) to the library from which to load declarations.
[library]
providers=zk://zookeeper-1:2181,zookeeper-2:2181,zookeeper-3:2181/lmio/library.lib
Hint
Since the ECS.yaml schema in /Schemas is utilized by default, consider using the LogMan.io Common Library.
Kafka
Specify the bootstrap servers of the Kafka cluster.
[kafka]
bootstrap_servers=kafka-1:9092,kafka-2:9092,kafka-3:9092
Hint
For non-production deployments, a single Kafka server can be used.
ElasticSearch
Specify the URLs of the ElasticSearch master nodes.
ElasticSearch is used to load the events associated with a ticket.
[elasticsearch]
url=http://es01:9200/
username=MYUSERNAME
password=MYPASSWORD
MongoDB
Specify the URL of the MongoDB cluster with a replica set.
MongoDB is used to store tickets.
[asab:storage]
type=mongodb
mongodb_uri=mongodb://mongodb1,mongodb2,mongodb3/?replicaSet=rs0
Auth
The Auth section ensures that users can set up alerts only in the tenants assigned to them, supporting multitenancy.
It also checks the resources referenced in alert and incident workflow declarations.
[auth]
multitenancy=yes
public_keys_url=http://localhost:8081/openidconnect/public_keys
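A preflight check over a configuration file in this layout, as an added example that is not part of LogMan.io: `lint_config`, `_hosts` and the embedded SAMPLE are constructed here, and the checks follow the section notes above (required keys, the library's zk:// URL naming the same ZooKeeper ensemble, more than one ZooKeeper and Kafka server for production, a MongoDB replica set, and multitenancy enabled).

```python
# Preflight lint for a LogMan.io Alerts configuration file. Added example, not LogMan.io
# code: lint_config, _hosts and SAMPLE are constructed here around the INI layout on this page.
import configparser

# Minimal configuration from this page, embedded as sample input.
SAMPLE = """
[zookeeper]
servers=zookeeper-1:2181,zookeeper-2:2181,zookeeper-3:2181
[library]
providers=zk://zookeeper-1:2181,zookeeper-2:2181,zookeeper-3:2181/lmio/library.lib
[kafka]
bootstrap_servers=kafka-1:9092,kafka-2:9092,kafka-3:9092
[elasticsearch]
url=http://es01:9200/
[asab:storage]
mongodb_uri=mongodb://mongodb1,mongodb2,mongodb3/?replicaSet=rs0
[auth]
multitenancy=yes
public_keys_url=http://localhost:8081/openidconnect/public_keys
"""
# One key per section that the minimal configuration must define.
REQUIRED = {"zookeeper": "servers", "library": "providers", "kafka": "bootstrap_servers",
            "elasticsearch": "url", "asab:storage": "mongodb_uri", "auth": "public_keys_url"}

def _hosts(value: str) -> set:
    return {h.strip() for h in value.split(",") if h.strip()}  # comma list -> set, no blanks

def lint_config(text: str, production: bool = True) -> list:
    """Return findings for the config text; an empty list means it passed the checks."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    findings = [f"missing [{s}] {k}" for s, k in REQUIRED.items() if not cfg.has_option(s, k)]
    if findings:
        return findings  # the remaining checks need the core keys
    zk = _hosts(cfg["zookeeper"]["servers"])
    lib = cfg["library"]["providers"]
    # The library is loaded over ZooKeeper, so its zk:// URL should name the same ensemble.
    if lib.startswith("zk://") and _hosts(lib[5:].split("/", 1)[0]) != zk:
        findings.append("[library] providers name a different ZooKeeper ensemble")
    if production:  # a single ZooKeeper or Kafka server is acceptable for non-production only
        for name, hosts in (("ZooKeeper", zk), ("Kafka", _hosts(cfg["kafka"]["bootstrap_servers"]))):
            if len(hosts) < 2:
                findings.append(f"single {name} server is for non-production only")
    if "replicaSet=" not in cfg["asab:storage"]["mongodb_uri"]:
        findings.append("[asab:storage] mongodb_uri does not name a replica set")
    # Multitenancy confines users to their own tenants and must stay enabled.
    if not cfg.getboolean("auth", "multitenancy", fallback=False):
        findings.append("[auth] multitenancy is not enabled")
    return findings
```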
Input
Alerts contains a Kafka interface that reads incoming alerts from the lmio-alerts topic.
The topic name or the group ID can be changed using:
[pipeline:TicketPipeline:KafkaSource]
topic=lmio-alerts
group_id=lmio-alerts
Note
Changing the input topic for alerts is discouraged.
Output for event trigger
[pipeline:OutputPipeline:KafkaSink]
topic=lmio-events-complex
Warning
The event trigger should not be used in alert workflow declarations. Use notifications instead.
Workflow
The location of workflows for alerts and incidents is always /Alerts/Workflow.
Web APIs
Alerts provides one web API, designed for communication with the UI.
[web]
listen=0.0.0.0 8953
The default port of the public web API is tcp/8953.
This port is designed to serve as the NGINX upstream for connections from collectors.