
Deployment guide

To work with lookups, the following deployment steps need to be taken. For more information about what lookups are and what they are used for, see the Lookups section.

1.) On every machine in the cluster, deploy one instance of Watcher.

2.) On every machine in the cluster, deploy one instance of Lookup Builder and one instance of IP Address Processing. The configuration and the Docker Compose records for these services are described in the Builder Configuration section.

3.) Add the path to the /lookups folder to the Docker Compose volumes section of every Parsec, Correlator, Alerts and Baseliner instance. The path is by default:

- /data/ssd/lookups:/lookups

4.) Include Watcher in the configuration file of every NGINX instance as a location record for /api/lmio-lookup:

location /api/lmio-lookup {
    # Every request is validated by the OAuth2 introspection sub-request first
    auth_request /_oauth2_introspect;
    # Strip the /api/lmio-lookup prefix before forwarding to Watcher
    rewrite ^/api/lmio-lookup/(.*) /$1 break;
    proxy_pass http://lmio-watcher;
}

Notice the proxy_pass that points to the lmio-watcher upstream, which should be defined at the top of each NGINX configuration file:

upstream lmio-watcher {
    server HOSTNAME_OF_FIRST_SERVER_IN_THE_CLUSTER:8952 max_fails=0 fail_timeout=30s;
    server HOSTNAME_OF_SECOND_SERVER_IN_THE_CLUSTER:8952 max_fails=0 fail_timeout=30s;
    server HOSTNAME_OF_THIRD_SERVER_IN_THE_CLUSTER:8952 max_fails=0 fail_timeout=30s;
}

Replace HOSTNAME_OF_FIRST_SERVER_IN_THE_CLUSTER, HOSTNAME_OF_SECOND_SERVER_IN_THE_CLUSTER and HOSTNAME_OF_THIRD_SERVER_IN_THE_CLUSTER with the hostnames of the cluster servers that Watcher is deployed to.
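A pre-flight check for step 4, added here as an example and not part of this guide: it verifies that the NGINX upstream lists exactly the Watcher hosts on port 8952 and that the /api/lmio-lookup location keeps auth_request in front of the proxy_pass, so Watcher is never exposed without token introspection. The sample configuration and hostnames are constructed; the brace-matching parser is a deliberately simple one for this check, not a full NGINX parser.

```python
import re

# Constructed NGINX fragment mirroring step 4 of the guide, with the
# HOSTNAME_* placeholders replaced by made-up hostnames.
SAMPLE_NGINX_CONF = """
upstream lmio-watcher {
    server node1.example.internal:8952 max_fails=0 fail_timeout=30s;
    server node2.example.internal:8952 max_fails=0 fail_timeout=30s;
}

server {
    location /api/lmio-lookup {
        auth_request /_oauth2_introspect;
        rewrite ^/api/lmio-lookup/(.*) /$1 break;
        proxy_pass http://lmio-watcher;
    }
}
"""

def _block(conf, header_re):
    """Return the brace-balanced body of the first block whose header matches."""
    m = re.search(header_re + r"\s*\{", conf)
    if not m:
        return None
    depth, i = 1, m.end()
    start = i
    while i < len(conf) and depth:
        if conf[i] == "{":
            depth += 1
        elif conf[i] == "}":
            depth -= 1
        i += 1
    return conf[start:i - 1] if depth == 0 else None

def upstream_hosts(conf, name="lmio-watcher"):
    """Set of 'host:port' entries declared in the named upstream."""
    body = _block(conf, r"upstream\s+" + re.escape(name))
    return set(re.findall(r"server\s+([^\s;]+)", body or ""))

def check_lookup_location(conf, expected_hosts, port=8952):
    """Return a list of findings for step 4; an empty list means the config is OK."""
    findings = []
    expected = {f"{h}:{port}" for h in expected_hosts}
    hosts = upstream_hosts(conf)
    if hosts != expected:
        findings.append(f"upstream mismatch: missing {sorted(expected - hosts)}, "
                        f"unexpected {sorted(hosts - expected)}")
    body = _block(conf, r"location\s+/api/lmio-lookup")
    if body is None:
        return findings + ["location /api/lmio-lookup not found"]
    if "auth_request" not in body:
        findings.append("auth_request missing: Watcher reachable without token introspection")
    if "proxy_pass http://lmio-watcher" not in body:
        findings.append("proxy_pass does not target the lmio-watcher upstream")
    return findings
```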

5.) Include the relevant enrichers in the Parsec declarations, such as the IP to GEO enrichment shown below. For more information see the IP Lookups section.

  type: enricher/ip
  group: geo
  postfix: geo.

That's it! You are now ready to create lookup declarations and lookup content. See the Lookups section for the next steps.