
Deployment guide

In order to work with lookups, the following deployment steps need to be taken. For more information about what lookups are and what they are used for, go to the Lookups section.

1.) At every machine within the LogMan.io cluster, deploy one instance of LogMan.io Watcher.

2.) At every machine within the LogMan.io cluster, deploy one instance of LogMan.io Lookup Builder and one instance of LogMan.io IP Address Processing. The information about configuration and records in Docker Compose is located in the Builder Configuration section.

3.) Add the path to the /lookups folder to the Docker Compose volumes section of every LogMan.io Parsec, LogMan.io Correlator, LogMan.io Alerts and LogMan.io Baseliner instance. The path is by default:

volumes:
- /data/ssd/lookups:/lookups

4.) Include LogMan.io Watcher in the configuration file of every NGINX instance as a location record for /api/lmio-lookup:

location /api/lmio-lookup {
    auth_request /_oauth2_introspect;
    rewrite ^/api/lmio-lookup/(.*) /$1 break;
    proxy_pass http://lmio-watcher;
}

Notice the proxy_pass that points to lmio-watcher upstream, which should be defined at the top of each NGINX configuration file:

upstream lmio-watcher {
    server HOSTNAME_OF_FIRST_SERVER_IN_THE_CLUSTER:8952 max_fails=0 fail_timeout=30s;
    server HOSTNAME_OF_SECOND_SERVER_IN_THE_CLUSTER:8952 max_fails=0 fail_timeout=30s;
    server HOSTNAME_OF_THIRD_SERVER_IN_THE_CLUSTER:8952 max_fails=0 fail_timeout=30s;
}

Replace HOSTNAME_OF_FIRST_SERVER_IN_THE_CLUSTER, HOSTNAME_OF_SECOND_SERVER_IN_THE_CLUSTER, HOSTNAME_OF_THIRD_SERVER_IN_THE_CLUSTER with the hostnames of the servers that the LogMan.io Watcher is deployed to in the LogMan.io cluster environment.
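A quick way to verify step 4 before reloading NGINX is to parse the configuration and confirm that the /api/lmio-lookup location still carries its auth_request directive, that its proxy_pass points at the lmio-watcher upstream, and that the upstream is defined with real hostnames on port 8952 rather than the placeholders above. The script below is an added example written for this guide, not part of LogMan.io itself; the embedded NGINX configuration is constructed from the snippets on this page with made-up hostnames, and the flat-block parser assumes no braces nested inside the upstream and location blocks, which is all these snippets use.

```python
import re

# Constructed sample NGINX configuration mirroring the snippets in this guide.
# The node-*.example.internal hostnames are made up for the example.
SAMPLE_NGINX_CONF = """
upstream lmio-watcher {
    server node-1.example.internal:8952 max_fails=0 fail_timeout=30s;
    server node-2.example.internal:8952 max_fails=0 fail_timeout=30s;
    server node-3.example.internal:8952 max_fails=0 fail_timeout=30s;
}

server {
    listen 443 ssl;

    location /api/lmio-lookup {
        auth_request /_oauth2_introspect;
        rewrite ^/api/lmio-lookup/(.*) /$1 break;
        proxy_pass http://lmio-watcher;
    }

    location /api/other-service {
        proxy_pass http://other-upstream;
    }
}
"""

# Matches "upstream NAME { ... }" and "location PATH { ... }" blocks whose body
# contains no nested braces (sufficient for the configuration in this guide).
BLOCK_RE = re.compile(r"(upstream|location)\s+([^\s{]+)\s*\{([^{}]*)\}")


def parse_blocks(conf):
    """Return (upstreams, locations).

    upstreams maps upstream name -> list of its 'server ...' directives,
    locations maps location path -> list of all directives in that block.
    """
    upstreams, locations = {}, {}
    for kind, name, body in BLOCK_RE.findall(conf):
        directives = [d.strip() for d in body.split(";") if d.strip()]
        if kind == "upstream":
            upstreams[name] = [d for d in directives if d.startswith("server ")]
        else:
            locations[name] = directives
    return upstreams, locations


def check_lookup_location(conf, path="/api/lmio-lookup", expected_upstream="lmio-watcher"):
    """Return a list of findings; an empty list means the config matches the guide."""
    findings = []
    upstreams, locations = parse_blocks(conf)
    directives = locations.get(path)
    if directives is None:
        return [f"location {path} is missing"]

    # Without auth_request the lookup API would be reachable with no token check.
    if not any(d.startswith("auth_request ") for d in directives):
        findings.append(f"location {path} has no auth_request: lookup API would be exposed unauthenticated")

    proxy = [d for d in directives if d.startswith("proxy_pass ")]
    if not proxy:
        findings.append(f"location {path} has no proxy_pass")
        return findings

    target = proxy[0].split(None, 1)[1]
    host = re.sub(r"^https?://", "", target).rstrip("/")
    if host != expected_upstream:
        findings.append(f"proxy_pass points to {target}, expected http://{expected_upstream}")
    elif host not in upstreams:
        findings.append(f"upstream {host} is referenced but not defined")
    else:
        servers = upstreams[host]
        if not servers:
            findings.append(f"upstream {host} has no server entries")
        for s in servers:
            if "HOSTNAME_OF_" in s:
                findings.append(f"upstream {host} still contains a placeholder: {s}")
            if ":8952" not in s:
                findings.append(f"upstream {host} server is not on Watcher port 8952: {s}")
    return findings


if __name__ == "__main__":
    for line in check_lookup_location(SAMPLE_NGINX_CONF) or ["OK: lookup location matches the guide"]:
        print(line)
```

Run it against each NGINX instance's configuration after editing; any finding about a missing auth_request or a leftover HOSTNAME_OF_ placeholder should be fixed before the reload, since the first exposes the lookup API without token introspection and the second leaves the upstream with no reachable Watcher.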

5.) Include relevant enrichers in Parsec declarations, such as IP to GEO enrichment as shown below. For more information see the IP Lookups section.

---
define:
  type: enricher/ip
  group: geo

  schema:
    ecs:
      postfix: geo.

That's it! Now you are ready to create lookup declarations and lookup content. See the Lookups section for the next steps.