LogMan.io Lookups are usually dynamical lists stored in ElasticSearch and updated via Kafka from any LogMan.io component such as Parser or Correlator, or via LogMan.io UI.

Dynamic lookups

Lookups allow to store information such as unsuccessful login attempts for a user, blocked IP addresses, firewall accesses for servers etc. In these cases, the lookup is created via LogMan.io UI and new items are added when a trigger happens in LogMan.io Correlator.

Accessing the lookup

The correlations or parsers may react to the updated lookup by using !LOOKUP.GET and !LOOKUP.CONTAINS expressions and adjust the parsing of the event or its evaluation accordingly.

Huge static lookups

Special lookups such as IPEnricher with a lot of shared data are loaded from files or from ZooKeeper and usually are not dynamically updated.

The lookup data for IPEnricher are loaded from a binary file created by LogMan.io Commander from a CSV text file.

For more information, see Lookup events and Parsing lookups sections.