Moogsoft Docs

Configure the ExtraHop LAM

The ExtraHop LAM posts ExtraHop alerts to Moogsoft AIOps as events.

You can install a basic ExtraHop integration via the UI by supplying connection details and configuring a few parameters. See ExtraHop for integration steps.

Configure the ExtraHop LAM if you want to configure custom properties, set up high availability or configure advanced options that are not available in the UI integration.

Before You Begin

Before you configure the ExtraHop LAM, ensure you have met the following requirements:

  • You have an active ExtraHop account.
  • You have the necessary permissions to access system configuration and add data stream targets in ExtraHop.
  • ExtraHop can make requests to external endpoints over port 443.

If you are configuring a distributed deployment refer to High Availability first. You will need the details of the server configuration you are going to use for HA.

Configure the LAM

Edit the configuration file to control the behavior of the ExtraHop LAM. You can find the file at $MOOGSOFT_HOME/config/sumo_logic_lam.conf.

See the ExtraHop LAM Reference for a full description of all properties. Some properties in the file are commented out by default. Uncomment properties to enable them.

  1. Configure the connection properties for ExtraHop:
    • address : Host name or IP address of Moogsoft AIOps.
    • port : Port on which Moogsoft AIOps receives data from ExtraHop.

  2. Configure authentication:
    • authentication_type : Type of HTTP authentication used by the LAM. Defaults to Basic.
    • authentication_cache : Whether to cache the username and password for the current connection when the authentication type is Basic.

  3. Configure the LAM behavior:
    • num_threads : Number of worker threads to use.
    • rest_response_mode : When to send a REST response. See the ExtraHop LAM Reference for the options.
    • rpc_response_timeout : Number of seconds to wait for a REST response.
    • event_ack_mode : When moogfarmd acknowledges events from the ExtraHop LAM during the event processing pipeline.
    • accept_all_json : Allows the LAM to read and process all forms of JSON.
    • lists_contain_multiple_events : Whether Moogsoft AIOps interprets a JSON list as multiple events.

  4. Configure the SSL properties if you want to encrypt communications between the LAM and ExtraHop:
    • use_ssl : Whether to use SSL certification.
    • path_to_ssl_files : Path to the directory that contains the SSL certificates.
    • ssl_key_filename : The SSL server key file.
    • ssl_cert_filename : The SSL root CA file.
    • use_client_certificates : Whether to use SSL client certification.
    • client_ca_filename : The SSL client CA file.
    • auth_token or encrypted_auth_token : Authentication token in the request body.
    • header_auth_token or encrypted_header_auth_token : Authentication token in the request header.
    • ssl_protocols : Sets the allowed SSL protocols.

  5. Optionally configure the LAM identification and the log file details:
    • name : Identifies the event sent to the message bus by the ExtraHop LAM.
    • log : Name and location of the ExtraHop LAM log file.

  6. Review the severity conversion rules and modify if required. See Severity Reference for details.

Configure ExtraHop

Follow the instructions under Configure ExtraHop.

Example

The following example shows an ExtraHop LAM configuration.

monitor:
    {
        name                          : "ExtraHop Lam",
        class                         : "CRestMonitor",
        port                          : 48021,
        address                       : "0.0.0.0",
        use_ssl                       : false,
        #path_to_ssl_files            : "config",
        #ssl_key_filename             : "server.key",
        #ssl_cert_filename            : "server.pem",
        #use_client_certificates      : false,
        #client_ca_filename           : "ca.crt",
        #auth_token                   : "my_secret",
        #encrypted_auth_token         : "dfJtTQMGiFHfiq7sCmxguBt6Jv+eytkoiKCquSB/7iWxpgGsG2aez3z2j7SuBtKj",
        #header_auth_token            : "my_secret",
        #encrypted_header_auth_token  : "dfJtTQMGiFHfiq7sCmxguBt6Jv+eytkoiKCquSB/7iWxpgGsG2aez3z2j7SuBtKj",
        #ssl_protocols                : [ "TLSv1.2" ],
        authentication_type           : "basic",
        authentication_cache          : true,
        accept_all_json               : true,
        lists_contain_multiple_events : false,
        num_threads                   : 5,
        rest_response_mode            : "on_receipt",
        rpc_response_timeout          : 20,
        event_ack_mode                : "queued_for_processing"
    }
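As an added illustration (not code from Moogsoft or ExtraHop), the following Python script parses a monitor block written in the JSON-like syntax of the example above and flags the settings a security review of this LAM would look at: use_ssl off, a plaintext auth_token or header_auth_token instead of the encrypted form, deprecated entries in ssl_protocols, and TLS without use_client_certificates. Both configuration strings are constructed samples; the hardened one uses an obvious placeholder where a real encrypted token would go.

```python
import re

# Constructed sample (not ExtraHop or Moogsoft data): a monitor block with weak settings,
# in the same JSON-like syntax as the example above; trailing '#' comments are stripped.
INSECURE_CONF = """monitor:
    {
        name          : "ExtraHop Lam",   # friendly name
        port          : 48021,
        use_ssl       : false,
        auth_token    : "my_secret",
        ssl_protocols : [ "TLSv1", "TLSv1.2" ]
    }
"""
HARDENED_CONF = """monitor:
    {
        use_ssl                 : true,
        ssl_protocols           : [ "TLSv1.2" ],
        encrypted_auth_token    : "PLACEHOLDER_ENCRYPTED_TOKEN",
        use_client_certificates : true
    }
"""

def parse_monitor(conf):
    """Parse one monitor block: '#' comments, unquoted keys, strings, ints, booleans, string lists."""
    text = "\n".join(line.split("#", 1)[0] for line in conf.splitlines())  # values never contain '#'
    body = re.search(r"monitor\s*:\s*\{(.*?)\}", text, re.S).group(1)
    props = {}
    for key, raw in re.findall(r'(\w+)\s*:\s*(\[[^\]]*\]|"[^"]*"|[^,\s]+)', body):
        if raw.startswith("["):
            props[key] = re.findall(r'"([^"]*)"', raw)
        elif raw.startswith('"'):
            props[key] = raw.strip('"')
        elif raw in ("true", "false"):
            props[key] = raw == "true"
        else:
            props[key] = int(raw)
    return props

def lint_monitor(props):
    """Return security findings for a parsed monitor block (empty list means nothing flagged)."""
    findings = []
    if not props.get("use_ssl", False):
        findings.append("use_ssl is false: tokens and alert data cross the network in plaintext")
    for key in ("auth_token", "header_auth_token"):
        if key in props:
            findings.append(f"{key} is stored in plaintext; prefer encrypted_{key}")
    weak = [p for p in props.get("ssl_protocols", []) if p in ("SSLv3", "TLSv1", "TLSv1.1")]
    if weak:
        findings.append("deprecated ssl_protocols enabled: " + ", ".join(weak))
    if props.get("use_ssl") and not props.get("use_client_certificates", False):
        findings.append("use_client_certificates is false: only the shared token gates who can post")
    return findings
```

Running lint_monitor over the parsed INSECURE_CONF yields three findings, while the hardened block yields none.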

Configure for High Availability

Configure the ExtraHop LAM for high availability if required. See Integrations HA Configuration for details.

Configure LAMbot Filtering

The ExtraHop LAMbot filters and processes ExtraHop LAM events using the "ExtraHopLam.js" stream, then sends them to the message bus.

The LAMbot moves overflow properties to custom info and performs any filtering you configure in the LAMbot file. See Data Parsing for details.

If you don’t want to map overflow properties, you can comment out the presend property in the filter section to bypass the LAMbot and send events straight to the message bus. This speeds up processing if you have a high volume of incoming ExtraHop alerts.

Alternatively, you can define a custom stream to receive ExtraHop LAM events. See Alert Builder Moolet for details.

filter:
    {
        presend: "ExtraHopLam.js",
        modules: ["CommonUtils.js"]
    }

Start and Stop the LAM

Restart the ExtraHop LAM to activate any changes you make to the configuration file or LAMbot.

The LAM service name is extrahoplamd.

See Control Moogsoft AIOps Processes for the commands to start, stop and restart the LAM.

You can use a GET request to check the status of the ExtraHop LAM. The request uses the authentication type and header authentication token defined in the ExtraHop LAM configuration file. See Check the LAM Status in the REST LAM Configuration Guide for further information and examples.