Moogsoft Docs

ExtraHop LAM Reference

This is a reference for the ExtraHop LAM. The ExtraHop LAM configuration file is located at $MOOGSOFT_HOME/config/extrahop_lam.conf.

It contains the following sections and properties:

Monitor

name : The name of the LAM.

Type : String
Required : Yes
Default : "ExtraHop LAM". Do not change.

class : The LAM class.

Type : String
Required : Yes
Default : "CRestMonitor". Do not change.

port : Port on which Moogsoft AIOps receives data from ExtraHop.

Type : Integer
Required : Yes
Default : 48021

address : Host name or IP address of Moogsoft AIOps.

Type : String
Required : Yes
Default : "0.0.0.0" if on premise.

use_ssl : Defines whether to use Secure Sockets Layer (SSL) certification. If you set this to true, provide SSL certificate details.

Type : Boolean
Required : Yes
Default : false

path_to_ssl_files : Path to the directory that contains the SSL certificates. You can use a relative path based upon the $MOOGSOFT_HOME directory. For example, the default config indicates $MOOGSOFT_HOME/config.

Type : String
Required : If use_ssl = true
Default : "config"

ssl_key_filename : Name of the SSL server key file.

Type : String
Required : If use_ssl is set to True
Default : N/A

ssl_cert_filename : Name of the SSL root CA file. Must reside in the location contained in path_to_ssl_files.

Type : String
Required : If use_ssl = true
Default : N/A

use_client_certificates : Defines whether to use SSL client certification.

Type : Boolean
Required : If use_ssl = true
Default : False

client_ca_filename : Name of the SSL client CA file. Must reside in the location contained in path_to_ssl_files.

Type : String
Required : If use_client_certificates = true
Default : N/A

auth_token : Authentication token in the request body. If you define a token, you must include it in the body of all requests.

Type : String
Required : No
Default : N/A

encrypted_auth_token : Encrypted authentication token in the request body. If you define a token, you must include it in the body of all requests. ExtraHop LAM can use either auth_token or encrypted_auth_token. The encrypted_auth_token property overrides auth_token.

Type : String
Required : No
Default : N/A

header_auth_token : Authentication token in the request header. If you define a token, you must include it in the header of all requests.

Type : String
Required : No
Default : N/A

encrypted_header_auth_token : Encrypted authentication token in the request header. If you define a token, you must include it in the header of all requests. ExtraHop LAM can use either header_auth_token or encrypted_header_auth_token. The encrypted_header_auth_token property overrides header_auth_token.

Type : String
Required : No
Default : N/A

ssl_protocols : Sets the allowed SSL protocols.

Type : Array
Required : If protocol = POP3S or IMAPS
Valid protocols : SSLv3, TLSv1, TLSv1.1, TLSv1.2
Default : [ "TLSv1.2" ]

authentication_type : Defines the HTTP authentication type ExtraHop uses. If set to basic, ExtraHop LAM uses the Graze login.

Type : String
Required : Yes
One of : basic, none
Default : "basic"

authentication_cache : Defines whether a hashed version of a user's password is kept in the internal cache for the duration of the connection. If set to true, it enables faster event handling. If set to false, users are authenticated with each request.

Type : Boolean
Required : If authentication_type = basic
Default : true

accept_all_json : Allows the ExtraHop LAM to read and process incoming requests using any valid form of JSON. If set to false, the LAM uses the Moogsoft AIOps REST LAM protocol. See Configure the REST LAM for further information.

Type : Boolean
Required : Yes
Default : true

lists_contain_multiple_events : Defines whether a JSON list is interpreted as multiple events.

Type : Boolean
Required : If accept_all_json = true
Default : true

num_threads : Number of worker threads to use. If you do not specify a value, the LAM uses the number of available CPUs, up to a maximum of 8.

Type : Integer
Required : No
Default : 5

rest_response_mode : Determines when a REST response is sent for a request.

Type : String
Required : Yes
One of : on_receipt - Send a response when a valid event is received.
event_forwarded - Send a response when an event is sent to the message bus.
event_processed - Send a response when an event is processed by the moogfarmd AlertBuilder Moolet.
Default : "event_processed"

rpc_response_timeout : The length of time to wait for a REST response from the moogfarmd AlertBuilder Moolet, in seconds.

Type : Integer
Required : If rest_response_mode = event_processed
Default : 20

event_ack_mode : Determines when moogfarmd acknowledges events from the ExtraHop LAM.

Type : String
Required : Yes
One of : queued_for_processing - Acknowledge events when Moogsoft AIOps adds them to the Moolet queue.
event_processed - Acknowledge events when a Moolet processes them.
Default : "queued_for_processing"
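
The conditional requirements and allowed values listed above can be checked before the LAM is deployed. The following Python sketch is an added example, not part of the Moogsoft product or documentation: it assumes the Monitor section has already been loaded into a dictionary, the function name audit_monitor and the sample values are constructed for illustration, and the deprecation warnings for SSLv3, TLSv1 and TLSv1.1 follow RFC 7568 and RFC 8996 rather than this reference.

```python
# Added example: audit the Monitor properties described in this reference.
# Assumption: `monitor` is the Monitor section already loaded into a dict.
DEPRECATED = {"SSLv3", "TLSv1", "TLSv1.1"}  # RFC 7568 and RFC 8996
VALID_PROTOCOLS = DEPRECATED | {"TLSv1.2"}
ONE_OF = {
    "authentication_type": {"basic", "none"},
    "rest_response_mode": {"on_receipt", "event_forwarded", "event_processed"},
    "event_ack_mode": {"queued_for_processing", "event_processed"},
}
TOKEN_PAIRS = (("auth_token", "encrypted_auth_token"),
               ("header_auth_token", "encrypted_header_auth_token"))

def audit_monitor(monitor):
    """Return a list of (severity, property, message) findings."""
    out = []
    for prop, allowed in ONE_OF.items():
        if monitor.get(prop) not in allowed:
            out.append(("error", prop, "must be one of: " + ", ".join(sorted(allowed))))
    if monitor.get("use_ssl"):
        required = ["path_to_ssl_files", "ssl_key_filename", "ssl_cert_filename"]
        if monitor.get("use_client_certificates"):
            required.append("client_ca_filename")
        for prop in required:
            if not monitor.get(prop):
                out.append(("error", prop, "required by the current SSL settings"))
        for proto in monitor.get("ssl_protocols", ["TLSv1.2"]):
            if proto not in VALID_PROTOCOLS:
                out.append(("error", "ssl_protocols", proto + " is not a valid protocol"))
            elif proto in DEPRECATED:
                out.append(("warn", "ssl_protocols", proto + " is deprecated; allow TLSv1.2 only"))
    else:
        out.append(("warn", "use_ssl", "listener is plain HTTP; tokens and passwords are sent unencrypted"))
    has_token = False
    for plain, enc in TOKEN_PAIRS:
        has_token = has_token or bool(monitor.get(plain) or monitor.get(enc))
        if monitor.get(plain) and monitor.get(enc):
            out.append(("warn", plain, "overridden by " + enc + "; remove the cleartext copy"))
        elif monitor.get(plain):
            out.append(("warn", plain, "stored in cleartext; use " + enc))
    if monitor.get("authentication_type") == "none" and not has_token:
        out.append(("warn", "authentication_type", "no HTTP authentication and no token configured"))
    return out

# Constructed sample values, not taken from a real deployment.
SAMPLE = {"use_ssl": True, "path_to_ssl_files": "config", "ssl_key_filename": "server.key",
          "use_client_certificates": True, "ssl_protocols": ["TLSv1", "TLSv1.2"],
          "auth_token": "constructed-token", "encrypted_auth_token": "constructed-ciphertext",
          "authentication_type": "none", "rest_response_mode": "event_processed", "event_ack_mode": "queued"}
if __name__ == "__main__":
    print(*audit_monitor(SAMPLE), sep="\n")
```
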

Agent

name : Identifies the event sent to the message bus by the ExtraHop LAM.

Type : String
Required : Yes
Default : "ExtraHop"

log : Location of the ExtraHop LAM log file.

Type : String
Required : Yes
Default : "$MOOGSOFT_HOME/log/data-capture/extrahop_lam.log"