Moogsoft Docs

Configure the Observe Polling LAM

The Observe Polling LAM allows you to retrieve alerts from Moogsoft Observe. The Observe Polling LAM is an HTTPS client that polls your Observe server at configurable intervals. It parses the JSON responses it receives into Moogsoft AIOps events.

You can install a basic Observe Polling integration via the UI. See Observe Polling for integration steps.

Configure the Observe Polling LAM if you want to configure custom properties, set up high availability or configure advanced options that are not available in the UI integration.

Before You Begin

Before you set up your Observe Polling LAM, ensure you have met the following requirements:

  • Access the Observe UI and go to Integrations > Moogsoft AIOps . Copy the following details:
    • Event Endpoint
    • JWT Bearer Token
  • The port for your Observe server is open and accessible from Moogsoft AIOps.

Configure the LAM

Edit the configuration file to control the behavior of the Observe Polling LAM. You can find the file at $MOOGSOFT_HOME/config/observe_client_lam.conf

See the Observe Polling LAM Reference for a full description of all properties. Some properties in the file are commented out by default. Uncomment properties to enable them.

  1. Configure the connection properties for each Observe target:
    • url : The Event Endpoint from Observe.
    • authentication_type : Type of authentication used by the LAM. Defaults to JWT.
    • jwt_token : The JWT Bearer Token from Observe.
  2. Determine how to select and process Observe events for each target:
    • overlap_identity_fields : List of payload tokens the LAM uses to identify duplicate events when Observe returns all open events and not just updated events.
    • requests_overlap : Period of time to delay processing duplicates.
    • page_size : Number of paginated results Observe sends.
  3. Configure the LAM behavior for each target:
    • request_interval : Length of time to wait between requests, in seconds.
    • timeout : Length of time to wait before halting a connection or read attempt, in seconds.
    • num_threads : Number of worker threads to use.
  4. Configure the SSL properties if you want to use SSL:
    • disable_certificate_validation : Whether to disable SSL certificate validation.
    • path_to_ssl_files : Path to the directory that contains the SSL certificates.
    • server_cert_filename : Name of the SSL root CA file.
    • client_key_filename : Name of the SSL client key file.
    • client_cert_filename : Name of the SSL client certificate.
  5. Optionally configure the LAM identification and logging details in the agent section of the file:
    • name : Identifies events the LAM sends to the Message Bus.
    • capture_log : Name and location of the LAM's log file.
  6. Optionally configure severity conversions. See Severity Reference for further information and "Conversion Rules" in Data Parsing for details on conversions in general.

Example

You can configure the Observe Polling LAM to retrieve events from one or more targets. The following example demonstrates a configuration that targets two Observe sources. For a single source, comment out the target2 section. If you have more than two sources, add a target section for each one and uncomment properties to enable them.

In the following example, the Observe Polling LAM is configured to poll two Observe instances:

monitor:
{
	name                    				: "Observe Client Monitor",
	class                   				: "CRestClientMonitor",
	request_interval         				: 60,
	targets:
	{
		target1:
		{
			#request_interval 				: 60,
			authentication_type				: "jwt_token",
			url 							: "https://observeserver1/observe/controller/api/v1/events",
			jwt_token						: "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJjb2xsZWN0b3JfMTQiLCJqdGkiOiI5NCJ9.FfpqmZR-QF9sXUTyJHvPEycMwXglFfV2sBcBvcZ3Tec",
			timeout 						: 120,
			disable_certificate_validation 	: true,
			path_to_ssl_files 				: "config",
			server_cert_filename 			: "server.crt",
			#client_key_filename 			: "client.key",
			#client_cert_filename 			: "client.crt",
			requests_overlap 				: 10,
			#num_threads 					: 5,
			overlap_identity_fields 		: [ "signature", "severity" ],
			#page_size						: 1000
		},
		target2:
		{
			url								: "https://observeserver2/observe/controller/api/v1/events",
			authentication_type				: "jwt_token",
			jwt_token						: "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.e30.FCLHrMWgrYUZ_B3vwKbZoF-ZnQkAZ1eOMNfvZ3YxdRU",
			timeout							: 120,
			disable_certificate_validation	: false,
			path_to_ssl_files				: "config",
			requests_overlap				: 10,
			overlap_identity_fields			: [ "signature", "severity" ],
			page_size						: 1000
		}
	}
},
agent:
{
	name    								: "Observe Client",
	capture_log    							: "$MOOGSOFT_HOME/log/data-capture/observe_client_lam.log"
},

Configure for High Availability

Configure the Observe Polling LAM for high availability if required. See Integrations HA Configuration for details.

Configure LAMbot Processing

The Observe Polling LAMbot processes and filters events before sending them to the Message Bus. You can customize or bypass this processing if required. You can also load JavaScript files into the LAMbot and execute them.

See LAMbot Configuration for more information. An example Observe Polling LAM filter configuration is shown below.

filter: 
{
	presend: "ObserveClientLam.js",
	modules: [ "CommonUtils.js" ]
}

Map LAM Properties

You can configure custom mappings in the Observe Polling LAMbot. See Advanced Integration information for details.

By default, Observe event properties map to Moogsoft AIOps Observe Polling LAM properties:

Observe Event Property

Observe LAM Event Property

agent $agent
agent_location $agent_location
agent_time $agent_time
class $class
description $summary: $description
external_id $external_id
manager $manager
severity $severity
signature $signature
source $source
source_id $source_id
type $type

The overflow properties are mapped to "custom info" and appear under custom_info in Moogsoft AIOps alerts:

Observe Event Property

Observe LAM Overflow Property

collector eventDetails.collector
instance eventDetails.instance
key eventDetails.key

Start and Stop the LAM

Restart the Observe Polling LAM to activate any changes you make to the configuration file or LAMbot.

The LAM service name is observeclientlamd .

See Control Moogsoft AIOps Processes for the commands to start, stop and restart the LAM.