Events Analyser Reference

This is a reference for the Events Analyser utility. The Events Analyser configuration properties are found in $MOOGSOFT_HOME/config/events_analyser.conf.

entropy_calc

Entropy calculation method. Moogsoft recommends using the EntropyV2 calculation method for more accurate entropy values.

Type: String

Required: Yes

One of: EntropyV2, EntropyClassic

Default: "EntropyV2"

priming_source_data

Source data to use when priming the entropy value database table, that is, running the Events Analyser to calculate entropy values. By default, the priming source data is taken from tables in the main database schema called moogdb. timestamp_column is a column in the snapshots_table.

Type: String

Required: Yes

Default:

{
    "alerts_table" : "alerts",
    "events_table" : "events",
    "snapshots_table" : "snapshots",
    "timestamp_column" : "last_event_time"
}

partition_by

Identifies the property in each event that is used to partition events so that the Sigalisers group them separately. If partitioning is enabled, the following properties can be configured independently for each partition. See Configure Events Analyser for further details on partitions and configuration examples.

Type: String

Required: Yes

Default: null

Example: "partition_by" : "source"

fields

Properties in each event that contribute to the entropy value calculation.

Type: List of strings

Required: Yes

Default: "description"

mask

Token types to be included in or excluded from entropy calculations. If a token type is set to false, the entropy calculation includes it. If it is set to true, the entropy calculation excludes the token type. Masking token types such as dates or numbers ensures that an event is not given a higher entropy value than it deserves simply because it contains a unique number or date.

Type: Boolean

Required: No

Default:

{
    "path" : false,
    "ip_address" : false,
    "mac_address" : false,
    "url" : false,
    "email" : false,
    "date_time" : true,
    "number" : true,
    "hex" : false,
    "oid" : false,
    "guid" : false,
    "stop_word" : false,
    "word" : false
}

casefold

Whether the Events Analyser should treat tokens that differ only by case as the same token in entropy calculations.

Type: String

Required: Yes

Default: true

stop_words

Whether the Events Analyser should ignore specific tokens in entropy calculations. Stop words are small common words such as 'about', 'at' or 'the'.

Type: String

Required: Yes

Default: true

stop_word_length

The Events Analyser considers any token of this length or shorter to be a stop word and excludes it from entropy calculations. The default of 0 means that no words are considered as stop words.

Type: Number

Required: Yes

Default: 0

stop_word_file

Path (optional) and name of the file containing a list of stop words that the Events Analyser excludes from its entropy calculations. If you provide a file name only, the Events Analyser assumes the path $MOOGSOFT_HOME/config/. The Events Analyser uses the full path if you provide it. The default Moogsoft Enterprise implementation provides a file named stopwords in $MOOGSOFT_HOME/config/, which contains a list of common stop words.

Type: String

Required: Yes

Default: "stopwords"

priority_words

Whether the Events Analyser includes priority words in entropy calculations. The Events Analyser automatically assigns alerts that contain a priority word a maximum entropy value of 1.

Type: String

Required: Yes

Default: false

priority_word_file

Path (optional) and name of the file containing a list of priority words that the Events Analyser automatically assigns an entropy value of 1 in its entropy calculations. If you provide a file name only, the Events Analyser assumes the path $MOOGSOFT_HOME/config/. The Events Analyser uses the full path if you provide it. The file prioritywords in $MOOGSOFT_HOME/config/ is empty in the default Moogsoft Enterprise implementation.

Type: String

Required: Yes

Default: "prioritywords"

stemming

Whether the Events Analyser considers words with the same word stem to be the same word in entropy calculations. For example, whether the Events Analyser should treat 'fail', 'fails', 'failed' and 'failing' as the same word.

Type: String

Required: Yes

Default: false

stemming_language

Language of the event text, which the stemmer uses when stemming is enabled.

Type: String

Required: Yes

Default: "english"
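As an added illustration, not Moogsoft's code and not a reproduction of the EntropyV2 or EntropyClassic methods, the following Python model shows what the mask, casefold, stop_words, stop_word_length, stop_word_file, priority_words, priority_word_file, stemming and stemming_language settings above do to a set of event descriptions. The tokenizer, the in-memory stop and priority word lists (standing in for the stopwords and prioritywords files), the suffix-stripping stemmer and the normalised-surprisal score are all assumptions chosen to make the effect of each setting visible; the mask keys reuse the names on this page but only a subset of token types is recognised.

```python
import math
import re
from collections import Counter

# Toy tokenizer (assumption). Group names reuse the "mask" keys from this page;
# url, email, hex, oid, guid and mac_address are not modelled here.
TOKEN_RE = re.compile(
    r"(?P<date_time>\d{4}-\d{2}-\d{2}|\d{1,2}:\d{2}:\d{2})"
    r"|(?P<ip_address>\d{1,3}(?:\.\d{1,3}){3})"
    r"|(?P<path>/[\w./-]+)"
    r"|(?P<number>\d+(?:\.\d+)?%?)"
    r"|(?P<word>[A-Za-z_][\w-]*)"
)

# Mirrors the page defaults; the word lists stand in for the stopwords and
# prioritywords files and are constructed for this example.
DEFAULT_CONFIG = {
    "mask": {"path": False, "ip_address": False, "date_time": True, "number": True, "word": False},
    "casefold": True,
    "stop_words": True,
    "stop_word_length": 0,
    "stop_word_list": {"on", "at", "to", "the"},
    "priority_words": False,
    "priority_word_list": {"panic"},
    "stemming": False,
}

# Constructed sample descriptions, not real Moogsoft data.
EVENTS = [
    "Disk usage on /var/log at 91% on 2023-05-01 10:15:02",
    "Disk usage on /var/log at 93% on 2023-05-01 11:15:02",
    "Disk usage on /var/log at 95% on 2023-05-01 12:15:02",
    "Interface eth0 link down on 2023-05-01 10:16:00",
    "Interface eth0 link down on 2023-05-01 10:17:00",
    "Kernel panic: unable to mount root fs on 2023-05-01 10:20:00",
    "Kernel panic: unable to mount root fs on 2023-05-02 09:00:00",
]


def config_with(mask=None, **overrides):
    """Copy DEFAULT_CONFIG with top-level overrides and per-type mask changes."""
    cfg = dict(DEFAULT_CONFIG)
    cfg["mask"] = {**DEFAULT_CONFIG["mask"], **(mask or {})}
    cfg.update(overrides)
    return cfg


def toy_stem(word):
    """Tiny suffix stripper standing in for a real language-aware stemmer (assumption)."""
    for suffix in ("ing", "ed", "es", "s"):
        if word.endswith(suffix) and len(word) - len(suffix) >= 3:
            return word[: -len(suffix)]
    return word


def normalise(description, config):
    """Apply mask, casefold, stop-word and stemming rules; return (tokens, has_priority_word)."""
    tokens, priority = [], False
    for m in TOKEN_RE.finditer(description):
        ttype, text = m.lastgroup, m.group()
        if config["mask"].get(ttype, False):
            continue  # true in mask means the token type is excluded
        if config["casefold"]:
            text = text.lower()
        if ttype == "word":
            if config["priority_words"] and text in config["priority_word_list"]:
                priority = True
            if config["stop_words"] and (
                len(text) <= config["stop_word_length"] or text in config["stop_word_list"]
            ):
                continue  # stop words never reach the entropy calculation
            if config["stemming"]:
                text = toy_stem(text)
        tokens.append(text)
    return tokens, priority


def analyse(events, config=DEFAULT_CONFIG):
    """Return one entropy value in [0, 1] per event.

    Scoring is an assumption, not Moogsoft's method: each surviving token's
    surprisal -ln p(token) over the whole corpus, divided by ln(total tokens),
    averaged over the event. Rare tokens push an event towards 1; an event that
    contains a priority word is pinned to 1, as the page describes.
    """
    prepared = [normalise(e, config) for e in events]
    counts = Counter(t for tokens, _ in prepared for t in tokens)
    total = sum(counts.values())
    scores = []
    for tokens, priority in prepared:
        if priority:
            scores.append(1.0)
        elif not tokens or total < 2:
            scores.append(0.0)
        else:
            surprisal = [-math.log(counts[t] / total) / math.log(total) for t in tokens]
            scores.append(sum(surprisal) / len(surprisal))
    return scores


if __name__ == "__main__":
    for desc, score in zip(EVENTS, analyse(EVENTS)):
        print(f"{score:.3f}  {desc}")
    print("with numbers unmasked:", [round(s, 3) for s in analyse(EVENTS, config_with(mask={"number": False}))])
```

With the page defaults the three disk events reduce to the same three tokens and receive identical scores, because the percentage and timestamp that differ between them are masked; set "number" to false and each event keeps a token seen nowhere else in the corpus, so it scores higher than its repetition warrants. Enabling priority_words with 'panic' in the list pins the kernel events to 1 regardless of how often they recur, and raising stop_word_length discards short words such as 'disk' before the score is computed.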