Events Analyser Reference
This is a reference for the Events Analyser utility. The Events Analyser configuration properties are found in $MOOGSOFT_HOME/config/events_analyser.conf.
entropy_calc
Entropy calculation method. Moogsoft recommends using the EntropyV2 calculation method for more accurate entropy values.
Type: String
Required: Yes
One of: EntropyV2, EntropyClassic
Default: "EntropyV2"
priming_source_data
Source data to use when priming the entropy value database table, that is, when running the Events Analyser to calculate entropy values. By default, the priming source data is taken from tables in the main database schema, moogdb. timestamp_column names a column in the table given by snapshots_table.
Type: String
Required: Yes
Default:
{ "alerts_table" : "alerts", "events_table" : "events", "snapshots_table" : "snapshots", "timestamp_column" : "last_event_time" }
partition_by
Identifies the properties in each event that are used to partition events so that the Sigalisers group them separately. If partitioning is enabled, the following properties can be configured independently for each partition. See Configure Events Analyser for further details on partitions and configuration examples.
Type: String
Required: Yes
Default: null
Example: "partition_by" : "source"
fields
Properties in each event that contribute to the entropy value calculation.
Type: List of strings
Required: Yes
Default: "description"
mask
Token types to be included in or excluded from entropy calculations. If a token type is set to false, the entropy calculation includes it. If it is set to true, the entropy calculation excludes the token type. Masking token types such as dates or numbers ensures that tokens are not given a higher entropy value than they should have because of unique numbers or dates.
Type: Boolean
Required: No
Default:
{ "path" : false, "ip_address" : false, "mac_address" : false, "url" : false, "email" : false, "date_time" : true, "number" : true, "hex" : false, "oid" : false, "guid" : false, "stop_word" : false, "word" : false }
casefold
Whether the Events Analyser should consider tokens that differ only by case in entropy calculations.
Type: String
Required: Yes
Default: true
stop_words
Whether the Events Analyser should ignore specific tokens in entropy calculations. Stop words are small common words such as 'about', 'at' or 'the'.
Type: String
Required: Yes
Default: true
stop_word_length
The Events Analyser considers any token of this length or shorter to be a stop word and excludes it from entropy calculations. The default of 0 means that no words are considered as stop words.
Type: Number
Required: Yes
Default: 0
stop_word_file
Path (optional) and name of the file containing a list of stop words that the Events Analyser excludes from its entropy calculations. If you provide a file name only, the Events Analyser assumes the path $MOOGSOFT_HOME/config/. The Events Analyser uses the full path if you provide it. The default Moogsoft AIOps implementation provides a file named stopwords in $MOOGSOFT_HOME/config/, which contains a list of common stop words.
Type: String
Required: Yes
Default: "stopwords"
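As an added illustration (not Moogsoft's code; the page gives no entropy formula), the following Python approximates the token filtering stage described by the mask, casefold, stop_words, stop_word_length and stop_word_file settings above, using assumed regex classifiers and a constructed stop-word list, and shows that two events differing only in a number and a timestamp reduce to the same token list once those token types are masked.

```python
import re

# Constructed defaults mirroring the page: true = token type is masked
# (excluded from the calculation), false = included.
MASK = {"path": False, "ip_address": False, "mac_address": False, "url": False,
        "email": False, "date_time": True, "number": True, "hex": False,
        "oid": False, "guid": False, "stop_word": False, "word": False}

# Stand-in for the stopwords file (the page names only 'about', 'at', 'the').
STOP_WORDS = {"about", "at", "the", "on", "a", "an"}

# Illustrative classifiers (assumed, not the Events Analyser's own rules),
# ordered most specific first so an IP address is not read as a number.
CLASSIFIERS = [
    ("ip_address", re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")),
    ("date_time", re.compile(r"^\d{4}-\d{2}-\d{2}(T\d{2}:\d{2}(:\d{2})?)?$")),
    ("path", re.compile(r"^/\S*$")),
    ("number", re.compile(r"^\d+$")),
]

def classify(token):
    # Return the token type that keys the mask; 'word' if nothing else fits.
    for kind, rx in CLASSIFIERS:
        if rx.match(token):
            return kind
    return "word"

def prepare_tokens(text, mask=MASK, casefold=True, stop_words=True,
                   stop_word_length=0, stop_word_list=STOP_WORDS):
    # Tokens left for the entropy calculation after masking, casefolding
    # and stop-word removal.
    kept = []
    for raw in text.split():
        token = raw.strip(",.;:()[]")          # drop surrounding punctuation
        if not token:
            continue
        kind = classify(token)
        if kind == "word":
            if casefold:
                token = token.lower()
            # Listed words and words no longer than stop_word_length are stop words.
            if token.lower() in stop_word_list or len(token) <= stop_word_length:
                kind = "stop_word"
        if kind == "stop_word" and stop_words:
            continue
        if mask.get(kind, False):              # true in the mask means excluded
            continue
        kept.append(token)
    return kept

# Constructed sample events that differ only in the number and the timestamp.
E1 = "Disk usage on /var/log reached 97 percent at 2024-05-01T10:22:05 on host 10.0.0.5"
E2 = "Disk usage on /var/log reached 98 percent at 2024-05-02T03:14:11 on host 10.0.0.5"
```

With the default mask both events yield the same token list; setting "number" and "date_time" to false makes them differ, which is the inflated-entropy effect the mask setting guards against.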
priority_words
Whether the Events Analyser includes priority words in entropy calculations. The Events Analyser automatically assigns alerts that contain a priority word a maximum entropy value of 1.
Type: String
Required: Yes
Default: false
priority_word_file
Path (optional) and name of the file containing a list of priority words, to which the Events Analyser automatically assigns an entropy value of 1 in its entropy calculations. If you provide a file name only, the Events Analyser assumes the path $MOOGSOFT_HOME/config/. The Events Analyser uses the full path if you provide it. The file prioritywords in $MOOGSOFT_HOME/config/ is empty in the default Moogsoft AIOps implementation.
Type: String
Required: Yes
Default: "prioritywords"
stemming
Whether the Events Analyser treats words with the same word stem as the same word in entropy calculations, for example whether 'fail', 'fails', 'failed' and 'failing' count as the same word.
Type: String
Required: Yes
Default: false
stemming_language
Language used in the events.
Type: String
Required: Yes
Default: "english"