Configure the SevOne LAM
The SevOne LAM allows you to collect alerts from one or more SevOne systems.
You can install a basic SevOne integration in the UI. See SevOne for integration steps.
Configure the SevOne LAM if you want to configure custom properties, set up high availability or configure advanced options that are not available in the UI integration.
Before You Begin
The SevOne LAM has been validated with SevOne v5.4. Before you configure the LAM, ensure you have met the following requirements for each SevOne server:
You have the API URL of your SevOne server.
The SevOne API URL is accessible from Moogsoft Onprem.
Your SevOne system is able to accept HTTPS requests.
If you are configuring a distributed deployment, refer to High Availability Overview first. You will need the details of the server configuration you are going to use for HA.
Configure the LAM
Edit the configuration file to control the behavior of the SevOne LAM. You can find the file at $MOOGSOFT_HOME/config/sevone_lam.conf.
See the SevOne Reference for a full description of all properties. Some properties in the file are commented out by default. Uncomment properties to enable them.
Configure the connection properties for each target SevOne source:
url: The SevOne API URL.
username: Username of the account used to connect to the SevOne API.
password or encrypted password: Password or encrypted password of the account used to connect to the SevOne API.
Determine how to select and process SevOne events for each target:
page_size: Number of paginated results the SevOne API sends.
nms_login: Whether the SevOne API username and password are also valid for SevOne Network Management System (NMS).
alert_filter: A filter to limit the SevOne alerts to retrieve.
device_query: A query to retrieve device information for SevOne alerts.
object_query: A query to retrieve object information for SevOne alerts.
user_query: A query to retrieve user information for SevOne alerts.
requests_overlap: Period of time to delay processing duplicates.
overlap_identity_fields: List of payload tokens the LAM uses to identify duplicate events when SevOne returns all open events and not just updated events.
Configure the LAM behavior for each target:
num_threads: Number of worker threads to use when processing events.
request_interval: Length of time to wait between requests, in seconds.
max_retries: Number of times the LAM attempts to reconnect after connection failure.
retry_interval: Length of time to wait between reconnection attempts, in seconds.
recovery_interval: Length of time to wait between requests, in seconds, when the LAM re-establishes a connection after a failure.
max_lookback: Period of time for which to recover missed events, in seconds, when the LAM re-establishes a connection after a failure.
timeout: Length of time to wait before halting a connection or read attempt, in seconds.
Configure the SSL properties for each target if you want to encrypt communications between SevOne and Moogsoft Onprem:
disable_certificate_validation: Whether to disable SSL certificate validation.
path_to_ssl_files: Path to the directory that contains the SSL certificates.
server_cert_filename: Name of the SSL root CA file.
client_key_filename: Name of the SSL client key file.
client_cert_filename: Name of the SSL client certificate.
If you want to connect to SevOne through a proxy server, configure the host, port, user, and password or encrypted password properties in the proxy section for the target.
Optionally configure the LAM identification and capture logging details:
name: Maps to $Laminstancename, so that the agent field indicates events Moogsoft Onprem ingests from this LAM.
capture_log: Name and location of the LAM's capture log file, which it writes to for debugging purposes.
Optionally configure severity conversion. See Severity Reference for further information and "Conversion Rules" in Tokenize Source Event Data for details on conversions in general.
Optionally configure the process logging details:
configuration_file: Name and location of the LAM's process log configuration file. See Configure Logging for more information.
Example
You can configure the SevOne LAM to retrieve events from one or more sources. The following example demonstrates a configuration that targets one SevOne source (target1). If you have more than one source, add a target section for each one and uncomment properties to enable them.
    monitor:
    {
        name : "SevOne LAM",
        class : "CSevOneMonitor",
        request_interval : 60,
        max_retries : -1,
        retry_interval : 60,
        targets:
        {
            target1:
            {
                url : "http://localhost:8080/api/v2/",
                request_interval : 60,
                max_retries : -1,
                retry_interval : 60,
                username : "SevOne_user",
                #password : "password",
                encrypted_password : "qJAFVXpNDTk6ANq65pEfVGNCu2vFdcoj70AF5BIebEc=",
                #proxy:
                #{
                    #host : "localhost",
                    #port : 8181,
                    #user : user,
                    #password : "password",
                    #encrypted_password : "tLSJCWlKSHl7SKw98lCgHWTQv5kLaksm42BP6XLgbWa&",
                #}
                disable_certificate_validation : true,
                #path_to_ssl_files : "config",
                #server_cert_filename : "server.crt",
                #client_key_filename : "client.key",
                #client_cert_filename : "client.crt",
                requests_overlap : 10,
                overlap_identity_fields : [ "id", "severity", "closed", "number" ],
                timeout : 120,
                page_size : 100,
                nms_login : false,
                retry_recovery:
                {
                    recovery_interval : 20,
                    max_lookback : -1
                },
                alert_filter:
                {
                    "deviceId" : [ 0,1,2,3,4 ]
                },
                device_query:
                {
                    include_objects: false,
                    include_indicators: false,
                    local_only: true,
                    fields: [ "id", "name", "alternateName", "description", "ipAddress", "pollFrequency", "lastDiscovery", "timezone", "numElements", "pluginInfo" ]
                },
                object_query:
                {
                    include_indicators: false,
                    include_extended_info: true,
                    fields: [ "id", "deviceId", "pluginId", "name", "description", "isEnabled", "isDeleted", "extendedInfo" ]
                },
                user_query:
                {
                    fields: [ "id", "username", "firstName", "lastName", "email", "isActive" ]
                },
            }
        }
    },
    agent:
    {
        name : "SevOneLam",
        capture_log : "$MOOGSOFT_HOME/log/data-capture/sevone_lam.log"
    },
    log_config:
    {
        configuration_file : "$MOOGSOFT_HOME/config/logging/sevone_lam_log.json"
    },
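The connection and SSL properties above decide whether the LAM's credentials and alert data cross the network encrypted and verified. The following Python check is an added example, not part of the Moogsoft documentation or product: it scans a sevone_lam.conf-style file for a non-HTTPS url, disable_certificate_validation set to true, and an uncommented plaintext password. The sample text and the function names are constructed for illustration, and the parsing assumes one property per line.

```python
import re

# Constructed sample in the style of sevone_lam.conf (not from a real system).
SAMPLE_CONF = """
targets:
{
    target1:
    {
        url                            : "http://localhost:8080/api/v2/",
        username                       : "SevOne_user",
        password                       : "password",
        #encrypted_password            : "PLACEHOLDER",
        disable_certificate_validation : true,
        #server_cert_filename          : "server.crt",
    }
}
"""

# One uncommented `key : value` pair per line, as in the example layout.
PAIR = re.compile(r'^\s*"?(\w+)"?\s*:\s*"?([^",]*)"?\s*,?\s*$')

def active_settings(conf_text):
    """Map each key to the values set on uncommented lines (all targets merged)."""
    found = {}
    for line in conf_text.splitlines():
        if line.lstrip().startswith("#"):
            continue  # commented-out properties are not in effect
        m = PAIR.match(line)
        if m and m.group(2).strip():
            found.setdefault(m.group(1), []).append(m.group(2).strip())
    return found

def audit(conf_text):
    """Return findings on transport and credential settings."""
    s = active_settings(conf_text)
    findings = []
    for url in s.get("url", []):
        if not url.lower().startswith("https://"):
            findings.append(f"url {url} is not HTTPS")
    if "true" in s.get("disable_certificate_validation", []):
        findings.append("disable_certificate_validation is true")
    if "password" in s:
        findings.append("plaintext password set; prefer encrypted_password")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF):
        print("FINDING:", finding)
```

A plaintext password inside an uncommented proxy section is reported by the same check, because the proxy section uses the same property name.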
Configure for High Availability
Configure the SevOne LAM for high availability if required. See High Availability Overview for details.
Configure LAMbot Processing
The SevOne LAMbot processes and filters events before sending them to the Message Bus. You can customize or bypass this processing if required. You can also load JavaScript files into the LAMbot and execute them.
See LAMbot Configuration for more information. An example SevOne LAM filter configuration is shown below.
    filter:
    {
        presend: "SevOneLam.js",
        modules: [ "CommonUtils.js" ]
    }
Map LAM Properties
SevOne event properties are mapped by default to the following Moogsoft Onprem SevOne LAM properties. You can configure custom mappings in the SevOne LAMbot.
SevOne Event Property | SevOne LAM Event Property |
---|---|
| SevOne |
The overflow properties are mapped to "custom info" and appear under custom_info in Moogsoft Onprem alerts.
SevOne Event Property | SevOne LAM Overflow Property |
---|---|
Start and Stop the LAM
Restart the SevOne LAM to activate any changes you make to the configuration file or LAMbot.
The LAM service name is sevonelamd.
See Control Moogsoft Onprem Processes for further details.
If the LAM fails to connect to one or more SevOne sources, Moogsoft Onprem creates an alert and writes the details to the process log. Refer to the logging details for LAMs and integrations for more information.