
Event Enrichment

This LogZilla App allows users to enrich incoming events that match specified criteria (such as a string or a pattern). The typical use for this feature is to add metadata from external sources of information such as a Configuration Management Database (CMDB).

Once the events are enriched, the metadata will be available as User Tags.

App Installation and Configuration

Step 1 - Install

Click Install to install this application

Step 2 - Configure

SSH to the server and edit /etc/logzilla/apps/event_enrichment/config/config.yaml with the samples below.

NOTE: You must have root permission in order to edit these files.

config.yaml

---
- name: Simple Host Lookup
  metadata_file: metaData
  lookup_field: host

Filters

Filters provide the option to limit data enrichment to matched criteria.

Sample: match on incoming hosts, with an optional message filter

As an example, the following filter enables event enrichment for hosts listed in the MetaData file (see below), but adds a further condition: enrichment is applied only if the event matches a listed host and contains foo anywhere in the message.

---
- name: Host Lookup with pre-filter
  metadata_file: metaData
  lookup_field: host
  filter:
  - field: message
    op: "=*"
    value: foo

Note that the op field allows for different types of filter operators. Operators control how the filter's match condition is applied. If no op is supplied, the default operator eq is assumed.

Operator   Match Type          Description
eq         String or Integer   Matches entire incoming message against the string/integer specified in the match condition
ne         String or Integer   Does not match anything in the incoming message match field.
gt         Integer Only        Given integer is greater than the incoming integer value
lt         Integer Only        Given integer is less than the incoming integer value
ge         Integer Only        Given integer is greater than or equal to the incoming integer value
le         Integer Only        Given integer is less than or equal to the incoming integer value
=~         RegEx               Match based on RegEx pattern
!~         RegEx               Does not match based on RegEx pattern
=*         RegEx               RegEx appears anywhere in the incoming message

Sample: match on incoming messages (lookup_field), using a pattern for the lookup

Note that lookup_re applies to the lookup_field (it is not a filter).

---
- name: Host Lookup with message IP pattern matching
  metadata_file: metaData
  lookup_field: message
  lookup_re: "(\\d+\\.\\d+\\.\\d+\\.\\d+)"

Sample: Using multiple metadata files

---
- name: Simple Host Lookup
  metadata_file: metaData1
  lookup_field: host
- name: Simple Program Lookup
  metadata_file: metaData2
  lookup_field: program

Step 3 - Add Metadata

Create /etc/logzilla/apps/event_enrichment/config/metaData.yaml with the following sample data (or modify as needed to suit your environment).

In the example below, each top-level key (an IP address or hostname) is the value that the rule specified above matches against (lookup_field: host); the nested keys beneath it become the event's User Tags.

metaData.yaml

---
"246.219.157.165":
  DeviceID: "1001590"
  Wan-Interface: GigabitEthernet1/0/1
  Device-Role: "DC"
"107.122.210.185":
  DeviceID: "3001590"
  Wan-Interface: GigabitEthernet1/0/3
  Device-Role: "Core"
"CE5-G":
  DeviceID: "3301590"
  Wan-Interface: Ethernet0/1
  Device-Role: "Customer Edge"
"PE4":
  DeviceID: "2401590"
  Wan-Interface: Ethernet0/3
  Device-Role: "Provider Edge"

Step 4 - Enable New Config

Reload the new rules by running logzilla rules reload (or sudo logzilla rules reload if you are not logged in as root).
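To make the filter operators, lookup_field/lookup_re and metadata lookup concrete, here is an added reference model of the enrichment flow in Python; it is not LogZilla's own code. The rules and metadata are constructed inline from the samples above, and the anchoring of =~ and the use of the first capture group for lookup_re are assumptions.

```python
import re

# Constructed metadata mirroring two entries of the page's metaData.yaml
METADATA = {
    "107.122.210.185": {"DeviceID": "3001590", "Wan-Interface": "GigabitEthernet1/0/3", "Device-Role": "Core"},
    "PE4": {"DeviceID": "2401590", "Wan-Interface": "Ethernet0/3", "Device-Role": "Provider Edge"},
}
# Constructed rules, one per config.yaml sample above (metadata_file resolved to METADATA)
RULES = [
    {"lookup_field": "host", "filter": [{"field": "message", "op": "=*", "value": "foo"}]},
    {"lookup_field": "message", "lookup_re": r"(\d+\.\d+\.\d+\.\d+)"},
]

def _int_op(cmp):
    # Integer-only operators: the table reads "given integer <cmp> incoming value";
    # a non-integer on either side fails to match instead of raising.
    def apply(incoming, given):
        try:
            return cmp(int(given), int(incoming))
        except (TypeError, ValueError):
            return False
    return apply

OPS = {
    "eq": lambda incoming, given: str(incoming) == str(given),
    "ne": lambda incoming, given: str(incoming) != str(given),
    "gt": _int_op(lambda g, i: g > i), "lt": _int_op(lambda g, i: g < i),
    "ge": _int_op(lambda g, i: g >= i), "le": _int_op(lambda g, i: g <= i),
    "=~": lambda incoming, given: re.fullmatch(given, str(incoming)) is not None,  # assumed anchored
    "!~": lambda incoming, given: re.fullmatch(given, str(incoming)) is None,
    "=*": lambda incoming, given: re.search(given, str(incoming)) is not None,  # anywhere in the field
}

def filter_matches(event, filters):
    # Every filter entry must hold; a missing op defaults to eq, as the page states.
    return all(OPS[f.get("op", "eq")](event.get(f["field"], ""), f["value"]) for f in filters or [])

def lookup_key(event, rule):
    # Whole field is the key unless lookup_re is set; then its first capture group is (assumption).
    value = str(event.get(rule["lookup_field"], ""))
    if "lookup_re" not in rule:
        return value
    m = re.search(rule["lookup_re"], value)
    return m.group(1) if m else None

def enrich(event, rules=RULES, metadata=METADATA):
    # Returns the User Tags contributed by every rule whose filter and lookup both succeed.
    tags = {}
    for rule in rules:
        if filter_matches(event, rule.get("filter")):
            key = lookup_key(event, rule)
            if key in metadata:
                tags.update(metadata[key])
    return tags
```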