Event Enrichment
This LogZilla App allows users to enrich incoming events that match specified criteria (such as a string or a pattern). The typical use for this feature is to add metadata from external sources of information, such as a Configuration Management Database (CMDB).
Once the events are enriched, the metadata is available as User Tags.
App Installation and Configuration
Step 1 - Install
Click Install to install this application
Step 2 - Configure
SSH to the server and edit `/etc/logzilla/apps/event_enrichment/config/config.yaml` with the samples below.
NOTE: You must have root permission in order to edit these files.
config.yaml
Filters
Filters provide the option to limit data enrichment to matched criteria.
Sample: match on incoming hosts, with an optional message filter
As an example, the following filter enables event enrichment for hosts listed in the MetaData file (see below), but adds a further criterion: enrichment is applied only if the event matches the specified host and contains `foo` anywhere in the message.
```yaml
---
- name: Host Lookup with pre-filter
  metadata_file: metaData
  lookup_field: host
  filter:
    - field: message
      op: "=*"
      value: foo
```
Note that the `op` field allows for different types of filter operators (such as `eq`). Operators control the way the filter's match condition is applied. If no `op` is supplied, the default operator `eq` is assumed.
Operator | Match Type | Description |
---|---|---|
eq | String or Integer | Matches entire incoming message against the string/integer specified in the match condition |
ne | String or Integer | Does not match anything in the incoming message match field. |
gt | Integer Only | Given integer is greater than the incoming integer value |
lt | Integer Only | Given integer is less than the incoming integer value |
ge | Integer Only | Given integer is greater than or equal to the incoming integer value |
le | Integer Only | Given integer is less than or equal to the incoming integer value |
=~ | RegEx | Match based on RegEx pattern |
!~ | RegEx | Does not match based on RegEx pattern |
=* | RegEx | RegEx appears anywhere in the incoming message |
Sample: match on incoming messages (lookup_field), using a pattern for the lookup
Note that a `lookup_re` applies to the `lookup_field` (not a filter).
```yaml
---
- name: Host Lookup with message IP pattern matching
  metadata_file: metaData
  lookup_field: message
  lookup_re: "(\\d+\\.\\d+\\.\\d+\\.\\d+)"
```
Sample: Using multiple metadata files
```yaml
---
- name: Simple Host Lookup
  metadata_file: metaData1
  lookup_field: host
- name: Simple Program Lookup
  metadata_file: metaData2
  lookup_field: program
```
Step 3 - Add Metadata
Create `/etc/logzilla/apps/event_enrichment/config/metaData.yaml` with the following sample data (or modify as needed to suit your environment).
In the example below, each top-level key (such as an IP address) is the value matched against the `lookup_field: host` of the rule specified above.
metaData.yaml
```yaml
---
"246.219.157.165":
  DeviceID: "1001590"
  Wan-Interface: GigabitEthernet1/0/1
  Device-Role: "DC"
"107.122.210.185":
  DeviceID: "3001590"
  Wan-Interface: GigabitEthernet1/0/3
  Device-Role: "Core"
"CE5-G":
  DeviceID: "3301590"
  Wan-Interface: Ethernet0/1
  Device-Role: "Customer Edge"
"PE4":
  DeviceID: "2401590"
  Wan-Interface: Ethernet0/3
  Device-Role: "Provider Edge"
```
Step 4 - Enable New Config
Reload the new rules by running `logzilla rules reload` (or `sudo logzilla rules reload` if you are not logged in as root).
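To make the rule semantics concrete, here is an added illustrative Python model of the enrichment flow described in Steps 2 and 3: the filter operators from the table, the `lookup_field` / `lookup_re` key extraction, and the metadata lookup that yields User Tags. This is example code written for this page, not LogZilla's own implementation (the page does not show its internals). The two rules and the metadata file are the page's own samples, embedded as the Python structures a YAML loader would produce so the script runs offline. Assumptions, marked in the comments: `=~` and `!~` are anchored at the start of the field value while `=*` matches anywhere; the integer operators follow the table's wording ("given" value compared against the incoming value); a missing event field or a non-integer value never matches; and tags from several matching rules are merged.

```python
import re
from typing import Any, Callable, Optional

# Constructed sample: the two rules from the config.yaml samples above, as dicts.
RULES: list = [
    {
        "name": "Host Lookup with pre-filter",
        "metadata_file": "metaData",
        "lookup_field": "host",
        "filter": [{"field": "message", "op": "=*", "value": "foo"}],
    },
    {
        "name": "Host Lookup with message IP pattern matching",
        "metadata_file": "metaData",
        "lookup_field": "message",
        "lookup_re": r"(\d+\.\d+\.\d+\.\d+)",
    },
]

# Constructed sample: the metaData.yaml contents above, keyed by metadata_file name.
METADATA_FILES: dict = {
    "metaData": {
        "246.219.157.165": {"DeviceID": "1001590", "Wan-Interface": "GigabitEthernet1/0/1", "Device-Role": "DC"},
        "107.122.210.185": {"DeviceID": "3001590", "Wan-Interface": "GigabitEthernet1/0/3", "Device-Role": "Core"},
        "CE5-G": {"DeviceID": "3301590", "Wan-Interface": "Ethernet0/1", "Device-Role": "Customer Edge"},
        "PE4": {"DeviceID": "2401590", "Wan-Interface": "Ethernet0/3", "Device-Role": "Provider Edge"},
    }
}


def _as_int(value: Any) -> Optional[int]:
    """Integer-only operators must not match when either side is not an integer."""
    try:
        return int(str(value).strip())
    except ValueError:
        return None


def _int_op(test: Callable[[int, int], bool]) -> Callable[[Any, Any], bool]:
    """Wrap a comparison so it receives (given, incoming) ints, as the operator table words it."""
    def op(incoming: Any, wanted: Any) -> bool:
        inc, given = _as_int(incoming), _as_int(wanted)
        return inc is not None and given is not None and test(given, inc)
    return op


# One predicate per row of the operator table: predicate(incoming_field_value, configured_value).
OPERATORS: dict = {
    "eq": lambda incoming, wanted: str(incoming) == str(wanted),
    "ne": lambda incoming, wanted: str(incoming) != str(wanted),
    "gt": _int_op(lambda given, incoming: given > incoming),
    "lt": _int_op(lambda given, incoming: given < incoming),
    "ge": _int_op(lambda given, incoming: given >= incoming),
    "le": _int_op(lambda given, incoming: given <= incoming),
    # Assumption: =~ and !~ are anchored at the start of the value; =* may match anywhere.
    "=~": lambda incoming, wanted: re.match(str(wanted), str(incoming)) is not None,
    "!~": lambda incoming, wanted: re.match(str(wanted), str(incoming)) is None,
    "=*": lambda incoming, wanted: re.search(str(wanted), str(incoming)) is not None,
}


def filter_matches(event: dict, flt: dict) -> bool:
    """Evaluate one filter entry. Default op is eq; a missing event field never matches."""
    op_name = flt.get("op", "eq")
    if op_name not in OPERATORS:
        raise ValueError(f"unknown filter operator {op_name!r}")  # configuration error, fail loudly
    if flt["field"] not in event:
        return False
    return OPERATORS[op_name](event[flt["field"]], flt["value"])


def lookup_key(event: dict, rule: dict) -> Optional[str]:
    """Derive the metadata key: the whole lookup_field, or the lookup_re capture taken from it."""
    raw = event.get(rule["lookup_field"])
    if raw is None:
        return None
    pattern = rule.get("lookup_re")
    if pattern is None:
        return str(raw)
    m = re.search(pattern, str(raw))
    if m is None:
        return None
    return m.group(1) if m.groups() else m.group(0)


def enrich(event: dict, rules: list = RULES, metadata_files: dict = METADATA_FILES) -> dict:
    """Return the User Tags contributed by every rule whose filters pass and whose key is known."""
    tags: dict = {}
    for rule in rules:
        if not all(filter_matches(event, f) for f in rule.get("filter", [])):
            continue
        key = lookup_key(event, rule)
        table = metadata_files.get(rule["metadata_file"], {})
        if key is not None and key in table:
            tags.update(table[key])  # assumption: later rules may add to or override earlier tags
    return tags


if __name__ == "__main__":
    print(enrich({"host": "246.219.157.165", "message": "interface foo changed state"}))
    print(enrich({"host": "PE4", "message": "neighbor 107.122.210.185 is up"}))
```

The second print shows the two rules at work together: the first rule is skipped because the message does not contain `foo`, so the `PE4` host entry is not used, while the second rule's `lookup_re` pulls the IP address out of the message and resolves it to the "Core" device. A practical check when writing your own rules is to run events with and without the filter string through a model like this and confirm that only the intended tags appear.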