Assure1 Event Watcher Custom Correlation Engine¶
Overview¶
The Assure1 Event Watcher Custom Correlation Engine monitors the event stream for specified events within a specified time period and performs basic event correlation. Watcher uses the defined policies to query the event database on each poll, and if a policy's configured threshold is breached it can do one of the following:
- Create a new event using a meta event template.
- Send a notification via syslog, trap or email.
Assure1 ships with the following Watcher Policies by default:
- Missing Syslog Heartbeat - Monitors for received syslog messages; if none have been inserted in the last 15 minutes, a synthetic event is generated from a meta event template. A silent syslog feed is a monitoring blind spot rather than a quiet network, so this policy turns the absence of events into an alarm.
- Login Failure x3 - Monitors for login failure events; if 3 or more are recorded for a single device in the last 15 minutes, a synthetic event is generated from a meta event template.
Watcher Custom Correlation Engine Setup¶
The following steps show how to create a Watcher Policy to monitor for chosen events:
- Add Watcher Policies or modify existing Watcher Policies.
- Enable the default Service, unless a specific configuration option is needed (the service is Disabled by default).
Default Service¶
Field | Value |
---|---|
Package Name | coreProcessing-app |
Service Name | Event Watcher |
Service Program | bin/core/processing/EventWatcherd |
Service Arguments | |
Service Description | Watcher Daemon that correlates custom policies as customer defined |
Failover Type | Standalone (Supported: Standalone, Primary/Backup) |
Status | Disabled |
Privileged | (Checked) |
Default Configuration¶
Name | Value | Possible Values | Notes |
---|---|---|---|
CheckTime | 900 | Integer | How often (in seconds) the application checks for new and removes old policies. |
LogFile | logs/EventWatcher.log | Text, 255 characters | Relative path to Log File. |
LogLevel | ERROR | OFF, FATAL, ERROR, WARN, INFO, DEBUG | Logging level used by application. |
ShardID | 1 | Integer | Events database shard to run query on. 0 to run and check threshold on all shards individually. NOTE: Any violation Meta Events will be inserted into the same shard that triggered it. |
Threads | 5 | Integer | Number of process threads created. |
Supported Meta Event/Notification Tokens¶
The following table shows the supported meta event tokens.
Keyword | Description |
---|---|
$WATCHERID | Watcher policy ID |
$TIME | UTC epoch |
$TIMESTAMP | UTC epoch |
$TIMESTAMP_TEXT | Long local timestamp |
$DATE_TEXT | Long local timestamp |
$NAME | Watcher policy name |
$FIELD | Watcher policy aggregated Alarm field |
$METRIC | Watcher policy aggregate metric (e.g. SUM, COUNT) |
$OPERATOR | Watcher policy compare operator |
$THRESHOLD | Watcher policy threshold value |
$VALUE | Aggregated value |
$GROUPBY | Watcher policy Group By list |
$POLLTIME | Watcher policy poll time (in seconds) |
$EVENTS | Comma-separated list of grouped alarm IDs that crossed the threshold |
$SEVERITY_TEXT | Severity text (Clear, Unknown, Warning, Minor, Major, Critical) |
$EVENTID | Meta Event ID that generated this alarm (Meta Event actions only) |
$SHARDID | Shard ID the triggering events were read from |
$NOTIFYPROFILEID | Notification Profile ID that generated this message (Notification actions only) |
$NOTIFYTEMPLATEID | Notification Template ID that generated this message (Notification actions only) |
\<AlarmField> | Alarm field information from the most recent matching alarm, where AlarmField is the field to use from the Alarm table (e.g. \<EventID>, \<FirstReported>, \<Count>). |
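The two default policies described in the Overview and the token table above together describe Watcher's whole cycle: poll the alarm table over a look-back window, aggregate per group, compare against a threshold, then render a meta event from a template. The following Python is an added example written for this page, not Assure1's own EventWatcherd code. It evaluates in-memory versions of both default policies over a constructed set of alarm rows and expands the documented $TOKENs and \<AlarmField> references. The Alarm columns Node, Method, Summary and LastReported, the policy layout (Match, Metric, Field, GroupBy, Operator, Threshold, PollTime, Template), and the choice of SUM(Count) rather than a row count for the login-failure policy are assumptions for illustration.

```python
import operator
import re
import time
from dataclasses import dataclass
from typing import Callable

NOW = 1_700_000_000  # fixed "now" so the run is deterministic; timestamps below are relative to it

@dataclass
class Alarm:
    # EventID, FirstReported and Count are Alarm-table fields the page names; Node, Method
    # (the inserting collector), Summary and LastReported are assumed columns.
    EventID: int
    Node: str
    Method: str
    Summary: str
    Count: int           # de-duplication count of the row
    FirstReported: int   # UTC epoch
    LastReported: int    # UTC epoch

@dataclass
class Policy:  # assumed policy layout; field names mirror the $TOKENs in the table
    WatcherID: int
    Name: str
    Match: Callable[[Alarm], bool]   # which alarm rows the policy looks at
    Metric: str                      # "COUNT" or "SUM"
    Field: str                       # aggregated Alarm field
    GroupBy: list[str]               # [] evaluates one global group
    Operator: str                    # key into OPERATORS
    Threshold: int
    PollTime: int                    # look-back window in seconds
    Template: str                    # meta event text using $TOKENs and <AlarmField>

OPERATORS = {">": operator.gt, ">=": operator.ge, "<": operator.lt,
             "<=": operator.le, "==": operator.eq, "!=": operator.ne}
TOKEN_RE = re.compile(r"\$([A-Z_]+)")  # greedy, so $TIMESTAMP_TEXT is not read as $TIMESTAMP
ALARM_FIELD_RE = re.compile(r"<(\w+)>")

def render(policy: Policy, members: list[Alarm], value: int, now: int) -> str:
    """Expand the documented tokens; unknown $TOKENs are left untouched."""
    ordered = sorted(members, key=lambda a: a.FirstReported)
    latest = ordered[-1] if ordered else None
    local = time.strftime("%Y-%m-%d %H:%M:%S %Z", time.localtime(now))
    tokens = {
        "WATCHERID": policy.WatcherID, "NAME": policy.Name,
        "TIME": now, "TIMESTAMP": now, "TIMESTAMP_TEXT": local, "DATE_TEXT": local,
        "FIELD": policy.Field, "METRIC": policy.Metric, "OPERATOR": policy.Operator,
        "THRESHOLD": policy.Threshold, "VALUE": value, "POLLTIME": policy.PollTime,
        "GROUPBY": ",".join(policy.GroupBy),
        "EVENTS": ",".join(str(a.EventID) for a in ordered),
    }
    out = TOKEN_RE.sub(lambda m: str(tokens.get(m.group(1), m.group(0))), policy.Template)
    # <AlarmField> comes from the most recent matching alarm; when nothing matched
    # (the heartbeat case) there is no such alarm and the reference expands to "".
    return ALARM_FIELD_RE.sub(
        lambda m: "" if latest is None else str(getattr(latest, m.group(1), "")), out)

def evaluate(policy: Policy, alarms: list[Alarm], now: int) -> list[str]:
    """One poll: filter to the window, aggregate per group, compare, render violations."""
    window = [a for a in alarms if a.LastReported > now - policy.PollTime and policy.Match(a)]
    groups: dict[tuple, list[Alarm]] = {}
    for a in window:
        groups.setdefault(tuple(getattr(a, g) for g in policy.GroupBy), []).append(a)
    if not policy.GroupBy and not groups:
        groups[()] = []  # absence policy: zero matching rows is still one group, aggregate 0
    fired = []
    for members in groups.values():
        value = (len(members) if policy.Metric == "COUNT"
                 else sum(getattr(a, policy.Field) for a in members))  # SUM
        if OPERATORS[policy.Operator](value, policy.Threshold):
            fired.append(render(policy, members, value, now))
    return fired

# In-memory versions of the two default policies (assumed definitions). The login policy
# sums the de-duplication Count, so one repeated alarm row with Count=3 also trips it.
LOGIN_FAILURE_X3 = Policy(
    WatcherID=2, Name="Login Failure x3", Match=lambda a: "login failure" in a.Summary.lower(),
    Metric="SUM", Field="Count", GroupBy=["Node"], Operator=">=", Threshold=3, PollTime=900,
    Template="$NAME: $METRIC($FIELD) $OPERATOR $THRESHOLD on <Node> "
             "(value=$VALUE in $POLLTIME s, events=$EVENTS, last: <Summary>)")
MISSING_SYSLOG_HEARTBEAT = Policy(
    WatcherID=1, Name="Missing Syslog Heartbeat", Match=lambda a: a.Method == "Syslog",
    Metric="COUNT", Field="EventID", GroupBy=[], Operator="==", Threshold=0, PollTime=900,
    Template="$NAME: no syslog alarms inserted in the last $POLLTIME seconds ($TIMESTAMP_TEXT)")

def sample_alarms() -> list[Alarm]:
    """Constructed alarm rows; the only syslog row is older than the 900 s window."""
    return [
        Alarm(101, "fw-edge-01", "Trap", "SSH login failure for admin", 2, NOW - 600, NOW - 120),
        Alarm(102, "fw-edge-01", "Trap", "SSH login failure for root", 1, NOW - 60, NOW - 60),
        Alarm(103, "vpn-gw-02", "Trap", "SSH login failure for admin", 1, NOW - 300, NOW - 300),
        Alarm(104, "fw-edge-01", "Trap", "SSH login failure for admin", 5, NOW - 7200, NOW - 3600),
        Alarm(105, "core-sw-01", "Syslog", "Interface Gi1/0/1 down", 1, NOW - 2000, NOW - 2000),
    ]

if __name__ == "__main__":
    for policy in (LOGIN_FAILURE_X3, MISSING_SYSLOG_HEARTBEAT):
        print(*evaluate(policy, sample_alarms(), NOW), sep="\n")
```

Two points worth carrying over to real policy design. A heartbeat-style policy only works if the engine evaluates a group that has zero matching rows; a naive GROUP BY over an empty result set returns no rows and therefore never compares anything against the threshold, which is why the example forces a single empty group when GroupBy is empty. In that same case there is no "most recent matching alarm", so \<AlarmField> references in the template expand to nothing and the meta event text should rely on $TOKENs instead. Summing the alarm Count rather than counting rows keeps the login-failure policy honest when the collector de-duplicates repeated failures into one row.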
Administration Details¶
The following list shows the technical details needed for advanced administration of the application:
- Package - coreProcessing-app
- Synopsis - ./EventWatcherd [OPTIONS]
- Options:
  - -c, --AppConfigID N - AppConfigID => Application Config ID (Service, Job, or Request ID)
  - -?, -h, --Help - Print usage and exit
- Threaded - Multi-Threaded