Forum Discussion

ldoodle's avatar
ldoodle
Icon for Advisor rankAdvisor
3 months ago
Solved

Dynamic Device Groups - constrain membership to parent folder

Hi,

We have the following hierarchy setup:

Our company is top level, e.g. LOGICMONITOR
|--Customer Name, e.g. GOOGLE, MICROSOFT
|----’All Devices’ static group (when we add new devices, we add them here)
|----Category named group, e.g. ‘Infrastructure’ static group (with no actual devices added here)
|------Function named group, e.g. ‘Active Directory’, ‘DNS Server’, etc. dynamic group with custom query (hasCategory("MicrosoftDomainController"), hasCategory("Windows_DNS") etc.)

So:

LOGICMONITOR
|--GOOGLE
|----All Devices
|------DEVICE1 (pretend this is an AD server)
|------DEVICE2 (pretend this is an AD server)
|----Infrastructure
|------Active Directory
|--------DEVICE1 (correct)
|--------DEVICE2 (correct)
|--------DEVICE3 (incorrect)
|--------DEVICE4 (incorrect)
|------DNS Server
|--MICROSOFT
|----All Devices
|------DEVICE3 (pretend this is an AD server)
|------DEVICE4 (pretend this is an AD server)
|----Infrastructure
|------Active Directory
|--------DEVICE1 (incorrect)
|--------DEVICE2 (incorrect)
|--------DEVICE3 (correct)
|--------DEVICE4 (correct)
|------DNS Server
 

The problem with this, and it is partly a misunderstanding on my part, is that I expected the (nested) dynamic groups to automatically be constrained to their parent container.

How do I achieve this? The only thing I can think of is having the function-named group custom query be something like this:

join(system.groups,",")=~"GOOGLE/_All Devices" && hasCategory("MicrosoftDomainController")

But that means every dynamic group for every customer will need that, which is fine. But, is there a better, more native/default way?

Thanks

  • Stuart_Weenig's avatar
    Stuart_Weenig
    3 months ago

    So it seems tenant id would only work if each customer resourced is statically placed in a customer nested folder in the first place.

    Yes, the relationship between the device and the customer will have to be defined by you somewhere.

    It does seem a shame (maybe omission) that you can’t map a collector to its collector group and in turn the collector group name, since for us the collector group name is the exact acronym we need.

    You can do this. You just need to make an API call to grab the collector groups. Unintuitively, that wouldn’t be a call to /setting/collector/groups as that doesn’t return the IDs of the collectors in the group. Instead, do a get to /setting/collector/collectors/:id. This will give you back the collector’s group name (among other things, but we can specify that we only want collectorGroupName). 

    So, it would be something like this:

    import com.santaba.agent.util.Settings
    import groovy.json.*
    import javax.crypto.Mac
    import javax.crypto.spec.SecretKeySpec
    import org.apache.commons.codec.binary.Hex
    import org.apache.http.client.methods.*
    import org.apache.http.entity.*
    import org.apache.http.HttpEntity
    import org.apache.http.impl.client.*
    import org.apache.http.util.EntityUtils

    deviceCollectorId = hostProps.get("system.collectorId")
    collector = LM_API("GET","/setting/collector/collectors/${deviceCollectorId}","lmaccess",[:],["fields": "collectorGroupName"])
    if (collector.code == 200){
        println("organization=${collector?.body?.collectorGroupName}")
    }
    return 0

    def LM_API(httpVerb, endpointPath, creds="lmaccess", data = [:], queryParams=[:]){
        def api_id = hostProps.get("${creds}.id")
        def api_key = hostProps.get("${creds}.key")
        def api_company = hostProps.get("${creds}.company") ?: Settings.getSetting(Settings.AGENT_COMPANY)
        def queryParamsString = queryParams.collect{k,v->"${k}=${v}"}.join("&")
        def url = "https://${api_company}.logicmonitor.com/santaba/rest${endpointPath}?${queryParamsString}"
        epoch_time = System.currentTimeMillis()
        def json_data = JsonOutput.toJson(data)
        if ((httpVerb == "GET") || (httpVerb == "DELETE")){requestVars = httpVerb + epoch_time + endpointPath}
        else {requestVars = httpVerb + epoch_time + json_data + endpointPath}
        hmac = Mac.getInstance("HmacSHA256")
        secret = new SecretKeySpec(api_key.getBytes(), "HmacSHA256")
        hmac.init(secret)
        hmac_signed = Hex.encodeHexString(hmac.doFinal(requestVars.getBytes()))
        signature = hmac_signed.bytes.encodeBase64()
        CloseableHttpClient httpclient = HttpClients.createDefault()
        if (httpVerb == "GET"){http_request = new HttpGet(url)}
        else if (httpVerb == "PATCH"){
            http_request = new HttpPatch(url)
            http_request.setEntity(new StringEntity(json_data, ContentType.APPLICATION_JSON))}
        else if (httpVerb == "PUT"){
            http_request = new HttpPut(url)
            http_request.setEntity(new StringEntity(json_data, ContentType.APPLICATION_JSON))}
        else if (httpVerb == "POST"){
            http_request = new HttpPost(url)
            http_request.setEntity(new StringEntity(json_data, ContentType.APPLICATION_JSON))}
        else {http_request = null}
        if (http_request){
            http_request.setHeader("Authorization" , "LMv1 " + api_id + ":" + signature + ":" + epoch_time)
            http_request.setHeader("Accept", "application/json")
            http_request.setHeader("Content-type", "application/json")
            http_request.setHeader("X-Version", "3")
            response = httpclient.execute(http_request)
            body = EntityUtils.toString(response.getEntity())
            code = response.getStatusLine().getStatusCode()
            return ["body":new JsonSlurper().parseText(body), "code":code]}
        else {return ["body":"", "code": -1]}
    }

    You’d need to set properties at the root for lmaccess.id, lmaccess.key and optionally, lmaccess.company. If you wanted to generate an API credential set specifically to this task (and you should), just change the prefix in line 13 from “lmaccess” to whatever you want to prefix the properties with.

    This outputs a property called auto.organization with the value of the collector group name of the collector identified by system.collectorId.

28 Replies

Sort By
  • Stuart_Weenig's avatar
    Stuart_Weenig
    Icon for Legend rankLegend
    3 months ago

    We have almost the same group structure. What we do is make sure that every device belongs to one static group. We do this with automation. That static group allows its members to inherit the customer id property. Then we have a property source that takes that inherited property and makes it a device level property. Then each of our dynamic groups under our customers constrain on whatever their original applies to is, plus the device level customer id property.

  • Joe_Williams's avatar
    Joe_Williams
    Icon for Expert rankExpert
    3 months ago

    Have you looked into using the tenantid? After setting it in both the portal settings and on an folder, devices will inherit it, then a propertysource auto sets it as a system property.

    You can then use system.tenant.identifier as your property to match on.

  • Stuart_Weenig's avatar
    Stuart_Weenig
    Icon for Legend rankLegend
    3 months ago

    Have you looked into using the tenantid? After setting it in both the portal settings and on an folder, devices will inherit it, then a propertysource auto sets it as a system property.

    You can then use system.tenant.identifier as your property to match on.

    That’s probably the best way. It wasn’t available when we built out our group structure so we didn’t use it. But if i were to rebuild, that would be the way I’d go.

  • Stuart_Weenig's avatar
    Stuart_Weenig
    Icon for Legend rankLegend
    3 months ago

    One thing you may want to also keep in mind is supporting multiple collector groups per customer. Since collector groups also group together fail overs, you may have to create multiple ones if you don’t want to failover any customer collector to just any other customer collector. Especially across multiple sites which might not have connections between them or you don’t want to failover to another site over vpn.

    Yep, but only for ABCGs. If you’re manually defining the failover collector, collector group has no impact.

  • LMjosephBrett's avatar
    LMjosephBrett
    Icon for LM Conqueror rankLM Conqueror
    3 months ago

    Hey @ldoodle 

    So, for dynamic groups when it comes to properties, you cannot use inherited properties or categories as this could lead to circular references.  We don’t allow for circular references.  However, if you have a static group for all of your individual customer devices you can use that. 

    Using your initial example, you could use a join statement like this:

    join(system.staticgroups,",")=~"Google/All Devices"

    This will need to be used in every dynamic group under that customers group to ensure it’s querying only that customers devices.  But it should allow you to accomplish what you are looking to do.

    In the event that you didn’t see this support article already, this doc goes over appliesTo scripting:

    https://www.logicmonitor.com/support/terminology-syntax/scripting-support/what-is-lms 

  • Joe_Williams's avatar
    Joe_Williams
    Icon for Expert rankExpert
    3 months ago

    We have almost the same group structure. What we do is make sure that every device belongs to one static group. We do this with automation. That static group allows its members to inherit the customer id property. Then we have a property source that takes that inherited property and makes it a device level property. Then each of our dynamic groups under our customers constrain on whatever their original applies to is, plus the device level customer id property.

    This is how we basically do it as well. Each device lives in a tech stack folder (Firewalls/Routers/Switches/etc..) that live under a location folder that lives under a client id. We then have 10+ dynamic folders that build off of those items. 

    An example being something like

    join(system.staticgroups,",") =~ "CLIENTID" && join(system.staticgroups,",") =~ "Firewalls" && hasCategory("PaloAlto")

  • Stuart_Weenig's avatar
    Stuart_Weenig
    Icon for Legend rankLegend
    3 months ago

    In portal settings, you specify the name of the property that identifies the tenant. Then you set that property on the device, either directly or by specifying it as a group property that the device will inherit. Then some automagic happens to set the value of that property as the value of system.tenant.identifier.

  • Stuart_Weenig's avatar
    Stuart_Weenig
    Icon for Legend rankLegend
    3 months ago

    So it seems tenant id would only work if each customer resourced is statically placed in a customer nested folder in the first place.

    Yes, the relationship between the device and the customer will have to be defined by you somewhere.

    It does seem a shame (maybe omission) that you can’t map a collector to its collector group and in turn the collector group name, since for us the collector group name is the exact acronym we need.

    You can do this. You just need to make an API call to grab the collector groups. Unintuitively, that wouldn’t be a call to /setting/collector/groups as that doesn’t return the IDs of the collectors in the group. Instead, do a get to /setting/collector/collectors/:id. This will give you back the collector’s group name (among other things, but we can specify that we only want collectorGroupName). 

    So, it would be something like this:

    import com.santaba.agent.util.Settings
    import groovy.json.*
    import javax.crypto.Mac
    import javax.crypto.spec.SecretKeySpec
    import org.apache.commons.codec.binary.Hex
    import org.apache.http.client.methods.*
    import org.apache.http.entity.*
    import org.apache.http.HttpEntity
    import org.apache.http.impl.client.*
    import org.apache.http.util.EntityUtils

    deviceCollectorId = hostProps.get("system.collectorId")
    collector = LM_API("GET","/setting/collector/collectors/${deviceCollectorId}","lmaccess",[:],["fields": "collectorGroupName"])
    if (collector.code == 200){
        println("organization=${collector?.body?.collectorGroupName}")
    }
    return 0

    def LM_API(httpVerb, endpointPath, creds="lmaccess", data = [:], queryParams=[:]){
        def api_id = hostProps.get("${creds}.id")
        def api_key = hostProps.get("${creds}.key")
        def api_company = hostProps.get("${creds}.company") ?: Settings.getSetting(Settings.AGENT_COMPANY)
        def queryParamsString = queryParams.collect{k,v->"${k}=${v}"}.join("&")
        def url = "https://${api_company}.logicmonitor.com/santaba/rest${endpointPath}?${queryParamsString}"
        epoch_time = System.currentTimeMillis()
        def json_data = JsonOutput.toJson(data)
        if ((httpVerb == "GET") || (httpVerb == "DELETE")){requestVars = httpVerb + epoch_time + endpointPath}
        else {requestVars = httpVerb + epoch_time + json_data + endpointPath}
        hmac = Mac.getInstance("HmacSHA256")
        secret = new SecretKeySpec(api_key.getBytes(), "HmacSHA256")
        hmac.init(secret)
        hmac_signed = Hex.encodeHexString(hmac.doFinal(requestVars.getBytes()))
        signature = hmac_signed.bytes.encodeBase64()
        CloseableHttpClient httpclient = HttpClients.createDefault()
        if (httpVerb == "GET"){http_request = new HttpGet(url)}
        else if (httpVerb == "PATCH"){
            http_request = new HttpPatch(url)
            http_request.setEntity(new StringEntity(json_data, ContentType.APPLICATION_JSON))}
        else if (httpVerb == "PUT"){
            http_request = new HttpPut(url)
            http_request.setEntity(new StringEntity(json_data, ContentType.APPLICATION_JSON))}
        else if (httpVerb == "POST"){
            http_request = new HttpPost(url)
            http_request.setEntity(new StringEntity(json_data, ContentType.APPLICATION_JSON))}
        else {http_request = null}
        if (http_request){
            http_request.setHeader("Authorization" , "LMv1 " + api_id + ":" + signature + ":" + epoch_time)
            http_request.setHeader("Accept", "application/json")
            http_request.setHeader("Content-type", "application/json")
            http_request.setHeader("X-Version", "3")
            response = httpclient.execute(http_request)
            body = EntityUtils.toString(response.getEntity())
            code = response.getStatusLine().getStatusCode()
            return ["body":new JsonSlurper().parseText(body), "code":code]}
        else {return ["body":"", "code": -1]}
    }

    You’d need to set properties at the root for lmaccess.id, lmaccess.key and optionally, lmaccess.company. If you wanted to generate an API credential set specifically to this task (and you should), just change the prefix in line 13 from “lmaccess” to whatever you want to prefix the properties with.

    This outputs a property called auto.organization with the value of the collector group name of the collector identified by system.collectorId.

  • Stuart_Weenig's avatar
    Stuart_Weenig
    Icon for Legend rankLegend
    3 months ago

    Ha, this ain’t my first rodeo. Developing it would be even faster if LM supported python natively.

    Yes there is a way of defining it only once and importing it: collector snippets. However, LM doesn’t allow mere mortals like you and me to manage snippets. It’s exclusive to LM devs. Submit a feature request for it so i’m not the only one. 

    You can go the route of creating a full java library with that function in it and you could install that library into the groovy path on each collector.

    Or you can just include it at the bottom of each module you want to use it in (what I do).

  • ldoodle's avatar
    ldoodle
    Icon for Advisor rankAdvisor
    3 months ago

    Had a bit of panic as I could see it was working when testing but none of my dynamic groups were being populated. Then remembered on the other side of the pond you guys use z in organisation 😂

    @LMjosephBrett how do we submit feature requests? I have 2:

    1. Ability to create UDFs for importing in to scripts, e.g. within LogicModules, alongside AppliesTo Functions have a Script Functions group where we can put things like @Stuart Weenig LM_API function. Then in a PropertySource for example we can use the import tag, or an equivalent
    2. I still think collectorgroupid and collectorgroupdesc default properties should be a thing, and should be applied to every resource add the point of adding them, like collectorid and collectordesc are

    Thanks again for all the replies and help.