Forum Discussion

Antony_Hawkins
2 years ago

LM Portal Integration Events - EventSource to alert on Alerting Integration failures

What:

It’s an EventSource that calls recent Alert Integration events from the LM API (endpoint: /setting/integrations/auditlogs), and alerts on any non-2xx responses.

Why:

Mostly because these failures aren’t glaringly obvious within the LM Envision UI; you have to actively go and look for them. This EventSource will let you alert on them within LM, both in the UI itself and also as an alert that can be escalated out.

Obvious caveat:

If you want to escalate alerts from this EventSource out of the platform, use an Alert Rule and an Escalation Chain to target the alerts and route them out via email/SMS/Voice call, not via an Alerting Integration. 😉

You will need:

A LogicMonitor Portal Resource that all the core LogicMonitor_Portal_* LogicModules also apply to.

API credentials such as you’d already have set on this resource, as per our documentation:

https://www.logicmonitor.com/support/logicmonitor-portal-monitoring

The user that these credentials relate to must have read access to LM Audit Logs.

The EventSource will automatically apply to your Portal Resource and “just start working”.

If the API credentials don’t give sufficient rights to the Audit Logs, the EventSource will start alerting on that also (unfortunately, on each poll - you may want to watch it on implementation just to make sure it’s OK!)

Script uses Collector Script Cache to remember the most recent event seen on each poll, then looks back only that far, to ensure full coverage with no overlap.

EventSource name: LogicMonitor_Portal_IntegrationEvents

Version 1.4 published with lmLocator: J3WPAR
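The poll-window and filtering logic the post describes, written here as an added Python model rather than the EventSource's own Groovy script. The audit-log field names (`happenedOn`, `statusCode`, `integration`), the one-hour first-poll lookback and the in-memory cache are all assumptions standing in for the real API schema and the Collector Script Cache:

```python
# Added example, not the LogicMonitor_Portal_IntegrationEvents code.
# Models: cache newest event time, look back only that far, alert on non-2xx.
from typing import Optional

DEFAULT_LOOKBACK_S = 3600  # assumption: empty cache => look back one hour

# Constructed rows standing in for a /setting/integrations/auditlogs response.
# Field names are assumptions, not LogicMonitor's real schema.
SAMPLE_EVENTS = [
    {"happenedOn": 1700000100, "statusCode": 200, "integration": "PagerDuty"},
    {"happenedOn": 1700000200, "statusCode": 500, "integration": "ServiceNow"},
    {"happenedOn": 1700000300, "statusCode": 401, "integration": "Slack"},
    {"happenedOn": 1700000300, "statusCode": 201, "integration": "Slack"},
]


def poll(events, cache: Optional[int], now: int, api_status: int = 200):
    """One EventSource poll. Returns (alert_rows, new_cache_value).

    events:     rows the API returned for this poll
    cache:      epoch of the newest event seen last poll (None on first run)
    api_status: HTTP status of the audit-log call itself; a non-2xx here
                (e.g. credentials lacking Audit Log rights) is itself alerted
    """
    if api_status // 100 != 2:
        # The API call failed: surface that, and leave the cache untouched so
        # the window is not advanced past events we never saw.
        row = {"happenedOn": now, "severity": "error",
               "message": f"auditlogs API call returned HTTP {api_status}"}
        return [row], cache

    since = cache if cache is not None else now - DEFAULT_LOOKBACK_S
    newest = since
    rows = []
    for ev in events:
        ts = ev["happenedOn"]
        if ts <= since:
            continue  # strictly newer only: no overlap with the previous poll
        newest = max(newest, ts)
        if ev["statusCode"] // 100 != 2:
            rows.append({"happenedOn": ts, "severity": "error",
                         "message": f"{ev['integration']} delivery returned "
                                    f"HTTP {ev['statusCode']}"})
    # Caller persists `newest` to the script cache for the next poll.
    return rows, newest


if __name__ == "__main__":
    alerts, cache = poll(SAMPLE_EVENTS, None, now=1700000400)
    print(alerts, cache)
```

Note that events sharing the exact cached timestamp are dropped on the next poll; if several deliveries can log in the same second, the real script needs a tie-breaker such as an event id.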

  • You could create a datasource to query the logs and push them to your SIEM’s API log ingestion endpoint (assuming it has one). You would want to use the script cache to carry forward the timestamp of the last log sent during the previous poll. You can use this as an example.

    That’s for Audit logs or Collector logs, I presume?

    There is no API endpoint to extract logs from LM Logs.

    For the Audit Logs question, there is also a Community LogSource, “LM Audit Logs”, Locator: 43W643, that may be of interest.

  • Thomas’ LogSource caches the epoch time of each check, and calls the audit logs back to that cached time on the next call, ensuring full coverage without overlap.

  • Anonymous

    Oh that’s good. Basically the same as mine then (except maybe the property enrichment). I’ll have to take a closer look at the code, but I didn’t see any cache calls.