LM Portal Integration Events - EventSource to alert on Alerting Integration failures

Glad to see this formally built out by LogicMonitor at this point, I know quite a few customers have had to implement custom solutions historically. I think having this functionality for both an EventSource and in LM Logs would be great.

Now - when are we finally going to get formal support for ingesting Collector logs into LM Logs? I’d love to leverage anomalies with Collector log data.

Ah yes, sorry Stuart, I was a little previous in posting.

Now cleared through security review, should be visible.

It did also occur overnight that pushing these integration events into LM Logs is an easy extension from this point, by a relatively simple combination of parts of this script and parts of other, existing, modules.

Hold my beer...

Not finding it. Possibly still under review?

That’s for Audit logs or Collector logs, I presume?

Audit logs to LM Logs

There is no API endpoint to extract logs from LM Logs.

I’m not talking about extracting them from LM Logs. I’m talking about getting it directly from the audit logs and sending to the SIEM. There’s no API for a lot of things.

For the Audit Logs question, there is also a Community LogSource, “LM Audit Logs”, Locator: 43W643, that may be of interest.

Props to Thomas, but there’s a high probability of logs getting missed using that method. Gotta use the script cache to recall the timestamp of the oldest log fetched during the previous poll. Mine gets down to the second (or ms?) and makes sure there are no missed entries.

Yeah, was gonna suggest that. SImilar to what I did with audit logs.

Glad to see this formally built out by LogicMonitor at this point

This isn’t supported by LM. It’s got the same level of support as any custom module built by any LM customer. Wish it was.

Now - when are we finally going to get formal support for ingesting Collector logs into LM Logs? I’d love to leverage anomalies with Collector log data.

Completely agree. Pushing audit logs and collector logs into LM Logs should be a no brainer and should either be the default, or require only a checkbox, provided those logs don’t count against license counts. That should be pretty easy by having metadata provided with the log that excludes it from counts.

Also offloading logs would be nice. Our SOC has requested we ship logs to our SIEM, but there is no real easy way to accomplish this.

As already mentioned above, this isn’t formally built out by LogicMonitor; it’s a “side project” / POC module authored by me as an individual who coincidentally happens to be on the LM payroll. It hasn’t gone through any “gold standard” reviewing (other than security review, of course), so, no guarantees for efficiency, no official support, etc.

Coincidentally also, I’ve been thinking about collector logs to LM Logs; it’s simple enough technically (just a mix of my Collector ConfigSources and any other API logs ingest) but as an unofficial build they’d absolutely count towards your consumed, billable, ingest. It’s kind of on my side list of “things to put together”, I just haven’t found the time yet.

I also don’t disagree with Stuart’s comments on default ingest of such things; feel free (if you haven’t already) to submit this as a feature request.

You could create a datasource to query the logs and push them to your SIEM’s API log ingestion endpoint (assuming it has one). You would want to use the script cache to carry forward the timestamp of the last log sent during the previous poll. You can use this as an example.