21. 02. 2020 Tobias Goller Log Management, NetEye

Tornado Use Case with Elastic

Before I tell you about one of my latest customer requirements, I would like to briefly explain what our NetEye Tornado module is.

Our user guide describes Tornado as the successor to NetEye's Event Handler. It is a plugin-based, stateless, scalable rule-matching engine written in Rust, built on the Actix framework and focused on high performance. The Tornado engine can parse events emitted by rsyslog, snmptrapd and procmail, and then, depending on the rule set, either write to a log file or run a custom script.

After this short explanation, I would now like to briefly explain one customer’s requirement.

This customer collects a lot of syslog messages from various devices, such as routers, switches, storage, etc. Depending on the device type, these syslog messages are assigned to a host group field in Elastic.

An SNMP TRAP should be sent as soon as messages arrive in the Elastic Log Manager whose Hostgroup field is set to "network" and whose severity is set to "critical".

How might one implement this requirement?

With the help of the current Elastic version, X-Pack, and our Tornado solution, I was able to fulfill the customer request. Here’s a quick description of how I did it:

  1. I built a watcher in Kibana that filters the Elastic data exactly according to these criteria and sends the matching documents to a Tornado Webhook.
  2. I created a Tornado Webhook to receive the messages sent by the Elastic Watcher.
  3. After configuring this webhook, I created a Tornado rule which takes the data from the Tornado Webhook and calls a script that generates an SNMP TRAP, populates it with the fields of the syslog messages, and sends it.
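The third step above, the script behind the Tornado rule, is the part a practitioner usually has to write themselves. The following is an added example written for this post, not the author's script and not part of NetEye or Tornado: it takes a JSON payload of the kind an Elastic Watcher webhook action might forward (the field names `hits`, `host`, `hostgroup`, `severity` and `message` are assumptions, not the real NetEye format), re-applies the "network + critical" condition on the receiving side so the trap sender never trusts the upstream filter blindly, and then hand-encodes an SNMPv2c trap with a minimal BER encoder so it needs no third-party SNMP library. The enterprise OID is a placeholder to be replaced with one from your own MIB.

```python
"""Added example: forward an Elastic Watcher -> Tornado webhook payload as an SNMPv2c trap.

Illustrative code written for this post; it is not NetEye's Tornado, its
webhook collector, or the author's own script. The JSON shape below is an
assumption about what a Watcher webhook action forwards.
"""
import json
import socket

# Constructed sample of a forwarded Watcher payload (assumed shape, not the
# real NetEye/Tornado format).
SAMPLE_PAYLOAD = json.dumps({
    "watch_id": "network-critical-syslog",
    "hits": [
        {"host": "core-sw01", "hostgroup": "network", "severity": "critical",
         "message": "Interface Gi1/0/1 changed state to down"},
        {"host": "fw01", "hostgroup": "network", "severity": "warning",
         "message": "session table 80% full"},
        {"host": "nas01", "hostgroup": "storage", "severity": "critical",
         "message": "disk 3 failed"},
    ],
})

# PLACEHOLDER enterprise trap OID: replace with one defined in your own MIB.
TRAP_OID = "1.3.6.1.4.1.99999.1.1"
SYS_UPTIME_OID = "1.3.6.1.2.1.1.3.0"       # sysUpTime.0, mandatory first varbind
SNMP_TRAP_OID = "1.3.6.1.6.3.1.1.4.1.0"    # snmpTrapOID.0, mandatory second varbind


def select_hits(payload_json):
    """Re-apply the Watcher condition on the receiving side: the trap script
    should not assume that only matching documents were forwarded."""
    payload = json.loads(payload_json)
    return [h for h in payload.get("hits", [])
            if h.get("hostgroup") == "network" and h.get("severity") == "critical"]


# --- minimal BER encoder, just enough for an SNMPv2c trap ---------------
def ber_length(n):
    """Short form below 128, long form (0x80 | byte count, then bytes) above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def ber_tlv(tag, content):
    return bytes([tag]) + ber_length(len(content)) + content


def ber_uint(value, tag=0x02):
    """Non-negative INTEGER (tag 0x02) or TimeTicks (tag 0x43)."""
    if value < 0:
        raise ValueError("only non-negative values are encoded here")
    # one spare bit keeps the sign bit clear when the top data bit is set
    return ber_tlv(tag, value.to_bytes((value.bit_length() + 8) // 8, "big"))


def ber_oid(dotted):
    arcs = [int(a) for a in dotted.strip(".").split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])   # first two arcs share one byte
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:                              # base-128, high bit on all but the last byte
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return ber_tlv(0x06, bytes(out))


def ber_octets(text):
    return ber_tlv(0x04, text.encode("utf-8"))


def varbind(oid, encoded_value):
    return ber_tlv(0x30, ber_oid(oid) + encoded_value)


def build_trap(hit, community="public", uptime_ticks=0, request_id=1):
    """SNMPv2c message wrapping an SNMPv2-Trap-PDU (tag 0xA7) with the hit fields."""
    varbinds = (
        varbind(SYS_UPTIME_OID, ber_uint(uptime_ticks, 0x43))
        + varbind(SNMP_TRAP_OID, ber_oid(TRAP_OID))
        + varbind(TRAP_OID + ".1", ber_octets(hit["host"]))
        + varbind(TRAP_OID + ".2", ber_octets(hit["severity"]))
        + varbind(TRAP_OID + ".3", ber_octets(hit["message"]))
    )
    pdu = ber_tlv(0xA7, ber_uint(request_id) + ber_uint(0) + ber_uint(0)  # request-id, error-status, error-index
                  + ber_tlv(0x30, varbinds))
    return ber_tlv(0x30, ber_uint(1) + ber_octets(community) + pdu)     # version 1 == SNMPv2c


def send_trap(message, receiver, port=162):
    """Fire-and-forget UDP send to the trap receiver (not exercised by the test)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.sendto(message, (receiver, port))


if __name__ == "__main__":
    for hit in select_hits(SAMPLE_PAYLOAD):
        print(hit["host"], build_trap(hit).hex())
```

Run with the payload on stdin in place of `SAMPLE_PAYLOAD` and call `send_trap(build_trap(hit), "<trap-receiver>")` per selected hit; of the three constructed hits only `core-sw01` passes the condition, so exactly one trap would be sent. A few points worth keeping from this example: the script re-checks the match condition rather than relying on the watcher alone, the community string and receiver should come from configuration rather than the payload, and the message text is carried as an opaque OctetString so hostile syslog content cannot alter the trap structure.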

Conclusion:

By using the current Elastic version with X-Pack together with Tornado, it is finally possible to carry out actions based on indexed content within the Elastic database. As a result, our Log Manager solution has become even more complete, and its areas of application have become even broader.

Tobias Goller

NetEye Solution Architect at Würth Phoenix
I started my professional career as a system administrator. Over the years, my area of responsibility changed from administrative work to the architectural planning of systems. During my activities at Würth Phoenix, the focus of my area of responsibility changed to the installation and consulting of the IT system management solution WÜRTHPHOENIX NetEye. In the meantime, I take care of the implementation and planning of customer projects in the area of our unified monitoring solution.
