21. 02. 2020 TobiasGoller Log Management, NetEye

Tornado Use Case with Elastic

Before I tell you about one of my latest customer requirements, I would like to briefly explain what our NetEye Tornado module is.

As our user guide puts it, Tornado is the successor to NetEye’s Event Handler: a plugin-based, stateless, scalable rule-matching engine written in Rust, built on the Actix framework and focused on high performance. Tornado can parse events emitted by rsyslog, snmptrapd and procmail and, depending on the rule set, either write them to a log file or run a custom script.

After this short explanation, I would now like to describe one customer’s requirement.

This customer collects a large volume of syslog messages from various devices, such as routers, switches and storage systems. Depending on the device type, each message is assigned a host group, which is stored in a dedicated field in Elastic.

The requirement: an SNMP trap should be sent as soon as messages arrive in the Elastic Log Manager whose host group field has the value network and whose severity is critical.

How might one implement this requirement?

With the current Elastic version, X-Pack (Watcher is an X-Pack feature, so it needs a subscription level that includes it) and our Tornado solution, I was able to fulfill the customer request. Here’s a quick description of how I did it:

  1. I built a Watcher in Kibana that queries the Elastic data for exactly these criteria (host group network and severity critical) and, whenever there are matches, posts them to a Tornado webhook.
  2. I created a Tornado webhook to receive the messages from the Elastic Watcher.
  3. Once the webhook was configured, I created a Tornado rule that matches the events coming from that webhook and calls a script which builds an SNMP trap, fills it with the information from the syslog messages, and sends it.
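As an added example (not the author’s script and not NetEye’s code), here is what the last step can look like: the script the Tornado rule runs once the Watcher has posted matching documents to the webhook. It assumes a Watcher webhook body with a hits list carrying host, hostgroup, severity and message fields, a hypothetical enterprise OID .1.3.6.1.4.1.99999 for the trap and its varbinds, Net-SNMP’s snmptrap on the path, and that the rule passes the SNMP manager and community as arguments with the payload on stdin; adapt those to your Watcher body template and to how your Tornado script action hands over the event. The script re-checks host group and severity and strips control characters from the syslog text, because that text originates on the monitored devices, and it never goes through a shell.

```python
"""Added example: the script a Tornado rule runs for the Watcher -> Tornado ->
SNMP trap pipeline. Not the post's own code; payload shape, OIDs and the
argument convention are assumptions."""
import json
import re
import shlex
import subprocess
import sys

# Hypothetical enterprise OID tree for the trap and its varbinds (assumption).
TRAP_OID = ".1.3.6.1.4.1.99999.1.0.1"
OID_HOST = ".1.3.6.1.4.1.99999.1.1.1"
OID_HOSTGROUP = ".1.3.6.1.4.1.99999.1.1.2"
OID_SEVERITY = ".1.3.6.1.4.1.99999.1.1.3"
OID_MESSAGE = ".1.3.6.1.4.1.99999.1.1.4"

# The customer's criteria. The Watcher query and the Tornado rule already
# enforce them; the script re-checks so that a misconfigured watcher cannot
# turn every hit into a critical trap.
WANTED_HOSTGROUP = "network"
WANTED_SEVERITY = "critical"

# Constructed sample of what the Watcher webhook action might post (assumed
# body template, not real data).
SAMPLE_WATCHER_BODY = json.dumps({
    "watch_id": "network_critical_to_tornado",
    "hits": [
        {"host": "core-sw-01", "hostgroup": "network", "severity": "critical",
         "message": "%LINEPROTO-5-UPDOWN: Line protocol on Interface Gi1/0/1, changed state to down"},
        {"host": "san-01", "hostgroup": "storage", "severity": "critical",
         "message": "disk 3 failed"},
        {"host": "edge-rt-02", "hostgroup": "network", "severity": "warning",
         "message": "BGP neighbor 10.0.0.2 hold timer expired"},
    ],
})


def select_alerts(body):
    """Return only the hits that satisfy the host group / severity criteria."""
    payload = json.loads(body) if isinstance(body, str) else body
    hits = payload.get("hits", [])
    return [h for h in hits
            if str(h.get("hostgroup", "")).lower() == WANTED_HOSTGROUP
            and str(h.get("severity", "")).lower() == WANTED_SEVERITY]


def clean_text(value, limit=255):
    """Syslog text is device-controlled: replace control characters and cap
    the length before it becomes an SNMP OCTET STRING varbind."""
    text = re.sub(r"[\x00-\x1f\x7f]", " ", str(value))
    return text[:limit]


def build_snmptrap_argv(hit, manager, community):
    """Build the Net-SNMP snmptrap command as an argv list. Handing a list to
    subprocess (no shell) means message content can never be parsed as shell
    syntax. The empty argument is the sysUpTime placeholder snmptrap expects."""
    return [
        "snmptrap", "-v", "2c", "-c", community, manager, "",
        TRAP_OID,
        OID_HOST, "s", clean_text(hit.get("host", "unknown")),
        OID_HOSTGROUP, "s", clean_text(hit.get("hostgroup", "")),
        OID_SEVERITY, "s", clean_text(hit.get("severity", "")),
        OID_MESSAGE, "s", clean_text(hit.get("message", "")),
    ]


def send_traps(body, manager, community, runner=subprocess.run):
    """Send one trap per matching hit and return how many were sent.
    `runner` is injectable so the logic can be exercised without snmptrap."""
    sent = 0
    for hit in select_alerts(body):
        runner(build_snmptrap_argv(hit, manager, community), check=True)
        sent += 1
    return sent


if __name__ == "__main__":
    # Assumed calling convention from the Tornado script action:
    #   send_trap.py <snmp-manager> <community>   with the webhook JSON on stdin
    # With no arguments it runs a dry run on the embedded sample and only
    # prints the commands it would execute.
    if len(sys.argv) == 3:
        send_traps(sys.stdin.read(), sys.argv[1], sys.argv[2])
    else:
        for hit in select_alerts(SAMPLE_WATCHER_BODY):
            print(shlex.join(build_snmptrap_argv(hit, "nms.example.net", "public")))
```

Running it without arguments prints the snmptrap commands for the sample, which is a convenient way to check the varbinds before wiring the script into the rule. If other users can read the Tornado rule definitions, consider keeping the community string out of the rule’s arguments rather than passing it on the command line.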

Conclusion:

By using the current Elastic version with X-Pack and our Tornado, it is finally possible to trigger actions based on content indexed in Elastic. As a result, our Log Manager solution has become even more complete, and its range of applications even broader.

TobiasGoller


Consultant at Würth Phoenix
I’m Tobias and I work as an SI Consultant in different fields, for commercial products like VMware, Microsoft and Citrix, but also for open-source projects like Nagios, OCS Inventory, GLPI, NagVis, ntop and the best-practice standard ITIL. I also have some certifications for these kinds of activities, which help me improve my work on the job. I like to introduce the best solutions for the customer’s needs, regardless of whether it is a commercial or a free product. One of my favorite hobbies is playing in the local wind band. As I live in the mountains I love hiking, and last but not least I try to spend much of my free time with my family.

