22. 11. 2023 Attilio Broglio NetEye, Unified Monitoring

Improve Tornado Rules with a Mapping Modifier

Some years ago, one of my colleagues wrote an article about how to “Avoid Tornado Rules Repetition with a Map Post-modifier”. He presented an interesting and very useful way for creating Tornado rules without rewriting them. The core of his approach was based on the Mapping modifier, a functionality in the previous Tornado GUI that was a sort of hidden feature. In order to enable it, users needed to edit the rules in an “advanced” mode, adding the mapping modifier part inside the JSON configuration.

    "modifiers_post": [
      {
        "type": "Lowercase"
      },
      {
        "type": "Map",
        "mapping": {
          "high": "my-template-1",
          "medium": "my-template-2",
          "low": "my-template-3"
        },
        "default_value": null
      }
    ]

Beginning with NetEye 4.32, Wuerth Phoenix introduced a new tornado GUI that provides an easier configurator. So let’s see two use cases that we can simplify by using this modifier.

First use case

Suppose Tornado receives an event with an alarm-status-value of event.payload.alarm_status, and we want to set the exit status and exit_value for a smart_monitoring action. Using the with section with the mapping modifier, we can write 1 rule instead of 4. Let’s further assume that the alarm_status of the event can have one of the values (“clear”, “warn”, “fatal”, “unknown”), and from this we want to set the exit status to the Icinga value/label (0/”OK”, 1/”WARNING”, 2/”CRITICAL”, 3/”UNKNOWN”). Using the new dashboard we can add a “WITH” variable definition and click on the “+” button in modifier, choosing the “Map” options.

So we can perform this action for the two new variables exit_value and exit_label that can be used, for example, in the smart_monitoring_action linked to this rule:

Second use case

Tornado receives events from some devices with several fields, but only the IP address (in event.payload.address) can be used to identify the event source. These devices are kept in Icinga with a human friendly ID (i.e. FQDN ) rather than the IP address. When the user tries to add/remove a comment or change the status of the Host, it can’t link the event with the Icinga object because of the different keys.

A user can certainly write N rules (with an ad-hoc filter) that map in a hard-coded way the Hostname whenever the event has a particular IP, or instead they can use a mapping and write 1 single rule. In order to perform this, they can define a variable in the “WITH” section and then create a “look-up” table in the Mapping section.

Conclusion

This early feature available in the new Tornado GUI allows us to reduce the complexity of rules and to keep them maintainable and performance-friendly. Working this way can solve a lot of the problems surrounding scaling up and maintaining Tornado rules.

These Solutions are Engineered by Humans

Did you find this article interesting? Does it match your skill set? Programming is at the heart of how we develop customized solutions. In fact, we’re currently hiring for roles just like this and others here at Würth Phoenix.

Attilio Broglio

Attilio Broglio

Author

Attilio Broglio

Latest posts by Attilio Broglio

20. 03. 2024 Unified Monitoring
How to Monitor the TOP N RAM-Using Processes
20. 03. 2024 Unified Monitoring
How to Monitor the TOP N CPU-Using Processes
14. 03. 2024 NetEye, Unified Monitoring
How to Control Remote Devices from NagVis Maps via Tornado
28. 06. 2023 Icinga Web 2, NetEye
Add Host Custom Variables to the Service Overview
16. 05. 2023 NetEye, Unified Monitoring
Grafana and Icinga Agent Version
See All

Related Content

Tags:

14. 03. 2024 NetEye, Unified Monitoring

How to Control Remote Devices from NagVis Maps via Tornado

This article stems from a project on the remote control of devices using NagVis maps. The main purpose is to find an easy way to actuate a remote device through a click on an interface. To do this, we implemented Read More
23. 02. 2024 Log-SIEM, NetEye, Unified Monitoring

Monitoring Logs in Elasticsearch: A Practical Example

Say you want to monitor logs coming into your Elasticsearch instance, and have it send data to your Monitoring Dashboard. I'll show you how to do this with a practical example, in particular for an event coming from the Active Read More
13. 02. 2024 NetEye, Unified Monitoring

SNMP Trap Archiving in Elastic via Tornado

First of all, I'll briefly explain what the "Tornado" in NetEye actually is. Tornado is a Complex Event Processor that receives reports of events from data sources such as monitoring, email, and SNMP Traps, matches them against rules you've configured, Read More
20. 12. 2022 NetEye

How to Parse HTML Email Messages with Tornado

Tornado is a CEP "Complex Event Processor" that receives reports of events from data sources such as monitoring and email, matches them against preconfigured rules, and executes the actions associated with those rules. Some vendors provide static notification systems that Read More
28. 10. 2022 Contribution, NetEye

Receiving and Handling Incoming SMS’s on NetEye in Tornado (Part 1/2)

Most physical NetEye servers have an SMS Gateway attached in order to send CRITICAL notifications via an SMS message, since this will work even when the main network is down. However, sometimes you just want to send messages to your Read More

Leave a Reply

Your email address will not be published. Required fields are marked *

Search by technology

Contact

Contact us
Serviceportal

Archive