Kaspersky Unified Monitoring and Analysis Platform

Source status

In KUMA, you can monitor the state of the sources of data received by collectors. There can be multiple sources of events on one server, and data from multiple sources can be received by one collector. Sources of events are identified based on the following fields of events (the data in these fields is case sensitive):

  • DeviceProduct
  • DeviceAddress and/or DeviceHostName

Lists of sources are generated in collectors, merged in the KUMA Core, and displayed in the program web interface under Source status on the List of event sources tab. Data is updated every minute.

The rate and number of incoming events serve as an important indicator of the state of the observed system. You can configure monitoring policies such that changes are tracked automatically and notifications are automatically created when indicators reach specific boundary values. Monitoring policies are displayed in the KUMA web interface under Source status on the Monitoring policies tab.

When monitoring policies are triggered, monitoring events are created and include data about the source of events.

In this section

List of event sources

Monitoring policies


List of event sources

Sources of events are displayed in the table under Source status → List of event sources. One page can display up to 250 sources. You can sort the table by clicking the column header of the relevant setting. Clicking on a source of events opens an incoming data graph.

You can use the Search field to search for event sources. The search is performed using regular expressions (RE2).

If necessary, you can configure the interval for updating data in the table. Available update periods: 1 minute, 5 minutes, 15 minutes, 1 hour. The default value is No refresh. You may need to configure the update period to track changes made to the list of sources.

The following columns are available:

  • Status—status of the event source:
    • Green—events are being received within the limits of the assigned monitoring policy.
    • Red—the frequency or number of incoming events goes beyond the boundaries defined in the monitoring policy.
    • Gray—a monitoring policy has not been assigned to the source of events.

    The table can be filtered by this setting.

  • Name—name of the event source. The name is generated automatically from the following fields of events:
    • DeviceProduct
    • DeviceAddress and/or DeviceHostName
    • DeviceProcessName
    • Tenant

    You can change the name of an event source. The name can contain no more than 128 Unicode characters.

  • Host name or IP address—host name or IP address from which the events were forwarded.
  • Monitoring policy—name of the monitoring policy assigned to the event source.
  • Stream—frequency at which events are received from the event source.
  • Lower limit—lower boundary of the permissible number of incoming events as indicated in the monitoring policy.
  • Upper limit—upper boundary of the permissible number of incoming events as indicated in the monitoring policy.
  • Tenant—the tenant that owns the events received from the event source.

If you select sources of events, the following buttons become available:

  • Save to CSV—you can use this button to export data of the selected event sources to a file named event-source-list.csv in UTF-8 encoding.
  • Apply policy and Disable policy—you can use these buttons to enable or disable a monitoring policy for a source of events. When enabling a policy, you must select the policy from the drop-down list. When disabling a policy, you must select how long you want to disable the policy: temporarily or forever.

    If there is no policy for the selected event source, the Apply policy button is inactive. This button will also be inactive if sources from different tenants are selected, but the user has no available policies in the shared tenant.

    In some rare cases, the status of a disabled policy may change from gray to green a few seconds after it is disabled due to overlapping internal processes of KUMA. If this happens, you need to disable the monitoring policy again.

  • Remove event source from the list—you can use this button to remove an event source from the table. The statistics on this source will also be removed. If a collector continues to receive data from the source, the event source will re-appear in the table but its old statistics will not be taken into account.

By default, no more than 250 event sources are displayed and, therefore, available for selection. If there are more event sources, to select them you must load additional event sources by clicking the Show next 250 button in the lower part of the window.


Monitoring policies

Policies for monitoring the sources of events are displayed in the table under Source status → Monitoring policies. You can sort the table by clicking the column header of the relevant setting. Clicking on a policy opens an information pane containing its settings that can be edited.

The following columns are available:

  • Name—name of the monitoring policy.
  • Lower limit—lower boundary of the permissible number of incoming events as indicated in the monitoring policy.
  • Upper limit—upper boundary of the permissible number of incoming events as indicated in the monitoring policy.
  • Interval—period taken into account by the monitoring policy.
  • Type—type of monitoring policy:
    • byCount—the monitoring policy tracks the number of incoming events.
    • byEPS—the monitoring policy tracks the rate of incoming events.
  • Tenant—the tenant that owns the monitoring policy.

To add a monitoring policy:

  1. In the KUMA web interface, under Source status → Monitoring policies, click Add policy and define the settings in the opened window:
    • In the Policy name field, enter a unique name for the policy you are creating. The name must contain from 1 to 128 Unicode characters.
    • In the Tenant drop-down list, select the tenant that will own the policy. Your tenant selection determines the specific sources of events that can be covered by the monitoring policy.
    • In the Policy type drop-down list, select the method used to track incoming events: by rate or by number.
    • In the Lower limit and Upper limit fields, define the boundaries representing normal behavior. Deviations outside of these boundaries will trigger the monitoring policy, create an alert, and forward notifications.
    • In the Count interval field, specify the period during which the monitoring policy must take into account the data from the monitoring source. The maximum value is 14 days.
    • If necessary, specify the email addresses to which notifications about the activation of the KUMA monitoring policy should be sent. To add each address, click the Email button.

      To forward notifications, you must configure a connection to the SMTP server.

  2. Click Add.

The monitoring policy will be added.
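The following Python script is an added example, not KUMA code, that models how the pieces described on this page fit together: events are grouped into sources by DeviceProduct plus DeviceAddress/DeviceHostName (case sensitive), a policy of type byCount or byEPS is evaluated over its count interval against the lower and upper limits, and each source ends up green, red or gray exactly as the status column defines. The sample events, the policy values, the window alignment (events strictly after `now - interval` up to `now`) and the space separator used in the auto-generated source name are all assumptions; the page does not specify them.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

SourceKey = Tuple[str, str, str]

# The page caps the count interval at 14 days.
MAX_INTERVAL_SECONDS = 14 * 24 * 3600
POLICY_TYPES = ("byCount", "byEPS")  # types listed on the page


@dataclass(frozen=True)
class MonitoringPolicy:
    name: str
    policy_type: str       # "byCount" or "byEPS"
    lower_limit: float
    upper_limit: float
    interval_seconds: int  # the policy's count interval


def make_policy(name: str, policy_type: str, lower: float, upper: float,
                interval_seconds: int) -> MonitoringPolicy:
    """Build a policy, rejecting values the page rules out (unknown type,
    interval above 14 days) plus an inverted limit range (assumed check)."""
    if policy_type not in POLICY_TYPES:
        raise ValueError(f"unknown policy type {policy_type!r}")
    if not 1 <= interval_seconds <= MAX_INTERVAL_SECONDS:
        raise ValueError("count interval must be between 1 s and 14 days")
    if lower > upper:
        raise ValueError("lower limit must not exceed upper limit")
    if not 1 <= len(name) <= 128:
        raise ValueError("policy name must be 1 to 128 characters")
    return MonitoringPolicy(name, policy_type, lower, upper, interval_seconds)


def source_key(event: dict) -> SourceKey:
    """Identify the source the way the page describes: DeviceProduct plus
    DeviceAddress and/or DeviceHostName. No lower()/casefold() is applied,
    because the page says these fields are compared case sensitively."""
    return (event.get("DeviceProduct", ""),
            event.get("DeviceAddress", ""),
            event.get("DeviceHostName", ""))


def source_name(event: dict) -> str:
    """Auto-generated display name from the fields the page lists, capped at
    the page's 128-character limit. A single space as separator is assumed."""
    fields = ("DeviceProduct", "DeviceAddress", "DeviceHostName",
              "DeviceProcessName", "Tenant")
    return " ".join(str(event[f]) for f in fields if event.get(f))[:128]


def evaluate_sources(events: List[dict],
                     policies: Dict[SourceKey, MonitoringPolicy],
                     now: float) -> Dict[SourceKey, dict]:
    """Return, per source, the status colour the page defines plus the
    measured value: gray = no policy assigned, green = within limits,
    red = outside limits. Stream is events per second over the interval."""
    by_source: Dict[SourceKey, List[dict]] = defaultdict(list)
    for ev in events:
        by_source[source_key(ev)].append(ev)

    result: Dict[SourceKey, dict] = {}
    for key, evs in by_source.items():
        policy = policies.get(key)
        if policy is None:
            result[key] = {"status": "gray", "policy": None,
                           "measured": None, "stream_eps": None}
            continue
        window_start = now - policy.interval_seconds
        in_window = [ev for ev in evs if window_start < ev["timestamp"] <= now]
        count = len(in_window)
        stream_eps = count / policy.interval_seconds
        measured = count if policy.policy_type == "byCount" else stream_eps
        status = ("green" if policy.lower_limit <= measured <= policy.upper_limit
                  else "red")
        result[key] = {"status": status, "policy": policy.name,
                       "measured": measured, "stream_eps": stream_eps}
    return result


# Constructed sample data: timestamps are seconds relative to NOW.
NOW = 1000.0
SAMPLE_EVENTS = (
    # Firewall: 6 events inside a 60 s window.
    [{"DeviceProduct": "Firewall", "DeviceAddress": "10.0.0.1", "DeviceHostName": "fw1",
      "DeviceProcessName": "fwd", "Tenant": "Main", "timestamp": 950 + i * 9} for i in range(6)]
    # Proxy: one event inside the window, ten older than the window.
    + [{"DeviceProduct": "Proxy", "DeviceAddress": "10.0.0.2", "Tenant": "Main", "timestamp": 990}]
    + [{"DeviceProduct": "Proxy", "DeviceAddress": "10.0.0.2", "Tenant": "Main", "timestamp": 800 + i} for i in range(10)]
    # "proxy" in lower case is a different source (case sensitive) and has no policy.
    + [{"DeviceProduct": "proxy", "DeviceAddress": "10.0.0.2", "Tenant": "Main", "timestamp": 995 + i} for i in range(2)]
)
FIREWALL = ("Firewall", "10.0.0.1", "fw1")
PROXY = ("Proxy", "10.0.0.2", "")
PROXY_LOWER = ("proxy", "10.0.0.2", "")
SAMPLE_POLICIES = {
    FIREWALL: make_policy("fw-count", "byCount", 5, 100, 60),
    PROXY: make_policy("proxy-eps", "byEPS", 0.1, 2.0, 60),
}

if __name__ == "__main__":
    for key, row in evaluate_sources(SAMPLE_EVENTS, SAMPLE_POLICIES, NOW).items():
        print(key, row)
```

Running it shows the three outcomes side by side: the firewall source is green (6 events, within 5..100), the proxy source is red because only one event fell inside the 60 s interval (about 0.017 EPS, below the 0.1 lower limit), and the lower-case "proxy" source is gray because no policy maps to it, which is the practical consequence of the case-sensitive identification the page points out.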

To remove a monitoring policy,

select one or more policies, then click Delete policy and confirm the action.

You cannot remove preinstalled monitoring policies or policies that have been assigned to data sources.
