Monitoring event sources

This section provides information about monitoring event sources.

Source status

In KUMA, you can monitor the state of the sources of data received by collectors. There can be multiple sources of events on one server, and data from multiple sources can be received by one collector. KUMA creates event sources based on the following fields of events (the data in these fields is case sensitive):

• DeviceProduct is a required field.
• One of the DeviceHostname or DeviceAddress fields must be present.
• DeviceProcessName is an optional field.
• Tenant is a required field, which is determined automatically from the tenant of the event that was used to identify the source.

Limitations

1. KUMA registers an event source, provided that the DeviceAddress and DeviceProduct fields are contained in a raw event.

   If the raw event does not contain the DeviceAddress and DeviceProduct fields, you can configure enrichment in the normalizer: select the Event data type on the Enrichment tab of the normalizer, specify the values for the Source field parameter, select DeviceAddress and DeviceProduct for the Target field parameter, and click OK. KUMA will perform enrichment and register the event source.

2. If KUMA receives events with identical values of the DeviceProduct + DeviceHostname + DeviceAddress required fields, KUMA registers different sources if the following conditions are satisfied:
   • The values of the required fields are identical, but different tenants are determined for the events.
   • The values of the required fields are identical, but one of the events has an optional DeviceProcessName field specified.
   • The values of the required fields are identical, but the data in these fields have different character case.

   If you want KUMA to log such events under the same source, you can further configure the fields in the normalizer.

Lists of sources are generated in collectors, merged in the KUMA Core, and displayed in the program web interface under Source status on the List of event sources tab. Data is updated every minute.

The rate and number of incoming events serve as an important indicator of the state of the observed system. You can configure monitoring policies such that changes are tracked automatically and notifications are automatically created when indicators reach specific boundary values. Monitoring policies are displayed in the KUMA web interface under Source status on the Monitoring policies tab.

When monitoring policies are triggered, monitoring events are created and include data about the source of events.

List of event sources

Sources of events are displayed in the table under Source status → List of event sources. One page can display up to 250 sources. You can sort the table by clicking the column header of the relevant setting. Clicking on a source of events opens an incoming data graph.

You can use the Search field to search for event sources. The search is performed using regular expressions (RE2).

If necessary, you can configure the interval for updating data in the table. Available update periods: 1 minute, 5 minutes, 15 minutes, 1 hour. The default value is No refresh. You may need to configure the update period to track changes made to the list of sources.

The following columns are available:

• Status—status of the event source:
  • Green—events are being received within the limits of the assigned monitoring policy.
  • Red—the frequency or number of incoming events go beyond the boundaries defined in the monitoring policy.
  • Gray—a monitoring policy has not been assigned to the source of events.

  The table can be filtered by this setting.

• Name—name of the event source. The name is generated automatically from the following fields of events:
  • DeviceProduct
  • DeviceAddress and/or DeviceHostName
  • DeviceProcessName
  • Tenant

  You can change the name of an event source. The name can contain no more than 128 Unicode characters.

• Host name or IP address—host name or IP address from which the events were forwarded.
• Monitoring policy—name of the monitoring policy assigned to the event source.
• Stream—frequency at which events are received from the event source.
• Lower limit—lower boundary of the permissible number of incoming events as indicated in the monitoring policy.
• Upper limit—upper boundary of the permissible number of incoming events as indicated in the monitoring policy.
• Tenant—the tenant that owns the events received from the event source.

If you select sources of events, the following buttons become available:

• Save to CSV—you can use this button to export data of the selected event sources to a file named event-source-list.csv in UTF-8 encoding.
• Apply policy and Disable policy—you can use these buttons to enable or disable a monitoring policy for a source of events. When enabling a policy, you must select the policy from the drop-down list. When disabling a policy, you must select how long you want to disable the policy: temporarily or forever.

  If there is no policy for the selected event source, the Apply policy button is inactive. This button will also be inactive if sources from different tenants are selected, but the user has no available policies in the shared tenant.

  In some rare cases, the status of a disabled policy may change from gray to green a few seconds after it is disabled due to overlapping internal processes of KUMA. If this happens, you need to disable the monitoring policy again.

• Remove event source from the list—you can use this button to remove an event source from the table. The statistics on this source will also be removed. If a collector continues to receive data from the source, the event source will re-appear in the table but its old statistics will not be taken into account.

By default, no more than 250 event sources are displayed and, therefore, available for selection. If there are more event sources, to select them you must load additional event sources by clicking the Show next 250 button in the lower part of the window.

Monitoring policies

The rate and number of incoming events serve as an important indicator of the state of the system. For example, you can detect when there are too many events, too few, or none at all. Monitoring policies are designed to detect such situations. In a policy, you can specify a lower threshold, an optional upper threshold, and the way the events are counted: by frequency or by total number.

The policy must be applied to the event source. After applying the policy, you can monitor the status of the source: green means everything is OK, red means the stream is outside the configured threshold. If the status is red, an event of the Monitoring type generated. You can also configure notifications to be sent to an arbitrary email address. Policies for monitoring the sources of events are displayed in the table under Source status → Monitoring policies. You can sort the table by clicking the column header of the relevant setting. Clicking a policy opens the data area with policy settings. The settings can be edited.

To add a monitoring policy:

1. In the KUMA web interface, under Source status → Monitoring policies, click Add policy and define the settings in the opened window:
   1. In the Policy name field, enter a unique name for the policy you are creating. The name must contain 1 to 128 Unicode characters.
   2. In the Tenant drop-down list, select the tenant that will own the policy. Your tenant selection determines the specific sources of events that can covered by the monitoring policy.
   3. In the Policy type drop-down list, select one of the following options:
      • byCount—by the number of events over a certain period of time.
      • byEPS—by the number of events per second over a certain period of time. The average value over the entire period is calculated. You can additionally track spikes during specific periods.
   4. In the Lower limit and Upper limit fields, define the boundaries representing normal behavior. Deviations outside of these boundaries will trigger the monitoring policy, create an alert, and forward notifications.
   5. In the Count interval field, specify the period during which the monitoring policy must take into account the data from the monitoring source. The maximum value is 14 days.
   6. If necessary, specify the email addresses to which notifications about the activation of the KUMA monitoring policy should be sent. To add each address, click the Email button.

      To forward notifications, you must configure a connection to the SMTP server.

2. Click Add.

The monitoring policy will be added.

To remove a monitoring policy,

select one or more policies, then click Delete policy and confirm the action.

You cannot remove preinstalled monitoring policies or policies that have been assigned to data sources.