Skip to content

Latest commit

 

History

History
301 lines (231 loc) · 15.2 KB

README.md

File metadata and controls

301 lines (231 loc) · 15.2 KB

LogicMonitor Integration Pack

Pack which allows integration with your company's LogicMonitor Portal.

General Overview and Setup

LogicMonitor now supports StackStorm as an official Integration!

You can now create a StackStorm Integration inside your LogicMonitor Portal which can be used to send your LogicMonitor Alerts to your StackStorm environment which provides a way for you to automate your response to any type of alert you receive.

Configuration & Setup

This LogicMonitor Pack must be used in conjunction with a StackStorm Integration inside your LogicMonitor Portal:

  • Install the LogicMonitor Pack into your StackStorm environment.
    • Setup the pack's configuration file.
      • Requires your company name as it exists in your LogicMonitor URL.
      • Requires a valid LogicMonitor API Access ID and Access Key pair.
  • Create a StackStorm Integration in your LogicMonitor Portal.
    • Settings -> Integrations -> Add -> StackStorm
    • Requires a StackStorm API Key and the URL to your StackStorm environment.

Networking

The LogicMonitor Pack creates a webhook-sensor (a Flask server) that is launched on port 5000 (or a port of your choosing) on the machine where StackStorm is installed. You must allow internet traffic to reach port 5000 (or your custom port) on the machine on which StackStorm has been installed. This step is documented in more detail below.

Pack Description

The LogicMonitor Pack includes a set of Rules that can fire an action when an alert of a certain type is sent to StackStorm.

The LogicMonitor Pack includes a set of Actions that make REST Requests to your LogicMonitor Portal.

Everything in this section is described in more detail below.

Configuration File

Copy the example configuration in logicmonitor.yaml.example to /opt/stackstorm/configs/logicmonitor.yaml and edit as required.

It must contain:

  • company - The name of your company as seen in your LogicMonitor portal's url.
  • access_id - The Access ID of your LogicMonitor API Token
  • access_key - (SECRET) - The Access Key of your LogicMonitor API Token

    WARNING: access_key is a secret value so don't save it in /opt/stackstorm/configs/logicmonitor.yaml directly as clear text. Instead, use StackStorm's dynamic configuration values to securely store it inside StackStorm by using the following command:

    st2 key set --scope=user --encrypt -- lm_access_key "YOUR_ACCESS_KEY"

    Once that command succeeds populate the access_key field with "{{st2kv.user.lm_access_key}}".

  • auth_enabled - True or false, defaults to true.

SECURITY WARNING : You are supplying a LogicMonitor API Token to your LogicMonitor Pack! Please apply the Principle of Least Privilege as described in this security snippet.

NOTE : When modifying the configuration in /opt/stackstorm/configs/ please remember to tell StackStorm to load these new values by running st2ctl reload --register-configs

Sensor & Port 5000 & Networking

Custom Port

The LogicMonitor Pack launches a webhook-sensor (a Flask server) on port 5000 by default. You can choose a custom port on which to launch the webhook-sensor by modifying the /opt/stackstorm/packs/logicmonitor/sensors/logicmonitor_sensor.py file. Once the port has been changed, run the st2 pack register logicmonitor terminal command to reload the pack and relaunch the sensor-webhook on your custom port. If that command fails, use st2ctl reload.

Networking: Allowing LogicMonitor Traffic to Reach Your StackStorm Machine

Be sure to modify your network settings to allow internet traffic to reach port 5000 (or your custom port) on the machine on which StackStorm has been installed. That means that you or your Network Administrator will likely have to:

  • Configure your FIREWALL to accept incoming traffic from LogicMonitor. Refer to this document for support.
  • Configure your ROUTER to use NAT (Network Address Translation) so that it knows how to forward packets from the the Internet to your StackStorm Machine. You will likely use PAT (Port Address Translation) to accomplish this step.
  • On your STACKSTORM MACHINE, open port 5000 (or custom port) to accept TCP inputs. On Linux Machines, this can be accomplished by running the iptables -I INPUT -p tcp --dport 5000 -j ACCEPT terminal command.

LogicMonitor REST API Token Privilege & Security Warning

As mentioned, the LogicMonitor Pack comes with a number of Actions (listed further below) that make REST requests to your LogicMonitor Portal using the LogicMonitor Python SDK . Therefore, it requires a valid LogicMonitor API Token .

You can create a LogicMonitor API Token (which is an Access ID and Access Key) in your LogicMonitor portal by going to Settings -> Users & Roles -> API Tokens -> LMv1 -> Add.

Configuration File

As discussed further above, you must enter a valid LogicMonitor API Access ID and Access Key Pair into your /opt/stackstorm/configs/logicmonitor.yaml configuration file.

  • The Access ID is entered into the configuration file's access_idfield.
  • The Access Key is a SECRET that is should be entered into the configuration file's access_key field using StackStorm's dynamic configuration values . The access key should never be exposed or visible in any files or logs.

SECURITY WARNING : LogicMonitor API Token Privileges

LogicMonitor API Tokens have a set of Privileges in your LogicMonitor Portal. For example, if you supply an API Token that is associated with the administrator Role in your LogicMonitor Portal to your LogicMonitor Pack, then your LogicMonitor Pack can do everything in your Portal: reading, creating, updating, and deleting resources in addition to security-sensitive actions. If a nefarious user gains access to your LogicMonitor Pack, and your pack is using an administrator API Token, the nefarious user would have the ability to destroy your entire Portal! This undesired scenario (that resulted from the over-prescription of Privilege) would be disastrous to experience and is why it is STRONGLY RECCOMENDED that you apply the Principle of Least Privilege when supplying your LogicMonitor Pack with a LogicMonitor API Token: You should provide the LogicMonitor Pack with an API Token that has the MINIMUM REQUIRED PRIVILEGE for the LogicMonitor Pack to do it's job. To accomplish this, you can create a custom Role , User and API Token intended to be used by your LogicMonitor Pack by going to Settings->Users & Roles in your LogicMonitor Portal.

Sensor & StackStorm API Key & Payload

The LogicMonitor Pack launches a sensor on port 5000 that authenticates every request with StackStorm using a StackStorm API Key.

The StackStorm API Key must be generated in StackStorm and then copy/pasted into your LogicMonitor StackStorm Integration's "StackStorm Api Key" field.

To create a new StackStorm Integration in your LogicMonitor Portal go to Settings -> Integrations -> Add -> StackStorm.

WARNING: The StackStorm API Key is stored in the "apiKey" object in the payload of the POST Request sent out by your LogicMonitor StackStorm Integration. Therefore, the "apiKey" object must exist in every POST payload you send to StackStorm. Authentication with StackStorm will fail by default if you remove the "apiKey" object from the payload.

You can view and modify the POST Request's payload sent by your LogicMonitor StackStorm Integration at the bottom of the StackStorm Integration dialog.

Create a StackStorm Integration inside your LogicMonitor Portal

As mentioned, you need to create a StackStorm Integration inside your LogicMonitor Portal for this pack to work.

To create a new StackStorm Integration in your LogicMonitor Portal go to Settings -> Integrations -> Add -> StackStorm. Once the StackStorm Integration has been created, it requires:

  • A URL to port 5000 (or custom port) of the machine where you installed StackStorm.
  • A valid StackStorm API Key for authentication.

Once the StackStorm Integration has been saved, setup an Escalation Chain and an Alert Rule so that alerts can be sent to your StackStorm environment.

Sensor -> Trigger -> Rule -> Action

Once an alert payload has been successfully authenticated with StackStorm, the sensor will inject the logicmonitor.alert_trigger trigger with the alert payload into StackStorm. The purpose of injecting the trigger with the concomitant payload is to fire a custom Action if the conditions in a Rule are satisfied. In that regard, the LogicMonitor Pack has provided a number of Rules (disabled by default) that fire an Action based on the type of alert being sent:

RULES

  • alert_throttling_alert_rule.yaml - Maps Alert Throttling Alerts (LMT) to an action
  • collector_failover_alert_rule.yaml - Maps Collector Failover Alerts (LMF) to an action
  • collector_failover_unreachable_alert_rule.yaml - Maps Collector Failover Unreachable Alerts ( LMF) to an action
  • collector_unreachable_alert_rule.yaml - Maps Collector Unreachable Alerts (LMA) to an action
  • configsource_alert_rule.yaml - Maps ConfigSource Alerts (LMD) to an action
  • datasource_alert_rule.yaml - Maps DataSource Alerts (LMD) to an action
  • devicegroup_alert_rule.yaml - Maps DeviceGroups Alerts (LMHC) to an action
  • eventsource_alert_rule.yaml - Maps EventSource Alerts (LME) to an action
  • jobmonitor_alert_rule.yaml - Maps JobMonitor Alerts (LMB) to an action
  • lmlogs_alert_rule.yaml - Maps LM Log Alerts (LML) to an action
  • service_alert_rule.yaml - Maps Service Alerts (LMS) to an action

NOTE: All of these Rules are disabled by default. Enable them inside the Rule's .yaml file if you wish to use them.

NOTE: All of these Rules fire the get_alert_list dummy action by default. Be sure to modify the Action that gets fired when a Rule's criteria is satisfied by changing the Action reference inside that Rule's .yaml file.

Available Actions

The LogicMonitor Pack also comes with a large (but not exhaustive) number of Actions that make their corresponding REST Requests to your LogicMonitor Portal. On a high level, the list of actions the currently exist in the pack are:

  • Acknowledge Alert By ID
  • Get Alert By ID
  • Get Alert List
  • ( Add, Delete, Get, Patch ) x Admin
  • ( Add, Delete, Get, Patch ) x Alert Rule
  • ( Add, Delete, Get, Patch ) x Collector
  • ( Add, Delete, Get, Patch ) x Device
  • ( Add, Delete, Get, Patch ) x Device Group
  • ( Add, Delete, Get, Patch ) x Escalation Chain
  • ( Add, Delete, Get, Patch ) x Ops Note
  • ( Add, Delete, Get, Patch ) x SDT

More specifically, the LogicMonitor Pack has provided these Actions:

GENERAL
  • ack_alert_by_id
  • ack_collector_down_alert_by_id
ADD
  • add_admin
  • add_alert_rule
  • add_collector
  • add_device
  • add_device_group
  • add_escalation_chain
  • add_ops_note
  • add_sdt
DELETE
  • delete_admin_by_id
  • delete_alert_rule_by_id
  • delete_collector_by_id
  • delete_device_by_id
  • delete_device_group_by_id
  • delete_escalation_chain_by_id
  • delete_ops_note_by_id
  • delete_sdt_by_id
GET
  • get_admin_by_id
  • get_admin_list
  • get_alert_by_id
  • get_alert_list
  • get_alert_rule_by_id
  • get_alert_rule_list
  • get_collector_by_id
  • get_collector_list
  • get_device_by_id
  • get_device_group_by_id
  • get_device_group_list
  • get_device_list
  • get_escalation_chain_by_id
  • get_escalation_chain_list
  • get_ops_note_by_id
  • get_ops_note_list
  • get_sdt_by_id
  • get_sdt_list
PATCH
  • patch_admin_by_id
  • patch_alert_rule_by_id
  • patch_collector_by_id
  • patch_device
  • patch_device_group_by_id
  • patch_escalation_chain_by_id
  • patch_ops_note_by_id
  • patch_sdt_by_id

NOTE: All of these Actions correspond to REST functions that exist in the LogicMonitor Python SDK of the same name. For example, the patch_escalation_chain_by_id Action will fire the patchEscalationChainById function in the LM Python SDK.

NOTE: All of these Actions call the same /opt/stackstorm/packs/logicmonitor/actions/run.py method but with different parameters.

NOTE: We did not include every action that exists in the LogicMonitor Python SDK.

If you need to use an action/function from the LM Python SDK but it hasn't been included in the pack, copy/paste an existing action and modify it to call the corresponding function from the LM Python SDK. Be sure to refer to the documentation to see the list of parameters needed for the specific function you intend on using.

The Serialized LogicMonitor API Response

LogicMonitor returns an API Response when you use the LogicMonitor Python SDK to interact with your Portal. The API Response returned from LogicMonitor has been serialized so that it can be accessed by subsequent actions in an Orquesta Workflow. An example Orquesta workflow that restarts a downed collector has been provided to illustrate this functionality:

Example Workflow: Orquesta (Restart Collector Down)

  • logicmonitor/rules/example_orquesta_restart_collector_down_rule.yaml
  • logicmonitor/actions/example_orquesta_restart_collector_down.yaml
  • logicmonitor/actions/workflows/example_orquesta_restart_collector_down_workflow.yaml

Thank you for downloading the LogicMonitor Pack!