
Event Lane

Integrations are declared in event lanes. Each event lane can provide one or more integrations. Events are forwarded from the Kafka events topic named in the event lane declaration.

/EventLanes/mytenant/my-event-lane.yaml
---
define:
  type: lmio/event-lane
  name: Fortinet FortiGate (10040)

...

integrations:

  # Forward events using TCP syslog protocol
  bsd_syslog:
    output_type: tcp
    address: 1.2.3.4 514
    # filters:  # see below
    # rate_limiter:  # see below

  # Forward events in CEF format
  cef:
    output_type: tcp
    address: 1.2.3.4 1234
    # filters:  # see below
    # rate_limiter:  # see below

Supported integrations:

  • bsd_syslog: Forwards the original event or JSON using BSD Syslog
  • cef: Forwards the event in CEF format, suitable e.g. for Micro Focus ArcSight
  • raw: Forwards the original event without any header or formatting

output_type:

  • tcp: Sends messages through TCP protocol. Requires address (host port).
  • kafka: Sends messages to the dedicated Kafka topic from which it can be consumed by another service.
  • unix-stream: Sends messages through UNIX stream socket.

address: Address in the form: "destination port", e.g. 1.2.3.4 1234

Rate limiter

When the tcp output type is used, the rate_limiter option can be set on the given integration to limit the number of EPS (events per second) it emits:

  bsd_syslog:
    output_type: tcp
    address: 127.0.0.1 7999
    rate_limiter: 20000  # EPS

The rate limiter thus sets a maximum of 20 000 EPS for the given integration, so that the receiving technology that consumes the data can avoid performance issues.

Raw forwarding

Configuration:

raw:
  output_type: tcp
  address: 1.2.3.4 2345

  • delimiter: Optional argument that specifies the delimiter appended to each forwarded event; either a single character or one of CR, LF or CRLF.

This integration uses the raw field from the schema.

Tip

Use this integration if you want to simply forward incoming messages in their original form to other applications.

BSD Syslog

Integration that produces events in BSD Syslog Format (RFC 3164).

Configuration:

bsd_syslog:
  output_type: tcp
  address: 1.2.3.4 514

  • delimiter: Optional argument that specifies the delimiter appended to each forwarded event; either a single character or one of CR, LF or CRLF.

This integration uses the raw and principal_datetime fields from the schema.

Example output

<14> Oct 01 12:43:25 instance-1 lmio-integ[1]: <30>Oct 01 12:43:13 bradavice-hagrid ntopng[1007416]: ....

Note the BSD syslog header added by TeskaLabs LogMan.io.

Field forwarding

The field forwarding integration produces events that carry a single field, typically event.original, wrapped in a simple JSON object.

field:
  output_type: tcp
  address: 1.2.3.4 1234
  field_name: event.original

Example output

{
    "event.original": "<30>Oct 01 12:43:13 bradavice-hagrid ntopng[1007416]: ...."
}

CEF

The CEF integration (e.g. for Micro Focus ArcSight) sends parsed events from the events topic in the ArcSight Common Event Format (CEF).

Configuration:

cef:
  output_type: tcp
  address: 1.2.3.4 1234

Assuming that Micro Focus ArcSight listens on TCP 1.2.3.4:1234.

This integration uses the deviceEventClassId_field, name_field and severity_field entries of the schema to pick the event fields placed in the CEF header:

---
define:
  type: lmio/schema

  deviceEventClassId_field: deviceEventClassId
  name_field: name
  severity_field: severity

...

Example output

CEF:0|TeskaLabs|LogMan.io|1.0|<deviceEventClassId_field>|<name_field>|<severity_field>| {
"@timestamp": "2024-09-30T02:30:13.343068Z",
"ecs.version": "1.10.0",
"event.action": "high-download-rate",
"event.dataset": "complex",
"event.kind": "alert",
"related.events": [],
"rule.description": "This baseliner observes logs that indicate file download activity and checks if a user exceeds the expected rate of downloads.  It tracks download activity across a defined period (day) and region (Czech Republic), analyzing patterns based on workdays,  weekends, and holidays. When the user's download rate exceeds normal behavior by a significant margin (3 standard deviations above the mean), it triggers an alert for further investigation.\n",
"rule.id": "",
"rule.name": "High Download Rate",
"rule.ruleset": "lmio-library",
"tenant": "plus",
"threat.indicator.sightings": 22,
"user.id": "dolores_umbridge@hogwarts.uk",
"_id": "9c15c30d30b3b813df94393288310d17ff06364f6e9cb5bb8d374ec1ca6dd6a0"
}
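As an added illustration of the BSD Syslog and CEF output shapes shown above (this is example code, not LogMan.io's own implementation), the functions below wrap a constructed event in the syslog header from the BSD Syslog example and build the CEF header from the three schema-mapped fields. The hostname, app name, PID, PRI and the escaping helper are assumptions; the CEF specification requires backslash and pipe in header fields to be escaped, otherwise a pipe inside an event field shifts the receiver's header columns.

```python
import json
import re
from datetime import datetime

# Constructed sample event (not real data) carrying the schema fields the page names.
SAMPLE_EVENT = {
    "raw": "<30>Oct 01 12:43:13 bradavice-hagrid ntopng[1007416]: flow alert",
    "principal_datetime": "2024-10-01T12:43:25+00:00",
    "deviceEventClassId": "high-download-rate",
    "name": "High Download | Rate",  # a '|' in a header field must be escaped
    "severity": 7,
}

# Hypothetical schema mapping, mirroring the *_field keys shown on the page.
SCHEMA = {"deviceEventClassId_field": "deviceEventClassId",
          "name_field": "name", "severity_field": "severity"}


def bsd_syslog_line(event, hostname="instance-1", app="lmio-integ", pid=1, pri=14):
    # Wrap the raw event in a BSD syslog header laid out like the example output above.
    stamp = datetime.fromisoformat(event["principal_datetime"]).strftime("%b %d %H:%M:%S")
    return f"<{pri}> {stamp} {hostname} {app}[{pid}]: {event['raw']}"


def cef_escape_header(value):
    # CEF header fields escape backslash as \\ and pipe as \| so columns stay aligned.
    return str(value).replace("\\", "\\\\").replace("|", "\\|")


def cef_line(event, schema, vendor="TeskaLabs", product="LogMan.io", version="1.0"):
    # Header: CEF:0|Vendor|Product|Version|SignatureID|Name|Severity| then a JSON body.
    header = [vendor, product, version,
              event.get(schema["deviceEventClassId_field"], ""),
              event.get(schema["name_field"], ""),
              event.get(schema["severity_field"], "")]
    return "CEF:0|" + "|".join(cef_escape_header(v) for v in header) + "| " + json.dumps(event, sort_keys=True)


def cef_header_fields(line):
    # Split the seven header fields honouring escapes; use it to validate emitted lines.
    raw = re.findall(r"((?:\\.|[^|\\])*)\|", line)[:7]
    return [re.sub(r"\\(.)", r"\1", f) for f in raw]


if __name__ == "__main__":
    print(bsd_syslog_line(SAMPLE_EVENT))
    print(cef_line(SAMPLE_EVENT, SCHEMA))
```

Running cef_header_fields over the lines your lane actually emits is a cheap check that a receiver such as ArcSight will see exactly seven header columns regardless of what the event's name field contains.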

Filters

To filter incoming events, see the Filters section.