
Event Lane

Integrations are declared in event lanes. Each event lane can provide one or more integrations. Events are always sent from the Kafka events topic, which must be present in the event lane declaration.

/EventLanes/mytenant/fortinet-fortigate-10040.yaml
---
define:
  type: lmio/event-lane
  name: Fortinet FortiGate (10040)

kafka:
  events:
    topic: events.mytenant.fortinet-fortigate-10040  # (required)
  others:
    topic: others.mytenant

integrations:

  arcsight:
    output_type: tcp
    address: "127.0.0.1 8884"
    # other configuration for arcsight integration

  bsd_syslog:
    output_type: tcp
    address: "127.0.0.1 7999"
    # other configuration for bsd syslog integration

output_type:

  • tcp: Sends messages over TCP. Requires address.
  • kafka: Sends messages to a dedicated Kafka topic, from which another service can consume them.

address: Address in the form "destination port" (destination and port separated by a space), e.g. 127.0.0.1 8888
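The declaration rules above are easy to get wrong in hand-written YAML (the bsd_syslog and field examples further down this page omit the port). The following validator is an added example, not LogMan.io code: it takes the already-parsed integrations mapping (a constructed dictionary standing in for the YAML above) and reports every entry whose output_type is unknown or whose tcp address is not of the form "destination port".

```python
# Added example (not part of the LogMan.io documentation or code base):
# validates the `integrations` section of an event lane against the rules
# stated on this page: output_type is "tcp" or "kafka", and "tcp" requires an
# address of the form "destination port".
import ipaddress
import re

VALID_OUTPUT_TYPES = {"tcp", "kafka"}
# RFC 1123 style hostname labels, used when the destination is not an IP address.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)([a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?\.)*"
    r"[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?$"
)


def parse_address(address):
    """Split "destination port" into (host, port); raise ValueError if malformed."""
    if not isinstance(address, str):
        raise ValueError('address must be a string in the form "destination port"')
    parts = address.split()
    if len(parts) != 2:
        raise ValueError(f"address {address!r} must contain exactly a destination and a port")
    host, port_text = parts
    if not port_text.isdigit() or not 1 <= int(port_text) <= 65535:
        raise ValueError(f"port {port_text!r} is not in 1..65535")
    try:
        ipaddress.ip_address(host)
    except ValueError:
        if not HOSTNAME_RE.match(host):
            raise ValueError(f"destination {host!r} is neither an IP address nor a hostname")
    return host, int(port_text)


def validate_integrations(integrations):
    """Return a list of human-readable problems; an empty list means the section is valid."""
    problems = []
    for name, cfg in integrations.items():
        output_type = cfg.get("output_type")
        if output_type not in VALID_OUTPUT_TYPES:
            problems.append(
                f"{name}: output_type {output_type!r} is not one of {sorted(VALID_OUTPUT_TYPES)}"
            )
            continue
        if output_type == "tcp":
            if "address" not in cfg:
                problems.append(f"{name}: output_type tcp requires address")
                continue
            try:
                parse_address(cfg["address"])
            except ValueError as e:
                problems.append(f"{name}: {e}")
    return problems


# Constructed sample: the integrations on this page after YAML parsing. The
# "field" entry reproduces the missing-port form so the validator has something
# to report.
SAMPLE_INTEGRATIONS = {
    "arcsight": {"output_type": "tcp", "address": "127.0.0.1 8884"},
    "bsd_syslog": {"output_type": "tcp", "address": "127.0.0.1 7999"},
    "field": {"output_type": "tcp", "address": "127.0.0.1", "field_name": "event.original"},
}

if __name__ == "__main__":
    for problem in validate_integrations(SAMPLE_INTEGRATIONS):
        print(problem)
```

Run it before deploying an event lane file; a declaration that passes still needs the destination to actually listen on that port, which this check does not verify.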

Integrations

Micro Focus ArcSight SOAR

The Micro Focus ArcSight SOAR integration sends parsed events from the events topic in ArcSight Common Event Format (CEF).

Configuration:

arcsight:
  output_type: tcp
  address: "127.0.0.1 8884"

Schema:

---
define:
  type: lmio/schema

  deviceEventClassId_field: deviceEventClassId
  name_field: name
  severity_field: severity

Example output

CEF:0|TeskaLabs|LogMan.io|1.0|<deviceEventClassId_field>|<name_field>|<severity_field>| {
"@timestamp": "2024-09-30T02:30:13.343068Z",
"ecs.version": "1.10.0",
"event.action": "high-download-rate",
"event.dataset": "complex",
"event.kind": "alert",
"related.events": [],
"rule.description": "This baseliner observes logs that indicate file download activity and checks if a user exceeds the expected rate of downloads.  It tracks download activity across a defined period (day) and region (Czech Republic), analyzing patterns based on workdays,  weekends, and holidays. When the user's download rate exceeds normal behavior by a significant margin (3 standard deviations above the mean), it triggers an alert for further investigation.\n",
"rule.id": "",
"rule.name": "High Download Rate",
"rule.ruleset": "lmio-library",
"tenant": "plus",
"threat.indicator.sightings": 22,
"user.id": "dolores_umbridge@hogwarts.uk",
"_id": "9c15c30d30b3b813df94393288310d17ff06364f6e9cb5bb8d374ec1ca6dd6a0"
}
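The schema above decides which event fields fill the three variable slots of the CEF header; the header in the example output is followed by the event body as JSON. The code below is an added example, not LogMan.io code: it builds that header from a constructed event using the schema mapping, applies the escaping the CEF specification requires for header fields (a literal "|" or "\" must be written as "\|" and "\\"), and parses the message back so the round trip can be checked. That the header source fields are removed from the JSON body is an assumption made here, not something the page states.

```python
# Added example (not LogMan.io code): build and parse the CEF message layout
# shown on this page, driven by the lmio/schema field mapping.
import json

# Constructed schema mirroring the lmio/schema declaration above.
SCHEMA = {
    "deviceEventClassId_field": "deviceEventClassId",
    "name_field": "name",
    "severity_field": "severity",
}

# Constructed event; the "name" value contains a pipe on purpose to exercise escaping.
SAMPLE_EVENT = {
    "@timestamp": "2024-09-30T02:30:13.343068Z",
    "deviceEventClassId": "high-download-rate",
    "name": "High Download Rate | baseliner",
    "severity": 7,
    "event.kind": "alert",
    "rule.name": "High Download Rate",
    "tenant": "plus",
}


def escape_header(value):
    """CEF header fields may not contain a raw '|' or '\\'; escape both."""
    return str(value).replace("\\", "\\\\").replace("|", "\\|")


def cef_header(event, schema, vendor="TeskaLabs", product="LogMan.io", version="1.0"):
    """Return 'CEF:0|vendor|product|version|classId|name|severity|' from the schema mapping."""
    parts = [vendor, product, version]
    for key in ("deviceEventClassId_field", "name_field", "severity_field"):
        source_field = schema[key]
        if source_field not in event:
            raise KeyError(f"event lacks field {source_field!r} required by schema key {key}")
        parts.append(event[source_field])
    return "CEF:0|" + "|".join(escape_header(p) for p in parts) + "|"


def cef_message(event, schema):
    """Header followed by the remaining event fields as JSON (assumed layout, see lead-in)."""
    header_sources = {schema[k] for k in ("deviceEventClassId_field", "name_field", "severity_field")}
    body = {k: v for k, v in event.items() if k not in header_sources}
    return cef_header(event, schema) + " " + json.dumps(body, sort_keys=True)


def parse_cef_message(msg):
    """Split the seven header fields on unescaped '|' and decode the JSON body."""
    fields, current, i = [], [], 0
    while i < len(msg) and len(fields) < 7:
        ch = msg[i]
        if ch == "\\" and i + 1 < len(msg):  # escaped character: keep the next char literally
            current.append(msg[i + 1])
            i += 2
        elif ch == "|":
            fields.append("".join(current))
            current = []
            i += 1
        else:
            current.append(ch)
            i += 1
    if len(fields) != 7:
        raise ValueError("not a complete CEF header")
    return fields, json.loads(msg[i:])


if __name__ == "__main__":
    print(cef_message(SAMPLE_EVENT, SCHEMA))
```

The escaping matters operationally: a rule name containing "|" would otherwise shift every following header field by one position on the receiving ArcSight side, so severity would be read from the wrong slot.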

BSD Syslog

This integration produces events in the BSD Syslog format.

Configuration:

bsd_syslog:
  output_type: tcp
  address: "127.0.0.1 7999"

Schema:

---
define:
  type: lmio/schema

  raw: event.original
  principal_datetime: '@timestamp'

Example output

<14> Oct 01 12:43:25 lmio LogMan.io[1]: <30>Oct 01 12:43:13 bradavice-hagrid ntopng[1007416]: ....
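The example line above carries two BSD syslog frames: the outer one written by LogMan.io (PRI 14) and the original device line it forwards as its message (PRI 30). In BSD syslog the PRI value is facility * 8 + severity, so <14> is facility 1 (user) at severity 6 (informational) and <30> is facility 3 (daemon) at the same severity. The code below is an added example, not LogMan.io code: it composes a line in the format shown on this page, parses such a line back into its parts, and unwraps the nested frame. The sample line is constructed from the page's example with the trailing "...." replaced by made-up message text.

```python
# Added example (not LogMan.io code): compose and decode BSD syslog (RFC 3164)
# framing as used by the bsd_syslog integration.
import re
from datetime import datetime

# Facility numbers from RFC 3164; 12-15 are left out and fall back to the number.
FACILITIES = {
    0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
    6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp",
    16: "local0", 17: "local1", 18: "local2", 19: "local3",
    20: "local4", 21: "local5", 22: "local6", 23: "local7",
}
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


def pri(facility, severity):
    """PRI = facility * 8 + severity, both range-checked."""
    if not 0 <= facility <= 23 or not 0 <= severity <= 7:
        raise ValueError("facility must be 0..23 and severity 0..7")
    return facility * 8 + severity


def decode_pri(value):
    """Inverse of pri(): returns (facility, severity)."""
    return divmod(value, 8)


def format_bsd_syslog(facility, severity, timestamp, hostname, tag, pid, msg):
    """Compose a line in the layout shown on this page.

    Note: the page's output uses a zero-padded day ("Oct 01"); RFC 3164 specifies a
    space-padded day ("Oct  1"), so a strict receiver may reject the former.
    """
    ts = timestamp.strftime("%b %d %H:%M:%S")
    return f"<{pri(facility, severity)}>{ts} {hostname} {tag}[{pid}]: {msg}"


# Accepts the optional space after the PRI that appears in the page's example.
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})> ?(?P<ts>[A-Z][a-z]{2} [ 0-9]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<tag>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$",
    re.S,
)


def parse_bsd_syslog(line):
    """Parse one BSD syslog line into a dictionary; raises ValueError on malformed input."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError(f"not a BSD syslog line: {line!r}")
    facility, severity = decode_pri(int(m["pri"]))
    if facility > 23:
        raise ValueError(f"PRI {m['pri']} out of range")
    return {
        "facility": FACILITIES.get(facility, str(facility)),
        "severity": SEVERITIES[severity],
        "timestamp": m["ts"],
        "host": m["host"],
        "tag": m["tag"],
        "pid": int(m["pid"]) if m["pid"] else None,
        "msg": m["msg"],
    }


# Constructed sample based on the page's example; the device message text is made up.
SAMPLE_LINE = (
    "<14> Oct 01 12:43:25 lmio LogMan.io[1]: "
    "<30>Oct 01 12:43:13 bradavice-hagrid ntopng[1007416]: flow alert (constructed)"
)

if __name__ == "__main__":
    outer = parse_bsd_syslog(SAMPLE_LINE)
    inner = parse_bsd_syslog(outer["msg"])
    print(outer["facility"], outer["severity"], "->", inner["host"], inner["tag"])
```

When a downstream collector should see the original device as the sender, parse the outer frame and forward its message; when it should see LogMan.io as the sender, forward the outer line as is.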

Field

The Field integration produces events that contain only the single field named by field_name.

Configuration:

field:
  output_type: tcp
  address: "127.0.0.1 PORT"  # PORT: destination port placeholder, not given on this page
  field_name: "event.original"

Example output

{
    "event.original": "<30>Oct 01 12:43:13 bradavice-hagrid ntopng[1007416]: ...."
}