LogMan.io Assets
TeskaLabs LogMan.io Assets (lmio-assets) is a microservice that maintains the asset inventory per tenant: hosts, users, and services identified by principal fields from the tenant schema. It exposes the inventory over HTTP (default tcp/8965) and keeps documents in MongoDB.
The service consumes two Kafka streams per tenant:
| Stream | Source | Effect on assets |
|---|---|---|
| Activity | Parsec activity topic (events.<tenant>.activity by default) | Updates first_seen / last_seen, optional tags from activity payloads |
| Complex | Correlator output on the tenant complex event lane (events.<tenant>.complex by default) | Updates entity risk score with a time decayed model (see Entity risk score) |
Activity and complex processing share the same consumer group (lmio_assets by default). Topic names and schema field mappings are rebuilt when the Library changes under /EventLanes/ or /Schemas/.
Asset document
Each asset row uses Mongo _id {tenant}:{kind}:{value} where kind is host, user, or service.
| Field | Meaning |
|---|---|
| tenant, kind, value | Identity (mirrors _id parts) |
| first_seen, last_seen | Unix ms from the schema principal datetime field on activity events |
| risk_score | Integer entity risk score (decayed at read time; see Entity risk score) |
| alert_after | Optional stale alert threshold in seconds (HTTP API) |
User defined labels live in a separate tags collection (asset_tags by default) with the same _id as the asset.
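Consumers of these documents need to handle two details from the table above: values that themselves contain colons, and the unit difference between last_seen (milliseconds) and alert_after (seconds). The Python below is an added example, not lmio-assets code; the function names, the assumption that tenant names contain no colon, and the staleness rule (now minus last_seen exceeds alert_after) are assumptions.

```python
import time

KINDS = {"host", "user", "service"}  # asset kinds listed on this page


def parse_asset_id(asset_id):
    """Split '{tenant}:{kind}:{value}' on the first two colons only."""
    # Values may contain colons (IPv6 addresses). Assumption: tenants do not.
    parts = asset_id.split(":", 2)
    if len(parts) != 3 or not all(parts):
        raise ValueError(f"malformed asset _id: {asset_id!r}")
    if parts[1] not in KINDS:
        raise ValueError(f"unknown asset kind: {parts[1]!r}")
    return tuple(parts)


def mirrors_id(doc):
    """True when the tenant/kind/value fields match the _id parts."""
    return parse_asset_id(doc["_id"]) == (doc["tenant"], doc["kind"], doc["value"])


def is_stale(doc, now_ms=None):
    """Assumed rule: stale when silent for longer than alert_after."""
    # last_seen is Unix milliseconds, alert_after is seconds: convert first.
    # Documents without alert_after never alert.
    alert_after = doc.get("alert_after")
    if alert_after is None:
        return False
    if now_ms is None:
        now_ms = int(time.time() * 1000)
    return now_ms - doc["last_seen"] > alert_after * 1000


def stale_ids(docs, now_ms):
    """_ids of consistent documents that exceeded their threshold."""
    return [d["_id"] for d in docs if mirrors_id(d) and is_stale(d, now_ms)]


# Constructed sample documents, not real inventory data.
NOW_MS = 1_700_000_600_000
SAMPLE = [
    {"_id": "acme:host:2001:db8::10", "tenant": "acme", "kind": "host",
     "value": "2001:db8::10", "last_seen": NOW_MS - 7_200_000, "alert_after": 3600},
    {"_id": "acme:user:jdoe", "tenant": "acme", "kind": "user",
     "value": "jdoe", "last_seen": NOW_MS - 60_000, "alert_after": 3600},
    {"_id": "acme:service:sshd", "tenant": "acme", "kind": "service",
     "value": "sshd", "last_seen": NOW_MS - 86_400_000},
]
```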
Related documentation
- Configuration: model, ASAB [assets] settings, dependencies
- Entity risk score: decay model, complex lane input, webui chart vs stored field
- Parsec asset management: how activity events are produced
- Risk scoring in Correlator: per detection event.risk_score on complex events
- Kafka topics: events.<tenant>.activity
- Network ports: lmio-assets on tcp/8965