LogMan.io Assets configuration¶
LogMan.io Assets requires the following dependencies:
- Apache ZooKeeper
- Apache Kafka
- MongoDB
- SeaCat Auth
- LogMan.io Library with `/EventLanes/` (activity and complex lanes) and tenant schemas in `/Schemas/`
- LogMan.io Watcher (optional, for per-asset risk score weight lookups)
Model¶
Include the service in the site model and click Apply:
`/Site/model.yaml`:

```yaml
define:
  type: rc/model

services:
  lmio-assets:
    instances:
      <tenant>-1:
        node: <node>
        asab:
          config:
            tenant:
              name: <tenant>
```
Example¶
Minimal ASAB configuration:
```ini
[zookeeper]
servers=zookeeper-1:2181,zookeeper-2:2181,zookeeper-3:2181

[library]
providers=zk:///library

[kafka]
bootstrap_servers=kafka-1:9092,kafka-2:9092,kafka-3:9092

[asab:storage]
type=mongodb
mongodb_uri=mongodb://mongodb1,mongodb2,mongodb3/?replicaSet=rs0
mongodb_database=assets

[auth]
multitenancy=yes
public_keys_url=http://seacat-auth.service_id.asab/.well-known/jwks.json

[pipeline:ActivityAssetsPipeline:KafkaSource]
group.id=lmio_assets

[pipeline:ComplexAssetsPipeline:KafkaSource]
group.id=lmio_assets
```

`public_keys_url` is the trust anchor for every access token the HTTP API accepts: the JWKS it points to decides which SeaCat Auth signatures are valid, so it must only resolve on the internal service network where a plaintext `http://` URL cannot be intercepted.

Kafka topics are not hard-coded in the INI file. Once the Library is ready, the service discovers each tenant's `activity.yaml` and `complex.yaml` event lanes and subscribes to the Kafka topics they declare, so adding a tenant or a lane is a Library change, not a configuration change.
[assets] section¶
| Key | Default | Description |
|---|---|---|
| `mongo_collection` | `assets` | Mongo collection for asset rows |
| `mongo_tags_collection` | `asset_tags` | Tag sidecar collection |
| `activity_mongo_batch_max` | `100` | Activity updates buffered before a `bulk_write` |
| `activity_mongo_batch_max_age` | `60` | Max seconds before a partial activity flush (`0` = flush on size only) |
| `complex_mongo_batch_max` | `100` | Risk score samples buffered before a Mongo flush |
| `complex_mongo_batch_max_age` | `60` | Max seconds before a partial risk score flush |
| `default_alert_after_sec` | `7200` (2 h) | `alert_after` set on the first activity insert (`0` = disabled) |
| `risk_score_decay_half_life` | `24h` | Entity risk score half-life (see Entity risk score) |
| `risk_score_decay_clear_below` | `0.5` | Decayed scores below this value are cleared |
| `merge_suppress_lru_max` | `50000` | LRU size for asset ids that were merged away |
| `deleted_activity_suppress_ttl` | `600` | Seconds to ignore Kafka upserts after an HTTP delete (`0` = off) |
| `stale_alert_cooldown_sec` | `900` | Min seconds between repeated stale-asset signals |
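The following is an added example, not LogMan.io Assets code, showing how the `[assets]` tunables above behave once read from the INI file: the batch flush that `activity_mongo_batch_max` / `activity_mongo_batch_max_age` control, and the half-life decay that `risk_score_decay_half_life` / `risk_score_decay_clear_below` control. The duration syntax accepted for the half-life, the flush rule (flush when the buffer is full or when its oldest entry has aged out; `0` disables the age flush) and the decay formula (`score * 0.5 ** (age / half_life)`) are assumptions made for this illustration, not taken from the service's source. The sample INI and the host ids are constructed.

```python
"""Added example (not LogMan.io Assets code): how the [assets] tunables behave."""
import configparser
import re
from typing import Optional

# Defaults copied from the [assets] table on this page.
ASSETS_DEFAULTS = {
    "activity_mongo_batch_max": "100",
    "activity_mongo_batch_max_age": "60",
    "risk_score_decay_half_life": "24h",
    "risk_score_decay_clear_below": "0.5",
}

_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}


def parse_duration(value: str) -> float:
    """Parse '24h', '90m', '600s' or a bare number of seconds (assumed syntax)."""
    m = re.fullmatch(r"\s*(\d+(?:\.\d+)?)\s*([smhd]?)\s*", value)
    if m is None:
        raise ValueError(f"bad duration: {value!r}")
    return float(m.group(1)) * _UNITS.get(m.group(2), 1)


def load_assets_config(ini_text: str) -> dict:
    """Read the [assets] section, filling in the documented defaults for missing keys."""
    cp = configparser.ConfigParser()
    cp.read_string(ini_text)
    section = dict(cp["assets"]) if cp.has_section("assets") else {}
    merged = {**ASSETS_DEFAULTS, **section}
    return {
        "batch_max": int(merged["activity_mongo_batch_max"]),
        "batch_max_age": float(merged["activity_mongo_batch_max_age"]),
        "half_life": parse_duration(merged["risk_score_decay_half_life"]),
        "clear_below": float(merged["risk_score_decay_clear_below"]),
    }


def decayed_risk_score(score: float, age_sec: float, half_life: float, clear_below: float) -> float:
    """Half-life decay (assumed formula); a score that decays under clear_below reads as 0."""
    decayed = score * 0.5 ** (age_sec / half_life)
    return 0.0 if decayed < clear_below else decayed


class ActivityBatch:
    """Buffer of activity updates flushed by size or by age (assumed rule, see lead-in)."""

    def __init__(self, batch_max: int, batch_max_age: float):
        self.batch_max = batch_max
        self.batch_max_age = batch_max_age
        self.updates: list = []
        self.oldest_ts: Optional[float] = None
        self.flushes: list = []  # stands in for Mongo bulk_write calls

    def add(self, update: dict, now: float) -> bool:
        """Buffer one update; returns True if this add triggered a flush."""
        self.updates.append(update)
        if self.oldest_ts is None:
            self.oldest_ts = now
        return self._maybe_flush(now)

    def tick(self, now: float) -> bool:
        """Periodic timer: flush a partial batch whose oldest update has aged out."""
        return self._maybe_flush(now)

    def _maybe_flush(self, now: float) -> bool:
        if not self.updates:
            return False
        aged = self.batch_max_age > 0 and now - self.oldest_ts >= self.batch_max_age
        if len(self.updates) >= self.batch_max or aged:
            self.flushes.append(self.updates)
            self.updates, self.oldest_ts = [], None
            return True
        return False


# Constructed sample INI: a smaller batch and a shorter half-life than the defaults.
SAMPLE_INI = """
[assets]
activity_mongo_batch_max=3
activity_mongo_batch_max_age=30
risk_score_decay_half_life=12h
"""


def demo() -> dict:
    cfg = load_assets_config(SAMPLE_INI)
    batch = ActivityBatch(cfg["batch_max"], cfg["batch_max_age"])
    # Three updates in quick succession: the third one fills the batch.
    flushed_on_size = [batch.add({"_id": f"host-{i}"}, now=1000.0 + i) for i in range(3)]
    # A lone update, then the timer fires 35 s later: partial batch flushed by age.
    batch.add({"_id": "host-9"}, now=1010.0)
    flushed_on_age = batch.tick(now=1045.0)
    return {
        "cfg": cfg,
        "size_flush_at": flushed_on_size.index(True) + 1,
        "age_flush": flushed_on_age,
        "flush_count": len(batch.flushes),
        "score_after_12h": decayed_risk_score(80.0, 12 * 3600, cfg["half_life"], cfg["clear_below"]),
        "score_after_7d": decayed_risk_score(80.0, 7 * 86400, cfg["half_life"], cfg["clear_below"]),
    }


if __name__ == "__main__":
    print(demo())
```

With the sample values the batch flushes on the third update and again by age 35 s after a lone update; a score of 80 halves to 40 after one 12 h half-life and, after seven days (14 half-lives), falls under `clear_below` and reads as 0. Lowering `clear_below` keeps long-quiet entities visible longer; raising `batch_max_age` to `0` means a trickle of activity can sit unflushed indefinitely, which matters when you rely on `last_seen` being current.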
HTTP API¶
The service listens on tcp/8965 by default. Asset list responses include the decayed `risk_score`, `first_seen`, `last_seen` and the computed `active` flag. To sort by entity risk, pass the query parameter `srisk_score`.

Optional per-asset risk score weight overrides are managed with `GET` / `PUT` / `DELETE` on `/{tenant}/asset/{_id}/risk-score-weight`; these calls are proxied to Watcher `*id2riskscore` lookups, so they only work when the optional Watcher dependency is deployed. See Entity risk score.