Unomaly Output Plugin for Graylog
This plugin is intended for streaming logs to the Unomaly REST API, so that you can algorithmically detect anomalies
across your entire infrastructure.
Required Graylog version: 2.4.0 and later
Required Unomaly version: 2.27 and later
Installation
Download the plugin
and place the .jar file in your Graylog plugin directory. The plugin directory
is the plugins/ folder relative from your graylog-server directory by default
and can be configured in your graylog.conf file.
Restart graylog-server and you are done.
Configuration of Graylog
The Unomaly plugin will be available in Graylog like any other output plugin. It can
for example be attached to one or more streams or processing pipelines.
The latter is the way to go if you need to perform record transformation, like
changing the source of a log event.
Development
You can improve your development experience for the web interface part of your plugin
dramatically by making use of hot reloading. To do this, do the following:
git clone https://github.com/Graylog2/graylog2-server.gitcd graylog2-server/graylog2-web-interfaceln -s $YOURPLUGIN plugin/npm install && npm start
Usage
Changing the source / key in Unomaly
By default, this plugin will use the source field in the Graylog events as
the source for events sent to Unomaly. This might not always be ideal if you
are using a microservice based architecture, most likely, you'd want to find
anomalies per microservice, rather than per container. You can change this
behavior by adding a pipeline with rule(s) in Graylog. Example follows
below where we mutate the event to have the service_name field as the
specified source which Unomaly will see instead.
rule "transform_unomaly"
when
has_field("service_name")
then
let new_src = to_string($message.service_name);
set_field("source", new_src);
end
Getting started
This project is using Maven 3 and requires Java 7 or higher.
- Clone this repository.
- Run
mvn package to build a JAR file.
- Optional: Run
mvn jdeb:jdeb and mvn rpm:rpm to create a DEB and RPM package respectively.
- Copy generated JAR file in target directory to your Graylog plugin directory.
- Restart the Graylog.
Plugin Release
We are using the maven release plugin:
$ mvn release:prepare
[...]
$ mvn release:perform
This sets the version numbers, creates a tag and pushes to GitHub. Travis CI will build the release artifacts and upload to GitHub automatically.
Contributing
Bug reports and pull requests are welcome on GitHub at
https://github.com/unomaly/graylog-plugin-unomaly. This project is intended to
be a safe, welcoming space for collaboration.
andskli
free!