Creating an event router
An event router is a service that allows you to receive streams of events from collectors and correlators and then distribute the events to specified destinations in accordance with the configured filters.
To have events from a collector sent to the event router, you must create an 'eventRouter' destination resource with the address of the event router and link the resource to each collector that must send its events to the event router.
The event router receives events on the API port, just like 'storage' and 'correlator' destinations.
You can create a router in the Resources section.
Using an event router lets you reduce the utilization of links, which is important for low-bandwidth and busy links.
Possible use cases:
Collector — Router in the data center
The collector sends events to an event router in the data center, and the event router sends the events to the specified destinations: correlator and storage.
Preconditions:
- KUMA 3.2 collectors are configured at the branch offices.
- The data center has the capacity to install an event router.
- KUMA 3.2 is installed in the data center.
Steps:
- In the data center:
  - Create the Event router service.
  - Create storage and correlator destination points and specify them in the Event router.
  - In the Event router on the Advanced settings tab, configure a filter to send events to storage and/or correlator. For example, "DeviceCustomString = correlator" or "DeviceCustomString = storage".
  - Configure enrichment.
- In the collectors at branch offices:
  - Create a destination of the eventRouter type.
  - Specify the URL of the event router in the data center of the branch office.
  - If eventRouter replaces previously configured destinations, you can delete them.
Postcondition:
- Collectors at the branch offices are configured.
- The event router in the data center is configured.
Connections of branch offices to the data center have been optimized: for each collector, you no longer need to configure events to be sent both to storage and to the correlator in the data center. This halves the load on the link.
Routing to the storage and the correlator is performed within the data center.
Cascade connection: Multiple collectors — Router at the branch office; Router at the branch office — Router in the data center
Multiple collectors send events to the event router at the branch office, and the event router at the branch office sends events to the router in the data center, where events are then sent to the specified destinations, that is, correlators and storage.
Preconditions:
- KUMA 3.2 collectors are configured at the branch offices.
- The data center has the capacity to install an event router.
- KUMA 3.2 is installed in the data center.
Steps:
- In the data center:
  - Create the Event router service.
  - Create storage and correlator destination points and specify them in the Event router.
  - In the Event router on the Advanced settings tab, configure a filter to send events to storage and/or correlator. For example, "DeviceCustomString = correlator" or "DeviceCustomString = storage".
- At the branch office:
  - Create the Event router service.
  - Create a destination of the eventRouter type and specify the URL of the Event router in the data center.
- In the collectors at branch offices:
  - Create a destination of the eventRouter type and specify the URL of the Event router at the branch office.
  - If eventRouter replaces previously configured destinations, you can delete them.
Postcondition:
- Collectors at the branch offices are configured.
- The event router in the data center and the event router at the branch office are configured.
The connections of branch offices with the data center are optimized: in each collector, you no longer need to configure events to be sent to the data center; it is enough to collect all events on the router and send them to the data center as one stream.
The event router must be installed on a Linux device. Only a user with the General Administrator role can create the service. You can create a service in any tenant; the tenant relation does not impose any restrictions.
You can use the following metrics to get information about the service performance:
As with other resources, the following audit events are generated for the event router in KUMA:
- Resource was successfully added
- Resource was successfully updated
- Resource was successfully deleted
Installing an event router involves two steps: