In KUMA, you can monitor the state of the sources of data received by collectors. One server can host several event sources, and one collector can receive data from several sources. KUMA identifies an event source from the following event fields (the values in these fields are case sensitive):
DeviceProduct is a required field.
One of the DeviceHostname or DeviceAddress fields must be present.
DeviceProcessName is an optional field.
Tenant is a required field, which is determined automatically from the tenant of the event that was used to identify the source.
Limitations
KUMA registers an event source only when the DeviceProduct field and the DeviceAddress (or DeviceHostname) field are both present in the event after normalization.
If the raw event does not contain values for DeviceAddress and DeviceProduct, you can fill them in one of the following ways:
Configure enrichment in the normalizer: select the Event data type on the Enrichment tab of the normalizer, specify the Source field setting, select DeviceAddress and DeviceProduct as the Target field, and click OK.
Use an enrichment rule: select the Event data source type, specify the Source field setting, select DeviceAddress and DeviceProduct as the Target field, and click Create. The created enrichment rule must be linked to the collector at the Event enrichment step.
KUMA will perform enrichment and register the event source.
If KUMA receives events with identical values in the DeviceProduct + DeviceHostname + DeviceAddress required fields, it still registers separate sources when any of the following is true:
The values of the required fields are identical, but the events are assigned to different tenants.
The values of the required fields are identical, but one of the events also has the optional DeviceProcessName field filled in.
The values of the required fields are identical, but the character case of the values differs (for example, "Firewall" and "firewall").
If you want KUMA to record such events under a single source, adjust how the normalizer fills these fields, for example by producing a uniform character case or a consistent DeviceProcessName value.
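The following Python script models the source identification rules described above. It is an added illustration, not KUMA code: the field names are the ones from this page, but the enrich() helper, the SourceKey structure, the tenant handling and the sample events are assumptions constructed for the example (the "SourceAddress" field used as the enrichment source is likewise an assumption). It shows why the same host can appear as several sources (tenant, DeviceProcessName, character case) and how folding the case in the normalizer merges them.

```python
"""Model of how an event source is identified from normalized event fields.
Added example, not KUMA code: the field names follow the KUMA docs, the
logic re-implements the rules described in the text."""
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple

REQUIRED_PRODUCT = "DeviceProduct"
HOST_FIELDS = ("DeviceHostname", "DeviceAddress")  # at least one must be present
OPTIONAL_PROCESS = "DeviceProcessName"


@dataclass(frozen=True)
class SourceKey:
    """Identity of an event source as KUMA would distinguish it."""
    tenant: str
    product: str
    hostname: str
    address: str
    process: str  # empty string when DeviceProcessName is absent


def enrich(event: dict, source_field: str, target_field: str) -> dict:
    """Copy source_field into target_field when the target is empty.

    Hypothetical equivalent of the normalizer / enrichment-rule workaround
    described above (Event data type, Source field -> Target field)."""
    out = dict(event)
    if not out.get(target_field) and out.get(source_field):
        out[target_field] = out[source_field]
    return out


def source_key(event: dict, tenant: str, case_sensitive: bool = True) -> Optional[SourceKey]:
    """Return the source identity for an event, or None if it cannot be registered.

    case_sensitive=False models a normalizer that lowercases the fields so that
    values differing only in character case map to one source."""
    product = event.get(REQUIRED_PRODUCT) or ""
    if not product:
        return None  # DeviceProduct is mandatory
    hostname = event.get("DeviceHostname") or ""
    address = event.get("DeviceAddress") or ""
    if not hostname and not address:
        return None  # one of DeviceHostname / DeviceAddress is mandatory
    process = event.get(OPTIONAL_PROCESS) or ""
    fold = (lambda s: s) if case_sensitive else str.lower
    return SourceKey(tenant, fold(product), fold(hostname), fold(address), fold(process))


def register_sources(events: Iterable[Tuple[str, dict]],
                     case_sensitive: bool = True) -> Dict[SourceKey, int]:
    """Group events into distinct sources; returns {SourceKey: event count}.
    events is an iterable of (tenant, normalized_event) pairs; the tenant is
    taken from the event's tenant, as KUMA does."""
    registry: Dict[SourceKey, int] = {}
    for tenant, ev in events:
        key = source_key(ev, tenant, case_sensitive)
        if key is None:
            continue  # required fields missing: no source is registered
        registry[key] = registry.get(key, 0) + 1
    return registry


# Constructed sample events (tenant, normalized fields); not real data.
SAMPLE_EVENTS = [
    ("Main", {"DeviceProduct": "Firewall", "DeviceAddress": "10.0.0.5"}),
    ("Main", {"DeviceProduct": "Firewall", "DeviceAddress": "10.0.0.5"}),
    ("Main", {"DeviceProduct": "firewall", "DeviceAddress": "10.0.0.5"}),   # case differs
    ("Branch", {"DeviceProduct": "Firewall", "DeviceAddress": "10.0.0.5"}),  # other tenant
    ("Main", {"DeviceProduct": "Firewall", "DeviceAddress": "10.0.0.5",
              "DeviceProcessName": "fwd"}),                                  # optional field set
    ("Main", {"DeviceProduct": "Firewall"}),                                 # no host field
    ("Main", {"DeviceAddress": "10.0.0.6", "DeviceVendor": "Acme"}),         # no DeviceProduct
]

if __name__ == "__main__":
    for key, n in register_sources(SAMPLE_EVENTS).items():
        print(n, key)
    print("case-insensitive sources:", len(register_sources(SAMPLE_EVENTS, case_sensitive=False)))
```

With the sample data the case-sensitive run registers four sources from seven events (two events are dropped for missing required fields), while folding the case reduces that to three.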
Lists of sources are generated in collectors, merged in the KUMA Core, and displayed in the KUMA web interface under Source status on the List of event sources tab. The data is updated every minute.
The rate and number of incoming events are an important indicator of the state of the monitored system: a source that falls silent or suddenly floods the collector usually means that something changed on that host or in the log pipeline. You can configure monitoring policies so that these changes are tracked automatically and notifications are created when the indicators cross specified boundary values. Monitoring policies are displayed in the KUMA web interface under Source status on the Monitoring policies tab.
When monitoring policies are triggered, monitoring events are created and include data about the source of events.
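The script below is an added, simplified model of such a policy check; it is not KUMA's policy engine and the policy parameters, source identifiers and timestamps are all constructed for the example. It counts events per source in fixed windows, treats a source with no events in a window as a violation of the lower bound (the case a silent source represents), flags windows above an upper bound, and emits a monitoring event carrying the source data, as the text describes.

```python
"""Illustrative model of a source monitoring policy.
Added example, not KUMA code: counts events per source per fixed window and
produces a monitoring event when a count leaves the configured bounds."""
from collections import defaultdict
from typing import Dict, Iterable, List, Optional, Tuple

Event = Tuple[int, str]  # (epoch seconds, source identifier)


def count_per_window(events: Iterable[Event], window_seconds: int = 60) -> Dict[Tuple[str, int], int]:
    """Return {(source, window_start): event count} for the given events."""
    counts: Dict[Tuple[str, int], int] = defaultdict(int)
    for ts, source in events:
        counts[(source, ts - ts % window_seconds)] += 1
    return dict(counts)


def evaluate_policy(events: List[Event], sources: Iterable[str], window_seconds: int = 60,
                    min_count: int = 1, max_count: Optional[int] = None) -> List[dict]:
    """Apply a hypothetical policy to every (source, window) pair.

    Windows span from the first to the last event seen by the collector, so a
    source with no events in a window is reported as below min_count rather
    than silently skipped. Returns monitoring events sorted by window, then source."""
    if not events:
        return []
    counts = count_per_window(events, window_seconds)
    first = min(ts for ts, _ in events) // window_seconds * window_seconds
    last = max(ts for ts, _ in events) // window_seconds * window_seconds
    windows = range(first, last + window_seconds, window_seconds)
    monitoring_events = []
    for window_start in windows:
        for source in sorted(sources):
            n = counts.get((source, window_start), 0)
            if n < min_count:
                monitoring_events.append({"source": source, "window_start": window_start,
                                          "count": n, "condition": "below_min",
                                          "threshold": min_count})
            elif max_count is not None and n > max_count:
                monitoring_events.append({"source": source, "window_start": window_start,
                                          "count": n, "condition": "above_max",
                                          "threshold": max_count})
    return monitoring_events


# Constructed sample data: two sources, 60-second windows starting at t=0.
FIREWALL = "Firewall@10.0.0.5"
PROXY = "Proxy@10.0.0.9"
SOURCES = (FIREWALL, PROXY)
SAMPLE_EVENTS: List[Event] = (
    [(t, FIREWALL) for t in (0, 10, 20, 70, 190)]           # silent in window 120..179
    + [(t, PROXY) for t in (1, 2, 3, 4, 5, 61, 62, 185)]    # normal rate
    + [(t, PROXY) for t in range(120, 150)]                 # 30 events: flood in window 120..179
)

if __name__ == "__main__":
    for me in evaluate_policy(SAMPLE_EVENTS, SOURCES, min_count=1, max_count=20):
        print(me)
```

With the sample data the policy produces two monitoring events for the window starting at 120 seconds: the firewall source is silent (count 0, below the minimum of 1) and the proxy source is above the maximum of 20 with 30 events.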