Unomaly Output Plugin for Graylog

Unomaly

@andskli

Plugin 1.0.3

Graylog output plugin for Unomaly https://unomaly.com


This plugin is intended for streaming logs to the Unomaly REST API, so that you can algorithmically detect anomalies across your entire infrastructure.

Required Graylog version: 2.4.0 and later
Required Unomaly version: 2.27 and later

Installation

Download the plugin and place the .jar file in your Graylog plugin directory. By default the plugin directory is the plugins/ folder relative to your graylog-server directory; it can be configured in your graylog.conf file.

Restart graylog-server and you are done.

Configuration of Graylog

The Unomaly plugin will be available in Graylog like any other output plugin. It can, for example, be attached to one or more streams or processing pipelines. The latter is the way to go if you need to perform record transformation, such as changing the source of a log event.

Development

You can improve your development experience for the web interface part of your plugin dramatically by making use of hot reloading. To do this, do the following:

  • git clone https://github.com/Graylog2/graylog2-server.git
  • cd graylog2-server/graylog2-web-interface
  • ln -s $YOURPLUGIN plugin/
  • npm install && npm start

Usage

Changing the source / key in Unomaly

By default, this plugin uses the source field of the Graylog event as the source of the event sent to Unomaly. This is not always ideal in a microservice-based architecture, where you most likely want to find anomalies per microservice rather than per container. You can change this behavior by adding a pipeline with one or more rules in Graylog. The example below mutates the event so that the value of its service_name field becomes the source that Unomaly sees.

rule "transform_unomaly"
when
  has_field("service_name")
then
  let new_src = to_string($message.service_name);
  set_field("source", new_src);
end

Getting started

This project is using Maven 3 and requires Java 7 or higher.

  • Clone this repository.
  • Run mvn package to build a JAR file.
  • Optional: Run mvn jdeb:jdeb and mvn rpm:rpm to create a DEB and RPM package respectively.
  • Copy the generated JAR file from the target directory to your Graylog plugin directory.
  • Restart Graylog.

Plugin Release

We are using the maven release plugin:

$ mvn release:prepare
[…]
$ mvn release:perform

This sets the version numbers, creates a tag and pushes to GitHub. Travis CI will build the release artifacts and upload to GitHub automatically.

Contributing

Bug reports and pull requests are welcome on GitHub at unomaly/graylog-plugin-unomaly. This project is intended to be a safe, welcoming space for collaboration.