LM Cloud

4. Setting up LM Cloud's custom event integrations

LM Cloud offers custom event integrations that enable you to see AWS- and Azure-specific events in LogicMonitor, and correlate events (such as EC2 instance state change notifications, CloudTrail logs or Azure Activity logs) with performance data.

The setup and details of these integrations vary considerably between AWS and Azure, so please see the sections below for additional information.

 

Visualizing AWS CloudWatch Events in LogicMonitor:

LogicMonitor's AWS event integration enables you to see CloudWatch Events alongside performance data graphs in LogicMonitor. You may find this useful for correlating monitoring trends and events that occurred in your AWS account.

 

Setting up the integration

The event integration is based on an AWS Lambda function. Specifically, you'll need to add the Lambda function and set up a CloudWatch Events rule that triggers the function based on desired events. The Lambda function, when triggered, will use LogicMonitor's REST API to add the events as Ops Notes for the specific devices to which they relate. Once the Ops Notes have been created for monitored resources that have associated events, you'll see them on all device and dashboard graphs for those resources. You can further filter the events that show up using the Ops Notes panel.

Assuming you already have monitored AWS resources in LogicMonitor, you'll need to perform the following steps to set up the integration. Because both AWS Lambda functions and CloudWatch Events are region specific, the following steps need to be carried out in each region you want to receive events for.

  1. Create a set of API tokens in your LogicMonitor account that the integration will use. Note that the user these API tokens belong to must have permission to manage all devices in order to create Ops Notes. As a best practice, we recommend creating a designated API user for the integration.
  2. Create a new Lambda function from the Serverless Application Repository and select 'logicmonitor-send-cloudwatch-events'.
  3. Add a name for your function and deploy it.
  4. Add CloudWatch Events as a trigger for the function, and then create or select a CloudWatch Event Rule that matches the events you'd like to show up in your LogicMonitor account. It's easiest to create a rule based on an event pattern. Enabling the trigger will result in the Lambda function being triggered immediately upon creation for the matching events.
  5. Add ACCOUNT_NAME, API_ACCESS_ID, and API_ACCESS_KEY values as environment variables. The ACCOUNT_NAME should match your LogicMonitor account name, where account name is the name preceding ".logicmonitor.com" in your account URL. The API_ACCESS_KEY should match the access key for your API tokens created in step 1, and the API_ACCESS_ID should match the access id for your API token pair created in step 1. API_ACCESS_ID and API_ACCESS_KEY should be encrypted environment variables, so you'll need to enable encryption helpers and select a KMS key. The role auto-created for the function must have permission to decrypt the variables at runtime with the selected key.


After these steps are complete, all CloudWatch Events that match your rule configured in step 4 should be added as LogicMonitor Ops Notes for the specific monitored resources to which they relate.
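
The decrypt permission from step 5, written out as an added example (not LogicMonitor's own policy): an IAM policy for the function's execution role that allows `kms:Decrypt` on the selected key only. The region, account ID and key ID in the ARN are placeholders to replace with your own values.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DecryptLogicMonitorApiTokens",
      "Effect": "Allow",
      "Action": "kms:Decrypt",
      "Resource": "arn:aws:kms:<region>:<account-id>:key/<key-id>"
    }
  ]
}
```

Scoping `Resource` to the one key keeps the role from decrypting data protected by other keys in the account.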

Visualizing Azure Activity Logs in LogicMonitor:

You can use an Azure function to send Azure Activity Logs. You may find this useful for correlating monitoring trends and events that occurred in your Azure account.

Setup Instructions:

The event integration is based on an Azure Function. Specifically, you'll need to add the Function and set up an Azure Activity Log alert rule that triggers the Function based on desired activity log events. The Function, when triggered, will use LogicMonitor's REST API to add the events as Ops Notes for the specific devices to which they relate. Once the Ops Notes have been created for monitored resources that have associated events, you'll see them on all device and dashboard graphs for those resources. You can further filter the events that show up using the Ops Notes panel.

Assuming you already have monitored Azure resources in LogicMonitor, you'll need to perform the following steps to set up the integration:

  1. Create a set of API tokens in your LogicMonitor account that the Function will use. Note that the user these API tokens belong to must have permission to manage all devices in order to create Ops Notes. As a best practice, we recommend creating a designated API user for the integration.
  2. Add a new Azure Function App. Note that Functions can be viewed / created from within the App Services section. Once created, you'll need to add an HTTPTrigger PowerShell Function within the App.
  3. Add the following script to the HTTP Trigger PowerShell Function:
    # POST method: $req
    $requestBody = Get-Content $req -Raw | ConvertFrom-Json
    
    $caller = $requestBody.data.context.activityLog.caller
    $source = $requestBody.data.context.activityLog.eventSource
    $time = $requestBody.data.context.activityLog.eventTimestamp
    $operation = $requestBody.data.context.activityLog.operationName
    $resourceId = $requestBody.data.context.activityLog.resourceId 
    $resourceGroup = $requestBody.data.context.activityLog.resourceGroupName
    
    Write-Output $resourceId | Out-String
    
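    <# account info: replace the placeholders with the API token pair from step 1 and your LogicMonitor account name.
       Keeping the key in the Function App's application settings, rather than in the script body, keeps it out of the code. #>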
    $accessId = 'API_ID'
    $accessKey = 'API_KEY'
    $company = 'LM_ACCOUNT'
    
    $encoded = [uri]::EscapeDataString($resourceId)
    
    <# Get Devices request details #>
    $httpVerb = 'GET'
    $resourcePath = '/device/devices'
    $queryParams = '?filter=systemProperties.name:system.azure.resourceid,systemProperties.value:' + $encoded
    
    Write-Output $queryParams | Out-String
    
    <# Construct URL #>
    $url = 'https://' + $company + '.logicmonitor.com/santaba/rest' + $resourcePath + $queryParams
    
    <# Get current time in milliseconds #>
    $epoch = [Math]::Round((New-TimeSpan -start (Get-Date -Date "1/1/1970") -end (Get-Date).ToUniversalTime()).TotalMilliseconds)
    
    <# Concatenate Request Details #>
    $requestVars = $httpVerb + $epoch + $resourcePath
    
    <# Construct Signature #>
    $hmac = New-Object System.Security.Cryptography.HMACSHA256
    $hmac.Key = [Text.Encoding]::UTF8.GetBytes($accessKey)
    $signatureBytes = $hmac.ComputeHash([Text.Encoding]::UTF8.GetBytes($requestVars))
    $signatureHex = [System.BitConverter]::ToString($signatureBytes) -replace '-'
    $signature = [System.Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($signatureHex.ToLower()))
    
    <# Construct Headers #>
    $auth = 'LMv1 ' + $accessId + ':' + $signature + ':' + $epoch
    $headers = New-Object "System.Collections.Generic.Dictionary[[String],[String]]"
    $headers.Add("Authorization",$auth)
    $headers.Add("Content-Type",'application/json')
    
    <# Make Request #>
    $response = Invoke-RestMethod -Uri $url -Method $httpVerb -Header $headers 
    
    <# Print status and body of response #>
    $status = $response.status
    $body = $response.data
    
    Write-Output "Status:$status"
    
    $deviceId = $body.items.id
    
    Write-Output $deviceId | Out-String
    
    If ($deviceId -ne $Null) {
    
    #####################################
    
    <# Add Ops Note request details #>
    $httpVerb = 'POST'
    $resourcePath = '/setting/opsnotes'
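    <# Build the body with ConvertTo-Json so quotes or backslashes in the activity log values are escaped;
       the same string is signed below and sent as the request body #>
    $data = [ordered]@{
        note   = 'caller:' + $caller + ', source:' + $source + ', operation:' + $operation
        tags   = @(@{ name = 'Azure Activity Log' })
        scopes = @(@{ type = 'device'; deviceId = "$deviceId" })
    } | ConvertTo-Json -Compress -Depth 5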
    
    <# Construct URL #>
    $url = 'https://' + $company + '.logicmonitor.com/santaba/rest' + $resourcePath
    
    <# Get current time in milliseconds #>
    $epoch = [Math]::Round((New-TimeSpan -start (Get-Date -Date "1/1/1970") -end (Get-Date).ToUniversalTime()).TotalMilliseconds)
    
    <# Concatenate Request Details #>
    $requestVars = $httpVerb + $epoch + $data + $resourcePath
    
    <# Construct Signature #>
    $hmac = New-Object System.Security.Cryptography.HMACSHA256
    $hmac.Key = [Text.Encoding]::UTF8.GetBytes($accessKey)
    $signatureBytes = $hmac.ComputeHash([Text.Encoding]::UTF8.GetBytes($requestVars))
    $signatureHex = [System.BitConverter]::ToString($signatureBytes) -replace '-'
    $signature = [System.Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($signatureHex.ToLower()))
    
    <# Construct Headers #>
    $auth = 'LMv1 ' + $accessId + ':' + $signature + ':' + $epoch
    $headers = New-Object "System.Collections.Generic.Dictionary[[String],[String]]"
    $headers.Add("Authorization",$auth)
    $headers.Add("Content-Type",'application/json')
    
    <# Make Request #>
    $response = Invoke-RestMethod -Uri $url -Method $httpVerb -Body $data -Header $headers 
    
    <# Print status and body of response #>
    $status = $response.status
    $body = $response.data | ConvertTo-Json -Depth 5
    
    Write-Output "Status:$status"
    Write-Output "Response:$body"
    }
  4. Get the function URL (upper right of function text). You'll need to add this to your Azure Activity Log alert rule.
  5. Within the Monitor service, select the Alerts section and configure an activity log alert that matches the events you want to see in LogicMonitor. You'll need to add a new Action of type Webhook, and add the Function URL as the description.

After these steps are complete, all Azure Activity Logs that match your rule configured in step 5 should be added as LogicMonitor Ops Notes for the specific monitored resources to which they relate.
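
The signing and body-building steps of the script in step 3, restated as reusable functions in an added example (not LogicMonitor's code). The function names and the LM_ACCESS_ID / LM_ACCESS_KEY setting names are assumptions, and the payload is constructed; the block makes no network calls.

```powershell
# Added example, not LogicMonitor's code. Function names and the LM_ACCESS_ID /
# LM_ACCESS_KEY setting names are assumptions made for this sketch.
function New-LMv1AuthHeader {
    param(
        [Parameter(Mandatory)][string]$AccessId,
        [Parameter(Mandatory)][string]$AccessKey,
        [Parameter(Mandatory)][string]$HttpVerb,
        [Parameter(Mandatory)][string]$ResourcePath,  # path only; the script above leaves the query string unsigned
        [string]$Data = '',
        [long]$Epoch = ([DateTimeOffset]::UtcNow.ToUnixTimeMilliseconds())
    )
    # HMAC-SHA256 over verb + epoch + body + path, lowercase hex, then Base64
    $hmac = New-Object System.Security.Cryptography.HMACSHA256
    try {
        $hmac.Key = [Text.Encoding]::UTF8.GetBytes($AccessKey)
        $hash = $hmac.ComputeHash([Text.Encoding]::UTF8.GetBytes($HttpVerb + $Epoch + $Data + $ResourcePath))
    } finally { $hmac.Dispose() }
    $hex = ([BitConverter]::ToString($hash) -replace '-').ToLower()
    $sig = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($hex))
    "LMv1 ${AccessId}:${sig}:${Epoch}"
}

function New-OpsNoteBody {
    param([Parameter(Mandatory)]$ActivityLog, [Parameter(Mandatory)][string]$DeviceId)
    # Fail closed when the webhook payload lacks a field the note is built from
    foreach ($field in 'caller', 'eventSource', 'operationName') {
        if ([string]::IsNullOrEmpty($ActivityLog.$field)) { throw "activityLog.$field is missing" }
    }
    [ordered]@{
        note   = "caller:$($ActivityLog.caller), source:$($ActivityLog.eventSource), operation:$($ActivityLog.operationName)"
        tags   = @(@{ name = 'Azure Activity Log' })
        scopes = @(@{ type = 'device'; deviceId = $DeviceId })
    } | ConvertTo-Json -Compress -Depth 5   # escapes quotes and backslashes in the values
}

# Constructed demo values; in the Function App these come from application settings.
if (-not $env:LM_ACCESS_ID)  { $env:LM_ACCESS_ID  = 'constructed-id' }
if (-not $env:LM_ACCESS_KEY) { $env:LM_ACCESS_KEY = 'constructed-key' }

# Constructed sample payload; the quotes inside "caller" would break string-built JSON.
$sample = '{"data":{"context":{"activityLog":{"caller":"svc \"deploy\" account","eventSource":"Administrative","operationName":"Microsoft.Compute/virtualMachines/restart/action"}}}}' | ConvertFrom-Json

$data = New-OpsNoteBody -ActivityLog $sample.data.context.activityLog -DeviceId '123'
$auth = New-LMv1AuthHeader -AccessId $env:LM_ACCESS_ID -AccessKey $env:LM_ACCESS_KEY `
    -HttpVerb 'POST' -ResourcePath '/setting/opsnotes' -Data $data
Write-Output $data
```

The `$auth` value is what goes in the Authorization header; the signature is computed over the same `$data` string that is sent as the body, so the two must not be built separately.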