Overview

Unomaly is a monitoring appliance used for log analysis and anomaly detection. This Unomaly integration for LogicMonitor displays log anomalies and knowns collected by Unomaly and monitors the frequencies of events over time.

Background

Unomaly works by learning the patterns of events produced by the systems and applications that make up IT infrastructures and identifying new events that don’t match previously established patterns.

As part of its event learning process, Unomaly tracks metrics (such as the counts of similar events and the frequency of their occurrence over time) and categorizes new events based on changes in structure, parameter values, and frequency. Users may also convert events into knowns to add contextual descriptions and classify their severity.

Read more about How Unomaly detects anomalies.

Compatibility

This Unomaly integration for LogicMonitor is compatible with:

  • Unomaly version 3.6.5 or newer

LogicMonitor will test and extend coverage for newer versions of Unomaly.

Setup Requirements

The LogicModules in this integration collect data from the Unomaly appliance(s) that is configured to:

  • Receive and process logs from the systems you want to monitor.
  • Enable communication with the Unomaly REST API endpoint.

Enable Unomaly API Access

The LogicModules require access to the REST API endpoint on the Unomaly appliance. See the Unomaly REST API Reference.

                               
ProtocolPort Description
HTTPS443 Used to communicate with and access the Unomaly REST API.

Basic authentication is used to communicate with and access the Unomaly REST API. LogicMonitor needs to provide credentials for a Basic (API user) account that is enabled on the Unomaly appliance. See Configure basic authentication for API access.

                               
AuthenticationRole Description
Basic (API user)Administrator This user has full Administrator capabilities on Unomaly. There may be multiple Basic accounts, but only one can be enabled at a time.

Edit LogicMonitor Device Properties

For LogicMonitor to communicate with the Unomaly REST API, set the following properties on the monitored resource (or group) within your LogicMonitor portal. See Resource and instance properties.

                                                                   
PropertyValue Required?
unomaly.usernameUnomaly Basic (API user) username Required
unomaly.passwordUnomaly Basic (API user) password Required
unomaly.hostHostname or IP address to Unomaly appliance Required
unomaly.systemidList of possible device ID to use to match the LogicMonitor device to a Unomaly system ID Optional

LogicModules in Package

The LogicModules package for this Unomaly integration are listed in the following table and described in more detail below. Import each LogicModule from the LogicMonitor Repository.

                                                                        
Display NameType Description
Unomaly_DeviceInfoPropertySource Identifies if a device is being monitored in Unomaly and sets the auto.unomaly.systemid property on devices.
Unomaly_Anomalies_MetricsDataSource Monitors anomalies metrics from Unomaly.
Unomaly Known EventsEventSource Relays detected known events from Unomaly.
Unomaly Frequency SpikesEventSource Relays detected frequency spikes from Unomaly.
Unomaly New AnomaliesEventSource Relays detected new anomalies found by Unomaly.

Unomaly DeviceInfo

The Unomaly integration with LogicMonitor relies on the mapping between LogicMonitor devices and Unomaly systems to be correct. Metrics will only be collected for Unomaly systems that correspond to existing LogicMonitor devices. This mapping is accomplished with the Unomaly_DeviceInfo PropertySource.

Unomaly_DeviceInfo reconciles a Unomaly system ID with a LogicMonitor device by matching the hostname, IP address, or device name. If the LogicMonitor device matches a Unomaly system, it sets a auto.unomaly.systemid property on the LogicMonitor device.

It’s expected that a LogicMonitor device may relate to multiple Unomaly systems.

Unomaly Anomalies Metrics

The Unomaly_Anomalies_Metrics DataSource monitors devices that map to Unomaly system(s) and returns the following metrics:

  • Counts of the occurrence of the different types of anomalies that have been detected over time.

Unomaly Known Events

Knowns are learned events that have been annotated by the user with contextual information such as descriptions and tags to explain why the event happened and how to resolve it. User can also add a severity to the known events: Critical, Warning, Notice, Informational, and Ignored.

The Unomaly Known Events EventSource relays known events that have been classified with Critical or Warning. These events are displayed in LogicMonitor with an Error alert. Messages within the alert include full links to the known within Unomaly.

Unomaly Frequency Spikes

The Unomaly Frequency Spikes EventSource relays anomalous events that are defined as frequency spikes. Unomaly detects frequency spikes are small, medium, or large depending on how the change in rate of the event compares to historic patterns.

These events are displayed in LogicMonitor with a Warning alert. Messages within the alert include full links to the log anomaly within Unomaly.

Unomaly New Anomalies

The Unomaly New Anomalies EventSource relays events for two anomaly types:

  • Never before see, which are events that are new in the entire infrastructure
  • New in system, which are events that occurred for the first time on the system but has been detected in other systems

These events are displayed in LogicMonitor with a Warning alert. Messages within the alert include full links to the log anomaly within Unomaly.

OpsNotes Annotations

In addition to the LogicModules, you may want to configure Unomaly to send OpsNotes to LogicMonitor and annotate metrics graphs with when log anomalies and known events are received.

In the Unomaly appliance, edit the following parameters in Settings | Advanced:

                                                   
PropertyValue Required?
tad/TAD_ACCESSIDAccess ID for your LogicMonitor portal Required
tad/TAD_ACCESSKEYAccess Key for your LogicMonitor portal Required
tad/TAD_ACCOUNTCompany Account for your LogicMonitor portal Required

OpsNotes will only be sent for Unomaly systems that match a LogicMonitor device. Messages within the OpsNotes include full links to the log anomaly or known within Unomaly.

Troubleshooting

If you have issues with collecting data from the Unomaly appliance, you can perform the following steps:

Check that the PropertySource is working by confirming that the auto.unomaly.systemid is being set on LogicMonitor devices:

  • If not, then use the Collector Debug to find the exact error with the PropertySource.
  • If auto.unomaly.systemid is being set, but you don’t see any anomalies, use the Collector Debug to find the error with the EventSources or DataSource.

Read more about Using the Collector Debug Facility.

In this Article: