ScienceLogic SL1 API Integration
Features
- You can configure Skylar Automated RCA to automatically add Root Cause (RCA) reports as events in ScienceLogic SL1.
- Each Skylar Automated RCA report includes a summary, a word cloud, and a set of log events showing symptoms and root cause, plus a link to the full report in the Skylar Automated RCA user interface.
- This means faster Mean Time to Resolution (MTTR) and less time manually hunting for root cause.
- Requires SL1 11.2.0 or later.
The "SL1 API" integration is a legacy integration, and in previous releases it was called the "ScienceLogic Events" integration. To configure the newer Skylar Automated RCA Connector (the ze_connector service), which sends Skylar Automated RCA suggestions and alerts to the Events page, Events Investigator page, Device Investigator, and Service Investigator pages in SL1, see Skylar Automated RCA Connector for SL1. This feature is available in SL1 version 12.2.0 or later.
How It Works
The recommended mode of operation for observability dashboard integrations is to use the Skylar Automated RCA Auto-Detect mode as an accurate mechanism for explaining the reason something went wrong. In this mode, you continue to use your existing rules, alerts and metrics as the primary source of problem detection. You can then review Skylar Automated RCA report findings directly on the ScienceLogic SL1 Events page (or Events Console in the classic user interface) alongside other metrics to explain the reason behind problems you were alerted on.
The Skylar Automated RCA Augment mode is useful if you use a run book automation in SL1 to create a ticket based on an event from your alerts. In this mode, Skylar Automated RCA updates the ticket directly with any Root Cause reports around the time of the event, so they are immediately visible to you as you work the case.
The two modes of operation are independent. You can configure Auto-Detect and/or Augment modes depending on your operational use case.
Auto-Detect (recommended): Send Root Cause Detections to your SL1 Events Page
- Skylar Automated RCA continuously monitors all application logs and uses unsupervised machine learning to find anomalous log patterns that indicate a problem. These are automatically turned into Root Cause reports highlighting details of any problems with over 95% accuracy.
- Root Cause report summaries are sent to ScienceLogic as events, and Root Cause details are visible on the SL1 Events page.
- With a single click on the SL1 Events page, you can drill down further into the Skylar Automated RCA user interface to look at correlated logs across your entire application.
For details, see Sending Root Cause Suggestions to the SL1 Events Page.
Sending Root Cause Suggestions to the SL1 Events Page
Integration Overview
- In SL1, choose an existing device or create a new virtual device to associate with Root Cause reports from Skylar Automated RCA.
- Set up a user with restricted access, limited to the minimally required API access hooks.
- Set up an event policy for the "Auto-Detected Root Cause Report" alert sent by Skylar Automated RCA.
- Create a ScienceLogic integration in Skylar Automated RCA using the information from STEPS 1 and 2.
Integration Details
STEP 1: Choose an Existing Device or Create a New Device
Because Skylar Automated RCA is using logs from an application that may be spread across many hosts, containers, network devices, and more, there is no direct association of Root Cause reports to a single hardware device. Instead, Skylar Automated RCA associates Root Cause reports to a "device" that represents the set of services that make up the application.
If you already have such a "device", like a Cloud Application, then Skylar Automated RCA needs its Device ID (DID).
If you do not have an existing device in SL1 that is appropriate to use, you can create a virtual device for this purpose.
To use an existing device:
- In SL1, go to the Devices page. If you are using the classic user interface, go to Registry > Devices > Device Manager.
- Locate the desired device from the list and make a note of the numeric Device ID (DID) in the ID column (or the DID column in the classic user interface). The DID also makes up part of the URL for the Device Investigator page for that device, such as https://<SL1_IP_address>/inventory/devices/315/investigator. You will use the DID when configuring the Skylar Automated RCA integration.
To create a new virtual device:
- In SL1, go to the Device Manager page (Devices > Device Manager). If you are using the classic user interface, go to Registry > Devices > Device Manager.
- Click and select Create Virtual Device. The Create Virtual Device modal appears.
- Complete the following fields:
- Device Name. Name of the virtual device. Can be any combination of alphanumeric characters, up to 32 characters in length.
- Organization. Organization to associate with the virtual device. Select from the drop-down list of all organizations in SL1.
- Device Class. Select ScienceLogic | Integration Service as the device class to associate with the virtual device.
- Collector. Specifies which instance of SL1 will perform auto-discovery and gather data from the device. Select the collector from the drop-down list of all collectors in SL1.
- Click and close the modal.
- Go to the Devices page or the Device Manager page (Devices > Device Manager) and locate the newly created virtual device from the list.
- Make a note of the numeric Device ID (DID) in the ID column (or the DID column in the classic user interface). You will use the DID when configuring the Skylar Automated RCA Integration.
STEP 2: Create a User with Restricted API Access
To define a new access key for API access:
- In SL1, go to the Access Keys page (System > Manage > Access Keys).
- Click . The Key/Hook Alignment Editor dialog appears.
- Complete the following fields:
- Name. Name of the key, such as API Access for Skylar.
- Key Category. Select API Access.
- Key Description. Enter an appropriate description for the key.
- In the Hook Alignment section, select each of the following unaligned access hooks on the left-hand side and click » to move the selected hook to the Aligned Access Hooks on the right:
Events: Event Note:Add/Rem
Events: Events/Event:View
Ticketing: Ticket:Notes:Add
Ticketing: Ticket:View
- Click .
To define a new user policy using the new access key:
- In SL1, go to the User Policies page (Registry > Accounts > User Policies).
- Click . A Create New User Policy dialog appears.
- In the Privilege Keys section, select the access key that you created in the previous procedure. You might need to scroll down to the API Access section.
- Complete the remaining fields according to your accepted policies.
- Click .
To define a new user using the new user policy:
- In SL1, go to the User Accounts page (Registry > Accounts > User Accounts).
- Click . A Create New Account dialog appears.
- Complete the following fields:
- Require Password Reset. Make sure Next Login is unchecked.
- Account Type. Select Policy Membership.
- Policy Membership. Select the new user policy created in the previous procedure.
- Complete the remaining fields according to your accepted policies.
- Make a note of the Username and Password for use in the next STEP.
- Click .
STEP 3: Create an Event Policy for the Skylar Automated RCA Alert
- Go to the Event Policies page (Events > Event Policies). If you are using the classic user interface, go to Registry > Events > Event Manager.
- Click . If you are using the classic user interface, click .
- In the Policy Name field at top left, type a name for the policy.
- On the tab, type a description of the policy, such as "Skylar Automated RCA alert".
- On the tab (or the tab in the classic user interface), select API for the Event Source.
- In the drop-down at the top of the next column, select Regular Expression (or [Regex Match] in the classic user interface).
- In the first Match String field, type the following: ^Zebrium\s+(Detected|created).*
- Do not select Multi Match.
- Select Message Match.
- On the tab (or the tab in the classic user interface), enter %M in the Event Message field.
- Click .
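The Match String in STEP 3 is anchored at the start of the message and mixes a capitalized and a lower-case alternative, so it helps to see which message shapes it accepts before relying on the policy. The following is an added example, not part of the original documentation: it runs the page's expression over constructed sample messages, and it assumes Python `re` semantics with no flags, which may differ from the matcher SL1 uses.

```python
import re

# Match String exactly as given in STEP 3 of this page.
MATCH_STRING = r"^Zebrium\s+(Detected|created).*"
PATTERN = re.compile(MATCH_STRING)  # assumption: Python `re`, no flags

# Constructed sample messages for illustration (not real alert output).
SAMPLES = [
    "Zebrium Detected a root cause report",        # expected form
    "Zebrium created a root cause report",         # second alternative
    "Zebrium\tDetected   extra whitespace",        # \s+ accepts tabs/runs
    "Zebrium detected lower-case verb",            # 'detected' != 'Detected'
    "Zebrium Created upper-case verb",             # 'Created' != 'created'
    "zebrium Detected lower-case product name",    # prefix is case-sensitive
    " Zebrium Detected leading space",             # ^ anchors at position 0
    "ALERT: Zebrium Detected prefix added",        # not at start of message
    "ZebriumDetected no separator",                # \s+ needs >= 1 whitespace
]


def matched_verb(message):
    """Return the captured verb if the Match String accepts the message."""
    m = PATTERN.search(message)
    return m.group(1) if m else None


def triage(messages):
    """Split messages into those the expression accepts and those it misses."""
    accepted, missed = [], []
    for msg in messages:
        verb = matched_verb(msg)
        if verb:
            accepted.append((verb, msg))
        else:
            missed.append(msg)
    return accepted, missed


if __name__ == "__main__":
    accepted, missed = triage(SAMPLES)
    for verb, msg in accepted:
        print(f"MATCH  ({verb}): {msg!r}")
    for msg in missed:
        print(f"NO MATCH: {msg!r}")
```

Under these assumptions only the first three samples match; a change in capitalization or a prefix added in front of the message would leave the alert unmatched by this policy.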
STEP 4: Create a ScienceLogic SL1 API Integration in Skylar Automated RCA
- In the Skylar Automated RCA user interface, go to the Integrations & Collectors page (Settings > Integrations & Collectors).
- Scroll to the ScienceLogic section and select ScienceLogic SL1 API.
- Click the button.
- On the tab, enter an Integration Name for this integration.
- Select the Deployment for the integration.
- Select the Service Group(s) for the integration.
- Go to the tab.
- Enter the Username and Password from STEP 2, above.
- Enter the Device ID from STEP 1, above.
- Enter the fully qualified Appliance URL to your instance of SL1 (/api/<api_endpoint> will be added automatically by the integration).
- After you update this tab, you can click to test your settings. If your settings were correct, a sample alert will display on the Alerts page.
- Click .