ScienceLogic SL1 API Integration


Features

  • You can configure Zebrium to automatically add Root Cause (RCA) reports as events in ScienceLogic SL1.
  • Each Zebrium RCA report includes a summary, a word cloud, and a set of log events showing symptoms and root cause, plus a link to the full report in the Zebrium user interface.
  • This means faster Mean Time to Resolution (MTTR) and less time manually hunting for root cause.
  • Requires SL1 11.2.0 or later.

The "SL1 API" integration is a legacy integration, and in previous releases it was called the "ScienceLogic Events" integration. To configure the newer Zebrium Connector (the ze_connector service), which sends Zebrium suggestions and alerts to the Events page, Events Investigator page, Device Investigator, and Service Investigator pages in SL1, see Zebrium Connector for SL1. This feature is available in SL1 version 12.2.0 or later.

How It Works

The recommended mode of operation for observability dashboard integrations is to use the Zebrium Auto-Detect mode as an accurate mechanism for explaining the reason something went wrong. In this mode, you continue to use your existing rules, alerts and metrics as the primary source of problem detection. You can then review Zebrium RCA report findings directly on the ScienceLogic SL1 Events page (or Events Console in the classic user interface) alongside other metrics to explain the reason behind problems you were alerted on.

The Zebrium Augment mode is useful if you use a run book automation in SL1 to create a ticket based on an event from your alerts. In this mode, Zebrium updates the ticket directly with any Root Cause reports around the time of the event, so they are immediately visible to you as you work the case.

The two modes of operation are independent. You can configure Auto-Detect and/or Augment modes depending on your operational use case.

Auto-Detect (recommended): Send Root Cause Detections to your SL1 Events Page

  1. Zebrium continuously monitors all application logs and uses unsupervised machine learning to find anomalous log patterns that indicate a problem. These are automatically turned into Root Cause reports highlighting details of any problems with over 95% accuracy.
  2. Root Cause report summaries are sent to ScienceLogic as Events, and Root Cause details are visible on the SL1 Events page.
  3. With a single click on the SL1 Events page, you can drill down further into the Zebrium user interface to look at correlated logs across your entire application.

For details, see Sending Root Cause Suggestions to the SL1 Events Page.

Sending Root Cause Suggestions to the SL1 Events Page

Integration Overview

  1. In ScienceLogic SL1, choose an existing Device or create a new virtual device used to associate Root Cause reports from Zebrium.
  2. Set up a user whose access is restricted to the minimally required API access hooks.
  3. Set up an event policy for the "Auto-Detected Root Cause Report" alert sent by Zebrium.
  4. Create a ScienceLogic integration in Zebrium using the information from STEPS 1 and 2.

Integration Details

STEP 1: Choose an Existing Device or Create a New Device

Because Zebrium is using logs from an application that may be spread across many hosts, containers, network devices, and more, there is no direct association of Root Cause reports to a single hardware device. Instead, Zebrium associates Root Cause reports to a "device" that represents the set of services that make up the application.

If you already have such a "device", like a Cloud Application, then Zebrium needs its Device ID (DID).

If you do not have an existing device in SL1 that is appropriate to use, you can create a virtual device for this purpose.

To use an existing device:

  1. In SL1, go to the Devices page. If you are using the classic user interface, go to Registry > Devices > Device Manager.
  2. Locate the desired device from the list and make a note of the numeric Device ID (DID) in the ID column (or the DID column in the classic user interface). The DID also makes up part of the URL for the Device Investigator page for that device, such as https://<SL1_IP_address>/inventory/devices/315/investigator. You will use the DID when configuring the Zebrium integration.

To create a new virtual device:

  1. In SL1, go to the Device Manager page (Devices > Device Manager). If you are using the classic user interface, go to Registry > Devices > Device Manager.
  2. Click Actions and select Create Virtual Device. The Create Virtual Device modal appears.
  3. Complete the following fields:
    1. Device Name. Name of the virtual device. Can be any combination of alphanumeric characters, up to 32 characters in length.
    2. Organization. Organization to associate with the virtual device. Select from the drop-down list of all organizations in SL1.
    3. Device Class. Select ScienceLogic | Integration Service as the device class to associate with the virtual device.
    4. Collector. Specifies which instance of SL1 will perform auto-discovery and gather data from the device. Select the collector from the drop-down list of all collectors in SL1.
  4. Click Update and close the modal.
  5. Go to the Devices page or the Device Manager page (Devices > Device Manager) and locate the newly created virtual device from the list.
  6. Make a note of the numeric Device ID (DID) in the ID column (or the DID column in the classic user interface). You will use the DID when configuring the Zebrium integration.

STEP 2: Create a User with Restricted API Access

To define a new access key for API access:

  1. In SL1, go to the Access Keys page (System > Manage > Access Keys).
  2. Click Key Manager. The Key/Hook Alignment Editor dialog appears.
  3. Complete the following fields:
    1. Name. Name of the key, such as API Access for Zebrium.
    2. Key Category. Select API Access.
    3. Key Description. Enter an appropriate description for the key.
  4. In the Hook Alignment section, select each of the following unaligned access hooks on the left-hand side and click » to move the selected hook to the Aligned Access Hooks on the right:

    Events: Event Note:Add/Rem

    Events: Events/Event:View

    Ticketing: Ticket:Notes:Add

    Ticketing: Ticket:View

  5. Click Save.

To define a new user policy using the new access key:

  1. In SL1, go to the User Policies page (Registry > Accounts > User Policies).
  2. Click Create. A Create New User Policy dialog appears.
  3. In the Privilege Keys section, select the access key that you created in the previous procedure. You might need to scroll down to the API Access section.
  4. Complete the remaining fields according to your accepted policies.
  5. Click Save.

To define a new user using the new user policy:

  1. In SL1, go to the User Accounts page (Registry > Accounts > User Accounts).
  2. Click Create. A Create New Account dialog appears.
  3. Complete the following fields:
    1. Require Password Reset. Make sure Next Login is unchecked.
    2. Account Type. Select Policy Membership.
    3. Policy Membership. Select the new user policy created in the previous procedure.
  4. Complete the remaining fields according to your accepted policies.
  5. Make a note of the Username and Password for use in the next STEP.
  6. Click Save.

STEP 3: Create an Event Policy for the Zebrium Alert

  1. Go to the Event Policies page (Events > Event Policies). If you are using the classic user interface, go to Registry > Events > Event Manager.
  2. Click Create Event Policy. If you are using the classic user interface, click Create.
  3. In the Policy Name field at top left, type a name for the policy.
  4. On the Policy Description tab, type a description of the policy, such as "Zebrium alert".
  5. On the Match Logic tab (or the Policy tab in the classic user interface), select API for the Event Source.
  6. In the drop-down at the top of the next column, select Regular Expression (or [Regex Match] in the classic user interface).
  7. In the first Match String field, type the following: ^Zebrium\s+(Detected|created).*
  8. Do not select Multi Match.
  9. Select Message Match.
  10. On the Event Message tab (or the Policy tab in the classic user interface), enter %M in the Event Message field.
  11. Click Save.
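
A way to check the Match String from step 7 before saving the policy, as an added example that is not part of the ScienceLogic or Zebrium documentation: it runs the pattern over sample messages and explains each near-miss. The message texts are constructed (not actual Zebrium alert wording), and Python's `re` module is assumed to behave like SL1's regex matching for this pattern.

```python
import re
from typing import Dict, List, Tuple

# Match String exactly as entered in step 7 of STEP 3.
MATCH_STRING = r"^Zebrium\s+(Detected|created).*"
POLICY_RE = re.compile(MATCH_STRING)

# Constructed sample messages (assumed wording, not real Zebrium alert text).
SAMPLES: List[str] = [
    "Zebrium Detected root cause report for service group prod",
    "Zebrium created RCA report",
    "Zebrium Created RCA report",
    "ALERT: Zebrium Detected root cause report",
    "ZebriumDetected root cause report",
    "Zebrium updated RCA report",
]


def check_message(message: str) -> Tuple[bool, str]:
    """Return (matches, reason) for one event message."""
    if POLICY_RE.search(message):
        return True, "matches the policy"
    # Retry with relaxed variants to explain why the strict match failed.
    if re.search(MATCH_STRING, message, re.IGNORECASE):
        return False, "case differs: the pattern is case-sensitive"
    if re.search(MATCH_STRING[1:], message):
        return False, "text precedes 'Zebrium': the pattern is anchored with ^"
    if re.match(r"Zebrium\S", message):
        return False, "no whitespace after 'Zebrium': \\s+ needs at least one"
    return False, "does not start with 'Zebrium Detected' or 'Zebrium created'"


def audit(messages: List[str]) -> Dict[str, Tuple[bool, str]]:
    """Check every message and return the verdicts keyed by message."""
    return {m: check_message(m) for m in messages}


if __name__ == "__main__":
    for msg, (ok, reason) in audit(SAMPLES).items():
        print(f"{'MATCH' if ok else 'MISS '}  {msg!r}: {reason}")
```

Only the first two samples match: the pattern accepts "Detected" and "created" with exactly that capitalization, and only at the start of the message.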

STEP 4: Create a ScienceLogic SL1 API Integration in Zebrium

  1. In the Zebrium user interface, go to the Integrations & Collectors page (Settings > Integrations & Collectors).
  2. Scroll to the ScienceLogic section and select ScienceLogic SL1 API.
  3. Click the Create a New Integration button.
  4. On the General tab, enter an Integration Name for this integration.
  5. Select the Deployment for the integration.
  6. Select the Service Group(s) for the integration.
  7. Go to the Send Detections tab.
  8. Enter the Username and Password from STEP 2, above.
  9. Enter the Device ID from STEP 1, above.
  10. Enter the fully qualified Appliance URL to your instance of SL1 (/api/<api_endpoint> will be added automatically by the integration).
  11. After you update this tab, you can click Create Sample Alert to test your settings. If your settings were correct, a sample alert will display on the Alerts page.
  12. Click Save.