ScienceLogic SL1 API Integration

Features

  • You can configure Skylar Automated RCA to automatically add Root Cause (RCA) reports as events in ScienceLogic SL1.
  • Each Root Cause report from Skylar Automated RCA includes a summary, a word cloud, and a set of log events showing symptoms and root cause, plus a link to the full report in the Skylar Automated RCA user interface.
  • This means faster Mean Time to Resolution (MTTR) and less time manually hunting for root cause.
  • Requires SL1 11.2.0 or later.

The "SL1 API" integration is a legacy integration, and in previous releases it was called the "ScienceLogic Events" integration. To configure the newer Skylar Automated RCA Connector (the ze_connector service), which sends Skylar Automated RCA suggestions and alerts to the Events page, Events Investigator page, Device Investigator, and Service Investigator pages in SL1, see Skylar Automated RCA Connector for SL1. This feature is available in SL1 version 12.2.0 or later.

How It Works

The recommended mode of operation for observability dashboard integrations is to use the Skylar Automated RCA Auto-Detect mode as an accurate mechanism for explaining the reason something went wrong. In this mode, you continue to use your existing rules, alerts and metrics as the primary source of problem detection. You can then review Skylar Automated RCA Root Cause report findings directly on the ScienceLogic SL1 Events page (or Events Console in the classic user interface) alongside other metrics to explain the reason behind problems you were alerted on.

The Skylar Automated RCA Augment mode is useful if you use a run book automation in SL1 to create a ticket based on an event from your alerts. In this mode, Skylar Automated RCA updates the ticket directly with any Root Cause reports around the time of the event, so they are immediately visible to you as you work the case.

The two modes of operation are independent. You can configure Auto-Detect and/or Augment modes depending on your operational use case.

Auto-Detect (recommended): Send Root Cause Detections to your SL1 Events Page

  1. Skylar Automated RCA continuously monitors all application logs and uses unsupervised machine learning to find anomalous log patterns that indicate a problem. These are automatically turned into Root Cause reports highlighting details of any problems with over 95% accuracy.
  2. Root Cause report summaries are sent to ScienceLogic as events, and Root Cause details are visible on the SL1 Events page.
  3. With a single click on the SL1 Events page, you can drill down further into the Skylar Automated RCA user interface to look at correlated logs across your entire application.

For details, see Sending Root Cause Suggestions to the SL1 Events Page.

Sending Root Cause Suggestions to the SL1 Events Page

Integration Overview

  1. In SL1, choose an existing Device or create a new virtual device used to associate Root Cause reports from Skylar Automated RCA.
  2. Set up a user whose access is restricted to the minimum required API access hooks.
  3. Set up an event policy for the "Auto-Detected Root Cause Report" alert sent by Skylar Automated RCA.
  4. Create a ScienceLogic integration in Skylar Automated RCA using the information from STEPS 1 and 2.

Integration Details

STEP 1: Choose an Existing Device or Create a New Device

Because Skylar Automated RCA is using logs from an application that may be spread across many hosts, containers, network devices, and more, there is no direct association of Root Cause reports to a single hardware device. Instead, Skylar Automated RCA associates Root Cause reports to a "device" that represents the set of services that make up the application.

If you already have such a "device", like a Cloud Application, then Skylar Automated RCA needs its Device ID (DID).

If you do not have an existing device in SL1 that is appropriate to use, you can create a virtual device for this purpose.

To use an existing device:

  1. In SL1, go to the Devices page. If you are using the classic user interface, go to Registry > Devices > Device Manager.
  2. Locate the desired device from the list and make a note of the numeric Device ID (DID) in the ID column (or the DID column in the classic user interface). The DID also makes up part of the URL for the Device Investigator page for that device, such as https://<SL1_IP_address>/inventory/devices/315/investigator. You will use the DID when configuring the Skylar Automated RCA integration.

To create a new virtual device:

  1. In SL1, go to the Device Manager page (Devices > Device Manager). If you are using the classic user interface, go to Registry > Devices > Device Manager.
  2. Click Actions and select Create Virtual Device. The Create Virtual Device modal appears.
  3. Complete the following fields:
    1. Device Name. Name of the virtual device. Can be any combination of alphanumeric characters, up to 32 characters in length.
    2. Organization. Organization to associate with the virtual device. Select from the drop-down list of all organizations in SL1.
    3. Device Class. Select ScienceLogic | Integration Service as the device class to associate with the virtual device.
    4. Collector. Specifies which instance of SL1 will perform auto-discovery and gather data from the device. Select the collector from the drop-down list of all collectors in SL1.
  4. Click Update and close the modal.
  5. Go to the Devices page or the Device Manager page (Devices > Device Manager) and locate the newly created virtual device from the list.
  6. Make a note of the numeric Device ID (DID) in the ID column (or the DID column in the classic user interface). You will use the DID when configuring the Skylar Automated RCA integration.

STEP 2: Create a User with Restricted API Access

To define a new access key for API access:

  1. In SL1, go to the Access Keys page (System > Manage > Access Keys).
  2. Click Key Manager. The Key/Hook Alignment Editor dialog appears.
  3. Complete the following fields:
    1. Name. Name of the key, such as API Access for Skylar.
    2. Key Category. Select API Access.
    3. Key Description. Enter an appropriate description for the key.
  4. In the Hook Alignment section, select each of the following unaligned access hooks on the left-hand side and click » to move the selected hook to the Aligned Access Hooks on the right:

    Events: Event Note:Add/Rem

    Events: Events/Event:View

    Ticketing: Ticket:Notes:Add

    Ticketing: Ticket:View

  5. Click Save.

To define a new user policy using the new access key:

  1. In SL1, go to the User Policies page (Registry > Accounts > User Policies).
  2. Click Create. A Create New User Policy dialog appears.
  3. In the Privilege Keys section, select the access key that you created in the previous procedure. You might need to scroll down to the API Access section.
  4. Complete the remaining fields according to your accepted policies.
  5. Click Save.

To define a new user using the new user policy:

  1. In SL1, go to the User Accounts page (Registry > Accounts > User Accounts).
  2. Click Create. A Create New Account dialog appears.
  3. Complete the following fields:
    1. Require Password Reset. Make sure Next Login is unchecked.
    2. Account Type. Select Policy Membership.
    3. Policy Membership. Select the new user policy created in the previous procedure.
  4. Complete the remaining fields according to your accepted policies.
  5. Make a note of the Username and Password for use in the next STEP.
  6. Click Save.

STEP 3: Create an Event Policy for the Skylar Automated RCA Alert

  1. Go to the Event Policies page (Events > Event Policies). If you are using the classic user interface, go to Registry > Events > Event Manager.
  2. Click Create Event Policy. If you are using the classic user interface, click Create.
  3. In the Policy Name field at top left, type a name for the policy.
  4. On the Policy Description tab, type a description of the policy, such as "Skylar Automated RCA alert".
  5. On the Match Logic tab (or the Policy tab in the classic user interface), select API for the Event Source.
  6. In the drop-down at the top of the next column, select Regular Expression (or [Regex Match] in the classic user interface).
  7. In the first Match String field, type the following: ^Zebrium\s+(Detected|created).*
  8. Do not select Multi Match.
  9. Select Message Match.
  10. On the Event Message tab (or the Policy tab in the classic user interface), enter %M in the Event Message field.
  11. Click Save.
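
The Match String in step 7 is anchored to the start of the message and is case-sensitive as written ("Detected" capitalized, "created" lowercase). The following added example is not part of the ScienceLogic documentation; it uses Python's re module as a stand-in for SL1's regular-expression matching (an assumption) to show which constructed alert messages satisfy the policy and why others miss it. The names diagnose, triage and SAMPLES are hypothetical.

```python
import re

# Match String from step 7 of the event policy, copied verbatim from the page.
MATCH_STRING = r"^Zebrium\s+(Detected|created).*"
POLICY = re.compile(MATCH_STRING)

MATCH = "match"
LEADING_WS = "miss: whitespace before 'Zebrium'"
CASE = "miss: letter case differs from the pattern"
NOT_AT_START = "miss: prefix is not at the start of the message"
NO_PREFIX = "miss: no 'Zebrium Detected|created' prefix"


def diagnose(message: str) -> str:
    """Say whether a message satisfies the Match String and, if not, why."""
    if POLICY.search(message):
        return MATCH
    if POLICY.search(message.lstrip()):
        return LEADING_WS
    if re.search(MATCH_STRING, message, re.IGNORECASE):
        return CASE
    # Drop the leading '^' to see whether the prefix occurs later in the text.
    if re.search(MATCH_STRING[1:], message):
        return NOT_AT_START
    return NO_PREFIX


# Constructed sample messages, not captured from a real SL1 or Skylar system.
SAMPLES = [
    "Zebrium Detected a new root cause report",
    "Zebrium created an incident for service group default",
    "Zebrium Created an incident",
    "zebrium detected a new root cause report",
    " Zebrium Detected a new root cause report",
    "Disk latency high. Zebrium Detected a related report",
    "ZebriumDetected a new root cause report",
]


def triage(messages):
    """Map each message to its diagnosis, preserving input order."""
    return {m: diagnose(m) for m in messages}


if __name__ == "__main__":
    for msg, verdict in triage(SAMPLES).items():
        print(f"{verdict:50} | {msg!r}")
```

Messages that embed the prefix mid-text or change its capitalization do not match, so they will not raise this event policy.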

STEP 4: Create a ScienceLogic SL1 API Integration in Skylar Automated RCA

  1. In the Skylar Automated RCA user interface, go to the Integrations & Collectors page (Settings > Integrations & Collectors).
  2. Scroll to the ScienceLogic section and select ScienceLogic SL1 API.
  3. Click the Create a New Integration button.
  4. On the General tab, enter an Integration Name for this integration.
  5. Select the Deployment for the integration.
  6. Select the Service Group(s) for the integration.
  7. Go to the Send Detections tab.
  8. Enter the Username and Password from STEP 2, above.
  9. Enter the Device ID from STEP 1, above.
  10. Enter the fully qualified Appliance URL to your instance of SL1 (/api/<api_endpoint> will be added automatically by the integration).
  11. After you update this tab, you can click Create Sample Alert to test your settings. If your settings were correct, a sample alert will display on the Alerts page.
  12. Click Save.