Unomaly Monitoring
Last updated on 02 October, 2024
Overview
Unomaly is a monitoring appliance used for log analysis and anomaly detection. This Unomaly integration for LogicMonitor displays log anomalies and knowns collected by Unomaly and monitors the frequencies of events over time.
Background
Unomaly works by learning the patterns of events produced by the systems and applications that make up IT infrastructures and identifying new events that don’t match previously established patterns.
As part of its event learning process, Unomaly tracks metrics (such as the counts of similar events and the frequency of their occurrence over time) and categorizes new events based on changes in structure, parameter values, and frequency. Users may also convert events into knowns to add contextual descriptions and classify their severity.
Read more about How Unomaly detects anomalies.
Compatibility
This Unomaly integration for LogicMonitor is compatible with:
- Unomaly version 3.6.5 or newer
LogicMonitor will test and extend coverage for newer versions of Unomaly.
Setup Requirements
The LogicModules in this integration collect data from Unomaly appliance(s) that are configured to:
- Receive and process logs from the systems you want to monitor.
- Enable communication with the Unomaly REST API endpoint.
Enable Unomaly API Access
The LogicModules require access to the REST API endpoint on the Unomaly appliance. See the Unomaly REST API Reference.
Protocol | Port | Description |
HTTPS | 443 | Used to communicate with and access the Unomaly REST API. |
Basic authentication is used to communicate with and access the Unomaly REST API. LogicMonitor needs to provide credentials for a Basic (API user) account that is enabled on the Unomaly appliance. See Configure basic authentication for API access.
Authentication | Role | Description |
Basic (API user) | Administrator | This user has full Administrator capabilities on Unomaly. There may be multiple Basic accounts, but only one can be enabled at a time. |
Edit LogicMonitor Device Properties
For LogicMonitor to communicate with the Unomaly REST API, set the following properties on the monitored resource (or group) within your LogicMonitor portal. See Resource and instance properties.
Property | Value | Required? |
unomaly.username | Unomaly Basic (API user) username | Required |
unomaly.password | Unomaly Basic (API user) password | Required |
unomaly.host | Hostname or IP address of the Unomaly appliance | Required |
unomaly.systemid | List of possible device IDs to use to match the LogicMonitor device to a Unomaly system ID | Optional |
LogicModules in Package
The LogicModules in the package for this Unomaly integration are listed in the following table and described in more detail below. Import each LogicModule from the LogicMonitor Repository.
Display Name | Type | Description |
Unomaly_DeviceInfo | PropertySource | Identifies if a device is being monitored in Unomaly and sets the auto.unomaly.systemid property on devices. |
Unomaly_Anomalies_Metrics | DataSource | Monitors anomalies metrics from Unomaly. |
Unomaly Known Events | EventSource | Relays detected known events from Unomaly. |
Unomaly Frequency Spikes | EventSource | Relays detected frequency spikes from Unomaly. |
Unomaly New Anomalies | EventSource | Relays detected new anomalies found by Unomaly. |
Unomaly DeviceInfo
The Unomaly integration with LogicMonitor relies on a correct mapping between LogicMonitor devices and Unomaly systems. Metrics will only be collected for Unomaly systems that correspond to existing LogicMonitor devices. This mapping is accomplished with the Unomaly_DeviceInfo PropertySource.
Unomaly_DeviceInfo reconciles a Unomaly system ID with a LogicMonitor device by matching the hostname, IP address, or device name. If the LogicMonitor device matches a Unomaly system, it sets the auto.unomaly.systemid property on the LogicMonitor device.
It’s expected that a LogicMonitor device may relate to multiple Unomaly systems.
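The matching described above, sketched as an added example for reasoning about why a device does or does not receive auto.unomaly.systemid. It is not the PropertySource's own code. The record shapes, the field names `hostname`, `ip`, `display_name`, `id` and `name`, the treatment of unomaly.systemid entries as extra candidate identifiers, and the case and trailing-dot normalisation are all assumptions made for illustration.

```python
import ipaddress


def _canon(value):
    """Canonical form of an identifier: normalised IP text, otherwise a
    lower-cased host name without a trailing dot (assumed normalisation)."""
    text = str(value).strip()
    try:
        return str(ipaddress.ip_address(text))
    except ValueError:
        return text.rstrip(".").lower()


def match_systems(device, systems):
    """Return [(system_id, matched_property), ...] for one LogicMonitor device.

    A device may match several Unomaly systems, so every hit is kept and the
    property that produced it is reported to help with troubleshooting.
    """
    candidates = {}  # canonical identifier -> device property it came from
    for prop in ("hostname", "ip", "display_name"):
        if device.get(prop):
            candidates.setdefault(_canon(device[prop]), prop)
    # Assumption: unomaly.systemid supplies extra identifiers to try.
    for extra in device.get("unomaly.systemid", []):
        candidates.setdefault(_canon(extra), "unomaly.systemid")

    matches = []
    for system in systems:
        prop = candidates.get(_canon(system["name"]))
        if prop:
            matches.append((system["id"], prop))
    return sorted(matches)


# Constructed sample data (not taken from a real appliance or portal).
DEVICE = {
    "hostname": "WEB01.example.com.",
    "ip": "2001:DB8::1",
    "display_name": "web01",
    "unomaly.systemid": ["web01-mgmt"],
}
SYSTEMS = [
    {"id": 11, "name": "web01.example.com"},
    {"id": 12, "name": "2001:db8:0:0:0:0:0:1"},
    {"id": 13, "name": "web01-mgmt"},
    {"id": 14, "name": "db01.example.com"},
]

if __name__ == "__main__":
    for system_id, prop in match_systems(DEVICE, SYSTEMS):
        print(f"system {system_id} matched on {prop}")
```

An empty result for a device corresponds to the case in which no system ID is set and no metrics are collected for it.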
Unomaly Anomalies Metrics
The Unomaly_Anomalies_Metrics DataSource monitors devices that map to Unomaly system(s) and returns the following metrics:
- Counts of the occurrence of the different types of anomalies that have been detected over time.
Unomaly Known Events
Knowns are learned events that have been annotated by the user with contextual information such as descriptions and tags to explain why the event happened and how to resolve it. Users can also add a severity to the known events: Critical, Warning, Notice, Informational, and Ignored.
The Unomaly Known Events EventSource relays known events that have been classified with Critical or Warning. These events are displayed in LogicMonitor with an Error alert. Messages within the alert include full links to the known within Unomaly.
Unomaly Frequency Spikes
The Unomaly Frequency Spikes EventSource relays anomalous events that are defined as frequency spikes. Unomaly detects frequency spikes as small, medium, or large depending on how the change in rate of the event compares to historic patterns.
These events are displayed in LogicMonitor with a Warning alert. Messages within the alert include full links to the log anomaly within Unomaly.
Unomaly New Anomalies
The Unomaly New Anomalies EventSource relays events for two anomaly types:
- Never before seen, which are events that are new in the entire infrastructure
- New in system, which are events that occurred for the first time on the system but have been detected in other systems
These events are displayed in LogicMonitor with a Warning alert. Messages within the alert include full links to the log anomaly within Unomaly.
OpsNotes Annotations
In addition to the LogicModules, you may want to configure Unomaly to send OpsNotes to LogicMonitor so that metrics graphs are annotated with the times at which log anomalies and known events are received.
In the Unomaly appliance, edit the following parameters in Settings | Advanced:
Property | Value | Required? |
tad/TAD_ACCESSID | Access ID for your LogicMonitor portal | Required |
tad/TAD_ACCESSKEY | Access Key for your LogicMonitor portal | Required |
tad/TAD_ACCOUNT | Company Account for your LogicMonitor portal | Required |
OpsNotes will only be sent for Unomaly systems that match a LogicMonitor device. Messages within the OpsNotes include full links to the log anomaly or known within Unomaly.
Troubleshooting
If you have issues with collecting data from the Unomaly appliance, you can perform the following steps:
Check that the PropertySource is working by confirming that the auto.unomaly.systemid property is being set on LogicMonitor devices:
- If not, then use the Collector Debug to find the exact error with the PropertySource.
- If auto.unomaly.systemid is being set, but you don’t see any anomalies, use the Collector Debug to find the error with the EventSources or DataSource.
Read more about Using the Collector Debug Facility.