LooperNG Concepts

Introduction

LooperNG is an intelligent event router. It has also been called a "Trap Exploder", a "Trap Rewriter", "An Event Enrichment Tool", "An Event Consolidator", "A useful toy". It is basically an easy to use, programmable system for managing event routing. It works by monitoring one or more sources for incoming events and rerouting them to output sinks based on a rules file. This rules file decides whether an incoming event (e.g., an SNMP trap) gets, say, forwarded blindly to a management station, forwarded to another LooperNG daemon, sent to an operator's pager or all of the above.

The sources and sinks referred to above are known to LooperNG as input and output modules. For e.g., the snmpd_in input module is used to collect SNMP traps. These traps can be processed by the rules file and if necessary be exploded to a number of different locations with the snmtrap_out output module.

Input Modules

The following Input modules are available:

apacheerrorlog_in - Monitor an Apache Errorlog file.
logfile_in - Monitor a generic log file.
netcool_in - Get alerts from a netcool database.
snortcsv_in - Monitor a Snort CSV file.
syslog_in - Monitor a Syslog log file.
nagioslog_in - Monitor a Nagios (Netsaint) log file.
snmpd_in - Listen for SNMP traps.
socket_in - Listen for events over socket. (Also used by Mon)

Output Modules

The following Output modules are availble:

logfile_out - Appends alerts to a log file.
mysql_out - Sends alerts to a MySQL database.
snmptrap_out - A trap generator.
syslog_out - A syslog log generator.
email_out - An e-mail gateway.
looperdb_out - Sends events to a LooperDB database.
netcool_out - Sends events to Netcool.
socket_out - Sends events over socket (to other LooperNG daemons).

Operation

When a LooperNG daemon is started, it parses a configuration file which specifies which input and output modules will be used. It then starts up the relevant modules and begins to manage and multiplex the incoming events. When it receives an event from one of the Input modules, it sends the event to the rules file. The rules file will then decide what to do with the event and LooperNG will take care of forwarding the events appropriately. If the event is, say, an unimportant informational alert, the rules file can decide whether to log this event to a database, or just discard it.

Modules managed by LooperNG can be started and stopped while it's running. You can also add or delete modules, disable / change rules files etc. on the fly. LooperNG listens for administrative requests on a socket. When you connect to LooperNG's administrative port, you receive a commandline interface for montoring or reconfiguring LooperNG.

Proceed to Installing LooperNG

---

Back to LooperNG Tutorial