Introduction
Sysdig is a secure DevOps platform that helps enterprises operate reliable, secure, containerized cloud-native applications. The OpsRamp integration with Sysdig ingests alerts. Sysdig Monitor raises these alerts when event thresholds have been crossed.
Sysdig Version Supported for Integration: 3.2.0
OpsRamp configuration
Configuration involves:
- Installing the integration.
- Configuring the integration.
Note
Inbound configurations capture all the details required to call OpsRamp APIs.
Step 1: Install the integration
To install:
- From All Clients, select a client.
- Go to Setup > Integrations > Integrations.
- From Available Integrations, select Monitoring > Sysdig.
- Click Install.
Step 2: Configure the integration
To configure the integration:
- From the API tab, provide the following:
- Authentication: Token and Webhook URL for configuration. These settings are required for defining alert endpoints.
- Map Attributes: Provide the mapping information for the third-party. The Map Attributes section maps third-party attributes to OpsRamp attributes associated with payloads.
- From the Monitoring of Integration tab, click Assign Templates.
- From the Audit Logs, set up audit log criteria and time frame.
Configuring the map attributes
To configure the mapping attributes:
- Select the required OpsRamp property from the drop-down.
- Click Add Mapping Attributes to map attributes for the specific OpsRamp alert property.
- Click + to define the mappings.
- From Create Alert Mappings on Status, define the mappings, parsing conditions, and default values.
- Click Save.
The following table shows the property mappings.
Third-Party Entity | OpsRamp Entity | Third-Party Property | OpsRamp Property (non-editable)
---|---|---|---
Problem | Alert | State | alert.currentState
Problem | Alert | alert.body | alert.currentState
Problem | Alert | alert.description | alert.description
Problem | Alert | source | alert.deviceName
Problem | Alert | alert.id | alert.extAlertId
Problem | Alert | alert.subject | alert.subject
Note
- You can modify the attributes when required.
- You need not follow the same mappings.
Sysdig configuration
Configuration involves:
- Adding notification channels
- Configuring alerts
Step 1: Add notification channel
To add a notification channel:
- Log into the Sysdig Admin UI.
- Go to Notification Channels > Add Notification Channel.
- From the displayed list, click Webhook.
- From New WebHook Channel, provide the following:
- URL: WebHook URL copied from the OpsRamp configuration.
- Channel Name:
- Enable the following options if desired and click Save:
- Enabled
- Notify when Resolved
- Notify when Acknowledged
- Test notification
Step 2: Configure alerts
To configure alerts for the added notification channel:
- Go to Alerts > Add Alert and select Alert Type.
- From the New Metric Alert wizard, provide the following on the Define tab:
- Alert description
- Alert severity
- Alert properties
Note: If Single Alert is selected from the drop-down list, only a single alert is triggered. To trigger multiple alerts, select Multiple Alerts.
- On the Notify tab, enable the following and click Create.
- Notification Channel (this channel was created in the previous step).
- Additional options as required.
Note: If alerts are already created, enable the newly created notification channel for each of them by opening the alert and navigating to Notify.
Sample payload
{
  "timestamp": 1587031500000000,
  "timespan": 300000000,
  "alert": {
    "severity": 4,
    "severityLevel": 4,
    "editUrl": "https://app.sysdigcloud.com/#/alerts/1763784",
    "severityLabel": "Low",
    "subject": "Filesystem device full warning is Triggered on host.mac = 56:34:fb:9c:dd:5d and fs.mountDir = /",
    "scope": null,
    "name": "Filesystem device full warning",
    "description": "Filesystem device full warning",
    "id": 1763784,
    "body": "Event Generated:Severity: Low Metric: fs.used.percent = 14.2 %Segment: fs.mountDir = '/' and host.mac = '56:34:fb:9c:dd:5d'Scope: EverywhereTime: 04/16/2020 10:05 AM UTCState: TriggeredNotification URL: https://app.sysdigcloud.com/#/events/notifications/l:2419200/44753390/details------Triggered by Alert:Name: Filesystem device full warningDescription: Filesystem device full warningTeam: Monitor OperationsScope: EverywhereSegment by: host.mac, fs.mountDirWhen: avg(avg(fs.used.percent)) > 5For at least: 5 minAlert URL: https://app.sysdigcloud.com/#/alerts/1763784"
  },
  "event": {
    "id": 44753390,
    "url": "https://app.sysdigcloud.com/#/events/notifications/l:604800/44753390/details"
  },
  "state": "ACTIVE",
  "resolved": false,
  "entities": [{
    "entity": "host.mac = '56:34:fb:9c:dd:5d'",
    "metricValues": [{
      "metric": "fs.used.percent",
      "aggregation": "avg",
      "groupAggregation": "avg",
      "value": 14.186205200000002
    }],
    "additionalInfo": [{
      "metric": "host.hostName",
      "value": "zabbix"
    }]
  }],
  "condition": "avg(avg(fs.used.percent)) > 5",
  "source": "Sysdig Cloud"
}
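The following is an added example, not OpsRamp's or Sysdig's own code, that shows what the map-attribute rows in the table above do to the sample payload: each OpsRamp property is filled from the third-party JSON path listed for it, and alert.currentState is derived with a parsing condition and a default value of the kind configured under Create Alert Mappings on Status. The state labels (Critical, Warning, Ok, Info), the rule that a resolved alert becomes Ok, and the required-field check are assumptions for illustration, not values taken from this page; the input is a constructed, trimmed copy of the sample payload.

```python
import json
from typing import Any, Dict, Optional

# Constructed sample: a trimmed copy of the Sysdig webhook payload shown on this page.
SAMPLE_PAYLOAD = """{
  "timestamp": 1587031500000000,
  "alert": {
    "severityLabel": "Low",
    "subject": "Filesystem device full warning is Triggered on host.mac = 56:34:fb:9c:dd:5d and fs.mountDir = /",
    "description": "Filesystem device full warning",
    "id": 1763784
  },
  "state": "ACTIVE",
  "resolved": false,
  "entities": [{"entity": "host.mac = '56:34:fb:9c:dd:5d'",
                "additionalInfo": [{"metric": "host.hostName", "value": "zabbix"}]}],
  "source": "Sysdig Cloud"
}"""

# Direct rows from the mapping table: OpsRamp property -> third-party JSON path.
MAPPINGS = {
    "alert.extAlertId": "alert.id",
    "alert.subject": "alert.subject",
    "alert.description": "alert.description",
    "alert.deviceName": "source",
}

# Assumed parsing condition for alert.currentState (not from the page):
# Sysdig severityLabel while the alert is active, "Ok" once Sysdig reports it resolved.
SEVERITY_TO_STATE = {"High": "Critical", "Medium": "Warning", "Low": "Warning", "Info": "Info"}
DEFAULT_STATE = "Warning"  # assumed default value when the label is missing or unknown

# Properties the inbound side should refuse to create an alert without (assumption).
REQUIRED = ("alert.extAlertId", "alert.subject")


def lookup(payload: Dict[str, Any], dotted_path: str) -> Optional[Any]:
    """Resolve a dotted path such as 'alert.id' against the parsed JSON; None if absent."""
    current: Any = payload
    for part in dotted_path.split("."):
        if not isinstance(current, dict) or part not in current:
            return None
        current = current[part]
    return current


def derive_state(payload: Dict[str, Any]) -> str:
    """Parsing condition for alert.currentState with a default value."""
    if payload.get("resolved") is True:
        return "Ok"
    label = lookup(payload, "alert.severityLabel")
    return SEVERITY_TO_STATE.get(str(label), DEFAULT_STATE)


def map_to_opsramp(raw_json: str) -> Dict[str, str]:
    """Turn one Sysdig webhook body into the OpsRamp alert properties of the mapping table."""
    payload = json.loads(raw_json)
    alert: Dict[str, str] = {}
    for target, source_path in MAPPINGS.items():
        value = lookup(payload, source_path)
        if value is not None:
            alert[target] = str(value)
    alert["alert.currentState"] = derive_state(payload)
    missing = [name for name in REQUIRED if name not in alert]
    if missing:
        # Reject payloads that cannot be correlated instead of creating half-empty alerts.
        raise ValueError(f"payload lacks required properties: {missing}")
    return alert


if __name__ == "__main__":
    print(json.dumps(map_to_opsramp(SAMPLE_PAYLOAD), indent=2))
```

With the page's own mapping, alert.deviceName becomes the literal "Sysdig Cloud" for every alert; if you would rather see the host, the table note says the mappings may be changed, and the payload carries host.hostName under entities[].additionalInfo for that purpose.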
Viewing alerts
To view the alerts in OpsRamp:
- Go to the Alerts page and search with the source name Sysdig. Related alerts are displayed.
- Click Alert ID to view the alert.