Striim 3.9.6 documentation

MultiLogApp

This sample application shows how Striim could be used to monitor and correlate the web server log and the application server log of the same web application. The following is a relatively high-level explanation. For a more in-depth examination of a sample application, with more detail about the components and how they interact, see PosApp.

MultiLogApp contains 12 flows that analyze the data from one or both logs and take appropriate actions:

  • MonitorLogs parses the log files to create two event streams (AccessStream for access log events and Log4JStream for application log events) used by the other flows. See the detailed discussion below.

  • ErrorsAndWarnings selects application log error and warning messages for use by the ErrorHandling and WarningHandling flows, and creates a sliding window containing the 300 most recent errors and warnings for use by the LargeRTCheck and ZeroContentCheck flows, which join it with web server data.

The following flows send alerts regarding the web server logs and populate the dashboard's Overview page world map and the Detail - UnusualActivity page:

  • HackerCheck sends an alert when an access log srcIp value is on a blacklist.

  • LargeRTCheck sends an alert when an access log responseTime value exceeds 2000 microseconds.

  • ProxyCheck sends an alert when an access log srcIp value is on a list of suspicious proxies.

  • ZeroContentCheck sends an alert when an access log entry's code value is 200 (that is, the HTTP request succeeded) but the size value is 0 (the return had no content).
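The four web-server checks above are simple per-event predicates on the parsed access log fields. The following Python script is an added example (not Striim code and not the TQL of MultiLogApp) that re-implements them over a few constructed access log lines so the conditions can be seen side by side. It assumes an Apache common log format with the response time in microseconds appended as the last field; the blacklist and proxy ranges are made-up documentation networks, and the field names (srcIp, code, size, responseTime) follow the descriptions in the list above.

```python
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Iterator

# Constructed sample lines: common log format with the response time in
# microseconds appended. This layout is an assumption for the example,
# not necessarily the exact format MultiLogApp's parser expects.
SAMPLE_ACCESS_LOG = """\
203.0.113.7 - - [10/Oct/2019:13:55:36 +0000] "GET /api/list HTTP/1.1" 200 512 1200
198.51.100.23 - - [10/Oct/2019:13:55:37 +0000] "GET /api/list HTTP/1.1" 200 0 800
192.0.2.44 - - [10/Oct/2019:13:55:38 +0000] "POST /api/update HTTP/1.1" 500 128 2600
203.0.113.9 - - [10/Oct/2019:13:55:39 +0000] "GET /api/list HTTP/1.1" 404 0 300
"""

LINE_RE = re.compile(
    r'^(?P<srcIp>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<code>\d{3}) (?P<size>\d+|-) (?P<responseTime>\d+)$'
)


@dataclass(frozen=True)
class AccessLogEntry:
    srcIp: str
    request: str
    code: int          # HTTP status code
    size: int          # response body size in bytes ("-" is treated as 0)
    responseTime: int  # microseconds


def parse_access_log(text: str) -> Iterator[AccessLogEntry]:
    """Yield one AccessLogEntry per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        yield AccessLogEntry(
            srcIp=m["srcIp"],
            request=m["request"],
            code=int(m["code"]),
            size=0 if m["size"] == "-" else int(m["size"]),
            responseTime=int(m["responseTime"]),
        )


# Constructed lists (RFC 5737 documentation ranges, not real indicators).
HACKER_BLACKLIST = [ip_network("192.0.2.0/24")]
SUSPICIOUS_PROXIES = [ip_network("198.51.100.0/24")]
RESPONSE_TIME_LIMIT_US = 2000  # LargeRTCheck threshold from the flow description


def in_any(ip: str, nets) -> bool:
    addr = ip_address(ip)
    return any(addr in n for n in nets)


def check_entry(e: AccessLogEntry) -> list:
    """Return the names of the flows that would alert on this entry."""
    alerts = []
    if in_any(e.srcIp, HACKER_BLACKLIST):
        alerts.append("HackerCheck")
    if e.responseTime > RESPONSE_TIME_LIMIT_US:
        alerts.append("LargeRTCheck")
    if in_any(e.srcIp, SUSPICIOUS_PROXIES):
        alerts.append("ProxyCheck")
    if e.code == 200 and e.size == 0:      # request succeeded but returned nothing
        alerts.append("ZeroContentCheck")
    return alerts


def run_checks(text: str) -> list:
    """Return (srcIp, flow name) pairs for every alert, in log order."""
    return [(e.srcIp, a) for e in parse_access_log(text) for a in check_entry(e)]


if __name__ == "__main__":
    for ip, alert in run_checks(SAMPLE_ACCESS_LOG):
        print(f"{alert}: {ip}")
```

Running the script against the embedded sample produces two alerts for the proxy address (ProxyCheck and ZeroContentCheck) and two for the blacklisted address (HackerCheck and LargeRTCheck); the 404 with a zero-length body is deliberately not flagged, since ZeroContentCheck only fires on a 200.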

The following flows send alerts regarding the application server log and populate the dashboard's Overview page pie chart and API detail pages:

  • ErrorHandling sends an alert when an error message appears in the application server log.

  • WarningHandling sends an alert once an hour with the count of warnings for each API call for which there has been at least one alert.

  • InfoFlow joins application log events with user information from the MLogUserLookup cache to create the ApiEnrichedStream used by ApiFlow, CompanyApiFlow, and UserApiFlow.

  • ApiFlow populates the Detail - ApiActivity page.

  • CompanyApiFlow populates the Detail - CompanyApiActivity page and the bar chart on the Overview page. It also sends an alert when an API call is used by a company more than 1500 times during the flow's one-hour jumping window.

  • UserApiFlow populates the dashboard's Detail - UserApiActivity page and the US map on the Overview page. It also sends an alert when an API call is used by a user more than 125 times during the flow's one-hour window.
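WarningHandling, CompanyApiFlow and UserApiFlow all rest on the same building block: a count per key inside a one-hour jumping window, compared against a threshold. The following Python script is an added example (not Striim code and not MultiLogApp's TQL) that implements that aggregate once and applies it three ways: warnings per API call per hour, calls per (company, API) against the 1500 limit, and calls per (user, API) against the 125 limit. The ApiEvent fields, the alignment of windows to the top of the hour, and the sample events are assumptions made for the example.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

USER_API_LIMIT = 125      # UserApiFlow threshold from the flow description
COMPANY_API_LIMIT = 1500  # CompanyApiFlow threshold from the flow description


@dataclass(frozen=True)
class ApiEvent:
    ts: datetime
    user: str
    company: str
    api: str
    level: str = "INFO"  # application log level; "WARN" feeds the hourly warning count


def window_start(ts: datetime) -> datetime:
    # Jumping (tumbling) one-hour window: every event maps to the top of its hour,
    # so counts reset at each hour boundary instead of sliding.
    return ts.replace(minute=0, second=0, microsecond=0)


def count_per_window(events, key):
    """Return {window start: Counter(key -> events in that window)}."""
    counts = defaultdict(Counter)
    for e in events:
        counts[window_start(e.ts)][key(e)] += 1
    return counts


def over_limit(events, key, limit):
    """Return (window start, key, count) for every key whose hourly count exceeds limit."""
    alerts = []
    for w, c in sorted(count_per_window(events, key).items()):
        for k, n in sorted(c.items()):
            if n > limit:
                alerts.append((w, k, n))
    return alerts


def user_api_alerts(events):
    return over_limit(events, lambda e: (e.user, e.api), USER_API_LIMIT)


def company_api_alerts(events):
    return over_limit(events, lambda e: (e.company, e.api), COMPANY_API_LIMIT)


def hourly_warning_counts(events):
    """WarningHandling-style report: per hour, number of warnings for each API call."""
    warnings = [e for e in events if e.level == "WARN"]
    return {w: dict(c) for w, c in count_per_window(warnings, lambda e: e.api).items()}


def make_sample_events():
    # Constructed data: alice calls /api/list 130 times between 13:00 and 14:00
    # (over 125), then 30 more after 14:00 (new window, under the limit);
    # bob calls /api/update 50 times and logs three warnings in the 13:00 hour.
    base = datetime(2019, 10, 10, 13, 0, tzinfo=timezone.utc)
    events = []
    for i in range(130):
        events.append(ApiEvent(base + timedelta(seconds=20 * i), "alice", "acme", "/api/list"))
    for i in range(30):
        events.append(ApiEvent(base + timedelta(hours=1, seconds=20 * i), "alice", "acme", "/api/list"))
    for i in range(50):
        events.append(ApiEvent(base + timedelta(seconds=30 * i), "bob", "acme", "/api/update"))
    for i in range(3):
        events.append(ApiEvent(base + timedelta(minutes=5 * i), "bob", "acme", "/api/update", "WARN"))
    return events


if __name__ == "__main__":
    evs = make_sample_events()
    for w, k, n in user_api_alerts(evs):
        print(f"UserApiFlow alert: {k} made {n} calls in window starting {w:%H:%M}")
    print("CompanyApiFlow alerts:", company_api_alerts(evs))
    print("Hourly warning counts:", hourly_warning_counts(evs))
```

With the constructed data only UserApiFlow fires (alice, 130 calls in the 13:00 window); the company total for acme stays far below 1500, and the 30 calls after the hour boundary land in a fresh window, which is the behaviour that distinguishes a jumping window from the sliding window ErrorsAndWarnings uses.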