Log Insight Webhook Shim Updated

In Log Insight 3.3, webhooks were introduced as an alert type. Shortly after the Log Insight 3.3 announcement, Alan Castonguay and I published some webhook shims that could be used with Log Insight to provide integration to a variety of third-party destinations. I am happy to announce a major update to the existing shim including support for vRealize Operations Manager. Read on to learn more!

Background

Webhooks provide a simple and extensible way to map Log Insight alerts to third-party actions. Of course, you need to translate webhooks from the output format of Log Insight into the input format of the third-party destination. This can be done via a shim.
As part of the 1.0 shim made available on GitHub, the following integrations were possible:

  • PagerDuty
  • Slack
  • Socialcast

NOTE: Socialcast offers native integration, meaning use of a shim is not required.

Update

Since the shim’s release, several people have contributed additional integrations. At this point, version 2.1 of the shim has been published and contains even more integrations including:

  • Bugzilla
  • HipChat
  • Jenkins
  • OpsGenie
  • ServiceNow
  • PushBullet
  • vRealize Orchestrator
  • ZenDesk

Not only that, but some new features have been added as well including:

  • Ability to accept incoming vRealize Operations Manager REST plugin notifications
  • Ability to use basic auth for incoming webhooks to third-party destinations from the shim
  • Support for encrypted traffic (https in addition to http)
  • Ability to specify web server port for shim
  • Ability to support Log Insight test alerts (works for vRealize Operations Manager as well)
  • Ability to support multiple teams/channels with Slack integration (works with HipChat as well)

As you can see, this is a major update! Of course, given the change to the existing Slack integration, it is recommended that you test the update before applying it to your environment.

vRealize Operations Manager REST plugin

One of the big changes in the updated shim is that it now supports output from the vRealize Operations Manager REST plugin. Let me walk you through how to configure this.
First, in vROps go to Administration > Outbound Settings, select the green plus icon to add a new one, and for plugin type select Rest Notification Plugin. Next, fill in all the options. Note that all fields are required even if you are not using them. Since outbound webhooks to the shim do not support authentication today, it does not matter what you enter for the username and password fields. Likewise, if the shim is not configured to accept requests over TLS, then the value entered for the certificate thumbprint does not matter either. For content type, ensure you select JSON.
In my example, I set the URL to point to /endpoint/test to validate the shim is receiving the data properly. With this configuration, I can hit the test button.
One known issue with this new integration is that vROps always displays an error when using the shim. I assume this is because of the fake authentication and certificate thumbprint options, but might also have to do with PUT requests versus POST requests. In either case, you can confirm the shim is working by checking the log output on the shim:

$ > ./runserver.py
2016-11-02 07:51:59,423 INFO Please navigate to the below URL for the available routes
2016-11-02 07:51:59,430 INFO * Running on http://0.0.0.0:5001/ (Press CTRL+C to quit)
2016-11-02 07:52:58,212 INFO 192.168.1.27 - - [02/Nov/2016 07:52:58] "POST /endpoint/test/test HTTP/1.1" 405 -
2016-11-02 07:52:58,214 INFO {"cancelDate":1478087617086,"updateDate":1478087617086,"resourceId":"test","adapterKind":"test","Health":0,"criticality":"ALERT_CRITICALITY_LEVEL_INFO","Risk":0,"resourceName":"test","type":"ALERT_TYPE_TIER","resourceKind":"test","alertName":"","Efficiency":0,"subType":"ALERT_SUBTYPE_SMART_KPI_BREACH","alertId":"test","startDate":1478087617086,"info":"test","status":"ACTIVE"}
2016-11-02 07:52:58,215 INFO 192.168.1.27 - - [02/Nov/2016 07:52:58] "PUT /endpoint/test/test HTTP/1.1" 200 -

Bingo! As you can see, the test message from vROps was successfully received and parsed! The best part is all of the integrations into third-party products are supported for vROps REST notification plugins as well.
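
Because the request from vROps to the shim carries no authentication, one check a handler can apply before forwarding anything is to restrict the sender address and validate the payload shape. The following is an added example, not code from the shim project: check_vrops_notification, the allowlist and the size cap are assumptions, while the sample body and sender address are the ones in the log output above.

```python
import ipaddress
import json

# Constructed allowlist: the vROps node seen in the log output above.
ALLOWED_SOURCES = [ipaddress.ip_network("192.168.1.27/32")]
MAX_BODY_BYTES = 64 * 1024  # assumed cap for a single alert notification
# Fields and types as they appear in the vROps test payload.
REQUIRED_FIELDS = {"alertId": str, "alertName": str, "status": str,
                   "criticality": str, "resourceName": str, "startDate": int}
# The test notification from the log output above.
SAMPLE_BODY = (
    b'{"cancelDate":1478087617086,"updateDate":1478087617086,"resourceId":"test",'
    b'"adapterKind":"test","Health":0,"criticality":"ALERT_CRITICALITY_LEVEL_INFO",'
    b'"Risk":0,"resourceName":"test","type":"ALERT_TYPE_TIER","resourceKind":"test",'
    b'"alertName":"","Efficiency":0,"subType":"ALERT_SUBTYPE_SMART_KPI_BREACH",'
    b'"alertId":"test","startDate":1478087617086,"info":"test","status":"ACTIVE"}'
)


def check_vrops_notification(source_ip, body):
    """Return (alert, None) when accepted, or (None, reason) when rejected."""
    try:
        addr = ipaddress.ip_address(source_ip)
    except ValueError:
        return None, "bad source address"
    if not any(addr in net for net in ALLOWED_SOURCES):
        return None, "source not allowlisted"
    if len(body) > MAX_BODY_BYTES:
        return None, "body too large"
    try:
        payload = json.loads(body)
    except ValueError:  # covers JSONDecodeError and UnicodeDecodeError
        return None, "body is not JSON"
    if not isinstance(payload, dict):
        return None, "payload is not a JSON object"
    for name, kind in REQUIRED_FIELDS.items():
        value = payload.get(name)
        # bool is a subclass of int in Python, so reject it explicitly
        if not isinstance(value, kind) or isinstance(value, bool):
            return None, "missing or mistyped field: " + name
    alert = {name: payload[name] for name in REQUIRED_FIELDS}
    alert["source"] = str(addr)  # tells multiple vROps instances apart downstream
    return alert, None
```

In a Flask handler the two arguments would come from request.remote_addr and request.get_data().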

Summary

Webhooks are awesome and the updated shim now available for Log Insight and vRealize Operations Manager is a huge improvement. As always, you can get the latest version of the shims here. What do you think of the shim? What other integrations would you like to see? When will you contribute a new integration to the shim? Let me know in the comments!

© 2016, Steve Flanders. All rights reserved.

9 comments on “Log Insight Webhook Shim Updated”

Paul S says:

Another great post on shims Steve, we would love to get vROPs sending alert data to SCOM. Will this be possible?

Hey Paul, SCOM supports an API so this should be possible through a webhook. You could contribute a shim to the GitHub project or suggest it for someone else to implement.

mike says:

Hello,
Is there any way to use multiple endpoints at the same time, like Slack and PD endpoints together?

Hey Mike — Thanks for the comment. Sure! In Log Insight, you can put multiple webhook destinations separating each with a space. For example: “http://webhook.example.com/endpoint/slack/a/b/c http://webhook.example.com/endpoint/pagerduty/a”. I hope this helps.

Pramod Nair says:

Hello Steve,
Is it possible for the SHIM server to parse the source details also to vRO?
I am working on a multiple vROPS to single vRO mapping scenario, so in that case I am just worried that when vRO tries to call vROPS with the alertID to fetch more details, it will be confused, as there will be multiple vROPS in the end bound to the same SHIM and vRO.

Hey Pramod — I do not believe there is anything in the vROps payload that would assist, however getting source information from the incoming API request is possible. This is a good question for John Dias. Let me message him and let him reply as well.

John Dias says:

Hi Pramod,
It is indeed possible to get the source details. You could do this through a callback within the shim. In fact I implemented this in the Moogsoft shim if you want an example.
To the second question, you might want to include a second input for your vRO workflow for the vROps source IP, which you could extract from the flask request data in the shim.

John Dias says:

Pramod it is possible to get more source detail from vROps from the shim – see the Moogsoft shim as an example of making a callback into vROps for impacted resource properties.
For your use case of multiple vROps instances, I would recommend adding an additional vRO workflow input for the source of the alert. You can grab the IP of the request source from the Flask request object.

Daya says:

Hi Steve,

I am looking to integrate Log Insight with VRO and have to manually activate the virtual environment and runserver.py. How can I use the shim for production cases without needing any manual intervention to run the environment?
