Generating events for testing a normalizer

If necessary, you can generate your own example events to test your normalizer. Such testing makes it easier to write regular expressions and lets you see which values end up in the KUMA event fields.

Keep in mind the following special considerations:

• This tests simulates event processing. Example events in the Example event field are intended for displaying examples in the Field mapping section. Examples of the parent normalizer are used to generate examples of child normalizers, taking into account the Field to pass into normalizer setting.
• Mutations cannot be applied.

To test the normalizer, you need to add an example event to the Event examples field in the selected normalizer and start generating events by using the relevant command. As a result of running the command, KUMA takes the example event from the Example event field and sends events to the normalizer with the specified interval. If necessary, you can specify multiple examples to get events for multiple examples.

To test the normalizer:

1. Select the collector that you want to use for testing:
   • If the collector is installed on the server and running, stop the collector service:

     sudo systemctl stop kuma-collector-<collector service ID copied from the KUMA web interface>.service

   • If the collector is not running, or is in the process of being created or edited, proceed to the next step.
2. In the collector creation wizard, if necessary, fill in or edit the required fields at the Connect event sources step and at the Transport step, then proceed to the Parsing step:
   1. Link a normalizer by selecting it from the drop-down list, or create a normalizer.
   2. In the Event examples field, add example events. For example, for a json normalizer, you can add the following value: {"name": "test_events", "address": "10.12.12.31"}. You can specify multiple examples if you want to receive events for multiple examples in the same normalizer. Events are generated for each example.
3. In the Collector Installation Wizard, go to the Routing step and specify the storage where you want to save test events.
4. Review the collector settings and click Save.
5. Go to the Active services section in KUMA and click Add to add a collector. This opens the Choose a service window; in that window, select the collector and click Create service. The collector is displayed in the Active services list.
6. Check the status of the collector to which events are being sent. The collector status should be red.
7. Run the event generation command with the necessary parameters:
   • If the collector is not installed on the server, but only added in the Active services section:

     sudo /opt/kaspersky/kuma/kuma collector --core <FQDN of the KUMA Core server>:<port used by the KUMA Core for internal communication (port 7210 is used by default)> --generator.interval <interval in seconds for generating and sending events> --id <collector service ID copied from the KUMA web interface> --api.port <number of a free, unused API port>

     If the value of the event generation and sending interval is not specified or it is set to zero, events are not generated.

   • If the collector is installed on the server:

     sudo /opt/kaspersky/kuma/kuma collector --generator.interval <value of the event generation and sending interval in seconds> --id <collector service ID copied from the KUMA web interface> --api.port <number of a free, unused API port>

     If the value of the event generation and sending interval is not specified or it is set to zero, events are not generated.

As a result, KUMA generates events and sends them to the normalizer, observing the specified interval.

You can verify that events have been created and satisfy your expectations in the Events section. For additional information about the check, see the /etc/systemd/system/multi-user.target.wants/kuma-collector-<collector service ID copied from the KUMA web interface>.service file.

If the result does not meet expectations, modify the example event:

• If the collector is not installed on the server and has only been in the Active services section, edit the Event examples field in the normalizer of the collector and save the collector settings.
• If the collector is installed on the server and stopped as a service, edit the Event examples field in the normalizer of the collector, save the collector settings, go to the Active services section, select the collector, and refresh the collector settings by clicking Refresh.

If the result meets expectations:

1. Disable event generation, for example, by pressing Ctrl+C on the command line.
2. Start the collector service; if the service is already installed on the server, but has been stopped:

   sudo systemctl start kuma-collector-<collector service ID copied from the KUMA web interface>.service

3. If the collector has only been added in the Active services section, but has not been installed on the server yet, install the collector on the server using the following command:

   sudo /opt/kaspersky/kuma/kuma collector --core <FQDN of the KUMA Core server>:<port used by KUMA Core server for internal communication (port 7210 by default)> --id <collector service ID copied from the KUMA web interface> --api.port <port used for communication with the installed component> --install

Page top