Sysdig is a secure DevOps platform that helps enterprises operate reliable, secure, containerized cloud-native applications. OpsRamp integration with Sysdig ingests alerts. These alerts are used in the Sysdig Monitor when event thresholds have been crossed.

Sysdig Version Supported for Integration: 3.2.0

OpsRamp configuration

Inbound configurations capture all the details required to call OpsRamp APIs.

Step 1: Install the integration

  1. From All Clients, select a client.
  2. Go to Setup > Account.
  3. Select the Integrations and Apps tab.
  4. The Installed Integrations page, where all the installed applications are displayed. Note: If there are no installed applications, it will navigate to the Available Integrations and Apps page.
  5. Click + ADD on the Installed Integrations page. The Available Integrations and Apps page displays all the available applications along with the newly created application with the version.
    Note: You can even search for the application using the search option available. Also yu can use the All Categories option to search.
  6. Click ADD in the Sysdig application and click Install.
  7. Select authentication type as WEBHOOK and click Save.
  8. Make a note of Tenant ID, Token and Webhook URL.
    These details are used while creating an HTTP Request template during Sysdig configuration.
  9. Click Save.

Step 2: Configure the integration

  1. From the API tab, enter:
    • Authentication: Token and Webhook URL for configuration.
      These settings are required for defining alert endpoints.
    • Map Attributes: Enter the mapping information for the third-party.
      The Map Attributes section maps third-party attributes to OpsRamp attributes associated with payloads.
  2. From the Monitoring of Integration tab, click Assign Templates.
  3. From the Audit Logs, set up audit log criteria and time frame.

Configuring the map attributes

  1. Select the required OpsRamp property from the drop-down.
  2. Click Add Mapping Attributes to map attributes for the specific OpsRamp alert property.
  3. Click + to define the mappings.
  4. From Create Alert Mappings on Status, define the mappings, parsing conditions, and default values.
  5. Click Save.

The following table shows the property mappings.

Third-Party EntityOpsRamp EntityThird-Party PropertyOpsRamp Property (non-editable)
ProblemAlertState
Third-Party Property ValueOpsRamp Property Value
ACTIVECritical
OKok
alert.currentState
ProblemAlertalert.body
OperatorStart WordEnd Word
BetweenMetric=
alert.currentState
ProblemAlertalert.descriptionalert.description
ProblemAlertsourcealert.deviceName
ProblemAlertalert.idalert.extAlertId
ProblemAlertalert.subjectalert.subject
  • You can modify the attributes when required.
  • You need not follow the same mappings.

Sysdig configuration

Step 1: Add notification channel

  1. Log into the Sysdig Admin UI.
  2. Go to Notification Channels > Add Notification Channel.
  3. From the displayed list, click Webhook.
  4. From New WebHook Channel, enter:
    • URL: WebHook URL copied from the OpsRamp configuration.
    • Channel Name:
    • Enable the following options as needed and click Save:
      • Enabled
      • Notify when Resolved
      • Notify when Acknowledged
      • Test notification

Step 2: Configure alerts

  1. Go to Alerts > Add Alert and select Alert Type.
  2. From the New Metric Alert wizard, enter the following on the Define tab:
    • Alert description
    • Alert severity
    • Alert properties. If a single alert is selected from the drop-down list, then only a single alert is triggered. To trigger multiple alerts, select Multiple Alerts.
  3. On the Notify tab, enable the following and click Create.
    • Notification Channel (this channel was created in the previous step).
    • Additional options as required. If alerts are already created, enable the newly created notification channel by navigating to Notify and clicking on the alert.

Example payload

{
"timestamp": 1587031500000000,
"timespan": 300000000,
"alert": {
"severity": 4,
"severityLevel": 4,
"editUrl": "https://app.sysdigcloud.com/#/alerts/1763784",
"severityLabel": "Low",
"subject": "Filesystem device full warning is Triggered on host.mac = 56:34:fb:9c:dd:5d and fs.mountDir = /",
"scope": null,
"name": "Filesystem device full warning",
"description": "Filesystem device full warning",
"id": 1763784,
"body": "Event Generated:Severity: Low Metric: fs.used.percent = 14.2 %Segment: fs.mountDir = '/' and host.mac = '56:34:fb:9c:dd:5d'Scope: EverywhereTime: 04/16/2020 10:05 AM UTCState: TriggeredNotification URL: <https://app.sysdigcloud.com/#/events/notifications/l:2419200/44753390/details------Triggered> by Alert:Name: Filesystem device full warningDescription: Filesystem device full warningTeam: Monitor OperationsScope: EverywhereSegment by: host.mac, fs.mountDirWhen: avg(avg(fs.used.percent)) > 5For at least: 5 minAlert URL: <https://app.sysdigcloud.com/#/alerts/1763784>"
},
"event": {
"id": 44753390,
"url": "https://app.sysdigcloud.com/#/events/notifications/l:604800/44753390/details"
},
"state": "ACTIVE",
"resolved": false,
"entities": [{
"entity": "host.mac = '56:34:fb:9c:dd:5d'",
"metricValues": [{
"metric": "fs.used.percent",
"aggregation": "avg",
"groupAggregation": "avg",
"value": 14.186205200000002
}],
"moreInfo": [{
"metric": "host.hostName",
"value": "zabbix"
}]
}],
"condition": "avg(avg(fs.used.percent)) > 5",
"source": "Sysdig Cloud"
}

Viewing alerts

  1. Go to the Alerts page, search with the source name as Sisdig.
    Related alerts are displayed.
  2. Click Alert ID to view.