
Lumos

An integration with Lumos to ship your Activity logs to your Elastic instance.

Version: 0.1.0
Compatible Kibana version(s): 8.12.1 or higher
Supported Serverless project types: Security, Observability
Subscription level: Basic
Level of support: Partner

The Lumos integration uses Lumos' API to retrieve Activity Logs and ingest them into Elasticsearch. This allows you to search, observe, and visualize the Activity Logs through Elasticsearch.

The Elastic agent running this integration interacts with Lumos' infrastructure using their APIs to retrieve Activity Logs for a Lumos tenant.

Configuration

Enabling the integration in Elastic

  1. In Kibana, go to Management > Integrations.
  2. In the "Search for integrations" search bar, type Lumos.
  3. Click the "Lumos" integration in the search results.
  4. Click the Add Lumos button to add the Lumos integration.

Configure Lumos Activity Logs data stream

  1. In Lumos, go to Settings > API Tokens.
  2. Click "Add API Token", then enter a name and description.
  3. Copy the key starting with lsk_.
  4. While adding the Lumos integration in Elastic, paste the key into the API Token field.

Logs

Activity Logs

Activity Logs summarize the history of changes and events occurring within Lumos.

Exported fields

Field | Description | Type
@timestamp | Event timestamp. | date
data_stream.dataset | Data stream dataset. | constant_keyword
data_stream.namespace | Data stream namespace. | constant_keyword
data_stream.type | Data stream type. | constant_keyword
ecs.version | ECS version this event conforms to. ecs.version is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword
event.action | The activity that occurred | keyword
event.created | The time the event began | date
event.id | The event hash | keyword
event.module | Event module | constant_keyword
event.outcome | The outcome of the event, whether it succeeded or failed | keyword
input.type | Input type | keyword
lumos.activity_logs.actor.actor_type | The type of actor | keyword
lumos.activity_logs.actor.email | The email of the actor | keyword
lumos.activity_logs.actor.family_name | The family name of the actor | keyword
lumos.activity_logs.actor.given_name | The given name of the actor | keyword
lumos.activity_logs.event_began_at | The time the event began | keyword
lumos.activity_logs.event_type_user_friendly | The user friendly type of the event | keyword
lumos.activity_logs.targets.name | | keyword
lumos.activity_logs.targets.target_type | | keyword
message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text

An example event for activity looks as follows:

{
    "@timestamp": "2024-03-14T17:53:58.869Z",
    "agent": {
        "ephemeral_id": "9d0d6b51-1c05-4ab1-ab5c-c16e485d734f",
        "id": "f57bb12d-cf67-4ec4-9ed0-52eeb865959e",
        "name": "docker-fleet-agent",
        "type": "filebeat",
        "version": "8.12.1"
    },
    "data_stream": {
        "dataset": "lumos.activity_logs",
        "namespace": "ep",
        "type": "logs"
    },
    "ecs": {
        "version": "8.11.0"
    },
    "elastic_agent": {
        "id": "f57bb12d-cf67-4ec4-9ed0-52eeb865959e",
        "snapshot": false,
        "version": "8.12.1"
    },
    "event": {
        "action": "SOD_POLICY_DELETED",
        "agent_id_status": "verified",
        "created": "2024-03-14T17:53:58.869Z",
        "dataset": "lumos.activity_logs",
        "id": "630b90cedc35a8a5f43361534099bee51e032f42dd442085fc76ef094d228f543c78fbe59c132df992cf71a6b8496504e8ebbc6020fbae1f34206676985412e7",
        "ingested": "2024-03-14T17:54:10Z",
        "kind": "event",
        "outcome": "success",
        "type": "info"
    },
    "host": {
        "architecture": "aarch64",
        "containerized": false,
        "hostname": "docker-fleet-agent",
        "id": "fb3be8e9409740ebb6621b777f0c397d",
        "ip": [
            "192.168.144.7"
        ],
        "mac": [
            "02-42-C0-A8-90-07"
        ],
        "name": "docker-fleet-agent",
        "os": {
            "codename": "focal",
            "family": "debian",
            "kernel": "6.6.12-linuxkit",
            "name": "Ubuntu",
            "platform": "ubuntu",
            "type": "linux",
            "version": "20.04.6 LTS (Focal Fossa)"
        }
    },
    "input": {
        "type": "httpjson"
    },
    "lumos": {
        "activity_logs": {
            "actor": {
                "actor_type": "Lumos user",
                "email": "wile.e.coyote@lumos.com",
                "family_name": "Wile",
                "given_name": "Coyote"
            },
            "event_began_at": "2024-03-12T16:09:14",
            "event_type_user_friendly": "A user deleted a SOD Policy",
            "targets": [
                {
                    "name": "Untitled Rule",
                    "target_type": "SOD Policy"
                }
            ]
        }
    },
    "message": "{\"actor\":{\"actor_type\":\"Lumos user\",\"email\":\"wile.e.coyote@lumos.com\",\"family_name\":\"Wile\",\"given_name\":\"Coyote\"},\"event_began_at\":\"2024-03-12T16:09:14\",\"event_hash\":\"630b90cedc35a8a5f43361534099bee51e032f42dd442085fc76ef094d228f543c78fbe59c132df992cf71a6b8496504e8ebbc6020fbae1f34206676985412e7\",\"event_metadata\":{},\"event_type\":\"SOD_POLICY_DELETED\",\"event_type_user_friendly\":\"A user deleted a SOD Policy\",\"outcome\":\"Succeeded\",\"targets\":[{\"name\":\"Untitled Rule\",\"target_type\":\"SOD Policy\"}]}"
}
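The example event shows that the raw Lumos record is kept verbatim in `message` while selected fields are lifted into the ECS and lumos.activity_logs.* fields listed above. The following added example (not part of the integration's own ingest pipeline) reproduces that mapping in Python so the documented fields can be checked against a raw record offline; the sample record is constructed from the example event, and the "Failed" to "failure" outcome mapping is an assumption, since the page only shows "Succeeded" becoming "success".

```python
import json

# Constructed sample input: the raw Lumos activity-log record as it appears in the
# `message` field of the example event above (event_hash is the value from that example).
EVENT_HASH = "630b90cedc35a8a5f43361534099bee51e032f42dd442085fc76ef094d228f543c78fbe59c132df992cf71a6b8496504e8ebbc6020fbae1f34206676985412e7"
SAMPLE_MESSAGE = json.dumps({
    "actor": {"actor_type": "Lumos user", "email": "wile.e.coyote@lumos.com",
              "family_name": "Wile", "given_name": "Coyote"},
    "event_began_at": "2024-03-12T16:09:14",
    "event_hash": EVENT_HASH,
    "event_metadata": {},
    "event_type": "SOD_POLICY_DELETED",
    "event_type_user_friendly": "A user deleted a SOD Policy",
    "outcome": "Succeeded",
    "targets": [{"name": "Untitled Rule", "target_type": "SOD Policy"}],
}, separators=(",", ":"))

# ECS event.outcome allows only success/failure/unknown. The page shows
# "Succeeded" -> "success"; the "Failed" -> "failure" entry is an assumption.
OUTCOME_MAP = {"Succeeded": "success", "Failed": "failure"}


def to_ecs(raw_message: str) -> dict:
    """Map one raw Lumos activity-log record to the exported fields documented above.

    Returns a flat dict keyed by dotted field name. Malformed input raises
    ValueError instead of producing a half-populated document.
    """
    try:
        rec = json.loads(raw_message)
    except json.JSONDecodeError as exc:
        raise ValueError(f"activity log record is not valid JSON: {exc}") from exc
    if "event_type" not in rec or "event_hash" not in rec:
        raise ValueError("activity log record lacks event_type or event_hash")
    actor = rec.get("actor") or {}
    return {
        "event.action": rec["event_type"],            # raw event_type
        "event.id": rec["event_hash"],                # raw event_hash
        "event.outcome": OUTCOME_MAP.get(rec.get("outcome"), "unknown"),
        "lumos.activity_logs.actor.actor_type": actor.get("actor_type"),
        "lumos.activity_logs.actor.email": actor.get("email"),
        "lumos.activity_logs.actor.family_name": actor.get("family_name"),
        "lumos.activity_logs.actor.given_name": actor.get("given_name"),
        "lumos.activity_logs.event_began_at": rec.get("event_began_at"),
        "lumos.activity_logs.event_type_user_friendly": rec.get("event_type_user_friendly"),
        "lumos.activity_logs.targets": [
            {"name": t.get("name"), "target_type": t.get("target_type")}
            for t in rec.get("targets") or []
        ],
        "message": raw_message,  # original record preserved verbatim, as in the example
    }
```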

Changelog

Version | Details | Kibana version(s)
0.1.0 | Enhancement: Initial draft of the package | —
