User Guide

Add a Node

To create a Tornado configuration, add a Node as follows:

  1. Switch to Edit mode in the top right corner of your layout:

    When switching to Edit mode, a new draft is created on the fly if none is present, which is an exact copy of the running Tornado configuration. If not present in the draft, a root node of type Filter will be automatically added.

  2. Click on the “Add” button in the top right corner and select the parent node to which you want to add a new node - a Filter or a Ruleset.

  3. Optionally, click on the icon with the three dots on each node, which from now on will be called the overflow menu.

    Fig. 155 Adding a node

    All nodes at the same level are ordered alphabetically.

  4. Define Filter node properties:

    • filter name: A unique string value composed only of letters, numbers and the “_” (underscore) character; it corresponds to the filename, stripped of its .json extension.

    • description

    • active: A boolean value; if false, the Filter’s children will be ignored.

    • filter: A boolean operator that, when applied to an event, returns true or false. This operator determines whether an Event matches the Filter; consequently, it determines whether an Event will be processed by the Filter’s inner nodes.

  5. A Filter node uses the same set of Constraints in the ‘WHERE’ tab as a Ruleset node. Based on your needs, a Filter node can be configured to process events of a particular type, from a particular device within your network, e.g.:

{
  "type": "AND",
  "operators":
    [
      {
        "type": "equals",
        "first": "${event.payload.src_ip}",
        "second": "64.114.133.26"
      }
    ]
}

If needed, you can delete a Node from the overflow menu when in Edit mode.

Filters available by default

The Tornado Processing Tree provides some out-of-the-box Filters, each of which matches all, and only, the Events originating from a given tenant. For more information on tenants in NetEye visit the dedicated page.

These Filters are created at the top level of the Processing Tree, in such a way that it is possible to set up tenant-specific Tornado pipelines.

Given for example a tenant named acme, the matching condition of the Filter for the acme tenant will be defined as:

{
    "type": "equals",
    "first": "${event.metadata.tenant_id}",
    "second": "acme"
}

Keep in mind that these Filters must never be deleted or modified, because they will be automatically re-created.

Note

NetEye generates one Filter for each tenant, including the default master tenant.
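
The following added example (not Tornado's own code) models how the two Filter conditions shown on this page combine when the src_ip Filter sits below the acme tenant Filter, so a draft can be checked against sample events before it is deployed. The node names, the tree layout as a Python dict, the sample events and the handling of a missing field are assumptions made for illustration.

```python
import re

# "${event.a.b}" accessor syntax as it appears in the Filters on this page.
ACCESSOR = re.compile(r"^\$\{event((?:\.\w+)*)\}$")

def resolve(value, event):
    """Return the event field named by an accessor, or the literal unchanged."""
    m = ACCESSOR.match(value) if isinstance(value, str) else None
    if m is None:
        return value
    node = event
    for key in m.group(1).split(".")[1:]:
        if not isinstance(node, dict) or key not in node:
            return None  # assumption: a missing field yields no value
        node = node[key]
    return node

def matches(op, event):
    """Evaluate the two operator types shown on this page: AND and equals."""
    if op["type"] == "AND":
        return all(matches(child, event) for child in op["operators"])
    if op["type"] == "equals":
        first = resolve(op["first"], event)
        return first is not None and first == resolve(op["second"], event)
    raise ValueError("operator not modelled: " + op["type"])

def reached(node, event):
    """Names of the nodes an event reaches; an inactive or non-matching
    Filter hides its whole subtree."""
    if not node["active"] or not matches(node["filter"], event):
        return []
    names = [node["name"]]
    for child in node.get("children", []):
        names += reached(child, event)
    return names

# Constructed tree (hypothetical names): tenant Filter with the src_ip Filter below it.
TREE = {
    "name": "acme", "active": True,
    "filter": {"type": "equals", "first": "${event.metadata.tenant_id}", "second": "acme"},
    "children": [{
        "name": "from_device", "active": True,
        "filter": {"type": "AND", "operators": [
            {"type": "equals", "first": "${event.payload.src_ip}", "second": "64.114.133.26"}]},
    }],
}

def sample_event(tenant, src_ip):
    """Constructed sample event carrying only the fields the Filters read."""
    return {"metadata": {"tenant_id": tenant}, "payload": {"src_ip": src_ip}}
```

An event from another tenant never reaches the inner Filter even when its src_ip matches, which is the isolation property the per-tenant Filters provide.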