Integrator

The Integrator is a high-throughput data forwarding engine that receives monitoring data and dispatches it to third-party systems and notification channels.

Overview

Property Value
Service name MugnsoftIntegrator
Default port 8052
Configuration file integrator.json
Version v4.0.0
Architecture Worker pool with configurable concurrency

Service Management

CLI Commands

# Install as service and register with the Webserver
integrator install <webserver_ip>:<port>

# Re-register with the Webserver
integrator register <webserver_ip>:<port>

# Migrate to a new Webserver
integrator migrate <webserver_ip>:<port> <jwt_token>

# Start / Stop / Restart
integrator start
integrator stop
integrator restart

# Run in foreground (Docker or debugging)
integrator run

# Remove the service
integrator uninstall

# Display help
integrator help

Configuration

Core Settings

{
  "name": "integrator1",
  "port": "8052",
  "logLevel": "info",
  "nbworker": "4",
  "queuesize": "10000"
}
Field Description Default
name Unique integrator identifier required
port API listening port "8052"
logLevel debug, info, warn, error "info"
nbworker Number of worker goroutines "4"
queuesize Task queue capacity "10000"
backupInterval Hours between KV store backups 24
nbDaysBackup Days to keep backup files 336

Directory Structure

<install_dir>/
├── integrator(.exe)         # Executable
├── integrator.json          # Service configuration
├── config/
│   ├── sec/                 # RSA keys for JWT signing
│   └── ssl/                 # TLS certificates
│       ├── certificates/
│       └── private/
├── dbs/                     # embedded key-value databases
│   ├── integrator.db        # Main KV store (settings, users, JWT)
│   ├── event.db             # Incoming monitor data cache (for pull integrations)
│   ├── metrics.db           # System metrics (CPU, memory, uptime)
│   └── backup/              # Automated backups
├── log/                     # Rotated log files
├── data/                    # CSV/JSON data exports
├── notif_buffer/            # Disk-backed retry queue for failed notifications
└── scripts/                 # Custom alert scripts

Worker Pool Architecture

The Integrator uses a producer-consumer pattern for high-throughput data processing:

HTTP Handler (producer)                   Workers (consumers)
     |                                         |
     |-- parse JSON, create Task -->           |
     |-- enqueue with 5s timeout -->  [Queue]  |
     |-- return HTTP 200 immediately           |
     |                                    +--> Worker 1 --> process + forward
     |                                    +--> Worker 2 --> process + forward
     |                                    +--> Worker 3 --> process + forward
     |                                    +--> Worker 4 --> process + forward

Key characteristics:

  • Non-blocking: HTTP handlers return immediately after queueing
  • Configurable workers: Set via nbworker (default: 4)
  • Queue capacity: Set via queuesize (default: 10,000 tasks)
  • Graceful reconfiguration: Workers drain the queue before restarting with new settings

Cross-Agent Correlation Engine

The Integrator includes an optional correlation engine that performs lightweight root-cause analysis. When a monitor breaches, the engine checks whether an upstream monitor on the same probe already breached within a configurable time window. If so, it logs a root-cause hint instead of treating every symptom as an unrelated alert.

Opt-in feature. The correlation engine is disabled by default. Enable it with correlationEnabled (see below). It runs in a fire-and-forget goroutine and never adds latency to the alert path.

Example

Without correlation, a single failing host produces three independent alerts:

22:48  disco/agent      on probe-prod-01  → CRITICAL  (agent unreachable)
22:50  url/shop-frontend on probe-prod-01  → ERROR     (connection refused)
22:50  api/checkout-api  on probe-prod-01  → ERROR     (connection refused)

With correlation enabled, the downstream failures are linked back to the earliest breach:

[RCA] url_shop-frontend_probe-prod-01 — [Correlated: disco/agent on probe-prod-01 breached 2m ago — possible root cause]
[RCA] api_checkout-api_probe-prod-01  — [Correlated: disco/agent on probe-prod-01 breached 2m ago — possible root cause]

Configuration

Parameter Type Default Description
correlationEnabled "true" / "false" "false" Master switch — opt-in
correlationWindowMinutes string (integer) "10" How far back to look for upstream breaches

These can be set two ways:

  1. integrator.json — edit the file in the install directory (persists across restarts).
  2. Live from the Webserver UI — go to Settings → Integrator → [your integrator]. The Webserver pushes the values to the Integrator’s /setsetting endpoint and the engine reconfigures immediately, no restart required.
Integrator correlation settings: correlationEnabled and correlationWindowMinutes fields

Causal model

The engine uses a fixed dependency graph defining which monitor type can be the upstream cause of another:

Downstream type Possible upstream cause
url db, disco
api db, disco
db disco
disco (root — never correlated downstream)

When a url monitor breaches, the engine looks for a prior db or disco breach on the same probe; a db breach looks for a prior disco breach. The monitor types ping, tcp, nslookup, and app are not in the model and are never correlated.

Scope is the probe, not the target host. Events are grouped by the probe agent that ran the check (the probe field in the payload). Two monitors correlate only when the same probe executed them and they breach in causal order within the window.

How it works

non-OK result arrives (url / api / db / disco)
        │
        ▼
recordRecentEvent()  ──►  in-memory sliding window
        │                  (capped at 500 entries, RWMutex-protected)
        ▼
correlateEvent()
        │  1. look up upstream types in the causal model
        │  2. scan the window for same-probe, different-monitor,
        │     in-window, upstream-type breaches
        │  3. pick the EARLIEST match (most likely root cause)
        ▼
log "[RCA] … [Correlated: …]" at INFO level

Only non-OK statuses are recorded. A cron job (purgeOldRecentEvents, every minute) removes entries older than correlationWindowMinutes; the window is also hard-capped at 500 entries.

Environment correlationWindowMinutes
Fast (monitors every 1 min) 5
Standard (every 1–5 min) 10 (default)
Slow / batch (every 5–15 min) 2030

Set the window to roughly 2× the longest monitor interval on the probe so an upstream breach is recorded before downstream monitors fire.

Current limitations

Limitation Detail
Same probe only Cross-probe correlation is not detected
Earliest breach wins No confidence scoring — the first upstream breach is reported
Log only The hint is written to the log; it does not suppress alerts or enrich emails/Slack/Teams
Four types hooked Only url, api, db, disco results enter the correlation window

Supported Integrations

Push Integrations (Integrator sends data outbound)

InfluxDB (v1.x / v2.x / v3.x)

{
  "influxDBEnabled": "true",
  "influxDBVersion": "2.x",
  "influxDBServer": "influxdb.example.com",
  "influxDBPort": "8086",
  "influxDBOrg": "myorg",
  "influxDBBucket": "mugnsoft",
  "influxDBToken": "your-token",
  "influxDBSSL": "true"
}

Data is sent in line protocol format:

eumResponseTime,name=MyScenario,type=eum,status=NORMAL,location=Paris responseTime=125.5,statusInt=0 1234567890000000000

Features: connection pooling, retry logic (2 retries, 5s wait), SSL support.

Splunk (HTTP Event Collector)

{
  "splunkEnabled": "true",
  "splunkCollectorServer": "splunk.example.com",
  "splunkCollectorPort": "8088",
  "splunkAuthorizationToken": "your-hec-token",
  "splunkIndex": "mugnsoft",
  "splunkSSL": "true"
}

Data is sent as JSON events to the Splunk HEC endpoint.

Elasticsearch

{
  "elasticEnabled": "true",
  "elasticServer": "elastic.example.com",
  "elasticPort": "9200",
  "elasticUser": "elastic",
  "elasticPwd": "password",
  "elasticSSL": "true"
}

Data is sent via the Bulk API (_bulk endpoint) as JSON documents.

Kafka

{
  "kafkaEnabled": "true",
  "kafkaBrokers": "broker1:9092,broker2:9092",
  "kafkaTopic": "mugnsoft-metrics",
  "kafkaTLS": "true",
  "kafkaSASLMechanism": "SCRAM-SHA256",
  "kafkaSASLUser": "user",
  "kafkaSASLPwd": "password"
}

Supports: TLS with custom CA/cert, SASL authentication (PLAIN, SCRAM-SHA256, SCRAM-SHA512), connection pooling.

Canopsis

{
  "canopsisEnabled": "true",
  "canopsisServer": "canopsis.example.com",
  "canopsisPort": "8082",
  "canopsisUser": "root",
  "canopsisPwd": "password",
  "canopsisSSL": "false"
}

ServiceNow

{
  "serviceNowEnabled": "true",
  "serviceNowServer": "dev12345.service-now.com",
  "serviceNowPort": "443",
  "serviceNowUser": "mugnsoft.integration",
  "serviceNowPwd": "password",
  "serviceNowSSL": "true",
  "serviceNowResolvedState": "6",
  "serviceNowCloseCode": "Resolved by caller"
}

Unlike the other push targets, ServiceNow follows the full incident lifecycle: it opens an incident when a monitor breaches and auto-resolves it when the monitor recovers. Incidents are correlated through the ServiceNow correlation_id field, so resolve works even across Integrator restarts. Actions are taken only on a confirmed status change, so repeated non-OK polls never open duplicate incidents. Auto-resolve respects ITSM ownership: an incident a human has already taken (assigned / past New) is left open with a recovery note rather than being closed automatically.

GLPI

{
  "glpiEnabled": "true",
  "glpiServer": "glpi.example.com",
  "glpiPort": "443",
  "glpiUser": "mugnsoft.integration",
  "glpiPwd": "password",
  "glpiAppToken": "app-token",
  "glpiSSL": "true",
  "glpiSolvedStatus": "5"
}

Like ServiceNow, GLPI follows the full ticket lifecycle: it opens a ticket when a monitor breaches and auto-resolves it when the monitor recovers. GLPI has no native correlation field, so the open ticket is located through an embedded key stamped into the ticket title — resolve therefore works even across Integrator restarts. Actions are taken only on a confirmed status change, so repeated non-OK polls never open duplicate tickets. Auto-resolve respects ITSM ownership: a ticket a human has already taken (assigned / processing / pending) is left open with a recovery follow-up rather than being closed automatically. Authentication is HTTP Basic against the GLPI REST API, with an optional App-Token when the GLPI API client requires one.

Jira (Cloud)

{
  "jiraEnabled": "true",
  "jiraServer": "your-domain.atlassian.net",
  "jiraPort": "443",
  "jiraUser": "you@example.com",
  "jiraPwd": "api-token",
  "jiraSSL": "true",
  "jiraProjectKey": "OPS",
  "jiraIssueType": "Bug",
  "jiraResolveTransition": "Done"
}

Like ServiceNow, Jira follows the full issue lifecycle: it opens an issue when a monitor breaches and auto-resolves it when the monitor recovers. Jira has no native correlation field, so the open issue is located through a sanitized label (mugnsoft-<type>-<name>-<probe>) matched server-side with an exact JQL query — resolve therefore works even across Integrator restarts. Jira has no direct status-set, so resolve is a workflow transition looked up by name (jiraResolveTransition, default Done). Auto-resolve respects ITSM ownership: an issue a human has already taken (assigned / In Progress) is left open with a recovery comment rather than being transitioned. Authentication is HTTP Basic with the account email and an API token (Jira Cloud, REST API v3, ADF descriptions).

Pull Integrations (Third-party queries the Integrator)

Zabbix

{
  "zabbixEnabled": "true",
  "zabbixServer": "zabbix.example.com",
  "zabbixPort": "443",
  "zabbixAuthType": "token",
  "zabbixToken": "your-api-token",
  "zabbixVersion": "6.x",
  "zabbixSSL": "true"
}

Zabbix retrieves data by querying the Integrator’s REST API:

GET /integrator/{bucket}/allV

Data is cached in the Integrator’s embedded key-value store with configurable TTL.

Data Export

Format Setting Description
CSV send2CSVEnabled Export to local CSV files in data/
JSON send2JSONEnabled Export to local JSON files in data/

Data Reception Endpoints

The Integrator exposes type-specific endpoints for receiving monitoring data:

Endpoint Monitor Type
POST /integrator/data2integrator EUM (End User Monitoring)
POST /integrator/data2integratorApp Application monitoring
POST /integrator/data2integratorApi API monitoring
POST /integrator/data2integratorUrl URL/HTTP monitoring
POST /integrator/data2integratorTcp TCP monitoring
POST /integrator/data2integratorUdp UDP monitoring
POST /integrator/data2integratorPing Ping monitoring
POST /integrator/data2integratorNslookup DNS monitoring
POST /integrator/db/data2integrator2 Database monitoring
POST /integrator/sys/data2integrator2 System metrics
POST /integrator/snmp/data2integrator2 SNMP monitoring
POST /integrator/wmi/data2integrator2 WMI monitoring (Windows)
POST /integrator/data2integratorDisco Discovery agent data

Incoming Data Payload

Each payload contains:

{
  "name": "My Monitor",
  "shortname": "mymon",
  "probe": "probe1",
  "monType": "eum",
  "timestampEpoch": 1234567890,
  "hostname": "target-host",
  "status": "NORMAL",
  "statusInt": "0",
  "location": "Paris",
  "value": 125.5,
  "transactions": { "Login": 45.2, "Search": 80.3 },
  "dnsLookup": "5.2",
  "tcpConnTime": "12.1",
  "tlsHandshake": "35.4",
  "serverTime": "52.8",
  "responseTime": "125.5",
  "emailR": "ops@example.com",
  "emailOnF": true,
  "emailOnSC": true,
  "resSC": "status_has_changed",
  "alerting": "true"
}

Alerting

The Integrator handles centralized alerting when monitors are linked to it.

Notification Channels

Channel Configuration
Email SMTP with TLS, HTML formatted with inline logo, color-coded status
Slack Block kit formatting, emoji indicators, configurable channel
Microsoft Teams Adaptive card format, color-coded, webhook-based
PagerDuty Incident triggering via API
Custom Scripts Shell scripts in scripts/ directory, 30s timeout, path traversal protection

Alert Triggers

Trigger Description
emailOnF / slackOnF / teamsOnF / pdOnF / scriptOnF Alert on failure
emailOnSC / slackOnSC / teamsOnSC / pdOnSC / scriptOnSC Alert on status change

Status Colors

Status Color Hex
NORMAL/OK Green #5cb85c
MINOR Yellow #D5D94F
MAJOR Orange #D9984F
CRITICAL Red #d9534f
CONFIG Blue #428bca
TIMEOUT Gray #E1DFDF
EXCEPTION Orange #faa05a
ERROR Dark Red #992A26

Notification Buffer (Reliable Delivery)

If a notification cannot be delivered — the SMTP server is down, Slack returns an error, a webhook times out — the Integrator does not drop it. The failed notification is written to disk and retried by a background worker.

Property Value
Buffer directory ./notif_buffer/ (one JSON file per failed notification)
Channels buffered Email, Slack, Teams, PagerDuty
Flush interval Every 30 seconds
Max retries 3 attempts per notification
Buffer capacity notifBufferSize (default 500); oldest dropped when full

Each buffered item records the channel, monitor identity, status, message, recipient, creation time, and attempt count. The flush worker is started at boot (initNotifBuffer) and stopped gracefully on shutdown. This guarantees that a transient outage in a notification channel never causes a lost alert, as long as the channel recovers within the retry budget.


REST API

Authentication

Method Path Description
POST /api/auth Login (JWT 15min)
POST /loginComponent Component login (24h)
POST /loginComponent1Year Long-lived token (1 year)
POST /loginComponent15Years Extended token (15 years)
GET /refresh_token Refresh JWT

Management

Method Path Description
GET /api/setting Get configuration
PATCH /api/updateSetting Update configuration
POST /backupDatabase Manual KV store backup
POST /reinitDatabase Reset databases
POST /testIntegration Test integration connectivity

Data Access

Method Path Description
GET /integrator/{bucket}/allV All values in bucket
GET /integrator/{bucket}/allK All keys in bucket
GET /integrator/{bucket}/allKV All key-value pairs
GET /v1/db/{dbname}/bucket/{bucket}/key/{key} Specific key lookup
POST /integrator/events Query data by tags/apps

Users

Method Path Description
GET /api/users List users
POST /api/users Create user
PATCH /api/users Update user
DELETE /api/users/{username} Delete user

System

Method Path Description
GET /ping Health check
GET /uptime Service uptime
GET /api/metrics System metrics (CPU, memory)
GET /docs/* Swagger UI

Connection Pooling

The Integrator maintains connection pools for outbound integrations:

Integration Pool Type Configuration
InfluxDB v1/v2 HTTP client pool Reusable connections
InfluxDB v3 Dedicated pool Separate implementation
Kafka Writer pool SASL/TLS-aware, config caching

Error Handling

  • Retry logic: 2 retries with 5-second wait between attempts
  • Non-blocking: Failed deliveries are logged but don’t block task processing
  • Status verification: Checks HTTP status codes (200/204 for success)
  • Graceful shutdown: Workers finish current tasks before stopping

See also

Translations