Integrator
The Integrator is a high-throughput data forwarding engine that receives monitoring data and dispatches it to third-party systems and notification channels.
Overview
| Property | Value |
|---|---|
| Service name | MugnsoftIntegrator |
| Default port | 8052 |
| Configuration file | integrator.json |
| Version | v4.0.0 |
| Architecture | Worker pool with configurable concurrency |
Service Management
CLI Commands
# Install as service and register with the Webserver
integrator install <webserver_ip>:<port>
# Re-register with the Webserver
integrator register <webserver_ip>:<port>
# Migrate to a new Webserver
integrator migrate <webserver_ip>:<port> <jwt_token>
# Start / Stop / Restart
integrator start
integrator stop
integrator restart
# Run in foreground (Docker or debugging)
integrator run
# Remove the service
integrator uninstall
# Display help
integrator help
Configuration
Core Settings
{
"name": "integrator1",
"port": "8052",
"logLevel": "info",
"nbworker": "4",
"queuesize": "10000"
}
| Field | Description | Default |
|---|---|---|
name |
Unique integrator identifier | required |
port |
API listening port | "8052" |
logLevel |
debug, info, warn, error |
"info" |
nbworker |
Number of worker goroutines | "4" |
queuesize |
Task queue capacity | "10000" |
backupInterval |
Hours between KV store backups | 24 |
nbDaysBackup |
Days to keep backup files | 336 |
Directory Structure
<install_dir>/
├── integrator(.exe) # Executable
├── integrator.json # Service configuration
├── config/
│ ├── sec/ # RSA keys for JWT signing
│ └── ssl/ # TLS certificates
│ ├── certificates/
│ └── private/
├── dbs/ # embedded key-value databases
│ ├── integrator.db # Main KV store (settings, users, JWT)
│ ├── event.db # Incoming monitor data cache (for pull integrations)
│ ├── metrics.db # System metrics (CPU, memory, uptime)
│ └── backup/ # Automated backups
├── log/ # Rotated log files
├── data/ # CSV/JSON data exports
├── notif_buffer/ # Disk-backed retry queue for failed notifications
└── scripts/ # Custom alert scripts
Worker Pool Architecture
The Integrator uses a producer-consumer pattern for high-throughput data processing:
HTTP Handler (producer) Workers (consumers)
| |
|-- parse JSON, create Task --> |
|-- enqueue with 5s timeout --> [Queue] |
|-- return HTTP 200 immediately |
| +--> Worker 1 --> process + forward
| +--> Worker 2 --> process + forward
| +--> Worker 3 --> process + forward
| +--> Worker 4 --> process + forward
Key characteristics:
- Non-blocking: HTTP handlers return immediately after queueing
- Configurable workers: Set via
nbworker(default: 4) - Queue capacity: Set via
queuesize(default: 10,000 tasks) - Graceful reconfiguration: Workers drain the queue before restarting with new settings
Cross-Agent Correlation Engine
The Integrator includes an optional correlation engine that performs lightweight root-cause analysis. When a monitor breaches, the engine checks whether an upstream monitor on the same probe already breached within a configurable time window. If so, it logs a root-cause hint instead of treating every symptom as an unrelated alert.
correlationEnabled (see below). It runs in a fire-and-forget goroutine and never adds latency to the alert path.
Example
Without correlation, a single failing host produces three independent alerts:
22:48 disco/agent on probe-prod-01 → CRITICAL (agent unreachable)
22:50 url/shop-frontend on probe-prod-01 → ERROR (connection refused)
22:50 api/checkout-api on probe-prod-01 → ERROR (connection refused)
With correlation enabled, the downstream failures are linked back to the earliest breach:
[RCA] url_shop-frontend_probe-prod-01 — [Correlated: disco/agent on probe-prod-01 breached 2m ago — possible root cause]
[RCA] api_checkout-api_probe-prod-01 — [Correlated: disco/agent on probe-prod-01 breached 2m ago — possible root cause]
Configuration
| Parameter | Type | Default | Description |
|---|---|---|---|
correlationEnabled |
"true" / "false" |
"false" |
Master switch — opt-in |
correlationWindowMinutes |
string (integer) | "10" |
How far back to look for upstream breaches |
These can be set two ways:
integrator.json— edit the file in the install directory (persists across restarts).- Live from the Webserver UI — go to Settings → Integrator → [your integrator]. The Webserver pushes the values to the Integrator’s
/setsettingendpoint and the engine reconfigures immediately, no restart required.
Causal model
The engine uses a fixed dependency graph defining which monitor type can be the upstream cause of another:
| Downstream type | Possible upstream cause |
|---|---|
url |
db, disco |
api |
db, disco |
db |
disco |
disco |
(root — never correlated downstream) |
When a url monitor breaches, the engine looks for a prior db or disco breach on the same probe; a db breach looks for a prior disco breach. The monitor types ping, tcp, nslookup, and app are not in the model and are never correlated.
probe field in the payload). Two monitors correlate only when the same probe executed them and they breach in causal order within the window.
How it works
non-OK result arrives (url / api / db / disco)
│
▼
recordRecentEvent() ──► in-memory sliding window
│ (capped at 500 entries, RWMutex-protected)
▼
correlateEvent()
│ 1. look up upstream types in the causal model
│ 2. scan the window for same-probe, different-monitor,
│ in-window, upstream-type breaches
│ 3. pick the EARLIEST match (most likely root cause)
▼
log "[RCA] … [Correlated: …]" at INFO level
Only non-OK statuses are recorded. A cron job (purgeOldRecentEvents, every minute) removes entries older than correlationWindowMinutes; the window is also hard-capped at 500 entries.
Recommended window
| Environment | correlationWindowMinutes |
|---|---|
| Fast (monitors every 1 min) | 5 |
| Standard (every 1–5 min) | 10 (default) |
| Slow / batch (every 5–15 min) | 20–30 |
Set the window to roughly 2× the longest monitor interval on the probe so an upstream breach is recorded before downstream monitors fire.
Current limitations
| Limitation | Detail |
|---|---|
| Same probe only | Cross-probe correlation is not detected |
| Earliest breach wins | No confidence scoring — the first upstream breach is reported |
| Log only | The hint is written to the log; it does not suppress alerts or enrich emails/Slack/Teams |
| Four types hooked | Only url, api, db, disco results enter the correlation window |
Supported Integrations
Push Integrations (Integrator sends data outbound)
InfluxDB (v1.x / v2.x / v3.x)
{
"influxDBEnabled": "true",
"influxDBVersion": "2.x",
"influxDBServer": "influxdb.example.com",
"influxDBPort": "8086",
"influxDBOrg": "myorg",
"influxDBBucket": "mugnsoft",
"influxDBToken": "your-token",
"influxDBSSL": "true"
}
Data is sent in line protocol format:
eumResponseTime,name=MyScenario,type=eum,status=NORMAL,location=Paris responseTime=125.5,statusInt=0 1234567890000000000
Features: connection pooling, retry logic (2 retries, 5s wait), SSL support.
Splunk (HTTP Event Collector)
{
"splunkEnabled": "true",
"splunkCollectorServer": "splunk.example.com",
"splunkCollectorPort": "8088",
"splunkAuthorizationToken": "your-hec-token",
"splunkIndex": "mugnsoft",
"splunkSSL": "true"
}
Data is sent as JSON events to the Splunk HEC endpoint.
Elasticsearch
{
"elasticEnabled": "true",
"elasticServer": "elastic.example.com",
"elasticPort": "9200",
"elasticUser": "elastic",
"elasticPwd": "password",
"elasticSSL": "true"
}
Data is sent via the Bulk API (_bulk endpoint) as JSON documents.
Kafka
{
"kafkaEnabled": "true",
"kafkaBrokers": "broker1:9092,broker2:9092",
"kafkaTopic": "mugnsoft-metrics",
"kafkaTLS": "true",
"kafkaSASLMechanism": "SCRAM-SHA256",
"kafkaSASLUser": "user",
"kafkaSASLPwd": "password"
}
Supports: TLS with custom CA/cert, SASL authentication (PLAIN, SCRAM-SHA256, SCRAM-SHA512), connection pooling.
Canopsis
{
"canopsisEnabled": "true",
"canopsisServer": "canopsis.example.com",
"canopsisPort": "8082",
"canopsisUser": "root",
"canopsisPwd": "password",
"canopsisSSL": "false"
}
ServiceNow
{
"serviceNowEnabled": "true",
"serviceNowServer": "dev12345.service-now.com",
"serviceNowPort": "443",
"serviceNowUser": "mugnsoft.integration",
"serviceNowPwd": "password",
"serviceNowSSL": "true",
"serviceNowResolvedState": "6",
"serviceNowCloseCode": "Resolved by caller"
}
Unlike the other push targets, ServiceNow follows the full incident lifecycle: it opens an incident when a monitor breaches and auto-resolves it when the monitor recovers. Incidents are correlated through the ServiceNow correlation_id field, so resolve works even across Integrator restarts. Actions are taken only on a confirmed status change, so repeated non-OK polls never open duplicate incidents. Auto-resolve respects ITSM ownership: an incident a human has already taken (assigned / past New) is left open with a recovery note rather than being closed automatically.
GLPI
{
"glpiEnabled": "true",
"glpiServer": "glpi.example.com",
"glpiPort": "443",
"glpiUser": "mugnsoft.integration",
"glpiPwd": "password",
"glpiAppToken": "app-token",
"glpiSSL": "true",
"glpiSolvedStatus": "5"
}
Like ServiceNow, GLPI follows the full ticket lifecycle: it opens a ticket when a monitor breaches and auto-resolves it when the monitor recovers. GLPI has no native correlation field, so the open ticket is located through an embedded key stamped into the ticket title — resolve therefore works even across Integrator restarts. Actions are taken only on a confirmed status change, so repeated non-OK polls never open duplicate tickets. Auto-resolve respects ITSM ownership: a ticket a human has already taken (assigned / processing / pending) is left open with a recovery follow-up rather than being closed automatically. Authentication is HTTP Basic against the GLPI REST API, with an optional App-Token when the GLPI API client requires one.
Jira (Cloud)
{
"jiraEnabled": "true",
"jiraServer": "your-domain.atlassian.net",
"jiraPort": "443",
"jiraUser": "you@example.com",
"jiraPwd": "api-token",
"jiraSSL": "true",
"jiraProjectKey": "OPS",
"jiraIssueType": "Bug",
"jiraResolveTransition": "Done"
}
Like ServiceNow, Jira follows the full issue lifecycle: it opens an issue when a monitor breaches and auto-resolves it when the monitor recovers. Jira has no native correlation field, so the open issue is located through a sanitized label (mugnsoft-<type>-<name>-<probe>) matched server-side with an exact JQL query — resolve therefore works even across Integrator restarts. Jira has no direct status-set, so resolve is a workflow transition looked up by name (jiraResolveTransition, default Done). Auto-resolve respects ITSM ownership: an issue a human has already taken (assigned / In Progress) is left open with a recovery comment rather than being transitioned. Authentication is HTTP Basic with the account email and an API token (Jira Cloud, REST API v3, ADF descriptions).
Pull Integrations (Third-party queries the Integrator)
Zabbix
{
"zabbixEnabled": "true",
"zabbixServer": "zabbix.example.com",
"zabbixPort": "443",
"zabbixAuthType": "token",
"zabbixToken": "your-api-token",
"zabbixVersion": "6.x",
"zabbixSSL": "true"
}
Zabbix retrieves data by querying the Integrator’s REST API:
GET /integrator/{bucket}/allV
Data is cached in the Integrator’s embedded key-value store with configurable TTL.
Data Export
| Format | Setting | Description |
|---|---|---|
| CSV | send2CSVEnabled |
Export to local CSV files in data/ |
| JSON | send2JSONEnabled |
Export to local JSON files in data/ |
Data Reception Endpoints
The Integrator exposes type-specific endpoints for receiving monitoring data:
| Endpoint | Monitor Type |
|---|---|
POST /integrator/data2integrator |
EUM (End User Monitoring) |
POST /integrator/data2integratorApp |
Application monitoring |
POST /integrator/data2integratorApi |
API monitoring |
POST /integrator/data2integratorUrl |
URL/HTTP monitoring |
POST /integrator/data2integratorTcp |
TCP monitoring |
POST /integrator/data2integratorUdp |
UDP monitoring |
POST /integrator/data2integratorPing |
Ping monitoring |
POST /integrator/data2integratorNslookup |
DNS monitoring |
POST /integrator/db/data2integrator2 |
Database monitoring |
POST /integrator/sys/data2integrator2 |
System metrics |
POST /integrator/snmp/data2integrator2 |
SNMP monitoring |
POST /integrator/wmi/data2integrator2 |
WMI monitoring (Windows) |
POST /integrator/data2integratorDisco |
Discovery agent data |
Incoming Data Payload
Each payload contains:
{
"name": "My Monitor",
"shortname": "mymon",
"probe": "probe1",
"monType": "eum",
"timestampEpoch": 1234567890,
"hostname": "target-host",
"status": "NORMAL",
"statusInt": "0",
"location": "Paris",
"value": 125.5,
"transactions": { "Login": 45.2, "Search": 80.3 },
"dnsLookup": "5.2",
"tcpConnTime": "12.1",
"tlsHandshake": "35.4",
"serverTime": "52.8",
"responseTime": "125.5",
"emailR": "ops@example.com",
"emailOnF": true,
"emailOnSC": true,
"resSC": "status_has_changed",
"alerting": "true"
}
Alerting
The Integrator handles centralized alerting when monitors are linked to it.
Notification Channels
| Channel | Configuration |
|---|---|
| SMTP with TLS, HTML formatted with inline logo, color-coded status | |
| Slack | Block kit formatting, emoji indicators, configurable channel |
| Microsoft Teams | Adaptive card format, color-coded, webhook-based |
| PagerDuty | Incident triggering via API |
| Custom Scripts | Shell scripts in scripts/ directory, 30s timeout, path traversal protection |
Alert Triggers
| Trigger | Description |
|---|---|
emailOnF / slackOnF / teamsOnF / pdOnF / scriptOnF |
Alert on failure |
emailOnSC / slackOnSC / teamsOnSC / pdOnSC / scriptOnSC |
Alert on status change |
Status Colors
| Status | Color | Hex |
|---|---|---|
| NORMAL/OK | Green | #5cb85c |
| MINOR | Yellow | #D5D94F |
| MAJOR | Orange | #D9984F |
| CRITICAL | Red | #d9534f |
| CONFIG | Blue | #428bca |
| TIMEOUT | Gray | #E1DFDF |
| EXCEPTION | Orange | #faa05a |
| ERROR | Dark Red | #992A26 |
Notification Buffer (Reliable Delivery)
If a notification cannot be delivered — the SMTP server is down, Slack returns an error, a webhook times out — the Integrator does not drop it. The failed notification is written to disk and retried by a background worker.
| Property | Value |
|---|---|
| Buffer directory | ./notif_buffer/ (one JSON file per failed notification) |
| Channels buffered | Email, Slack, Teams, PagerDuty |
| Flush interval | Every 30 seconds |
| Max retries | 3 attempts per notification |
| Buffer capacity | notifBufferSize (default 500); oldest dropped when full |
Each buffered item records the channel, monitor identity, status, message, recipient, creation time, and attempt count. The flush worker is started at boot (initNotifBuffer) and stopped gracefully on shutdown. This guarantees that a transient outage in a notification channel never causes a lost alert, as long as the channel recovers within the retry budget.
REST API
Authentication
| Method | Path | Description |
|---|---|---|
| POST | /api/auth |
Login (JWT 15min) |
| POST | /loginComponent |
Component login (24h) |
| POST | /loginComponent1Year |
Long-lived token (1 year) |
| POST | /loginComponent15Years |
Extended token (15 years) |
| GET | /refresh_token |
Refresh JWT |
Management
| Method | Path | Description |
|---|---|---|
| GET | /api/setting |
Get configuration |
| PATCH | /api/updateSetting |
Update configuration |
| POST | /backupDatabase |
Manual KV store backup |
| POST | /reinitDatabase |
Reset databases |
| POST | /testIntegration |
Test integration connectivity |
Data Access
| Method | Path | Description |
|---|---|---|
| GET | /integrator/{bucket}/allV |
All values in bucket |
| GET | /integrator/{bucket}/allK |
All keys in bucket |
| GET | /integrator/{bucket}/allKV |
All key-value pairs |
| GET | /v1/db/{dbname}/bucket/{bucket}/key/{key} |
Specific key lookup |
| POST | /integrator/events |
Query data by tags/apps |
Users
| Method | Path | Description |
|---|---|---|
| GET | /api/users |
List users |
| POST | /api/users |
Create user |
| PATCH | /api/users |
Update user |
| DELETE | /api/users/{username} |
Delete user |
System
| Method | Path | Description |
|---|---|---|
| GET | /ping |
Health check |
| GET | /uptime |
Service uptime |
| GET | /api/metrics |
System metrics (CPU, memory) |
| GET | /docs/* |
Swagger UI |
Connection Pooling
The Integrator maintains connection pools for outbound integrations:
| Integration | Pool Type | Configuration |
|---|---|---|
| InfluxDB v1/v2 | HTTP client pool | Reusable connections |
| InfluxDB v3 | Dedicated pool | Separate implementation |
| Kafka | Writer pool | SASL/TLS-aware, config caching |
Error Handling
- Retry logic: 2 retries with 5-second wait between attempts
- Non-blocking: Failed deliveries are logged but don’t block task processing
- Status verification: Checks HTTP status codes (200/204 for success)
- Graceful shutdown: Workers finish current tasks before stopping
See also
- Integrator Configuration — complete settings reference
- Integrator HTTP API — full API documentation
- Integration guides — step-by-step setup for Splunk, InfluxDB, Elastic, Zabbix, and Grafana
- Platform Overview — how the Integrator fits into the architecture
- Data Flow — monitoring and integration data flow diagrams