Unomaly organizes incoming data based on the system that sends the data. The system can be the name or IP address of the server, network equipment, application, virtual container, cloud application, or other originating source of the data stream. Each system has a behavioral profile that Unomaly algorithmically derives from its historic data.
Add systems by adding their data
Adding a system to Unomaly means configuring a system to send its data to a Unomaly instance. You can configure the system to forward its logs directly over standard protocol ports, via log shippers, or using third-party log management tools. For more information, see “Data inputs overview”.
When Unomaly receives the data stream
Once Unomaly detects and receives the data stream:
- If the system is a new, previously unseen system, Unomaly adds the system automatically.
- If the new system fits within the license limit, Unomaly starts to analyze and learn the system’s data.
- If the new system exceeds the license limit, Unomaly adds the system as “disabled” and does not analyze the system’s data.
Once Unomaly receives the data stream, it creates and updates behavior profiles for each system and continuously updates a learnings database as it receives more data. You can view all systems in the Systems view.
Training new systems
When Unomaly receives data from a new system, it adds the system automatically in the “Training” state. While the system is in training:
- Unomaly analyzes the data but does not display anomalies or situations for that system and does not generate notifications from that system.
- Unomaly checks that the system has produced data during at least 50% of the last 12 hours (using a 15 minute window). Systems are taken out of training when Unomaly detects 6 hours of continuously normal behavior, which means 6 hours without anomalies. This behavior indicates that Unomaly has learned the baseline for this new system.
The length of time that a system spends in training depends on the volume of log data and the diversity in types of log structures that the system generates. When you add data from similar systems, they will learn from each other and generate less anomalies per log volume.
In general, you can expect training to take approximately two full weeks. But some systems may complete learning sooner. Here are some estimates:
- Linux systems take approximately 2-7 days.
- Windows systems take a bit longer 7-14 days.
- ESXi servers take 5-12 Days.
When training is complete, Unomaly automatically moves the systems into an “Active” state. This means that Unomaly has learned enough about the system’s log data to understand it’s baseline behaviors. Unomaly continues to receive and analyze the streaming data from the systems.
Receiving disabled systems
If the number of systems sending data to Unomaly exceeds the licensed amount, Unomaly adds the system in the “disabled” state. Unomaly does not analyze the data from disabled systems.
If you exceed your licensed limit when adding a new system, you can upgrade your license and then manually enable the disabled system. Or, you can manually disable other systems to stay within your license. See “Add and update licenses” or “Edit system settings” to enable or disable systems.
Did this article help you?
Thank you for the feedback!