
FLUX EVENT

Intelligent event collection, deduplication, and correlation. Transform raw system events into actionable incidents with automated triage and escalation.

// OVERVIEW

Flux Event is the intelligence layer of the Flux Suite. It sits between your raw infrastructure event streams (syslog, SNMP traps, API webhooks) and your incident management workflow in Flux Notify.

Raw infrastructure environments can generate thousands of events per hour. Flux Event's correlation engine reduces this noise by grouping related events, suppressing duplicates, and only creating actionable incidents when meaningful patterns are detected.

// Typical Flow
Raw Events → Ingestion → Deduplication → Correlation Rules → Auto-Incident in Flux Notify → Notifications via Flux Notify

// KEY CONCEPTS

EVENT vs INCIDENT

An Event is a raw signal from your infrastructure — a syslog line, an SNMP trap, an API webhook. Events are atomic, immutable records. An Incident is a human-meaningful situation requiring action, typically created from one or more correlated events.

CORRELATION WINDOW

Events are grouped within a time window (default: 5 minutes). If multiple events match a correlation rule within the window, they are treated as a single incident rather than generating multiple notifications.

DEDUPLICATION KEY

Each event type has a deduplication key (e.g., hostname + metric name + condition). If the same event arrives multiple times within the dedup window, only the first is processed and the count is incremented.

// EVENT SOURCES

Source         | Protocol   | Default Port | Format
---------------|------------|--------------|---------------------
Syslog         | UDP/TCP    | 514          | RFC 3164 / 5424
SNMP Traps     | UDP        | 162          | SNMPv2c / v3
REST API       | HTTP POST  | 8083         | JSON
Flux Monitor   | Internal   | -            | Internal API
Webhook        | HTTP POST  | 8083         | JSON (configurable)
Custom Script  | stdout     | -            | JSON

// SYSLOG INGESTION

Configure your devices and servers to forward syslog messages to the Flux Event container.

# rsyslog — forward to Flux Event (keep only one of the two forwarding lines)
# /etc/rsyslog.d/flux-event.conf
*.* @flux-event-host:514         # UDP
*.* @@flux-event-host:514        # TCP (reliable)

# Apply the change
systemctl restart rsyslog

# syslog-ng equivalent (s_sys must be a source already defined in your syslog-ng.conf)
destination d_flux {
  network("flux-event-host" port(514) transport("tcp"));
};
log { source(s_sys); destination(d_flux); };
// Firewall Note
Ensure UDP/TCP port 514 is open between your monitored hosts and the Flux Event container. Docker Compose exposes this port by default.

// SNMP TRAP INGESTION

# Configure network devices to send traps to Flux Event
# Cisco IOS example ("public" is a placeholder community string; use your own,
# or SNMPv3 as configured below):
snmp-server host flux-event-ip version 2c public
snmp-server enable traps

# Juniper JunOS:
set snmp trap-group flux-event targets flux-event-ip
set snmp trap-group flux-event version v2
set snmp trap-group flux-event categories link

SNMP v3 CONFIGURATION

# docker-compose.env
SNMP_V3_USER=fluxuser
SNMP_V3_AUTH_PROTO=SHA
SNMP_V3_AUTH_KEY=your_auth_key_here
SNMP_V3_PRIV_PROTO=AES
SNMP_V3_PRIV_KEY=your_priv_key_here

// CORRELATION RULES

Correlation rules define how raw events are grouped and when incidents should be automatically created. Rules are evaluated in priority order (lower number = higher priority).

{
  "name": "Database Connectivity Failure",
  "priority": 10,
  "enabled": true,
  "conditions": {
    "operator": "AND",
    "filters": [
      { "field": "hostname", "op": "matches", "value": "db-*" },
      { "field": "severity", "op": ">=", "value": "critical" },
      { "field": "message", "op": "contains_any",
        "value": ["connection refused", "max_connections", "too many connections"] }
    ]
  },
  "window_minutes": 5,
  "min_event_count": 2,
  "action": {
    "create_incident": true,
    "incident_severity": "CRITICAL",
    "contact_list": "DBA On-Call",
    "suppress_individual": true
  }
}
// Rule Best Practices
Start with broad rules and narrow them over time using the event history. The "Dry Run" mode lets you test rules against historical events before activating them.
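To make the rule semantics concrete, here is an added Python evaluator for the rule above; it is illustrative code written for this page, not Flux Event's own engine. The field names, operators, window_minutes and min_event_count come straight from the rule JSON. How each operator is interpreted ("matches" as a shell-style glob, ">=" against a fixed severity order, "contains_any" as a case-insensitive substring test) and the grouping of matching events into one incident per window are assumptions, and the sample events are constructed.

```python
# Added example, not Flux Event's own code. Evaluates the correlation rule
# shown above against a batch of events and opens incidents per window.
# Operator semantics and the severity ordering are assumptions.
from datetime import datetime, timedelta, timezone
from fnmatch import fnmatchcase

# Assumed ranking used by the ">=" operator (higher = more severe).
SEVERITY_RANK = {"debug": 0, "info": 1, "warning": 2, "critical": 3}

# The rule from the page, as a Python dict.
RULE = {
    "name": "Database Connectivity Failure",
    "priority": 10,
    "enabled": True,
    "conditions": {
        "operator": "AND",
        "filters": [
            {"field": "hostname", "op": "matches", "value": "db-*"},
            {"field": "severity", "op": ">=", "value": "critical"},
            {"field": "message", "op": "contains_any",
             "value": ["connection refused", "max_connections", "too many connections"]},
        ],
    },
    "window_minutes": 5,
    "min_event_count": 2,
    "action": {"create_incident": True, "incident_severity": "CRITICAL",
               "contact_list": "DBA On-Call", "suppress_individual": True},
}


def filter_matches(flt, event):
    """Evaluate a single filter against one event dict."""
    actual = str(event.get(flt["field"], ""))
    op, expected = flt["op"], flt["value"]
    if op == "matches":        # assumed: shell-style glob on the field value
        return fnmatchcase(actual, expected)
    if op == ">=":             # assumed: compare severities by rank
        return SEVERITY_RANK.get(actual, -1) >= SEVERITY_RANK.get(expected, 99)
    if op == "contains_any":   # assumed: case-insensitive substring, any needle
        return any(needle.lower() in actual.lower() for needle in expected)
    raise ValueError(f"unsupported operator {op!r}")


def rule_matches(rule, event):
    """True when the rule is enabled and its filter set (AND/OR) accepts the event."""
    if not rule["enabled"]:
        return False
    combine = all if rule["conditions"]["operator"] == "AND" else any
    return combine(filter_matches(f, event) for f in rule["conditions"]["filters"])


def _open_incident(rule, group):
    return {
        "rule": rule["name"],
        "severity": rule["action"]["incident_severity"],
        "contact_list": rule["action"]["contact_list"],
        "event_count": len(group),
        "hosts": sorted({e["hostname"] for e in group}),
        "opened_at": group[0]["timestamp"],
    }


def correlate(rule, events):
    """Group matching events into windows measured from each group's first event;
    a window that collects at least min_event_count events becomes one incident."""
    matching = sorted((e for e in events if rule_matches(rule, e)),
                      key=lambda e: e["timestamp"])
    window = timedelta(minutes=rule["window_minutes"])
    incidents, group = [], []
    for ev in matching:
        if group and ev["timestamp"] - group[0]["timestamp"] > window:
            if len(group) >= rule["min_event_count"]:
                incidents.append(_open_incident(rule, group))
            group = []
        group.append(ev)
    if len(group) >= rule["min_event_count"]:
        incidents.append(_open_incident(rule, group))
    return incidents


def _at(minutes):
    """Constructed timestamp: minutes after a fixed base time."""
    return datetime(2026, 2, 24, 14, 37, tzinfo=timezone.utc) + timedelta(minutes=minutes)


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"hostname": "db-prod-01", "severity": "critical",
     "message": "FATAL: connection refused", "timestamp": _at(0)},
    {"hostname": "db-prod-02", "severity": "critical",
     "message": "too many connections for role app", "timestamp": _at(1)},
    {"hostname": "app-prod-01", "severity": "critical",      # hostname filter fails
     "message": "connection refused", "timestamp": _at(2)},
    {"hostname": "db-prod-01", "severity": "warning",        # severity below critical
     "message": "max_connections nearly reached", "timestamp": _at(3)},
    {"hostname": "db-prod-03", "severity": "critical",       # alone in its window
     "message": "connection refused", "timestamp": _at(20)},
]


def run_demo():
    return correlate(RULE, SAMPLE_EVENTS)


if __name__ == "__main__":
    for inc in run_demo():
        print(inc)
```

Of the five constructed events only three pass the filters, and only the first two fall inside one 5-minute window, so a single CRITICAL incident for the "DBA On-Call" list is opened; the later db-prod-03 event stays below min_event_count and, with suppress_individual set, would not notify on its own.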

// DEDUPLICATION

Deduplication prevents alert storms by collapsing repeated identical events into a single record with a count. The deduplication key is configurable per source.

Source Type   | Default Dedup Key                              | Default Window
--------------|------------------------------------------------|---------------
Syslog        | hostname + facility + severity + message hash  | 2 min
SNMP Trap     | source IP + OID                                | 5 min
API Event     | source + event_type + resource                 | configurable
Flux Monitor  | host + check name + status                     | 15 min
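The following is an added Python sketch of the deduplication step described above, written for this page rather than taken from Flux Event. The key components and default windows are the ones in the table; how the key is composed (SHA-256 of the message text as the "message hash"), the fixed window measured from the first occurrence, and the 10-minute placeholder for the "configurable" API window are assumptions, and the event stream is constructed.

```python
# Added example, not Flux Event's own code. Collapses repeated events into one
# record with a count, using the per-source keys and windows from the table
# above. Key composition and the fixed (non-sliding) window are assumptions.
import hashlib
from datetime import datetime, timedelta, timezone


def _msg_hash(message):
    # Assumed "message hash": SHA-256 of the message text, truncated for the key.
    return hashlib.sha256(message.encode("utf-8")).hexdigest()[:16]


# source type -> (key builder, default window). The API window is "configurable"
# on the page; 10 minutes here is a constructed placeholder.
DEDUP_POLICY = {
    "syslog": (lambda e: (e["hostname"], e["facility"], e["severity"], _msg_hash(e["message"])),
               timedelta(minutes=2)),
    "snmp_trap": (lambda e: (e["source_ip"], e["oid"]), timedelta(minutes=5)),
    "api": (lambda e: (e["source"], e["event_type"], e["resource"]), timedelta(minutes=10)),
    "flux_monitor": (lambda e: (e["host"], e["check_name"], e["status"]), timedelta(minutes=15)),
}


class Deduplicator:
    def __init__(self, policy=DEDUP_POLICY):
        self.policy = policy
        self.records = {}  # dedup key -> record for the current window

    def ingest(self, event):
        """Return (record, is_new). Only new records should be passed on to
        correlation; duplicates inside the window just bump the count."""
        key_fn, window = self.policy[event["source_type"]]
        key = (event["source_type"],) + key_fn(event)
        ts = event["timestamp"]
        rec = self.records.get(key)
        if rec is not None and ts < rec["window_end"]:
            rec["count"] += 1
            rec["last_seen"] = ts
            return rec, False
        rec = {"key": key, "first_event": event, "count": 1,
               "first_seen": ts, "last_seen": ts, "window_end": ts + window}
        self.records[key] = rec
        return rec, True


def run_demo():
    base = datetime(2026, 2, 24, 14, 37, tzinfo=timezone.utc)

    def syslog(offset_s, message="kernel: nf_conntrack: table full, dropping packet"):
        # Constructed syslog event from one firewall host.
        return {"source_type": "syslog", "hostname": "fw-edge-01", "facility": "kern",
                "severity": "critical", "message": message,
                "timestamp": base + timedelta(seconds=offset_s)}

    def trap(offset_s):
        # Constructed linkDown trap from one device.
        return {"source_type": "snmp_trap", "source_ip": "10.0.0.7",
                "oid": "1.3.6.1.6.3.1.1.5.3", "timestamp": base + timedelta(seconds=offset_s)}

    stream = [
        syslog(0), syslog(5),
        syslog(10, message="sshd: Accepted publickey for deploy"),  # different message hash
        syslog(30), syslog(90), syslog(119),     # still inside the 2-minute window
        syslog(180),                              # window expired: new record
        trap(0), trap(60),
    ]
    dedup = Deduplicator()
    new_records = []
    for event in stream:
        rec, is_new = dedup.ingest(event)
        if is_new:
            new_records.append(rec)
    return new_records


if __name__ == "__main__":
    for rec in run_demo():
        print(rec["key"], "count =", rec["count"])
```

Nine incoming events become four records: the conntrack message collapses to one record with a count of 5 until its 2-minute window expires, the sshd line keys separately because its message hash differs, and the two linkDown traps from the same device and OID merge under the 5-minute SNMP window.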

// API REFERENCE

INGEST EVENT

POST /api/v1/events
Content-Type: application/json
X-API-Key: your_api_key

{
  "source": "my-application",
  "hostname": "app-prod-01",
  "severity": "critical",
  "event_type": "application_error",
  "message": "Database connection pool exhausted",
  "tags": { "environment": "production", "team": "backend" },
  "timestamp": "2026-02-24T14:37:00Z"
}

QUERY EVENTS

GET /api/v1/events?severity=critical&from=2026-02-24T00:00:00Z&limit=100
Authorization: Bearer your_api_key

# Response
{
  "total": 47,
  "events": [
    {
      "id": "evt_abc123",
      "source": "syslog",
      "hostname": "db-prod-01",
      "severity": "critical",
      "message": "...",
      "correlated_incident": "INC-0041",
      "received_at": "2026-02-24T14:37:02Z"
    }
  ]
}

// EVENT SCHEMA

Field        | Type      | Required | Description
-------------|-----------|----------|-------------------------------------------
source       | string    | YES      | Originating system or application name
hostname     | string    | YES      | Host that generated the event
severity     | enum      | YES      | critical / warning / info / debug
message      | string    | YES      | Human-readable event description
event_type   | string    | NO       | Structured event category for correlation
timestamp    | ISO 8601  | NO       | Defaults to ingest time if omitted
tags         | object    | NO       | Key-value metadata for filtering
raw_payload  | string    | NO       | Original message for audit purposes
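As an added Python example (not Flux Event's client or server code), the validator below checks an ingest payload against the schema table and then builds the POST /api/v1/events request from the API reference, with the X-API-Key header. Required fields, the severity enum, field types and the ingest-time default for a missing timestamp are taken from the page; rejecting unknown fields is a strictness choice of this example, not documented Flux Event behaviour, and the base URL and api key are constructed placeholders.

```python
# Added example, not Flux Event's own code. Validates an ingest payload against
# the event schema above and builds the POST /api/v1/events request from the
# API reference. Rejecting unknown fields is an assumption of this example.
import json
from datetime import datetime, timezone
from urllib.request import Request

SEVERITIES = ("critical", "warning", "info", "debug")
REQUIRED = ("source", "hostname", "severity", "message")
OPTIONAL = {"event_type": str, "timestamp": str, "tags": dict, "raw_payload": str}


def validate_event(payload, now=None):
    """Return a normalized copy of payload or raise ValueError listing every problem.

    A missing timestamp defaults to the ingest time (now, or the current UTC time).
    """
    if not isinstance(payload, dict):
        raise ValueError("payload must be a JSON object")
    errors = []
    for field in REQUIRED:
        value = payload.get(field)
        if not isinstance(value, str) or not value.strip():
            errors.append(f"{field}: required non-empty string")
    if isinstance(payload.get("severity"), str) and payload["severity"] not in SEVERITIES:
        errors.append(f"severity: must be one of {'/'.join(SEVERITIES)}")
    for field, typ in OPTIONAL.items():
        if field in payload and not isinstance(payload[field], typ):
            errors.append(f"{field}: expected {typ.__name__}")
    unknown = set(payload) - set(REQUIRED) - set(OPTIONAL)
    if unknown:
        errors.append(f"unknown fields: {sorted(unknown)}")

    parsed = None
    ts = payload.get("timestamp")
    if isinstance(ts, str):
        try:
            parsed = datetime.fromisoformat(ts.replace("Z", "+00:00"))
            if parsed.tzinfo is None:
                errors.append("timestamp: must include a timezone offset")
        except ValueError:
            errors.append("timestamp: not ISO 8601")
    elif ts is None:
        parsed = now or datetime.now(timezone.utc)

    if errors:
        raise ValueError("; ".join(errors))
    event = dict(payload)
    event["timestamp"] = parsed.astimezone(timezone.utc).isoformat().replace("+00:00", "Z")
    return event


def build_ingest_request(payload, api_key, base_url="http://flux-event-host:8083"):
    """Validate, then build the POST request (sending it via urlopen is up to the caller)."""
    body = json.dumps(validate_event(payload)).encode("utf-8")
    return Request(f"{base_url}/api/v1/events", data=body, method="POST",
                   headers={"Content-Type": "application/json", "X-API-Key": api_key})


def run_demo():
    # The payload from the API reference above.
    good = {
        "source": "my-application", "hostname": "app-prod-01", "severity": "critical",
        "event_type": "application_error", "message": "Database connection pool exhausted",
        "tags": {"environment": "production", "team": "backend"},
        "timestamp": "2026-02-24T14:37:00Z",
    }
    # Constructed bad payload: missing hostname, bad severity, tags not an object,
    # unparseable timestamp.
    bad = {"source": "my-application", "severity": "fatal", "message": "x",
           "timestamp": "yesterday", "tags": "prod"}
    # Constructed minimal payload without a timestamp, validated at a fixed "now".
    minimal = {"source": "cron", "hostname": "batch-01", "severity": "info", "message": "job done"}
    fixed_now = datetime(2026, 2, 24, 15, 0, tzinfo=timezone.utc)

    normalized = validate_event(good)
    try:
        validate_event(bad)
        problems = ""
    except ValueError as exc:
        problems = str(exc)
    defaulted = validate_event(minimal, now=fixed_now)
    return normalized, problems, defaulted["timestamp"]


if __name__ == "__main__":
    normalized, problems, default_ts = run_demo()
    print(json.dumps(normalized, indent=2))
    print("rejected:", problems)
    print("defaulted timestamp:", default_ts)
```

Collecting every problem before raising means a client gets one response listing all schema violations instead of fixing them one round-trip at a time; the timezone check matters because a naive timestamp would be placed in whatever zone the ingest host runs in, which skews correlation windows.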