Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

20210302 events queues stores #186

Merged
merged 21 commits into from
Mar 7, 2021
Merged

20210302 events queues stores #186

merged 21 commits into from
Mar 7, 2021

Conversation

np5
Copy link
Member

@np5 np5 commented Mar 7, 2021

Update the event pipeline.

  • Better AWS SNS/SQS queues with multiple SNS publisher threads, and support for batch consumers
  • Add bulk_store method on the Elasticsearch store to speed up the indexing of the events
  • Change the machine and probe events store API to increase the compatibility with the stores. For example, the pagination of events does not make really sense, especially going back to the previous page of more recent events.
  • More granular use of the different store capabilities. Some stores do not implement some interfaces, and it is reflected in the UI. Zentral can now run with a principal store only offering links to its own UI for example.
  • BREAKING CHANGE The probes matching an event are now serialized in that event. This way, the probe events can be fetched from the stores, even if the filtering done in the probes cannot be reproduced in the search queries (no full text and full object indexing). The events are simply fetched using the probe ID. But that also means that inactive probes cannot be used anymore to look at the past events, because those events in the stores do not contain a reference to these probes. The probe events view will only show events that were a match when the probe was active.
  • The machine event metadata is serialized during the event enrichment. The process and store pipeline steps can now run without querying the database.

np5 added 21 commits March 7, 2021 10:37
@np5
AWS SNS/SQS queues update
6e0bd44 
Better logging
Multiple SNS send thread in EnrichWorker
Better event acknowledging in ConsumerProducer
@np5
Add ES bulk_store method
545eb26 
Also, avoid serializing and deserializing event. The machine metadata
should already be in the received serialized event.
@np5
Add AWS/SNS/SQS BatchConsumer
a8dfc2a 
Use it with compatible stores
@np5
Better error handling in AWS SNS/SQS workers
8af7f06 
Also: use exit status if available in the run_worker management command.
@np5
Refactor event stores
b5dd57e 
Do not paginate, but fetch more events
@np5
Serialize machine metadata in enrich worker
cf8a16d
@np5
Add machine events url
aaab0f1
@np5
Add elasticsearch machine events URL
d820e1f
@np5
Update Splunk event store
776a1c5
@np5
Support stores with only link to machine events
acf1229
@np5
Add multiple store links to machine events view
998b65a
@np5
Remove postgresql event store
bb769bf 
It was never really good…
@np5
Fix event stores tests
44cf0a1
@np5
Add Source & Service to datadog event filter
29ec536
@np5
Remove legacy extra_probe_checks method
b28474c
@np5
Add probes to event metadata at enrichment
1be0e09 
The matching probes are added during the event enrichment. They are
serialized, and used during the event processing. They can be also
stored.
@np5
Avoid error when unknown probe event type
bd2b7dc
@np5
Refactor probe events
f4d71e1 
Use the serialized probe information to fetch the probe events
Replace pagination with "search after" continuation
Add time range and event type filters
Add links to event stores
Make probe dashboard and probe events optional
@np5
Probe events with datadog
70a4c7a
@np5
Add Splunk probe events URL
36a241c
@np5
Temporary fix the Osquery tests
3280a29
@np5 np5 merged commit 3280a29 into main Mar 7, 2021
@np5
Copy link
Member Author

np5 commented Mar 7, 2021
edited
Loading

WARNING the new code used to only remove an event from a SQS queue if the generated events have been successfully published is maybe too much, and needs to be tested at scale. It could be removed, if loosing some events in case a SQS queue or SNS topic is unavailable is acceptable.

@np5 np5 deleted the 20210302-events-queues-stores branch March 7, 2021 10:06
This pull request was closed.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@np5