Page Comparison

Table of Contents

minLevel	2
maxLevel	2
type	flat

Overview

Radware's Cloud WAF Service is a web application firewall that provides continuous adaptive web application security protection and full coverage.

Devo collector features

Feature	Details
Allow parallel downloading (`multipod`)	`not allowed`
Running environments	`collector server` `on-premise`
Populated Devo events	`table`
Flattening preprocessing	`no`
Allowed source events obfuscation	`yes`
Requires IP whitelisting	`yes`

Data sources

Data source	Description	API endpoint	Collector service name	Devo table	Available from release
Get User Activity Log List	Customers can monitor changes in their Cloud WAF applications using the Activity log. Any change in the configuration is logged in the Activity Log, including the time and the user that performed the change.	`v1/userActivityLogs/reports/`	`user_activity`	`waf.radware.api.user_activity`	v1.0.0
Get Security Events List	Security events are the events reported by WAF when an attack is detected. This allows user visibility to the protected traffic, refinement of false positives, and detailed explanations of security attacks.	`mgmt/monitor/reporter/reports-ext/APPWALL_REPORTS`	`security_events`	`waf.radware.api.security_event`	v1.0.0

For more information on how the events are parsed, visit our page.

Flattening preprocessing

Data source	Collector service	Optional	Flattening details
Get User Activity Log List	`user_activity`	yes	not required
Get Security Events List	`security_events`	yes	not required

Minimum configuration required for basic pulling

Although this collector supports advanced configuration, the fields required to retrieve data with basic configuration are defined below.

Info
This minimum configuration refers exclusively to those specific parameters of this integration. There are more required parameters related to the generic behavior of the collector. Check setting sections for details.

Setting	Details
username	The username for the Radware API. To find out how to get it, see the Vendor Setup guide.
password	The password for the Radware API. To find out how to get it, see the Vendor Setup guide.

Info
See the Accepted authentication methods section to verify what settings are required based on the desired authentication method.

Accepted authentication methods

Authentication method

username

password

token

Status

colour	Green
title	REQUIRED

Status

colour	Green
title	REQUIRED

Run the collector

Once the data source is configured, you can either send us the required information if you want us to host and manage the collector for you (Cloud collector), or deploy and host the collector in your own machine using a Docker image (On-premise collector).

Rw ui tabs macro

Rw tab

title	Cloud collector

We use a piece of software called Collector Server to host and manage all our available collectors.

To enable the collector for a customer:

In the Collector Server GUI, access the domain in which you want this instance to be created
Click Add Collector and find the one you wish to add.
In the Version field, select the latest value.
In the Collector Name field, set the value you prefer (this name must be unique inside the same Collector Server domain).
In the sending method select Direct Send. Direct Send configuration is optional for collectors that create Table events, but mandatory for those that create Lookups.
In the Parameters section, establish the Collector Parameters as follows below:

Editing the JSON configuration

Code Block

{
  "global_overrides": {
    "debug": <debug_status>
  },
  "inputs": {
    "radware_input": {
      "id": "<short_unique_id>",
      "enabled": true,
      “environment”: “<environment_value>”,
      "credentials": {
        "username": "<username_value>",
        "password": "<password_value>",
      },
      "services": {
        "user_activity": {
          "request_period_in_seconds": "<opt_request_period_in_seconds_value>",
          "override_tag": "<opt_override_tag_value>",
          "start_time_in_utc": "<opt_start_time_in_utc_value>"
        },
        "security_events": {
          "request_period_in_seconds": "<opt_request_period_in_seconds_value>",
          "override_tag": "<opt_override_tag_value>",
          "start_time_in_utc": "<opt_start_time_in_utc_value>"
        }
      }
    }
  }
}

Replace the placeholders with your required values following the description table below:

Parameter	Data type	Type	Value range / Format	Details
`<short_unique_id>`	`int`	Mandatory	Minimum Length 5	Use this param to give a unique id to this input service. This parameter is used to build the persistence address, do not use the same value for multiple collectors. It could cause a collision.
`<input_status>`	`bool`	Mandatory	false / true	Use this param to enable or disable the given input logic when running the collector. If the value is true, the input will be run. If the value is false, it will be ignored.
`<override_tag_value>`	`str`	Optional	Devo tag-friendly string (no special characters, spaces, etc.) For more information see Devo Tags.	An optional tag that allows users to override the service default tags.
`<username>`	`str`	Mandatory	Minimum Length 1	The username for the Radware API. To find out how to get it, see the Vendor Setup guide.
`<password>`	`str`	Mandatory	Minimum Length 1	The password for the Radware API. To find out how to get it, see the Vendor Setup guide.
`<environment_value>`	`str`	Optional	Minimum Length 1	This is an optional control parameter that is injected into the events and allows to differentiate the
`<start_time_in_utc_value>`	`str`	Optional	UTC datetime string having datetime string format %Y-%m-%dT%H:%M:%SZ (e.g., “2023-07-11T01:23:01Z”)	This configuration allows you to set a custom date as the beginning of the period to download. This allows downloading historical data (one month back for example) before downloading new events.
`<request_period_in_seconds_value>`	`str`	Optional	Minimum Length 1	Period in seconds used between each data pulling. This value will overwrite the default value (60 seconds).

Rw tab

title	On-premise collector

This data collector can be run in any machine that has the Docker service available because it should be executed as a docker container. The following sections explain how to prepare all the required setup for having the data collector running.

Structure

The following directory structure should be created for being used when running the collector:

Code Block

<any_directory>
└── devo-collectors/
    └── <product_name>/
        ├── certs/
        │   ├── chain.crt
        │   ├── <your_domain>.key
        │   └── <your_domain>.crt
        ├── state/
        └── config/ 
            └── config.yaml

Note
Replace `<product_name>` with the proper value.

Devo credentials

In Devo, go to Administration → Credentials → X.509 Certificates, download the Certificate, Private key and Chain CA and save them in <product_name>/certs/. Learn more about security credentials in Devo here.

Note
Replace `<product_name>` with the proper value.

Editing the config.yaml file

Code Block

globals:
  debug: false
  id: not_used
  name: radware_cwaf_collector
  persistence:
    type: filesystem
    config:
      directory_name: state

outputs:
  devo_1:
    type: devo_platform
    config:
      address: collector-us.devo.io
      port: 443
      type: SSL
      chain: chain.crt
      cert: <devo_domain>.crt
      key: <devo_domain>.key

  console_1:
    type: console

inputs:
  radware_input:
    id: <short_unique_id>
    enabled: true
    credentials:
      username: <username_value>
      password: <password_value>
    environment: <environment_value>
    services:
      user_activity:
        request_period_in_seconds: <opt_request_period_in_seconds_value>
        override_tag: <opt_override_tag_value>
        start_time_in_utc: <opt_start_time_in_utc_value>

      security_events:
        request_period_in_seconds: <opt_request_period_in_seconds_value>
        override_tag: <opt_override_tag_value>
        start_time_in_utc: <opt_start_time_in_utc_value>

Info
All defined service entities will be executed by the collector. If you do not want to run any of them, just remove the entity from the `services` object.

Replace the placeholders with your required values following the description table below:

Parameter	Data type	Type	Value range / Format	Details
`<short_unique_id>`	`int`	Mandatory	Minimum Length 5	Use this param to give a unique id to this input service. This parameter is used to build the persistence address, do not use the same value for multiple collectors. It could cause a collision.
`<input_status>`	`bool`	Mandatory	false / true	Use this param to enable or disable the given input logic when running the collector. If the value is true, the input will be run. If the value is false, it will be ignored.
`<override_tag_value>`	`str`	Optional	Devo tag-friendly string (no special characters, spaces, etc.) For more information see Devo Tags.	An optional tag that allows users to override the service default tags.
`<username>`	`str`	Mandatory	Minimum Length 1	The username for the Radware API. To find out how to get it, see the Vendor Setup guide.
`<password>`	`str`	Mandatory	Minimum Length 1	The password for the Radware API. To find out how to get it, see the Vendor Setup guide.
`<environment_value>`	`str`	Optional	Minimum Length 1	This is an optional control parameter that is injected into the events and allows to differentiate the
`<start_time_in_utc_value>`	`str`	Optional	UTC datetime string having datetime string format %Y-%m-%dT%H:%M:%SZ (e.g., “2023-07-11T01:23:01Z”)	This configuration allows you to set a custom date as the beginning of the period to download. This allows downloading historical data (one month back for example) before downloading new events.
`<request_period_in_seconds_value>`	`str`	Optional	Minimum Length 1	Period in seconds used between each data pulling. This value will overwrite the default value (60 seconds).

Download the Docker image

The collector should be deployed as a Docker container. Download the Docker image of the collector as a .tgz file by clicking the link in the following table:

Collector Docker image	SHA-256 hash
collector-radware_cwaf_if-docker-image-1.0.0	`e120c1b65a606ac962c44f880bfd52261b454c8f144dc90ceb3d594e381c7625`

Use the following command to add the Docker image to the system:

Code Block
gunzip -c <image_file>-<version>.tgz \| docker load

Note
Once the Docker image is imported, it will show the real name of the Docker image (including version info). Replace `<image_file>` and `<version>` with a proper value.

The Docker image can be deployed on the following services:

Docker

Execute the following command on the root directory <any_directory>/devo-collectors/<product_name>/

Code Block

docker run 
--name collector-<product_name> 
--volume $PWD/certs:/devo-collector/certs 
--volume $PWD/config:/devo-collector/config 
--volume $PWD/state:/devo-collector/state 
--env CONFIG_FILE=config.yaml 
--rm 
--interactive 
--tty 
<image_name>:<version>

Note
Replace `<product_name>`, `<image_name>` and `<version>` with the proper values.

Docker Compose

The following Docker Compose file can be used to execute the Docker container. It must be created in the <any_directory>/devo-collectors/<product_name>/ directory.

Code Block

version: '3'
services:
  collector-<product_name>:
    image: <image_name>:${IMAGE_VERSION:-latest}
    container_name: collector-<product_name>
    volumes:
      - ./certs:/devo-collector/certs
      - ./config:/devo-collector/config
      - ./credentials:/devo-collector/credentials
      - ./state:/devo-collector/state
    environment:
      - CONFIG_FILE=${CONFIG_FILE:-config.yaml}

To run the container using docker-compose, execute the following command from the <any_directory>/devo-collectors/<product_name>/ directory:

Code Block
IMAGE_VERSION=<version> docker-compose up -d

Note
Replace `<product_name>`, `<image_name>` and `<version>` with the proper values.

Collector services detail

This section is intended to explain how to proceed with specific actions for services.

Expand

title	User activity

Internal process and deduplication method

Data is collected by setting a start date and by pagination. To eliminate duplicates, the date of the last event sent to Devo and the ids of events with the same date are stored.

Devo categorization and destination

All events of this service are ingested into the table waf.radware.api.user_activity. This service has the following components:

Component	Description
Setup	The setup module is in charge of authenticating the service and managing the token expiration when needed.
Puller	The setup module is in charge of pulling the data in a organized way and delivering the events via SDK.

Setup output

A successful run has the following output messages for the setup module:

Code Block

INFO InputProcess::MainThread -> RadwarePullerSetup(radware_cwaf_collector,radware_input#12345,user_activity#predefined) -> Starting thread
INFO InputProcess::MainThread -> RadwarePuller(radware_input,12345,user_activity,predefined) - Starting thread
WARNING InputProcess::RadwarePullerSetup(radware_cwaf_collector,radware_input#12345,user_activity#predefined) -> The token/header/authentication has not been created yet
INFO InputProcess::RadwarePullerSetup(radware_cwaf_collector,radware_input#12345,user_activity#predefined) -> Setup for module <RadwarePuller> has been successfully executed

Puller output

A successful initial run has the following output messages for the puller module:

Info
Note that the `PrePull` action is executed only one time before the first run of the `Pull` action.

Code Block

INFO InputProcess::RadwarePuller(radware_input,12345,user_activity,predefined) -> RadwarePuller(radware_input,12345,user_activity,predefined) Starting the execution of pre_pull()
INFO InputProcess::RadwarePuller(radware_input,12345,user_activity,predefined) -> Reading persisted data
INFO InputProcess::RadwarePuller(radware_input,12345,user_activity,predefined) -> Data retrieved from the persistence: None
WARNING InputProcess::RadwarePuller(radware_input,12345,user_activity,predefined) -> start_time_in_utc has not been found in the configuration, the start date will be: 2023-09-26 08:01:50.653070+00:00
WARNING InputProcess::RadwarePuller(radware_input,12345,user_activity,predefined) -> Persistence will be overridden due to the retrieved state is empty
INFO InputProcess::RadwarePuller(radware_input,12345,user_activity,predefined) -> Running the persistence upgrade steps
INFO InputProcess::RadwarePuller(radware_input,12345,user_activity,predefined) -> Running the persistence corrections steps
INFO InputProcess::RadwarePuller(radware_input,12345,user_activity,predefined) -> Running the persistence corrections steps
WARNING InputProcess::RadwarePuller(radware_input,12345,user_activity,predefined) -> Some changes have been detected and the persistence needs to be updated. Previous content: None. New content: {'@persistence_version': 1, 'start_time_epoch': 1695715310653, 'last_event_time_epoch': 1695715310653, 'last_ids': []}
INFO InputProcess::RadwarePuller(radware_input,12345,user_activity,predefined) -> Updating the persistence
WARNING InputProcess::RadwarePuller(radware_input,12345,user_activity,predefined) -> Persistence has been updated successfully
INFO InputProcess::RadwarePuller(radware_input,12345,user_activity,predefined) -> RadwarePuller(radware_input,12345,user_activity,predefined) Finalizing the execution of pre_pull()
INFO InputProcess::RadwarePuller(radware_input,12345,user_activity,predefined) -> Starting data collection every 60 seconds
INFO InputProcess::RadwarePuller(radware_input,12345,user_activity,predefined) -> Pull Started
INFO InputProcess::RadwarePuller(radware_input,12345,user_activity,predefined) -> Ingesting events from 2023-09-26 08:01:50.653000+00:00 to 2023-09-26 08:02:50.653070+00:00
INFO InputProcess::RadwarePuller(radware_input,12345,user_activity,predefined) -> Page 0 of 1: Delivered 2 events
INFO InputProcess::RadwarePuller(radware_input,12345,user_activity,predefined) -> (Partial) Statistics for this pull cycle (@devo_pulling_id=1695715370653):Number of requests made: 1; Number of events received: 2; Number of duplicated events filtered out: 0; Number of events generated and sent: 2; Average of events per second: 0.580.
INFO InputProcess::RadwarePuller(radware_input,12345,user_activity,predefined) -> Statistics for this pull cycle (@devo_pulling_id=1695715370653):Number of requests made: 1; Number of events received: 2; Number of duplicated events filtered out: 0; Number of events generated and sent: 2; Average of events per second: 0.580.
INFO InputProcess::RadwarePuller(radware_input,12345,user_activity,predefined) -> The data is up to date!
INFO InputProcess::RadwarePuller(radware_input,12345,user_activity,predefined) -> Data collection completed. Elapsed time: 3.465 seconds. Waiting for 56.535 second(s) until the next one

After a successful collector’s execution (that is, no error logs found), you will see the following log message:

Code Block

INFO InputProcess::RadwarePuller(radware_input,12345,user_activity,predefined) -> Statistics for this pull cycle (@devo_pulling_id=1695715370653):Number of requests made: 1; Number of events received: 2; Number of duplicated events filtered out: 0; Number of events generated and sent: 2; Average of events per second: 0.580.

Restart the persistence

This collector uses persistent storage to download events in an orderly fashion and avoid duplicates. In case you want to re-ingest historical data or recreate the persistence, you can restart the persistence of this collector by following these steps:

Edit the configuration file.
Change the value of the initial_start_time_in_utc_value parameter to a different one.
Save the changes.
Restart the collector.

The collector will detect this change and will restart the persistence using the parameters of the configuration file or the default configuration in case it has not been provided.

Note
Note that this action clears the persistence and cannot be recovered in any way. Resetting persistence could result in duplicate or lost events.

Troubleshooting

This collector has different security layers that detect both an invalid configuration and abnormal operation. This table will help you detect and resolve the most common errors.

Error type	Error ID	Error message	Cause	Solution
`InitVariablesError`	1	`initial_start_time_in_utc` is not set as per the datetime_format : `{datetime_format}`	The date in config is not as per required format	Ensure the date format is correct.
`ApiError`	400	HTTP ERROR 400: Bad request: The server could not understand the request.	The API request is malformed.	Contact the Devo team
`ApiError`	401	HTTP ERROR 401: Unauthorized: Authentication is required and has failed or has not been provided.	The user is not authorized to access the requested service.	Check the permissions and that the credentials are not expired.
`ApiError`	402	HTTP ERROR 500: Server Error: An error occurred on the server.	Unknown server error.	Check that the internet connection works correctly and contact the company that manages the server on which the events are hosted.
`ApiError`	403	Request Error: Received status code `{status_code}`	Unknown API error	Contact the Devo team.
`ApiError`	404	HTTP ERROR 429: Too Many Requests: The user has sent too many requests in a given amount of time.	Too many requests have been sent to the resource.	Check:- That there is only one POD running.- That there are no more computers using the same credentials, Wait several minutes before restarting the collector. If nothing works, contact the Devo team.

Expand

title	Security event

Internal process and deduplication method

Data is collected by setting a start date and by pagination. To eliminate duplicates, the date of the last event sent to Devo and the ids of events with the same date are stored.

Devo categorization and destination

All events of this service are ingested into the table waf.radware.api.security_event. This service has the following components:

Component	Description
Setup	The setup module is in charge of authenticating the service and managing the token expiration when needed.
Puller	The setup module is in charge of pulling the data in a organized way and delivering the events via SDK.

Setup output

A successful run has the following output messages for the setup module:

Code Block

INFO InputProcess::MainThread -> RadwarePullerSetup(radware_cwaf_collector,radware_input#12345,user_activity#predefined) -> Starting thread
INFO InputProcess::MainThread -> RadwarePuller(radware_input,12345,user_activity,predefined) - Starting thread
WARNING InputProcess::RadwarePullerSetup(radware_cwaf_collector,radware_input#12345,user_activity#predefined) -> The token/header/authentication has not been created yet
INFO InputProcess::RadwarePullerSetup(radware_cwaf_collector,radware_input#12345,user_activity#predefined) -> Setup for module <RadwarePuller> has been successfully executed

Puller output

A successful initial run has the following output messages for the puller module:

Info
Note that the `PrePull` action is executed only one time before the first run of the `Pull` action.

Code Block

INFO InputProcess::RadwarePuller(radware_input,12345,security_events,predefined) -> RadwarePuller(radware_input,12345,security_events,predefined) Starting the execution of pre_pull()
INFO InputProcess::RadwarePuller(radware_input,12345,security_events,predefined) -> Reading persisted data
INFO InputProcess::RadwarePuller(radware_input,12345,security_events,predefined) -> Data retrieved from the persistence: None
WARNING InputProcess::RadwarePuller(radware_input,12345,security_events,predefined) -> start_time_in_utc has not been found in the configuration, the start date will be: 2023-09-26 08:17:08.788699+00:00
WARNING InputProcess::RadwarePuller(radware_input,12345,security_events,predefined) -> Persistence will be overridden due to the retrieved state is empty
INFO InputProcess::RadwarePuller(radware_input,12345,security_events,predefined) -> Running the persistence upgrade steps
INFO InputProcess::RadwarePuller(radware_input,12345,security_events,predefined) -> Running the persistence corrections steps
INFO InputProcess::RadwarePuller(radware_input,12345,security_events,predefined) -> Running the persistence corrections steps
WARNING InputProcess::RadwarePuller(radware_input,12345,security_events,predefined) -> Some changes have been detected and the persistence needs to be updated. Previous content: None. New content: {'@persistence_version': 1, 'start_time_epoch': 1695716228788, 'last_event_time_epoch': 1695716228788, 'last_ids': []}
INFO InputProcess::RadwarePuller(radware_input,12345,security_events,predefined) -> Updating the persistence
WARNING InputProcess::RadwarePuller(radware_input,12345,security_events,predefined) -> Persistence has been updated successfully
INFO InputProcess::RadwarePuller(radware_input,12345,security_events,predefined) -> RadwarePuller(radware_input,12345,security_events,predefined) Finalizing the execution of pre_pull()
INFO InputProcess::RadwarePuller(radware_input,12345,security_events,predefined) -> Starting data collection every 60 seconds
INFO InputProcess::RadwarePuller(radware_input,12345,security_events,predefined) -> Pull Started
INFO InputProcess::RadwarePuller(radware_input,12345,security_events,predefined) -> Ingesting events from 2023-09-26 08:17:08.788000+00:00 to 2023-09-26 08:18:08.788699+00:00
INFO InputProcess::RadwarePuller(radware_input,12345,security_events,predefined) -> Page 0 of 1: Delivered 4 events
INFO InputProcess::RadwarePuller(radware_input,12345,security_events,predefined) -> (Partial) Statistics for this pull cycle (@devo_pulling_id=1695716288788):Number of requests made: 1; Number of events received: 4; Number of duplicated events filtered out: 0; Number of events generated and sent: 4; Average of events per second: 2.440.
INFO InputProcess::RadwarePuller(radware_input,12345,security_events,predefined) -> Statistics for this pull cycle (@devo_pulling_id=1695716288788):Number of requests made: 1; Number of events received: 4; Number of duplicated events filtered out: 0; Number of events generated and sent: 4; Average of events per second: 2.439.
INFO InputProcess::RadwarePuller(radware_input,12345,security_events,predefined) -> The data is up to date!

After a successful collector’s execution (that is, no error logs found), you will see the following log message:

Code Block

INFO InputProcess::RadwarePuller(radware_input,12345,security_events,predefined) -> Statistics for this pull cycle (@devo_pulling_id=1695716288788):Number of requests made: 1; Number of events received: 4; Number of duplicated events filtered out: 0; Number of events generated and sent: 4; Average of events per second: 2.439.

Restart the persistence

This collector uses persistent storage to download events in an orderly fashion and avoid duplicates. In case you want to re-ingest historical data or recreate the persistence, you can restart the persistence of this collector by following these steps:

Edit the configuration file.
Change the value of the initial_start_time_in_utc_value parameter to a different one.
Save the changes.
Restart the collector.

The collector will detect this change and will restart the persistence using the parameters of the configuration file or the default configuration in case it has not been provided.

Note
Note that this action clears the persistence and cannot be recovered in any way. Resetting persistence could result in duplicate or lost events.

Troubleshooting

This collector has different security layers that detect both an invalid configuration and abnormal operation. This table will help you detect and resolve the most common errors.

Error type	Error ID	Error message	Cause	Solution
`InitVariablesError`	1	`initial_start_time_in_utc` is not set as per the datetime_format : `{datetime_format}`	The date in config is not as per required format	Ensure the date format is correct.
`ApiError`	400	HTTP ERROR 400: Bad request: The server could not understand the request.	The API request is malformed.	Contact the Devo team
`ApiError`	401	HTTP ERROR 401: Unauthorized: Authentication is required and has failed or has not been provided.	The user is not authorized to access the requested service.	Check the permissions and that the credentials are not expired.
`ApiError`	402	HTTP ERROR 500: Server Error: An error occurred on the server.	Unknown server error.	Check that the internet connection works correctly and contact the company that manages the server on which the events are hosted.
`ApiError`	403	Request Error: Received status code `{status_code}`	Unknown API error	Contact the Devo team.
`ApiError`	404	HTTP ERROR 429: Too Many Requests: The user has sent too many requests in a given amount of time.	Too many requests have been sent to the resource.	Check:- That there is only one POD running.- That there are no more computers using the same credentials, Wait several minutes before restarting the collector. If nothing works, contact the Devo team.

Collector operations

This section is intended to explain how to proceed with specific operations of this collector.

Expand

title	Verify collector operations

Initialization

The initialization module is in charge of setup and running the input (pulling logic) and output (delivering logic) services and validating the given configuration.

A successful run has the following output messages for the initializer module:

Code Block

2023-01-10T15:22:57.146    INFO MainProcess::MainThread -> Loading configuration using the following files: {"full_config": "config.yaml", "job_config_loc": null, "collector_config_loc": null}
2023-01-10T15:22:57.146    INFO MainProcess::MainThread -> Using the default location for "job_config_loc" file: "/etc/devo/job/job_config.json"
2023-01-10T15:22:57.147    INFO MainProcess::MainThread -> "\etc\devo\job" does not exists
2023-01-10T15:22:57.147    INFO MainProcess::MainThread -> Using the default location for "collector_config_loc" file: "/etc/devo/collector/collector_config.json"
2023-01-10T15:22:57.148    INFO MainProcess::MainThread -> "\etc\devo\collector" does not exists
2023-01-10T15:22:57.148    INFO MainProcess::MainThread -> Results of validation of config files parameters: {"config": "config.yaml", "config_validated": True, "job_config_loc": "/etc/devo/job/job_config.json", "job_config_loc_default": True, "job_config_loc_validated": False, "collector_config_loc": "/etc/devo/collector/collector_config.json", "collector_config_loc_default": True, "collector_config_loc_validated": False}
2023-01-10T15:22:57.171 WARNING MainProcess::MainThread -> [WARNING] Illegal global setting has been ignored -> multiprocessing: False

Events delivery and Devo ingestion

The event delivery module is in charge of receiving the events from the internal queues where all events are injected by the pullers and delivering them using the selected compatible delivery method.

A successful run has the following output messages for the initializer module:

Code Block

2023-01-10T15:23:00.788    INFO OutputProcess::MainThread -> DevoSender(standard_senders,devo_sender_0) -> Starting thread
2023-01-10T15:23:00.789    INFO OutputProcess::MainThread -> DevoSenderManagerMonitor(standard_senders,devo_1) -> Starting thread (every 300 seconds)
2023-01-10T15:23:00.790    INFO OutputProcess::MainThread -> DevoSenderManager(standard_senders,manager,devo_1) -> Starting thread
2023-01-10T15:23:00.842    INFO OutputProcess::MainThread -> global_status: {"output_process": {"process_id": 18804, "process_status": "running", "thread_counter": 21, "thread_names": ["MainThread", "pydevd.Writer", "pydevd.Reader", "pydevd.CommandThread", "pydevd.CheckAliveThread", "DevoSender(standard_senders,devo_sender_0)", "DevoSenderManagerMonitor(standard_senders,devo_1)", "DevoSenderManager(standard_senders,manager,devo_1)", "OutputStandardConsumer(standard_senders_consumer_0)",

Info
By default, these information traces will be displayed every 10 minutes.

Sender services

The Integrations Factory Collector SDK has 3 different senders services depending on the event type to delivery (internal, standard, and lookup). This collector uses the following Sender Services:

Sender services	Description
`internal_senders`	In charge of delivering internal metrics to Devo such as logging traces or metrics.
`standard_senders`	In charge of delivering pulled events to Devo.

Sender statistics

Each service displays its own performance statistics that allow checking how many events have been delivered to Devo by type:

Logging trace

Description

Number of available senders: 1

Displays the number of concurrent senders available for the given Sender Service.

sender manager internal queue size: 0

Displays the items available in the internal sender queue.

Info
This value helps detect bottlenecks and needs to increase the performance of data delivery to Devo. This last can be made by increasing the concurrent senders.

Total number of messages sent: 44, messages sent since "2023-01-10 16:09:16.116750+00:00": 21 (elapsed 0.000 seconds)

Displayes the number of events from the last time and following the given example, the following conclusions can be obtained:

44 events were sent to Devo since the collector started.
The last checkpoint timestamp was 2023-01-10 16:09:16.116750+00:00.
21 events where sent to Devo between the last UTC checkpoint and now.
Those 21 events required 0.000 seconds to be delivered.

Expand

title	Check memory usage

To check the memory usage of this collector, look for the following log records in the collector which are displayed every 5 minutes by default, always after running the memory-free process.

The used memory is displayed by running processes and the sum of both values will give the total used memory for the collector.
The global pressure of the available memory is displayed in the global value.
All metrics (Global, RSS, VMS) include the value before freeing and after previous -> after freeing memory

Code Block

INFO InputProcess::MainThread -> [GC] global: 20.4% -> 20.4%, process: RSS(34.50MiB -> 34.08MiB), VMS(410.52MiB -> 410.02MiB)
INFO OutputProcess::MainThread -> [GC] global: 20.4% -> 20.4%, process: RSS(28.41MiB -> 28.41MiB), VMS(705.28MiB -> 705.28MiB)

Info

Differences between RSS and VMS memory usage:

RSS is the Resident Set Size, which is the actual physical memory the process is using
VMS is the Virtual Memory Size which is the virtual memory that process is using

Change log

Release

Released on

Release type

Details

Recommendations

v1.0.0

19 Aug 2024

Status

colour	Purple
title	NEW FEATURE

-

Initial version

Versions Compared

Old Version 1

New Version Current

Key

Overview

Devo collector features

Data sources

Flattening preprocessing

Minimum configuration required for basic pulling

Accepted authentication methods

Run the collector

Editing the JSON configuration

Structure

Devo credentials

Editing the config.yaml file

Download the Docker image

Docker

Docker Compose

Collector services detail

Internal process and deduplication method

Devo categorization and destination

Setup output

Puller output

Restart the persistence

Troubleshooting

Internal process and deduplication method

Devo categorization and destination

Setup output

Puller output

Restart the persistence

Troubleshooting

Collector operations

Initialization

Events delivery and Devo ingestion

Sender services

Sender statistics

Change log