Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Table of Contents
[ Overview ] [ Devo collector features ] [ Data sources ] [ Flattening preprocessing ] [ Vendor setup ] [ Minimum configuration required for basic pulling ] [ Accepted authentication methods ] [ Run the collector ] [ Collector services detail ] [ Collector operations ] [ Change log ]

Overview

Darktrace RESPOND works autonomously to disarm attacks whenever they occur. Reacts to threats in seconds, working 24/7 as it frees up security teams and resources.

...

Once the data source is configured, you can either send us the required information if you want us to host and manage the collector for you (Cloud collector), or deploy and host the collector in your own machine using a Docker image (On-premise collector).

Expand
titleCheck memory usage

To check the memory usage of this collector, look for the following log records in the collector which are displayed every 5 minutes by default, always after running the memory-free process.

  • The used memory is displayed by running processes and the sum of both values will give the total used memory for the collector.

  • The global pressure of the available memory is displayed in the global value.

  • All metrics (Global, RSS, VMS) include the value before freeing and after previous -> after freeing memory

Code Block
2023-03-27T16:22:09.311    INFO InputProcess::MainThread -> [GC] global: 66.6% -> 66.6%, process: RSS(44.88MiB -> 44.88MiB), VMS(32.80GiB -> 32.80GiB)
2023-03-27T16:22:09.350    INFO OutputProcess::MainThread -> [GC] global: 66.6% -> 66.6%, process: RSS(45.21MiB -> 45.34MiB), VMS(32.89GiB -> 32.89GiB)

Change log

...

Release

...

Released on

...

Release type

...

Details

...

<any_directory> └── devo-collectors/ └── <product_name>/ ├── certs/ │ ├── chain.crt

Editing the JSON configuration:

Rw ui tabs macro
Rw tab
titleCloud collector

We use a piece of software called Collector Server to host and manage all our available collectors. If you want us to host this collector for you, get in touch with us and we will guide you through the configuration.

Rw tab
titleOn-premise collector

This data collector can be run in any machine that has the Docker service available because it should be executed as a docker container. The following sections explain how to prepare all the required setup for having the data collector running.

Structure

The following directory structure should be created for being used when running the collector:

Code Block
Code Block
{
  "global_overrides": {
    "debug": false
  },
  "inputs": {
    "darktrace": {
      "id": "<short_unique_id>",
      "enabled": "<input_status>",
      "credentials": {
        ├── <your_domain>.key
 "public_token": "<public_token>",
        "private_token": "<private_token>",
         └── <your_domain>.crt"instance": "<instance>"
      },
  ├── state/   "services": {
    └── config/   "antigena": {
         └── config.yaml 
Note

Replace <product_name> with the proper value.

Devo credentials

In Devo, go to Administration → Credentials → X.509 Certificates, download the Certificate, Private key and Chain CA and save them in <product_name>/certs/. Learn more about security credentials in Devo here.

Image Removed
Note

Replace <product_name> with the proper value.

Editing the config.yaml file

Code Block
globals:
  debug: false
  id: <collector_id>
  name: <collector_name>
  persistence:
    type: filesystem
    config:
 "start_time_in_utc_format": "<start_time_in_utc_format>",
          "request_period_in_seconds": "<request_period_in_seconds>",
          "override_devo_tag": "<override_devo_tag>",
     directory_name: state outputs:   devo_1:
"override_time_window_interval_in_minutes": "<override_time_window_interval_in_minutes>"
   type: devo_platform    },
config:       address: <devo_address>
      port: 443
"aianalyst_incidentevents": {
     type: SSL       chain: <chain_filename>"start_time_in_utc_format": "<start_time_in_utc_format>",
      cert: <cert_filename>       key"request_period_in_seconds": <key_filename>
inputs:
  darktrace:
    id: <short_unique_id>"<request_period_in_seconds>",
    enabled: true     environment: dev"override_devo_tag": "<override_devo_tag>",
    credentials:       public_token: <public_token_value>"override_time_window_interval_in_minutes": "<override_time_window_interval_in_minutes>"
      private_token: <private_token_value> },
     instance: <instance_value>  "summarystatistics": {
 requests_limits:       - period: 1d  "start_time_in_utc_format": "<start_time_in_utc_format>",
          number_of_requests: -1"request_period_in_seconds": "<request_period_in_seconds>",
         - period: 1h "override_devo_tag": "<override_devo_tag>", 
          number_of_requests: -1"override_time_window_interval_in_minutes": "<override_time_window_interval_in_minutes>"
      - period: 1m},
        number_of_requests"status": -1{
      - period: 1s    "start_time_in_utc_format": "<start_time_in_utc_format>",
    number_of_requests: -1     services:
"request_period_in_seconds": "<request_period_in_seconds>",
     antigena:         "override_devo_tag": "<override_devo_tag>
        start_time_in_utc_format: <start_time_in_utc_format>",
          "override_time_window_interval_in_minutes": "<override_time_window_interval_in_minutes>"
        request_period_in_seconds: <request_period_in_seconds>},
        aianalyst_incidentevents"modelbreaches":         override_devo_tag: <override_devo_tag>{
          "start_time_in_utc_format": "<start_time_in_utc_format>
        override_time_window_interval_in_minutes: <override_time_window_interval_in_minutes>",
          "request_period_in_seconds": "<request_period_in_seconds>",
      summarystatistics:         "override_devo_tag": "<override_devo_tag>",
          start"override_time_window_interval_in_utc_formatminutes": <start"<override_time_in_utc_format>
        override_time_window_interval_in_minutes: <override_time_window_intervalwindow_interval_in_minutes>"
        request_period_in_seconds: <request_period_in_seconds>}
     status: }
    }
  override_devo_tag: <override_devo_tag>
        start_time_in_utc_format: <start_time_in_utc_format>
        override_time_window_interval_in_minutes: <override_time_window_interval_in_minutes>
        request_period_in_seconds: <request_period_in_seconds>
    modelbreaches:
        override_devo_tag: <override_devo_tag>
        start_time_in_utc_format: <start_time_in_utc_format>
        override_time_window_interval_in_minutes: }
}

All defined service entities will be executed by the collector. If you do not want to run any of them, just remove the entity from the services object.

Replace the placeholders with your required values following the description table below:

Parameter

Data type

Type

Value range

Details

<short_unique_id>

int

Mandatory

Minimum Length 5

Use this parameter to give a unique ID to this input service. This parameter is used to build the persistence address; do not use the same value for multiple collectors. It could cause a collision.

<input_status>

bool

Mandatory

false / true

Use this param to enable or disable the given input logic when running the collector. If the value is true, the input will be run. If the value is false, it will be ignored.

<public_token>

str

Mandatory

Minimum Length 1

public_token for accessing Darktrace API.

<private_token>

str

Mandatory

Minimum Length 1

private_token for accessing Darktrace API.

<instance>

str

Mandatory

Minimum Length 1

instance for accessing Darktrace API.

<start_time_in_utc_format>

int

Mandatory

UTC format

This configuration allows you to set a custom date as the beginning of the period to download. This allows downloading historical data (one month back for example) before downloading new events. Ex: 2022-05-14T00:00:0

<override_devo_tag>

str

Optional

A devo tag

This parameter allows defining a custom devo tag which overrides the default devo tag

<override_time_window_interval_in_minutes>

request_period_in_seconds: <request_period_in_seconds>
Info

All defined service entities will be executed by the collector. If you do not want to run any of them, just remove the entity from the services object.

Replace the placeholders with your required values following the description table below:

Parameter

Data type

Type

Value range

Details

collector_id

int

Mandatory

Minimum length: 1

Maximum length: 5

Use this param to give an unique id to this collector.

collector_name

str

Mandatory

Minimum length: 1

Maximum length: 10

Use this param to give a valid name to this collector.

devo_address

str

Mandatory

collector-us.devo.io

collector-eu.devo.io

Use this param to identify the Devo Cloud where the events will be sent.

chain_filename

str

Mandatory

Minimum length: 4

Maximum length: 20

Use this param to identify the chain.cert file downloaded from your Devo domain. Usually this file's name is: chain.crt

cert_filename

str

Mandatory

Minimum length: 4

Maximum length: 20

Use this param to identify the file.cert downloaded from your Devo domain.

key_filename

str

Mandatory

Minimum length: 4

Maximum length: 20

Use this param to identify the file.key downloaded from your Devo domain.

input_id

int

Mandatory

Minimum length: 1

Maximum length: 5

Use this param to give an unique id to this input service.

This parameter is used to build the persistence address, do not use the same value for multiple collectors. It could cause a collision.

input_status

bool

Mandatory

false / true

If the value is true, the input definition will be executed. If the value is false, the service will be ignored.

public_token

str

Mandatory

Minimum length: 1

Public Token of the Darktrace server

private_token

str

Mandatory

Minimum length: 1

Private Token of the Darktrace server

instance

str

Mandatory

Minimum length: 1

Instance value for the Darktrace server. Suppose the base URL is https://azeus1-75836-01.cloud.darktrace.com/ , so instance value will be azeus1-75836-01.cloud.darktrace.com

request_period_in_seconds

int

Optional

Minimum length: 1

Period in seconds used between each data pulling, this value will overwrite the default value (60 seconds)

override_devo_tag

str

Optional

A devo tag

This parameter allows to define a custom devo tag.

start_time_in_utc_format

str

Optional

Minimum length: 1

This configuration allows you to set a custom date as the beginning of the period to download. This allows downloading historical data (one month back for example) before downloading new events.

override_time_window_interval_in_minutes

int

Optional

Minimum length: 1

This value allows you to set the intervals in which the data pulling will be divided, starting from the start date. This will overwrite the default value (60 minutes)

Download the Docker image

The collector should be deployed as a Docker container. Download the Docker image of the collector as a .tgz file by clicking the link in the following table:

Collector Docker image

SHA-256 hash

collector-darktrace_respond-docker-image-1.0.0

c93371c66624db6c50e2fd164c8ccc207b6c219699c102e8bd7ccd787e2fe6dd

Use the following command to add the Docker image to the system:

Code Block
gunzip -c <image_file>-<version>.tgz | docker load
Note

Once the Docker image is imported, it will show the real name of the Docker image (including version info). Replace <image_file> and <version> with a proper value.

The Docker image can be deployed on the following services:

Docker

Execute the following command on the root directory <any_directory>/devo-collectors/<product_name>/

Code Block
docker run 
--name collector-<product_name> 
--volume $PWD/certs:/devo-collector/certs 
--volume $PWD/config:/devo-collector/config 
--volume $PWD/state:/devo-collector/state 
--env CONFIG_FILE=config.yaml 
--rm 
--interactive 
--tty 
<image_name>:<version>
Note

Replace <product_name>, <image_name> and <version> with the proper values.

Docker Compose

The following Docker Compose file can be used to execute the Docker container. It must be created in the <any_directory>/devo-collectors/<product_name>/ directory.

Code Block
version: '3'
services:
  collector-<product_name>:
    image: <image_name>:${IMAGE_VERSION:-latest}
    container_name: collector-<product_name>
    volumes:
      - ./certs:/devo-collector/certs
      - ./config:/devo-collector/config
      - ./credentials:/devo-collector/credentials
      - ./state:/devo-collector/state
    environment:
      - CONFIG_FILE=${CONFIG_FILE:-config.yaml}

To run the container using docker-compose, execute the following command from the <any_directory>/devo-collectors/<product_name>/ directory:

Code Block
IMAGE_VERSION=<version> docker-compose up -d
Note

Replace <product_name>, <image_name> and <version> with the proper values.

Collector services detail

This section is intended to explain how to proceed with specific actions for services.

Events service

...

titleVerify data collection

Once the collector has been launched, it is important to check if the ingestion is performed in a proper way. To do so, go to the collector’s logs console.

This service has the following components:

...

Component

...

Description

...

Setup

...

The setup module is in charge of authenticating the service and managing the token expiration when needed.

...

Puller

...

The setup module is in charge of pulling the data in a organized way and delivering the events via SDK.

Setup output

A successful run has the following output messages for the setup module:

Code Block
INFO InputProcess::CollectorDarktracePullerSetup(unknown,darktrace#darktrace_respond,summarystatistics#predefined) -> Starting the execution of setup()
INFO InputProcess::CollectorDarktracePullerSetup(unknown,darktrace#darktrace_respond,summarystatistics#predefined) -> Tokens have been validated successfully.
INFO InputProcess::CollectorDarktracePullerSetup(unknown,darktrace#darktrace_respond,summarystatistics#predefined) -> Finalizing the execution of setup()
INFO InputProcess::CollectorDarktracePullerSetup(unknown,darktrace#darktrace_respond,summarystatistics#predefined) -> Setup for module <CollectorDarktracePuller> has been successfully executed

Puller output

Code Block
2023-03-27T16:22:12.290    INFO InputProcess::CollectorDarktracePuller(darktrace,darktrace_respond,summarystatistics,predefined) -> The configuration property "start_time" is having a different value from previous collector executions so the persisted values will be removed. The new "start_time" value will be used as starting point, previous_value: "2023-03-10T00:00:00", new_value: "2023-03-25T00:00:00"
2023-03-27T16:22:12.291    INFO InputProcess::CollectorDarktracePuller(darktrace,darktrace_respond,summarystatistics,predefined) -> Starting data collection every 60 seconds
2023-03-27T16:22:12.291    INFO InputProcess::CollectorDarktracePuller(darktrace,darktrace_respond,summarystatistics,predefined) -> Starting a new pulling from darktrace at "2023-03-27T10:52:12.289241+00:00"
2023-03-27T16:22:12.297    INFO InputProcess::CollectorDarktracePuller(darktrace,darktrace_respond,summarystatistics,predefined) -> Total number of time slots to be processed: 58
2023-03-27T16:22:13.466    INFO InputProcess::CollectorDarktracePuller(darktrace,darktrace_respond,summarystatistics,predefined) -> Number of events received for time slot >> 2023-03-25 00:00:00+00:00 - 2023-03-25 01:00:00+00:00 is: 2
2023-03-27T16:22:14.476    INFO InputProcess::CollectorDarktracePuller(darktrace,darktrace_respond,summarystatistics,predefined) -> Number of events received for time slot >> 2023-03-25 01:00:00+00:00 - 2023-03-25 02:00:00+00:00 is: 0
2023-03-27T16:22:15.616    INFO InputProcess::CollectorDarktracePuller(darktrace,darktrace_respond,summarystatistics,predefined) -> Number of events received for time slot >> 2023-03-25 02:00:00+00:00 - 2023-03-25 03:00:00+00:00 is: 1
2023-03-27T16:22:16.640    INFO InputProcess::CollectorDarktracePuller(darktrace,darktrace_respond,summarystatistics,predefined) -> Number of events received for time slot >> 2023-03-25 03:00:00+00:00 - 2023-03-25 04:00:00+00:00 is: 0
2023-03-27T16:22:17.650    INFO InputProcess::CollectorDarktracePuller(darktrace,darktrace_respond,summarystatistics,predefined) -> Number of events received for time slot >> 2023-03-25 04:00:00+00:00 - 2023-03-25 05:00:00+00:00 is: 4
2023-03-27T16:22:18.669    INFO InputProcess::CollectorDarktracePuller(darktrace,darktrace_respond,summarystatistics,predefined) -> Number of events received for time slot >> 2023-03-25 05:00:00+00:00 - 2023-03-25 06:00:00+00:00 is: 1
2023-03-27T16:22:19.705    INFO InputProcess::CollectorDarktracePuller(darktrace,darktrace_respond,summarystatistics,predefined) -> Number of events received for time slot >> 2023-03-25 06:00:00+00:00 - 2023-03-25 07:00:00+00:00 is: 0
2023-03-27T16:22:21.122    INFO InputProcess::CollectorDarktracePuller(darktrace,darktrace_respond,summarystatistics,predefined) -> Number of events received for time slot >> 2023-03-25 07:00:00+00:00 - 2023-03-25 08:00:00+00:00 is: 1
2023-03-27T16:22:22.471    INFO InputProcess::CollectorDarktracePuller(darktrace,darktrace_respond,summarystatistics,predefined) -> Number of events received for time slot >> 2023-03-25 08:00:00+00:00 - 2023-03-25 09:00:00+00:00 is: 1
2023-03-27T16:22:23.902    INFO InputProcess::CollectorDarktracePuller(darktrace,darktrace_respond,summarystatistics,predefined) -> Number of events received for time slot >> 2023-03-25 09:00:00+00:00 - 2023-03-25 10:00:00+00:00 is: 0
2023-03-27T16:22:25.338    INFO InputProcess::CollectorDarktracePuller(darktrace,darktrace_respond,summarystatistics,predefined) -> Number of events received for time slot >> 2023-03-25 10:00:00+00:00 - 2023-03-25 11:00:00+00:00 is: 6
2023-03-27T16:22:26.571    INFO InputProcess::CollectorDarktracePuller(darktrace,darktrace_respond,summarystatistics,predefined) -> Number of events received for time slot >> 2023-03-25 11:00:00+00:00 - 2023-03-25 12:00:00+00:00 is: 0
2023-03-27T16:22:26.572    INFO InputProcess::CollectorDarktracePuller(darktrace,darktrace_respond,summarystatistics,predefined) -> Number of processed time slots so far: 12
2023-03-27T16:22:27.896    INFO InputProcess::CollectorDarktracePuller(darktrace,darktrace_respond,summarystatistics,predefined) -> Number of events received for time slot >> 2023-03-25 12:00:00+00:00 - 2023-03-25 13:00:00+00:00 is: 0

After a successful collector’s execution (that is, no error logs found), you will see the following log message:

Code Block
2023-03-27T16:23:16.990    INFO InputProcess::CollectorDarktracePuller(darktrace,darktrace_respond,summarystatistics,predefined) -> Received response, messages(total/duplicated): 65/4/tag template used: "my.app.test2", avg_time_per_source_message: 6.022 ms
Expand
titleRestart the persistence

This collector uses persistent storage to download events in an orderly fashion and avoid duplicates. In case you want to re-ingest historical data or recreate the persistence, you can restart the persistence of this collector by following these steps:

  1. Edit the configuration file.

  2. Change the value of the start_time_in_utc_format parameter to a different one.

  3. Save the changes.

  4. Restart the collector.

The collector will detect this change and will restart the persistence using the parameters of the configuration file or the default configuration in case it has not been provided.

Expand
titleTroubleshooting

This collector has different security layers that detect both an invalid configuration and abnormal operation. This table will help you detect and resolve the most common errors.

Error type

Error ID

Error Message

Cause

Solution

InitVariablesError

1

"{module_globals}" mandatory property is missing or empty

module_globals is not defined in the collector_definitions.yaml file

Define the module_globals in the collector_definitions file

InitVariablesError

2

"{module_globals}" mandatory property is missing or empty

module_globals field is not a dictionary

module_globals must be modified to be a dictionary

InitVariablesError

3

"base_url" mandatory property is missing or empty

base_url is missing from module_properties

Define base_url inside the module_properties

InitVariablesError

4

"base_url" property must be a string

base_url is not a string

base_url should be a string

InitVariablesError

5

"date_format" mandatory property is missing or empty

date_format is missing from module_properties

Define date_format inside the module_properties

InitVariablesError

6

"date_format" mandatory property is missing or empty

date_format is missing from module_properties

Define date_format inside the module_properties

InitVariablesError

7

"{module_properties_key_path}" mandatory property is missing or empty

module_properties is not defined in the collector_definitions.yaml file

Define the module_properties in the collector_definitions file

InitVariablesError

8

{module_properties_key_path}" property must be a dictionary

module_properties field is not a dictionary

module_properties must be modified to be a dictionary

InitVariablesError

9

"{module_properties_key_path}.endpoint" mandatory property is missing or empty

endpoint is not defined

deifne the endpoint

InitVariablesError

10

"{module_properties_key_path}.endpoint" property must be a string

endpoint is not a string

make endpoint a string

InitVariablesError

11

"{module_properties_key_path}.time_window_interval_in_minutes" mandatory property is missing or empty

time_window_interval_in_minutes is not present

define time_window_interval_in_minutes

InitVariablesError

12

"{module_properties_key_path}.time_window_interval_in_minutes" property must be an integer

time_window_interval_in_minutes is not an integer

time_window_interval_in_minutes must be an int

InitVariablesError

13

"{module_properties_key_path}.time_window_interval_in_minutes" property can not be a negative value

time_window_interval_in_minutes is less than 0

time_window_interval_in_minutes should be positive

InitVariablesError

14

"{module_properties_key_path}.devo_tag" mandatory property is missing or empty

devo_tag is not defined

define devo_tag

InitVariablesError

15

"{module_properties_key_path}.devo_tag" property must be a string

devo_tag is not a string

devo_tag must be a string

InitVariablesError

16

"{module_properties_key_path}.unique_id" property must be a string

unique_id is not a string

unique_id must be a string

InitVariablesError

17

"{module_properties_key_path}.persistence_version" mandatory property is missing or empty

persistence_version is not present

define persistence_version

InitVariablesError

18

"{module_properties_key_path}.persistence_version" property must be an integer

persistence_version is not an integer

persistence_version must be an int

InitVariablesError

19

"{module_properties_key_path}.persistence_version" property can not be a negative value

persistence_version is less than 0

persistence_version should be positive

InitVariablesError

20

inputs.darktrace mandatory property is missing or empty

inputs.darktrace is not present in config.yaml file

define inputs.darktrace in config.yaml file

InitVariablesError

21

inputs.darktrace property must be a dictionary

darktrace input is not a dict

make darktrace input a dict

InitVariablesError

22

inputs.darktrace.credentials mandatory property is missing or empty

credentials property is missing in config.yaml

credentials property must be defined

InitVariablesError

23

inputs.darktrace.credentials property must be a dictionary

credentials property is not a dict

credentials property must be a dict

InitVariablesError

24

inputs.darktrace.credentials.public_token mandatory property is missing or empty

public_token is missing in credentials section

public_token must be defined in the credentials section

InitVariablesError

25

inputs.darktrace.credentials.public_token property must be a string

public_token is not a string

public_token should be a string

InitVariablesError

26

inputs.darktrace.credentials.private_token mandatory property is missing or empt

private_token is missing in credentials section

private_token must be defined in the credentials section

InitVariablesError

27

inputs.darktrace.credentials.private_token property must be a string

private_token is not a string

private_token should be a string

InitVariablesError

28

inputs.darktrace.credentials.instance mandatory property is missing or empty

instance is not present in the credentials section

define the instance variable

InitVariablesError

29

inputs.darktrace.credentials.instance property must be a string

instance is not a string

instance has to be a string

InitVariablesError

30

inputs.{self.input_name}.services.{self.service_name} mandatory property is missing or empty

{self.service_name} is not defined inside services section

{self.service_name} has to be defined

InitVariablesError

31

inputs.{self.input_name}.services.{self.service_name} property must be a dictionary

{self.service_name} is not a dict

{self.service_name}must be a dict

InitVariablesError

32

inputs.{self.input_name}.services.{self.service_name}.override_devo_tag property must be a string

override_devo_tag is not a string

override_devo_tag must be a string

InitVariablesError

33

inputs.{self.input_name}.services.{self.service_name}.start_time_in_utc_format property must be a string

start_time_in_utc_format is not a string

start_time_in_utc_format must be a string

InitVariablesError

34

inputs.{self.input_name}.services.{self.service_name}.start_time_in_utc_format does not match the format {self.collector_variables["date_format"]}

start_time_in_utc_format is not proper

start_time_in_utc_format must be consistent with {self.collector_variables["date_format"]}

InitVariablesError

35

inputs.{self.input_name}.services.{self.service_name}.override_time_window_interval_in_minutes property must be an int

override_time_window_interval_in_minutes property is not an integer

override_time_window_interval_in_minutes property must be an integer

PullError

300

HTTP Error occurred while retrieving events from Darktrace server

Some unknown exception happened while making the HTTP request

Reach out to the developer with the exact error message

PullError

301

Some error occurred while retrieving events from Darktrace server.

An error occured apart from HTTP while making request to the server

Reach out to the developer with the exact error message

Collector operations

This section is intended to explain how to proceed with specific operations of this collector.

...

titleVerify collector operations

Initialization

The initialization module is in charge of setup and running the input (pulling logic) and output (delivering logic) services and validating the given configuration.

A successful run has the following output messages for the initializer module:

Code Block
2023-03-27T16:22:07.976    INFO MainProcess::MainThread -> Loading configuration using the following files: {"full_config": "config-1-local.yaml", "job_config_loc": null, "collector_config_loc": null}
2023-03-27T16:22:07.976    INFO MainProcess::MainThread -> Using the default location for "job_config_loc" file: "/etc/devo/job/job_config.json"
2023-03-27T16:22:07.976    INFO MainProcess::MainThread -> "/etc/devo/job" does not exists
2023-03-27T16:22:07.977    INFO MainProcess::MainThread -> Using the default location for "collector_config_loc" file: "/etc/devo/collector/collector_config.json"
2023-03-27T16:22:07.977    INFO MainProcess::MainThread -> "/etc/devo/collector" does not exists
2023-03-27T16:22:07.977    INFO MainProcess::MainThread -> Results of validation of config files parameters: {"config": "/Users/krishan.dhingra/devo/github/devo-collector-darktrace/config/config-1-local.yaml", "config_validated": True, "job_config_loc": "/etc/devo/job/job_config.json", "job_config_loc_default": True, "job_config_loc_validated": False, "collector_config_loc": "/etc/devo/collector/collector_config.json", "collector_config_loc_default": True, "collector_config_loc_validated": False}
2023-03-27T16:22:08.080    INFO MainProcess::MainThread -> Build time: "UNKNOWN", OS: "macOS-12.6.1-x86_64-i386-64bit", collector(name:version): "darktrace_collector:1.0.0", owner: "aaa.bbb@domain.com", started at: "2023-03-27T10:52:08.059847Z"
2023-03-27T16:22:08.092    INFO MainProcess::MainThread -> Initialized all object from "MainProcess" process

Events delivery and Devo ingestion

The event delivery module is in charge of receiving the events from the internal queues where all events are injected by the pullers and delivering them using the selected compatible delivery method.

A successful run has the following output messages for the initializer module:

Code Block
2023-03-27T16:22:09.310    INFO OutputProcess::MainThread -> DevoSender(standard_senders,devo_sender_0) -> Starting thread
2023-03-27T16:22:09.311    INFO OutputProcess::MainThread -> DevoSenderManagerMonitor(standard_senders,devo_eu_1) -> Starting thread (every 300 seconds)
2023-03-27T16:22:09.311    INFO InputProcess::MainThread -> [GC] global: 66.6% -> 66.6%, process: RSS(44.88MiB -> 44.88MiB), VMS(32.80GiB -> 32.80GiB)
2023-03-27T16:22:09.312    INFO OutputProcess::MainThread -> DevoSenderManager(standard_senders,manager,devo_eu_1) -> Starting thread
2023-03-27T16:22:09.312    INFO InputProcess::MainThread -> global_status: {"input_process": {"process_id": 48693, "process_status": "running", "thread_counter": 11, "thread_names": ["MainThread", "pydevd.Writer", "pydevd.Reader", "pydevd.CommandThread", "pydevd.CheckAliveThread", "QueueFeederThread", "CollectorDarktracePullerSetup(unknown,darktrace#darktrace_respond,aianalyst/incidentevents#predefined)", "CollectorDarktracePuller(darktrace,darktrace_respond,aianalyst/incidentevents,predefined)", "QueueFeederThread", "ServiceThread(darktrace,darktrace_respond,aianalyst/incidentevents,predefined)", "InputThread(darktrace,darktrace_respond)"], "memory_info": {"rss": "44.90MiB", "vms": "32.80GiB", "pfaults": "12.52KiB", "pageins": "1.00B"}, "input_threads": [[]], "running_flag": true, "message_queues": {"standard": {"name": "standard_queue_multiprocessing", "max_size_in_messages": 10000, "max_size_in_mb": 1024, "max_wrap_size_in_items": 100, "current_size": 1, "put_lock": "<Lock(owner=unknown)>", "input_lock": "<multiprocessing.synchronize.Event object at 0x10445bb50>"}, "lookup": {"name": "lookup_queue_multiprocessing", "max_size_in_messages": 10000, "max_size_in_mb": 1024, "max_wrap_size_in_items": 100, "current_size": 0, "put_lock": "<Lock(owner=unknown)>", "input_lock": "<multiprocessing.synchronize.Event object at 0x104468190>"}, "internal": {"name": "internal_queue_multiprocessing", "max_size_in_messages": 10000, "max_size_in_mb": 1024, "max_wrap_size_in_items": 100, "current_size": 10, "put_lock": "<Lock(owner=unknown)>", "input_lock": "<multiprocessing.synchronize.Event object at 0x10446e8b0>"}}}}
2023-03-27T16:22:09.313    INFO OutputProcess::MainThread -> DevoSender(lookup_senders,devo_sender_0) -> Starting thread

Sender services

The Integrations Factory Collector SDK has 3 different senders services depending on the event type to delivery (internal, standard, and lookup). This collector uses the following Sender Services:

...

Sender services

...

Description

...

internal_senders

...

In charge of delivering internal metrics to Devo such as logging traces or metrics.

...

standard_senders

...

In charge of delivering pulled events to Devo.

Sender statistics

Each service displays its own performance statistics that allow checking how many events have been delivered to Devo by type:

...

Logging trace

...

Description

...

Number of available senders: 1

...

Displays the number of concurrent senders available for the given Sender Service.

...

sender manager internal queue size: 0

...

Displays the items available in the internal sender queue.

Info

This value helps detect bottlenecks and needs to increase the performance of data delivery to Devo. This last can be made by increasing the concurrent senders.

...

Standard - Total number of messages sent: 57, messages sent since "2023-01-10 16:09:16.116750+00:00": 0 (elapsed 0.000 seconds

...

Displayes the number of events from the last time and following the given example, the following conclusions can be obtained:

  • 44 events were sent to Devo since the collector started.

  • The last checkpoint timestamp was 2023-01-10 16:09:16.116750+00:00.

  • 21 events where sent to Devo between the last UTC checkpoint and now.

  • Those 21 events required 0.007 seconds to be delivered.

Info

By default these traces will be shown every 10 minutes.

int

Optional

Minimum length: 1

This value allows you to set the intervals in which the data pulling will be divided, starting from the start date. This will overwrite the default value (60 minutes)

<request_period_in_seconds>

int

Optional

Minimum Length 1

Period in seconds used between each data pulling, this value will overwrite the default value (60 seconds).

Rw tab
titleOn-premise collector

This data collector can be run in any machine that has the Docker service available because it should be executed as a docker container. The following sections explain how to prepare all the required setup for having the data collector running.

Structure

The following directory structure should be created for being used when running the collector:

Code Block
<any_directory>
└── devo-collectors/
    └── <product_name>/
        ├── certs/
        │   ├── chain.crt
        │   ├── <your_domain>.key
        │   └── <your_domain>.crt
        ├── state/
        └── config/ 
            └── config.yaml 
Note

Replace <product_name> with the proper value.

Devo credentials

In Devo, go to Administration → Credentials → X.509 Certificates, download the Certificate, Private key and Chain CA and save them in <product_name>/certs/. Learn more about security credentials in Devo here.

Image Added
Note

Replace <product_name> with the proper value.

Editing the config.yaml file

Code Block
globals:
  debug: false
  id: not_used
  name: example_collector
  persistence:
    type: filesystem
    config:
      directory_name: state
outputs:
    devo_us_1:
      type: devo_platform
      config:
        address: <devo_address>
        port: 443
        type: SSL
        chain: <chain_filename>
        cert: <cert_filename>
        key: <key_filename>
inputs:
  darktrace:
    id: <short_unique_id>
    enabled: <input_status>
    credentials:
      public_token: <public_token>
      private_token: <private_token>
      instance: <instance>
    services:
       antigena:
         start_time_in_utc_format: <start_time_in_utc_format> # example 2022-05-14T00:00:00
         request_period_in_seconds: <request_period_in_seconds> #otional
         override_devo_tag: <override_devo_tag> #optional
         override_time_window_interval_in_minutes: <override_time_window_interval_in_minutes> #optional
       aianalyst_incidentevents:
         start_time_in_utc_format: <start_time_in_utc_format> # example 2022-05-14T00:00:00
         request_period_in_seconds: <request_period_in_seconds> #otional
         override_devo_tag: <override_devo_tag> #optional
         override_time_window_interval_in_minutes: <override_time_window_interval_in_minutes> #optional
       summarystatistics:
         start_time_in_utc_format: <start_time_in_utc_format> # example 2022-05-14T00:00:00
         request_period_in_seconds: <request_period_in_seconds> #otional
         override_devo_tag: <override_devo_tag> #optional
         override_time_window_interval_in_minutes: <override_time_window_interval_in_minutes> #optional
       status:
         start_time_in_utc_format: <start_time_in_utc_format> # example 2022-05-14T00:00:00
         request_period_in_seconds: <request_period_in_seconds> #otional
         override_devo_tag: <override_devo_tag> #optional
         override_time_window_interval_in_minutes: <override_time_window_interval_in_minutes> #optional        
       modelbreaches:
         start_time_in_utc_format: <start_time_in_utc_format> # example 2022-05-14T00:00:00
         request_period_in_seconds: <request_period_in_seconds> #otional
         override_devo_tag: <override_devo_tag> #optional
         override_time_window_interval_in_minutes: <override_time_window_interval_in_minutes> #optional
Info

All defined service entities will be executed by the collector. If you do not want to run any of them, just remove the entity from the services object.

Replace the placeholders with your required values following the description table below:

Parameter

Data type

Type

Value range

Details

<collector_id>

int

Mandatory

Minimum length: 1

Maximum length: 5

Use this param to give an unique id to this collector.

<collector_name>

str

Mandatory

Minimum length: 1

Maximum length: 10

Use this param to give a valid name to this collector.

<devo_address>

str

Mandatory

collector-us.devo.io

collector-eu.devo.io

Use this param to identify the Devo Cloud where the events will be sent.

<chain_filename>

str

Mandatory

Minimum length: 4

Maximum length: 20

Use this param to identify the chain.cert file downloaded from your Devo domain. Usually this file's name is: chain.crt

<cert_filename>

str

Mandatory

Minimum length: 4

Maximum length: 20

Use this param to identify the file.cert downloaded from your Devo domain.

<key_filename>

str

Mandatory

Minimum length: 4

Maximum length: 20

Use this param to identify the file.key downloaded from your Devo domain.

<short_unique_id>

int

Mandatory

Minimum length: 1

Maximum length: 5

Use this param to give an unique id to this input service.

This parameter is used to build the persistence address, do not use the same value for multiple collectors. It could cause a collision.

<input_status>

bool

Mandatory

false / true

If the value is true, the input definition will be executed. If the value is false, the service will be ignored.

<public_token>

str

Mandatory

Minimum length: 1

Public Token of the Darktrace server

<private_token>

str

Mandatory

Minimum length: 1

Private Token of the Darktrace server

<instance>

str

Mandatory

Minimum length: 1

Instance value for the Darktrace server. Suppose the base URL is https://azeus1-75836-01.cloud.darktrace.com/ , so instance value will be azeus1-75836-01.cloud.darktrace.com

<request_period_in_seconds>

int

Optional

Minimum length: 1

Period in seconds used between each data pulling, this value will overwrite the default value (60 seconds)

<override_devo_tag>

str

Optional

A devo tag

This parameter allows to define a custom devo tag.

<start_time_in_utc_format>

str

Optional

Minimum length: 1

This configuration allows you to set a custom date as the beginning of the period to download. This allows downloading historical data (one month back for example) before downloading new events.

<override_time_window_interval_in_minutes>

int

Optional

Minimum length: 1

This value allows you to set the intervals in which the data pulling will be divided, starting from the start date. This will overwrite the default value (60 minutes)

Download the Docker image

The collector should be deployed as a Docker container. Download the Docker image of the collector as a .tgz file by clicking the link in the following table:

Collector Docker image

SHA-256 hash

collector-darktrace_respond-docker-image-1.1.0

e840667b136af17faea4f0984f607b77cf24bed4ec7fff903008ec9cb9c79e7a

Use the following command to add the Docker image to the system:

Code Block
gunzip -c <image_file>-<version>.tgz | docker load
Note

Once the Docker image is imported, it will show the real name of the Docker image (including version info). Replace <image_file> and <version> with a proper value.

The Docker image can be deployed on the following services:

Docker

Execute the following command on the root directory <any_directory>/devo-collectors/<product_name>/

Code Block
docker run 
--name collector-<product_name> 
--volume $PWD/certs:/devo-collector/certs 
--volume $PWD/config:/devo-collector/config 
--volume $PWD/state:/devo-collector/state 
--env CONFIG_FILE=config.yaml 
--rm 
--interactive 
--tty 
<image_name>:<version>
Note

Replace <product_name>, <image_name> and <version> with the proper values.

Docker Compose

The following Docker Compose file can be used to execute the Docker container. It must be created in the <any_directory>/devo-collectors/<product_name>/ directory.

Code Block
version: '3'
services:
  collector-<product_name>:
    image: <image_name>:${IMAGE_VERSION:-latest}
    container_name: collector-<product_name>
    volumes:
      - ./certs:/devo-collector/certs
      - ./config:/devo-collector/config
      - ./credentials:/devo-collector/credentials
      - ./state:/devo-collector/state
    environment:
      - CONFIG_FILE=${CONFIG_FILE:-config.yaml}

To run the container using docker-compose, execute the following command from the <any_directory>/devo-collectors/<product_name>/ directory:

Code Block
IMAGE_VERSION=<version> docker-compose up -d
Note

Replace <product_name>, <image_name> and <version> with the proper values.

Collector services detail

This section is intended to explain how to proceed with specific actions for services.

Events service

Expand
titleVerify data collection

Once the collector has been launched, it is important to check if the ingestion is performed in a proper way. To do so, go to the collector’s logs console.

This service has the following components:

Component

Description

Setup

The setup module is in charge of authenticating the service and managing the token expiration when needed.

Puller

The setup module is in charge of pulling the data in a organized way and delivering the events via SDK.

Setup output

A successful run has the following output messages for the setup module:

Code Block
2024-11-19T11:32:18.920    INFO InputProcess::MainThread -> CollectorDarktracePullerSetup(darktrace#122312,summarystatistics#predefined) -> Starting thread
2024-11-19T11:32:18.920    INFO InputProcess::MainThread -> StatelessServicePuller(darktrace#122312,summarystatistics#predefined) - Starting thread
2024-11-19T11:32:18.922 WARNING InputProcess::StatelessServicePuller(darktrace#122312,summarystatistics#predefined) -> Waiting until setup will be executed
2024-11-19T11:32:18.923    INFO InputProcess::MainThread -> InputMetricsThread -> Started thread for updating metrics values (update_period=10.0)
2024-11-19T11:32:18.945    INFO OutputProcess::MainThread -> DevoSender(lookup_senders,devo_sender_0) -> [EMERGENCY_PERSISTENCE_SYSTEM] There is no data persisted with the latest format, any previous persisted data will be migrated
2024-11-19T11:32:18.945    INFO OutputProcess::MainThread -> DevoSender(lookup_senders,devo_sender_0) -> [EMERGENCY_PERSISTENCE_SYSTEM] No previous persistence file exists to migrate (Version 1), filename_path: "/home/md_tausif/gitlab/devo-collector-darktrace/state/df8895fef2a509cbd87fcc9850dc0c81"
2024-11-19T11:32:18.946    INFO OutputProcess::MainThread -> OutputLookupConsumer(lookup_senders_consumer_0) -> [EMERGENCY_PERSISTENCE_SYSTEM] Created persistence instance, filename_path: /home/md_tausif/gitlab/devo-collector-darktrace/state/not_used/OutputLookupConsumer;lookup_senders;0.json.gz
2024-11-19T11:32:18.946    INFO OutputProcess::MainThread -> OutputLookupConsumer(lookup_senders_consumer_0) -> [EMERGENCY_PERSISTENCE_SYSTEM] There is no data persisted with the latest format, any previous persisted data will be migrated
2024-11-19T11:32:18.947    INFO OutputProcess::MainThread -> OutputLookupConsumer(lookup_senders_consumer_0) -> [EMERGENCY_PERSISTENCE_SYSTEM] No previous persistence file exists to migrate (Version 1), filename_path: "/home/md_tausif/gitlab/devo-collector-darktrace/state/865a79c1b99ad39b22becc235c9732cb"
2024-11-19T11:32:18.947    INFO OutputProcess::MainThread -> DevoSenderManager(internal_senders,manager,devo_us_1) -> [EMERGENCY_PERSISTENCE_SYSTEM] Created persistence instance, filename_path: /home/md_tausif/gitlab/devo-collector-darktrace/state/not_used/DevoSenderManager;internal_senders;devo_us_1.json.gz
2024-11-19T11:32:18.948    INFO OutputProcess::MainThread -> DevoSenderManager(internal_senders,manager,devo_us_1) -> [EMERGENCY_PERSISTENCE_SYSTEM] There is no data persisted with the latest format, any previous persisted data will be migrated
2024-11-19T11:32:18.948    INFO OutputProcess::MainThread -> DevoSenderManager(internal_senders,manager,devo_us_1) -> [EMERGENCY_PERSISTENCE_SYSTEM] No previous persistence file exists to migrate (Version 1), filename_path: "/home/md_tausif/gitlab/devo-collector-darktrace/state/34012509abf2225d01ba2e6297651032"
2024-11-19T11:32:18.949    INFO InputProcess::MainThread -> [GC] global: 24.6% -> 24.7%, process: RSS(62.17MiB -> 62.54MiB), VMS(522.05MiB -> 522.05MiB)
2024-11-19T11:32:18.949    INFO MainProcess::MetricsConsumerThread -> OpenTelemetryServer -> [METRIC] Counter "vendor_requests" created: "Number of requests received from the vendor API", unit: "requests"
2024-11-19T11:32:18.950    INFO MainProcess::MetricsConsumerThread -> OpenTelemetryServer -> [METRIC] Counter "msg_incoming_received" created: "Number of messages received from the vendor API", unit: "1"
2024-11-19T11:32:18.950    INFO OutputProcess::MainThread -> DevoSender(internal_senders,devo_sender_0) -> [EMERGENCY_PERSISTENCE_SYSTEM] Created persistence instance, filename_path: /home/md_tausif/gitlab/devo-collector-darktrace/state/not_used/DevoSender;internal_senders;devo_sender_0.json.gz
2024-11-19T11:32:18.950    INFO MainProcess::MetricsConsumerThread -> OpenTelemetryServer -> [METRIC] Counter "msg_incoming_removed" created: "Number of messages removed by the collector", unit: "1"
2024-11-19T11:32:18.950    INFO MainProcess::MetricsConsumerThread -> OpenTelemetryServer -> [METRIC] Counter "msg_incoming_filtered" created: "Number of messages filtered by the collector", unit: "1"
2024-11-19T11:32:18.951    INFO MainProcess::MetricsConsumerThread -> OpenTelemetryServer -> [METRIC] Counter "msg_enqueued_standard_counter" created: "Number of messages enqueued", unit: "1"
2024-11-19T11:32:18.951    INFO MainProcess::MetricsConsumerThread -> OpenTelemetryServer -> [METRIC] Counter "msg_enqueued_standard_bytes" created: "Number of bytes enqueued", unit: "1"
2024-11-19T11:32:18.951    INFO MainProcess::MetricsConsumerThread -> OpenTelemetryServer -> [METRIC] Counter "msg_enqueued_lookup_counter" created: "Number of messages enqueued", unit: "1"
2024-11-19T11:32:18.951    INFO MainProcess::MetricsConsumerThread -> OpenTelemetryServer -> [METRIC] Counter "msg_enqueued_lookup_bytes" created: "Number of messages enqueued", unit: "1"
2024-11-19T11:32:18.951    INFO MainProcess::MetricsConsumerThread -> OpenTelemetryServer -> [METRIC] Counter "msg_enqueued_internal_counter" created: "Number of messages enqueued in the queue", unit: "1"
2024-11-19T11:32:18.951    INFO OutputProcess::MainThread -> DevoSender(internal_senders,devo_sender_0) -> [EMERGENCY_PERSISTENCE_SYSTEM] There is no data persisted with the latest format, any previous persisted data will be migrated
2024-11-19T11:32:18.952    INFO OutputProcess::MainThread -> DevoSender(internal_senders,devo_sender_0) -> [EMERGENCY_PERSISTENCE_SYSTEM] No previous persistence file exists to migrate (Version 1), filename_path: "/home/md_tausif/gitlab/devo-collector-darktrace/state/4ff7b345dc444ac050cf75f93e5dcb3b"
2024-11-19T11:32:18.952    INFO MainProcess::MetricsConsumerThread -> OpenTelemetryServer -> [METRIC] Counter "msg_enqueued_internal_bytes" created: "Number of messages enqueued in the queue", unit: "1"
2024-11-19T11:32:18.952    INFO MainProcess::MetricsConsumerThread -> OpenTelemetryServer -> [METRIC] Gauge "module_global_status" created: "Global status of current module", unit: "1"
2024-11-19T11:32:18.952    INFO OutputProcess::MainThread -> OutputInternalConsumer(internal_senders_consumer_0) -> [EMERGENCY_PERSISTENCE_SYSTEM] Created persistence instance, filename_path: /home/md_tausif/gitlab/devo-collector-darktrace/state/not_used/OutputInternalConsumer;internal_senders;0.json.gz
2024-11-19T11:32:18.953    INFO OutputProcess::MainThread -> OutputInternalConsumer(internal_senders_consumer_0) -> [EMERGENCY_PERSISTENCE_SYSTEM] There is no data persisted with the latest format, any previous persisted data will be migrated
2024-11-19T11:32:18.953    INFO OutputProcess::MainThread -> OutputInternalConsumer(internal_senders_consumer_0) -> [EMERGENCY_PERSISTENCE_SYSTEM] No previous persistence file exists to migrate (Version 1), filename_path: "/home/md_tausif/gitlab/devo-collector-darktrace/state/10dd360c86621afd5a28a029a0dddcf6"
2024-11-19T11:32:18.953    INFO OutputProcess::MainThread -> DevoSender(standard_senders,devo_sender_0) -> Starting thread
2024-11-19T11:32:18.953    INFO OutputProcess::MainThread -> DevoSenderManagerMonitor(standard_senders,devo_us_1) -> Starting thread (every 300 seconds)
2024-11-19T11:32:18.954    INFO OutputProcess::MainThread -> DevoSenderManager(standard_senders,manager,devo_us_1) -> Starting thread
2024-11-19T11:32:18.954    INFO OutputProcess::DevoSenderManager(standard_senders,manager,devo_us_1) -> [EMERGENCY_PERSISTENCE_SYSTEM] Recovering any available content from the persistence system
2024-11-19T11:32:18.954    INFO OutputProcess::OutputStandardConsumer(standard_senders_consumer_0) -> [EMERGENCY_PERSISTENCE_SYSTEM] Recovering any available content from the persistence system
2024-11-19T11:32:18.954    INFO OutputProcess::MainThread -> DevoSender(lookup_senders,devo_sender_0) -> Starting thread
2024-11-19T11:32:18.955    INFO OutputProcess::MainThread -> DevoSenderManagerMonitor(lookup_senders,devo_us_1) -> Starting thread (every 300 seconds)
2024-11-19T11:32:18.955    INFO OutputProcess::OutputStandardConsumer(standard_senders_consumer_0) -> [EMERGENCY_PERSISTENCE_SYSTEM] Nothing available in the persistence system
2024-11-19T11:32:18.955    INFO OutputProcess::OutputStandardConsumer(standard_senders_consumer_0) -> [EMERGENCY_PERSISTENCE_SYSTEM] Elapsed seconds: 0.00
2024-11-19T11:32:18.955    INFO OutputProcess::MainThread -> DevoSenderManager(lookup_senders,manager,devo_us_1) -> Starting thread
2024-11-19T11:32:18.955    INFO OutputProcess::DevoSenderManager(lookup_senders,manager,devo_us_1) -> [EMERGENCY_PERSISTENCE_SYSTEM] Recovering any available content from the persistence system
2024-11-19T11:32:18.955    INFO OutputProcess::OutputLookupConsumer(lookup_senders_consumer_0) -> [EMERGENCY_PERSISTENCE_SYSTEM] Recovering any available content from the persistence system
2024-11-19T11:32:18.956    INFO OutputProcess::MainThread -> DevoSender(internal_senders,devo_sender_0) -> Starting thread
2024-11-19T11:32:18.956    INFO OutputProcess::OutputLookupConsumer(lookup_senders_consumer_0) -> [EMERGENCY_PERSISTENCE_SYSTEM] Nothing available in the persistence system
2024-11-19T11:32:18.956    INFO OutputProcess::OutputLookupConsumer(lookup_senders_consumer_0) -> [EMERGENCY_PERSISTENCE_SYSTEM] Elapsed seconds: 0.00
2024-11-19T11:32:18.957    INFO OutputProcess::MainThread -> DevoSenderManagerMonitor(internal_senders,devo_us_1) -> Starting thread (every 300 seconds)
2024-11-19T11:32:18.957    INFO OutputProcess::DevoSenderManager(lookup_senders,manager,devo_us_1) -> [EMERGENCY_PERSISTENCE_SYSTEM] Nothing available in the persistence system
2024-11-19T11:32:18.957    INFO OutputProcess::DevoSenderManager(lookup_senders,manager,devo_us_1) -> [EMERGENCY_PERSISTENCE_SYSTEM] Elapsed seconds: 0.00
2024-11-19T11:32:18.957    INFO OutputProcess::MainThread -> DevoSenderManager(internal_senders,manager,devo_us_1) -> Starting thread
2024-11-19T11:32:18.957    INFO OutputProcess::DevoSenderManager(standard_senders,manager,devo_us_1) -> [EMERGENCY_PERSISTENCE_SYSTEM] Nothing available in the persistence system
2024-11-19T11:32:18.958    INFO OutputProcess::DevoSenderManager(standard_senders,manager,devo_us_1) -> [EMERGENCY_PERSISTENCE_SYSTEM] Elapsed seconds: 0.00
2024-11-19T11:32:18.958    INFO OutputProcess::DevoSenderManager(internal_senders,manager,devo_us_1) -> [EMERGENCY_PERSISTENCE_SYSTEM] Recovering any available content from the persistence system
2024-11-19T11:32:18.958    INFO OutputProcess::OutputInternalConsumer(internal_senders_consumer_0) -> [EMERGENCY_PERSISTENCE_SYSTEM] Recovering any available content from the persistence system
2024-11-19T11:32:18.958    INFO OutputProcess::MainThread -> OutputMetricsThread -> Started thread for updating metrics values (update_period=10.0)
2024-11-19T11:32:18.959    INFO OutputProcess::OutputInternalConsumer(internal_senders_consumer_0) -> [EMERGENCY_PERSISTENCE_SYSTEM] Nothing available in the persistence system
2024-11-19T11:32:18.959    INFO OutputProcess::OutputInternalConsumer(internal_senders_consumer_0) -> [EMERGENCY_PERSISTENCE_SYSTEM] Elapsed seconds: 0.00
2024-11-19T11:32:18.960    INFO MainProcess::MetricsConsumerThread -> OpenTelemetryServer -> [METRIC] Counter "msg_sent_counter" created: "Number of messages sent to the defined output", unit: "1"
2024-11-19T11:32:18.960    INFO OutputProcess::DevoSenderManager(internal_senders,manager,devo_us_1) -> [EMERGENCY_PERSISTENCE_SYSTEM] Nothing available in the persistence system
2024-11-19T11:32:18.960    INFO OutputProcess::DevoSenderManager(internal_senders,manager,devo_us_1) -> [EMERGENCY_PERSISTENCE_SYSTEM] Elapsed seconds: 0.00
2024-11-19T11:32:18.978    INFO OutputProcess::MainThread -> [GC] global: 24.7% -> 24.7%, process: RSS(62.03MiB -> 62.16MiB), VMS(1.07GiB -> 1.07GiB)
2024-11-19T11:32:18.979    INFO MainProcess::MetricsConsumerThread -> OpenTelemetryServer -> [METRIC] Counter "msg_sent_bytes" created: "Number of bytes sent to the defined output", unit: "1"
2024-11-19T11:32:19.318    INFO OutputProcess::DevoSender(internal_senders,devo_sender_0) -> Created a sender: {"name": "DevoSender(internal_senders,devo_sender_0)", "url": "collector-eu.devo.io:443", "chain_path": "/home/md_tausif/gitlab/devo-collector-darktrace/certs/chain.crt", "cert_path": "/home/md_tausif/gitlab/devo-collector-darktrace/certs/int-if-integrations-india.crt", "key_path": "/home/md_tausif/gitlab/devo-collector-darktrace/certs/int-if-integrations-india.key", "transport_layer_type": "SSL", "last_usage_timestamp": null, "socket_status": null}, hostname: "2023-apac-0046", session_id: "140102146981120"
2024-11-19T11:32:19.319    INFO OutputProcess::DevoSender(internal_senders,devo_sender_0) -> [EMERGENCY_PERSISTENCE_SYSTEM] Nothing available in the persistence system
2024-11-19T11:32:19.658    INFO InputProcess::CollectorDarktracePullerSetup(darktrace#122312,summarystatistics#predefined) -> Setup for module <StatelessServicePuller> has been successfully executed

Puller output

A successful initial run has the following output messages for the puller module:

Note that the PrePull action is executed only one time before the first run of the Pull action.

Code Block
2024-11-19T11:33:19.949    INFO InputProcess::StatelessServicePuller(darktrace#122312,summarystatistics#predefined) -> Pull Started
2024-11-19T11:33:20.797    INFO InputProcess::StatelessServicePuller(darktrace#122312,summarystatistics#predefined) -> (Partial) Statistics for this pull cycle (@devo_pulling_id=1731996199949):Number of requests made: 1; Number of events received: 1; Number of duplicated events filtered out: 0; Number of events generated and sent: 1; Average of events per second: 1.180.
2024-11-19T11:33:20.797    INFO InputProcess::StatelessServicePuller(darktrace#122312,summarystatistics#predefined) -> Statistics for this pull cycle (@devo_pulling_id=1731996199949):Number of requests made: 1; Number of events received: 1; Number of duplicated events filtered out: 0; Number of events generated and sent: 1; Average of events per second: 1.179.
2024-11-19T11:33:20.798    INFO InputProcess::StatelessServicePuller(darktrace#122312,summarystatistics#predefined) -> The data is up to date!

After a successful collector’s execution (that is, no error logs found), you will see the following log message:

Code Block
2024-11-19T11:33:20.797    INFO InputProcess::StatelessServicePuller(darktrace#122312,summarystatistics#predefined) -> Statistics for this pull cycle (@devo_pulling_id=1731996199949):Number of requests made: 1; Number of events received: 1; Number of duplicated events filtered out: 0; Number of events generated and sent: 1; Average of events per second: 1.179.
Expand
titleRestart the persistence

This collector uses persistent storage to download events in an orderly fashion and avoid duplicates. In case you want to re-ingest historical data or recreate the persistence, you can restart the persistence of this collector by following these steps:

  1. Edit the configuration file.

  2. Change the value of the start_time_in_utc_format parameter to a different one.

  3. Save the changes.

  4. Restart the collector.

The collector will detect this change and will restart the persistence using the parameters of the configuration file or the default configuration in case it has not been provided.

Expand
titleTroubleshooting

This collector has different security layers that detect both an invalid configuration and abnormal operation. This table will help you detect and resolve the most common errors.

Error type

Error ID

Error Message

Cause

Solution

SetupError

100

Error occurred while requesting from the Darktrace server. Error message: {e}

Darktrace API call is failing

Ensure that the collector has the necessary permissions to access the Darktrace API and cnotact the developer with exact erro rmessage

SetupError

101

The tokens provided are incorrect. Please specify the correct credentials. Error message {e}

Darktrace API call is failing

Check the credentials and ensure that the collector has the necessary permissions to access the Darktrace API.

SetupError

102

The provided tokens are valid but they do not have the permission to get data: Error message {e}

Darktrace API call is failing

Contact the Developer with exact error message

SetupError

103

Unexpected HTTP error occurred at the Darktrace server. status code, {status_code} error: {e}

Darktrace API call is failing

Contact the Developer with exact error message

PullError

300

HTTP Error occurred while retrieving events from Darktrace server: summary {summary} details {details}

Darktrace API call is failing

Contact the Developer with exact error message

PullError

301

Some error occurred while retrieving events from Darktrace server. Error details: {e}

Darktrace API call is failing

Contact the Developer with exact error message

Collector operations

This section is intended to explain how to proceed with specific operations of this collector.

Expand
titleVerify collector operations

Initialization

The initialization module is in charge of setup and running the input (pulling logic) and output (delivering logic) services and validating the given configuration.

A successful run has the following output messages for the initializer module:

Code Block
2024-11-19T11:32:18.861    INFO MainProcess::MainThread -> Initialized all object from "MainProcess" process
2024-11-19T11:32:18.861    INFO MainProcess::MainThread -> OutputProcess - Starting thread (executing_period=120s)
2024-11-19T11:32:18.862    INFO MainProcess::MainThread -> InputProcess - Starting thread (executing_period=120s)
2024-11-19T11:32:18.864    INFO MainProcess::MainThread -> [METRIC] Metric consumer started
2024-11-19T11:32:18.864    INFO MainProcess::WebServiceThread -> Starting WebServiceThread, ip-port: 0.0.0.0:3000
2024-11-19T11:32:18.864    INFO OutputProcess::MainThread -> Process started (pid=10747, ppid=10725, multiprocessing.start_method="fork")
2024-11-19T11:32:18.865    INFO MainProcess::MainThread -> Started all objects from "MainProcess" process
2024-11-19T11:32:18.866    INFO InputProcess::MainThread -> Process started (pid=10751, ppid=10725, multiprocessing.start_method="fork")
2024-11-19T11:32:18.907    INFO InputProcess::MainThread -> StatelessServicePuller(darktrace#122312,summarystatistics#predefined) -> [PERSISTENCE_SYSTEM] Created persistence instance, filename_path: /home/md_tausif/gitlab/devo-collector-darktrace/state/not_used/darktrace;122312;summarystatistics;predefined;StatelessServicePuller.json
2024-11-19T11:32:18.907    INFO OutputProcess::MainThread -> DevoSenderManager(standard_senders,manager,devo_us_1) -> [EMERGENCY_PERSISTENCE_SYSTEM] Created persistence instance, filename_path: /home/md_tausif/gitlab/devo-collector-darktrace/state/not_used/DevoSenderManager;standard_senders;devo_us_1.json.gz
2024-11-19T11:32:18.908    INFO InputProcess::MainThread -> StatelessServicePuller(darktrace#122312,summarystatistics#predefined) -> [PERSISTENCE_SYSTEM] There is no data persisted with the latest format, any previous persisted data will be migrated
2024-11-19T11:32:18.908    INFO InputProcess::MainThread -> StatelessServicePuller(darktrace#122312,summarystatistics#predefined) -> [PERSISTENCE_SYSTEM] No previous persistence file exists to migrate (Version 2), filename_path: "/home/md_tausif/gitlab/devo-collector-darktrace/state/2aab77e60889f09b633d3d970ef2df68"
2024-11-19T11:32:18.908    INFO InputProcess::MainThread -> StatelessServicePuller(darktrace#122312,summarystatistics#predefined) -> [PERSISTENCE_SYSTEM] No previous persistence file exists to migrate (Version 1), filename_path: "/home/md_tausif/gitlab/devo-collector-darktrace/state/b4d7611b788af2ad262f3ade0720cbc6"
2024-11-19T11:32:18.908    INFO OutputProcess::MainThread -> DevoSenderManager(standard_senders,manager,devo_us_1) -> [EMERGENCY_PERSISTENCE_SYSTEM] There is no data persisted with the latest format, any previous persisted data will be migrated
2024-11-19T11:32:18.908    INFO InputProcess::MainThread -> StatelessServicePuller(darktrace#122312,summarystatistics#predefined) -> [PERSISTENCE_SYSTEM] Checking if old persisted data must be removed
2024-11-19T11:32:18.908    INFO OutputProcess::MainThread -> DevoSenderManager(standard_senders,manager,devo_us_1) -> [EMERGENCY_PERSISTENCE_SYSTEM] No previous persistence file exists to migrate (Version 1), filename_path: "/home/md_tausif/gitlab/devo-collector-darktrace/state/36bed5fef9b856fc6b18255b004526be"
2024-11-19T11:32:18.908    INFO InputProcess::MainThread -> StatelessServicePuller(darktrace#122312,summarystatistics#predefined) -> [PERSISTENCE_SYSTEM] No previous persistence file exists (Version 2), filename_path: "/home/md_tausif/gitlab/devo-collector-darktrace/state/2aab77e60889f09b633d3d970ef2df68"
2024-11-19T11:32:18.908    INFO InputProcess::MainThread -> StatelessServicePuller(darktrace#122312,summarystatistics#predefined) -> [PERSISTENCE_SYSTEM] No previous persistence file exists (Version 1), filename_path: "/home/md_tausif/gitlab/devo-collector-darktrace/state/b4d7611b788af2ad262f3ade0720cbc6"
2024-11-19T11:32:18.909    INFO InputProcess::MainThread -> StatelessServicePuller(darktrace#122312,summarystatistics#predefined) Starting the execution of init_variables()
2024-11-19T11:32:18.910    INFO InputProcess::MainThread -> Validating service metadata
2024-11-19T11:32:18.911    INFO OutputProcess::MainThread -> DevoSender(standard_senders,devo_sender_0) -> [EMERGENCY_PERSISTENCE_SYSTEM] Created persistence instance, filename_path: /home/md_tausif/gitlab/devo-collector-darktrace/state/not_used/DevoSender;standard_senders;devo_sender_0.json.gz
2024-11-19T11:32:18.911    INFO OutputProcess::MainThread -> DevoSender(standard_senders,devo_sender_0) -> [EMERGENCY_PERSISTENCE_SYSTEM] There is no data persisted with the latest format, any previous persisted data will be migrated
2024-11-19T11:32:18.912    INFO OutputProcess::MainThread -> DevoSender(standard_senders,devo_sender_0) -> [EMERGENCY_PERSISTENCE_SYSTEM] No previous persistence file exists to migrate (Version 1), filename_path: "/home/md_tausif/gitlab/devo-collector-darktrace/state/b1ee30ea2c4b3be1eb50c8b2ca80d8d8"
2024-11-19T11:32:18.912    INFO InputProcess::MainThread -> Validating defined module definition
2024-11-19T11:32:18.913    INFO OutputProcess::MainThread -> OutputStandardConsumer(standard_senders_consumer_0) -> [EMERGENCY_PERSISTENCE_SYSTEM] Created persistence instance, filename_path: /home/md_tausif/gitlab/devo-collector-darktrace/state/not_used/OutputStandardConsumer;standard_senders;0.json.gz
2024-11-19T11:32:18.914    INFO OutputProcess::MainThread -> OutputStandardConsumer(standard_senders_consumer_0) -> [EMERGENCY_PERSISTENCE_SYSTEM] There is no data persisted with the latest format, any previous persisted data will be migrated
2024-11-19T11:32:18.914    INFO OutputProcess::MainThread -> OutputStandardConsumer(standard_senders_consumer_0) -> [EMERGENCY_PERSISTENCE_SYSTEM] No previous persistence file exists to migrate (Version 1), filename_path: "/home/md_tausif/gitlab/devo-collector-darktrace/state/de28663278a264d05d531fbc1db51a93"
2024-11-19T11:32:18.916    INFO InputProcess::MainThread -> Validating common input config
2024-11-19T11:32:18.916    INFO OutputProcess::MainThread -> DevoSenderManager(lookup_senders,manager,devo_us_1) -> [EMERGENCY_PERSISTENCE_SYSTEM] Created persistence instance, filename_path: /home/md_tausif/gitlab/devo-collector-darktrace/state/not_used/DevoSenderManager;lookup_senders;devo_us_1.json.gz
2024-11-19T11:32:18.916    INFO OutputProcess::MainThread -> DevoSenderManager(lookup_senders,manager,devo_us_1) -> [EMERGENCY_PERSISTENCE_SYSTEM] There is no data persisted with the latest format, any previous persisted data will be migrated
2024-11-19T11:32:18.916    INFO OutputProcess::MainThread -> DevoSenderManager(lookup_senders,manager,devo_us_1) -> [EMERGENCY_PERSISTENCE_SYSTEM] No previous persistence file exists to migrate (Version 1), filename_path: "/home/md_tausif/gitlab/devo-collector-darktrace/state/08a1a86d62177fc610df30a3ea72219c"
2024-11-19T11:32:18.917    INFO InputProcess::MainThread -> Validating service input config
2024-11-19T11:32:18.918    INFO InputProcess::MainThread -> Running overriding rules
2024-11-19T11:32:18.918    INFO OutputProcess::MainThread -> DevoSender(lookup_senders,devo_sender_0) -> [EMERGENCY_PERSISTENCE_SYSTEM] Created persistence instance, filename_path: /home/md_tausif/gitlab/devo-collector-darktrace/state/not_used/DevoSender;lookup_senders;devo_sender_0.json.gz
2024-11-19T11:32:18.918    INFO InputProcess::MainThread -> Overriding rule #1 - service key <override_tag> with value <my.app.devo.com> overrides definition key <devo_tag> with value <None> when the first is not <None>
2024-11-19T11:32:18.918    INFO InputProcess::MainThread -> Validating the rate limiter config given by the user
2024-11-19T11:32:18.918    INFO InputProcess::MainThread -> <requests_limits> setting has not been defined. The generic settings will be used instead.
2024-11-19T11:32:18.919    INFO InputProcess::MainThread -> Adding raw config to the collector store
2024-11-19T11:32:18.919    INFO InputProcess::MainThread -> Running custom validation rules
2024-11-19T11:32:18.919    INFO InputProcess::MainThread -> StatelessServicePuller(darktrace#122312,summarystatistics#predefined) Finalizing the execution of init_variables()

Events delivery and Devo ingestion

The event delivery module is in charge of receiving the events from the internal queues where all events are injected by the pullers and delivering them using the selected compatible delivery method.

A successful run has the following output messages for the initializer module:

Code Block
2024-11-19T11:47:18.956    INFO OutputProcess::DevoSenderManagerMonitor(lookup_senders,devo_us_1) -> Number of available senders: 1, sender manager internal queue size: 0
2024-11-19T11:47:18.956    INFO OutputProcess::DevoSenderManagerMonitor(lookup_senders,devo_us_1) -> enqueued_elapsed_times_in_seconds_stats: {}
2024-11-19T11:47:18.956    INFO OutputProcess::DevoSenderManagerMonitor(lookup_senders,devo_us_1) -> Sender: DevoSender(lookup_senders,devo_sender_0), status: {"internal_queue_size": 0, "is_connection_open": False}
2024-11-19T11:47:18.956    INFO OutputProcess::DevoSenderManagerMonitor(lookup_senders,devo_us_1) -> Lookup - Total number of messages sent: 0, messages sent since "2024-11-19 06:12:18.956130+00:00": 0 (elapsed 0.000 seconds)
2024-11-19T11:47:18.958    INFO OutputProcess::DevoSenderManagerMonitor(internal_senders,devo_us_1) -> Number of available senders: 1, sender manager internal queue size: 1
2024-11-19T11:47:18.958    INFO OutputProcess::DevoSenderManagerMonitor(internal_senders,devo_us_1) -> enqueued_elapsed_times_in_seconds_stats: {}
2024-11-19T11:47:18.958    INFO OutputProcess::DevoSenderManagerMonitor(internal_senders,devo_us_1) -> Sender: DevoSender(internal_senders,devo_sender_0), status: {"internal_queue_size": 1, "is_connection_open": True}
2024-11-19T11:47:18.958    INFO OutputProcess::DevoSenderManagerMonitor(internal_senders,devo_us_1) -> Internal - Total number of messages: 114 messages/bytes sent since/to "2024-11-19T06:12:18.957991+00:00/2024-11-19T06:17:18.958475+00:00": 28/13408, (elapsed 0.002 seconds)

Sender services

The Integrations Factory Collector SDK has 3 different senders services depending on the event type to delivery (internal, standard, and lookup). This collector uses the following Sender Services:

Sender services

Description

internal_senders

In charge of delivering internal metrics to Devo such as logging traces or metrics.

standard_senders

In charge of delivering pulled events to Devo.

Sender statistics

Each service displays its own performance statistics that allow checking how many events have been delivered to Devo by type:

Logging trace

Description

Number of available senders: 1

Displays the number of concurrent senders available for the given Sender Service.

sender manager internal queue size: 0

Displays the items available in the internal sender queue.

Info

This value helps detect bottlenecks and needs to increase the performance of data delivery to Devo. This last can be made by increasing the concurrent senders.

Standard - Total number of messages sent: 0, messages sent since "2024-11-19 06:12:18.956130+00:00": 0 (elapsed 0.000 seconds

Displayes the number of events from the last time and following the given example, the following conclusions can be obtained:

  • 44 events were sent to Devo since the collector started.

  • The last checkpoint timestamp was 2023-01-10 16:09:16.116750+00:00.

  • 21 events where sent to Devo between the last UTC checkpoint and now.

  • Those 21 events required 0.007 seconds to be delivered.

Info

By default these traces will be shown every 10 minutes.

Expand
titleCheck memory usage

To check the memory usage of this collector, look for the following log records in the collector which are displayed every 5 minutes by default, always after running the memory-free process.

  • The used memory is displayed by running processes and the sum of both values will give the total used memory for the collector.

  • The global pressure of the available memory is displayed in the global value.

  • All metrics (Global, RSS, VMS) include the value before freeing and after previous -> after freeing memory

Code Block
2024-11-19T11:47:19.041    INFO InputProcess::MainThread -> [GC] global: 23.4% -> 23.4%, process: RSS(65.29MiB -> 65.29MiB), VMS(522.05MiB -> 522.05MiB)
2024-11-19T11:48:19.108    INFO OutputProcess::MainThread -> [GC] global: 23.3% -> 23.3%, process: RSS(65.53MiB -> 65.53MiB), VMS(1.07GiB -> 1.07GiB)

Change log

Release

Released on

Release type

Details

Recommendations

v1.1.0

Status
colourPurple
titleImprovement

Improvements

  • Upgraded Docker base image to 1.3.1

  • Updated the DCSDK from v1.7.2 to v1.13.1

    • Fixed bug related to module_global_status value in message_metrics

    • PEP8 Cleanup

    • New metric endpoint (http://0.0.0.0:3000/metrics)

    • Changed some metric structure that were already sent to Devo before (devo.collector.metric.*)

    • Improved MacOS compatibility (for the development phase)

    • Updated DevoSDK to version 6.0.0

    • Puller and PullerSetup now have the same id structure

    • Changed some console log traces to DEBUG

    • Fixed bug related to rate_limiter object (the object was not properly internally released)

    • Improved Filesystem persistence behavior

    • python-dateutil==2.8.2 -> python-dateutil==2.9.0.post0

    • Fixed error related with loss of some values in internal messages (collector_name, collector_id and job_id)/li>

    • Improve Controlled stop when InputProcess is killed

    • Change internal queue management for protecting against OOMKr

    • Extracted ModuleThread structure from PullerAbstract

    • Improve Controlled stop when both processes fail to instantiate

    • Fixed error related a ValueError exception not well controlled

    • Fixed error related with loss of some values in internal messages (collector_name, collector_id and job_id)

    • Improve Controlled stop when InputProcess is killed

    • Extracted ModuleThread structure from PullerAbstract

    • Improve Controlled stop when both processes fails to instantiate

    • Upgrade DevoSDK dependency to version v5.4.0

    • error in persistence system

    • changes to make DCSDK compatible with MacOS

    • Added new sender for relay in house + TLS

    • Added persistence functionality for gzip sending buffer

    • Added Automatic activation of gzip sending

    • Improved behaviour when persistence fails

    • Upgraded DevoSDK dependency

    • Fixed console log encoding

    • Restructured python classes

    • Improved behaviour with non-utf8 characters

    • Decreased default size value for internal queues (Redis limitation, from 1GiB to 256MiB)

    • New persistence format/structure (compression in some cases)

    • Removed dmesg execution (It was invalid for docker execution)

    • Added extra check for not valid message timestamps

    • Added extra check for improve the controlled stop

    • Changed default number for connection retries (now 7)

    • Fix for Devo connection retries

    • Updated DevoSDK to v5.1.10

    • Fix for SyslogSender related to UTF-8

    • Enhance of troubleshooting. Trace Standardization, Some traces has been introduced.

    • Introduced a mechanism to detect "Out of Memory killer" situation.

    • Updated DevoSDK to v5.1.9

    • Fixed some bug related to development on MacOS

    • Added an extra validation and fix when the DCSDK receives a wrong timestamp format

    • Added an optional config property for use the Syslog timestamp format in a strict way

    • Fixed error in pyproject.toml related to project scripts endpoint

    • Updated DevoSDK to v5.1.7

    • Introduced pyproject.toml

    • Added requirements-dev.txt

    • Added input metrics

    • Modified output metrics

    • Updated DevoSDK to v5.1.6

    • Standardized exception messages for traceability (Dynatrace related)

    • Added more detail in queue statistics

    • Upgrade internal dependencies

    • Store lookup instances into DevoSender to avoid creation of new instances for the same lookup

    • Ensure service_config is a dict into templates

    • Ensure special characters are properly sent to the platform

    • Changed log level to some messages from info to debug

    • Changed some wrong log messages

    • Upgraded some internal dependencies

Recommended version

v1.0.0

Status
colourPurple
titleFIRST RELEASE


Released the first version of the Darktrace Respond collector.

Recommended version