Overview
Darktrace RESPOND works autonomously to disarm attacks whenever they occur. It reacts to threats in seconds and works 24/7, freeing up security teams and resources.
Once the data source is configured, you can either send us the required information if you want us to host and manage the collector for you (Cloud collector), or deploy and host the collector in your own machine using a Docker image (On-premise collector).
Check memory usage
To check the memory usage of this collector, look for the following log records, which the collector writes every 5 minutes by default, always after running the memory-free process.
Used memory is reported per running process; the sum of both values gives the total memory used by the collector.
The global pressure on the available memory is reported in the global value.
All metrics (Global, RSS, VMS) show the value before freeing memory and the value after it, in the form previous -> after.
We use a piece of software called Collector Server to host and manage all our available collectors. If you want us to host this collector for you, get in touch with us and we will guide you through the configuration.
On-premise collector
This data collector can run on any machine that has the Docker service available, because it is executed as a Docker container. The following sections explain how to prepare the setup required to have the data collector running.
Structure
The following directory structure should be created for use when running the collector:
In Devo, go to Administration → Credentials → X.509 Certificates, download the Certificate, Private key and Chain CA and save them in <product_name>/certs/. Learn more about security credentials in Devo here.
All defined service entities will be executed by the collector. If you do not want to run any of them, just remove the entity from the services object.
Replace the placeholders with your required values following the description table below:
Parameter | Data type | Type | Value range | Details
--- | --- | --- | --- | ---
<short_unique_id> | int | Mandatory | Minimum length 5 | Use this parameter to give a unique ID to this input service. It is used to build the persistence address; do not use the same value for multiple collectors, as this could cause a collision.
<input_status> | bool | Mandatory | false / true | Enables or disables the given input logic when running the collector: if the value is true, the input will be run; if it is false, the input will be ignored.
<public_token> | str | Mandatory | Minimum length 1 | public_token for accessing the Darktrace API.
<private_token> | str | Mandatory | Minimum length 1 | private_token for accessing the Darktrace API.
<instance> | str | Mandatory | Minimum length 1 | instance for accessing the Darktrace API.
<start_time_in_utc_format> | int | Mandatory | UTC format | Sets a custom date as the beginning of the period to download. This allows downloading historical data (one month back, for example) before downloading new events. Ex: 2022-05-14T00:00:0
<override_devo_tag> | str | Optional | A devo tag | Defines a custom devo tag that overrides the default devo tag.
All defined service entities will be executed by the collector. If you do not want to run any of them, just remove the entity from the services object.
Replace the placeholders with your required values following the description table below:
Parameter | Data type | Type | Value range | Details
--- | --- | --- | --- | ---
collector_id | int | Mandatory | Minimum length: 1, Maximum length: 5 | Use this param to give a unique ID to this collector.
collector_name | str | Mandatory | Minimum length: 1, Maximum length: 10 | Use this param to give a valid name to this collector.
 | | | | Use this param to identify the Devo Cloud where the events will be sent.
chain_filename | str | Mandatory | Minimum length: 4, Maximum length: 20 | Use this param to identify the chain.cert file downloaded from your Devo domain. Usually this file's name is chain.crt.
cert_filename | str | Mandatory | Minimum length: 4, Maximum length: 20 | Use this param to identify the file.cert downloaded from your Devo domain.
key_filename | str | Mandatory | Minimum length: 4, Maximum length: 20 | Use this param to identify the file.key downloaded from your Devo domain.
input_id | int | Mandatory | Minimum length: 1, Maximum length: 5 | Use this param to give a unique ID to this input service. This parameter is used to build the persistence address; do not use the same value for multiple collectors, as it could cause a collision.
input_status | bool | Mandatory | false / true | If the value is true, the input definition will be executed. If the value is false, the service will be ignored.
public_token | str | Mandatory | Minimum length: 1 | Public token of the Darktrace server.
private_token | str | Mandatory | Minimum length: 1 | Private token of the Darktrace server.
instance | str | Mandatory | Minimum length: 1 | Instance value for the Darktrace server. If the base URL is https://azeus1-75836-01.cloud.darktrace.com/, the instance value is azeus1-75836-01.cloud.darktrace.com.
request_period_in_seconds | int | Optional | Minimum length: 1 | Period in seconds between each data pull; this value overrides the default value (60 seconds).
override_devo_tag | str | Optional | A devo tag | Defines a custom devo tag.
start_time_in_utc_format | str | Optional | Minimum length: 1 | Sets a custom date as the beginning of the period to download. This allows downloading historical data (one month back, for example) before downloading new events.
override_time_window_interval_in_minutes | int | Optional | Minimum length: 1 | Sets the intervals into which the data pulling is divided, starting from the start date. This overrides the default value (60 minutes).
Download the Docker image
The collector should be deployed as a Docker container. Download the Docker image of the collector as a .tgz file by clicking the link in the following table:
Once the Docker image is imported, it will show the real name of the Docker image (including version info). Replace <image_file> and <version> with a proper value.
The Docker image can be deployed on the following services:
Docker
Execute the following command on the root directory <any_directory>/devo-collectors/<product_name>/
Replace <product_name>, <image_name> and <version> with the proper values.
Docker Compose
The following Docker Compose file can be used to execute the Docker container. It must be created in the <any_directory>/devo-collectors/<product_name>/ directory.
To run the container using docker-compose, execute the following command from the <any_directory>/devo-collectors/<product_name>/ directory:
```shell
IMAGE_VERSION=<version> docker-compose up -d
```
Note: Replace <product_name>, <image_name> and <version> with the proper values.
Collector services detail
This section is intended to explain how to proceed with specific actions for services.
Events service
Verify data collection
Once the collector has been launched, it is important to check if the ingestion is performed in a proper way. To do so, go to the collector’s logs console.
This service has the following components:

Component | Description
--- | ---
Setup | The setup module is in charge of authenticating the service and managing the token expiration when needed.
Puller | The puller module is in charge of pulling the data in an organized way and delivering the events via the SDK.
Setup output
A successful run has the following output messages for the setup module:
```
INFO InputProcess::CollectorDarktracePullerSetup(unknown,darktrace#darktrace_respond,summarystatistics#predefined) -> Starting the execution of setup()
INFO InputProcess::CollectorDarktracePullerSetup(unknown,darktrace#darktrace_respond,summarystatistics#predefined) -> Tokens have been validated successfully.
INFO InputProcess::CollectorDarktracePullerSetup(unknown,darktrace#darktrace_respond,summarystatistics#predefined) -> Finalizing the execution of setup()
INFO InputProcess::CollectorDarktracePullerSetup(unknown,darktrace#darktrace_respond,summarystatistics#predefined) -> Setup for module <CollectorDarktracePuller> has been successfully executed
```
Puller output
```
2023-03-27T16:22:12.290 INFO InputProcess::CollectorDarktracePuller(darktrace,darktrace_respond,summarystatistics,predefined) -> The configuration property "start_time" is having a different value from previous collector executions so the persisted values will be removed. The new "start_time" value will be used as starting point, previous_value: "2023-03-10T00:00:00", new_value: "2023-03-25T00:00:00"
2023-03-27T16:22:12.291 INFO InputProcess::CollectorDarktracePuller(darktrace,darktrace_respond,summarystatistics,predefined) -> Starting data collection every 60 seconds
2023-03-27T16:22:12.291 INFO InputProcess::CollectorDarktracePuller(darktrace,darktrace_respond,summarystatistics,predefined) -> Starting a new pulling from darktrace at "2023-03-27T10:52:12.289241+00:00"
2023-03-27T16:22:12.297 INFO InputProcess::CollectorDarktracePuller(darktrace,darktrace_respond,summarystatistics,predefined) -> Total number of time slots to be processed: 58
2023-03-27T16:22:13.466 INFO InputProcess::CollectorDarktracePuller(darktrace,darktrace_respond,summarystatistics,predefined) -> Number of events received for time slot >> 2023-03-25 00:00:00+00:00 - 2023-03-25 01:00:00+00:00 is: 2
2023-03-27T16:22:14.476 INFO InputProcess::CollectorDarktracePuller(darktrace,darktrace_respond,summarystatistics,predefined) -> Number of events received for time slot >> 2023-03-25 01:00:00+00:00 - 2023-03-25 02:00:00+00:00 is: 0
2023-03-27T16:22:15.616 INFO InputProcess::CollectorDarktracePuller(darktrace,darktrace_respond,summarystatistics,predefined) -> Number of events received for time slot >> 2023-03-25 02:00:00+00:00 - 2023-03-25 03:00:00+00:00 is: 1
2023-03-27T16:22:16.640 INFO InputProcess::CollectorDarktracePuller(darktrace,darktrace_respond,summarystatistics,predefined) -> Number of events received for time slot >> 2023-03-25 03:00:00+00:00 - 2023-03-25 04:00:00+00:00 is: 0
2023-03-27T16:22:17.650 INFO InputProcess::CollectorDarktracePuller(darktrace,darktrace_respond,summarystatistics,predefined) -> Number of events received for time slot >> 2023-03-25 04:00:00+00:00 - 2023-03-25 05:00:00+00:00 is: 4
2023-03-27T16:22:18.669 INFO InputProcess::CollectorDarktracePuller(darktrace,darktrace_respond,summarystatistics,predefined) -> Number of events received for time slot >> 2023-03-25 05:00:00+00:00 - 2023-03-25 06:00:00+00:00 is: 1
2023-03-27T16:22:19.705 INFO InputProcess::CollectorDarktracePuller(darktrace,darktrace_respond,summarystatistics,predefined) -> Number of events received for time slot >> 2023-03-25 06:00:00+00:00 - 2023-03-25 07:00:00+00:00 is: 0
2023-03-27T16:22:21.122 INFO InputProcess::CollectorDarktracePuller(darktrace,darktrace_respond,summarystatistics,predefined) -> Number of events received for time slot >> 2023-03-25 07:00:00+00:00 - 2023-03-25 08:00:00+00:00 is: 1
2023-03-27T16:22:22.471 INFO InputProcess::CollectorDarktracePuller(darktrace,darktrace_respond,summarystatistics,predefined) -> Number of events received for time slot >> 2023-03-25 08:00:00+00:00 - 2023-03-25 09:00:00+00:00 is: 1
2023-03-27T16:22:23.902 INFO InputProcess::CollectorDarktracePuller(darktrace,darktrace_respond,summarystatistics,predefined) -> Number of events received for time slot >> 2023-03-25 09:00:00+00:00 - 2023-03-25 10:00:00+00:00 is: 0
2023-03-27T16:22:25.338 INFO InputProcess::CollectorDarktracePuller(darktrace,darktrace_respond,summarystatistics,predefined) -> Number of events received for time slot >> 2023-03-25 10:00:00+00:00 - 2023-03-25 11:00:00+00:00 is: 6
2023-03-27T16:22:26.571 INFO InputProcess::CollectorDarktracePuller(darktrace,darktrace_respond,summarystatistics,predefined) -> Number of events received for time slot >> 2023-03-25 11:00:00+00:00 - 2023-03-25 12:00:00+00:00 is: 0
2023-03-27T16:22:26.572 INFO InputProcess::CollectorDarktracePuller(darktrace,darktrace_respond,summarystatistics,predefined) -> Number of processed time slots so far: 12
2023-03-27T16:22:27.896 INFO InputProcess::CollectorDarktracePuller(darktrace,darktrace_respond,summarystatistics,predefined) -> Number of events received for time slot >> 2023-03-25 12:00:00+00:00 - 2023-03-25 13:00:00+00:00 is: 0
```
After a successful collector’s execution (that is, no error logs found), you will see the following log message:
```
2023-03-27T16:23:16.990 INFO InputProcess::CollectorDarktracePuller(darktrace,darktrace_respond,summarystatistics,predefined) -> Received response, messages(total/duplicated): 65/4/tag template used: "my.app.test2", avg_time_per_source_message: 6.022 ms
```
Restart the persistence
This collector uses persistent storage to download events in an orderly fashion and avoid duplicates. If you want to re-ingest historical data or recreate the persistence, restart the persistence of this collector by following these steps:
1. Edit the configuration file.
2. Change the value of the start_time_in_utc_format parameter to a different one.
3. Save the changes.
4. Restart the collector.
The collector detects this change and restarts the persistence using the parameters of the configuration file, or the default configuration if they have not been provided.
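The two behaviours visible above (the backlog between start_time_in_utc_format and the pull time being split into time slots of time_window_interval_in_minutes, and a changed start_time discarding the persisted checkpoint) modelled as an added example; this is not the Devo collector's own code. The date_format value and the rule that only complete slots are pulled are assumptions chosen to reproduce the "58 time slots" figure from the puller output.

```python
"""
Added example, not part of the Devo Darktrace collector's own code. It models
how the puller splits the backlog into time slots and how the persisted
checkpoint is reset when "start_time_in_utc_format" changes.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

# Assumed value of the collector's "date_format" property; it matches the
# start_time strings shown in the logs on this page (e.g. 2023-03-25T00:00:00).
DATE_FORMAT = "%Y-%m-%dT%H:%M:%S"


def parse_start_time(value: str) -> datetime:
    """Parse start_time_in_utc_format as a UTC datetime.

    Raises ValueError when the string does not match DATE_FORMAT, which is the
    condition behind InitVariablesError 34 in the troubleshooting table.
    """
    return datetime.strptime(value, DATE_FORMAT).replace(tzinfo=timezone.utc)


def plan_time_slots(start: datetime, now: datetime,
                    interval_minutes: int = 60) -> List[Tuple[datetime, datetime]]:
    """Split [start, now) into consecutive slots of interval_minutes.

    Only slots whose end is not in the future are returned (assumption), so a
    partially elapsed trailing window waits for the next pull cycle.
    """
    if interval_minutes <= 0:
        # Mirrors InitVariablesError 13: the interval can not be a negative value.
        raise ValueError("time_window_interval_in_minutes must be positive")
    step = timedelta(minutes=interval_minutes)
    slots: List[Tuple[datetime, datetime]] = []
    cursor = start
    while cursor + step <= now:
        slots.append((cursor, cursor + step))
        cursor += step
    return slots


@dataclass
class Persistence:
    """Minimal stand-in for the collector's persisted state (constructed here)."""
    start_time: Optional[str] = None          # start_time used on the last run
    last_slot_end: Optional[datetime] = None  # end of the last fully processed slot


def resume_point(persisted: Persistence, configured_start: str) -> datetime:
    """Return the instant the next pull should begin from.

    If start_time_in_utc_format differs from the value stored in persistence,
    the stored values are discarded and the new start_time is used, which is
    what the "Restart the persistence" procedure relies on.
    """
    if persisted.start_time != configured_start:
        persisted.start_time = configured_start
        persisted.last_slot_end = None
    return persisted.last_slot_end or parse_start_time(configured_start)


def slots_for_run(persisted: Persistence, configured_start: str, now: datetime,
                  interval_minutes: int = 60) -> List[Tuple[datetime, datetime]]:
    """Resolve the resume point, then plan the slots for this pull."""
    return plan_time_slots(resume_point(persisted, configured_start), now, interval_minutes)


if __name__ == "__main__":
    # Constructed scenario matching the puller log above: persistence from an
    # earlier run with start_time 2023-03-10, configuration changed to 2023-03-25,
    # pull started at 2023-03-27T10:52:12+00:00.
    state = Persistence(start_time="2023-03-10T00:00:00",
                        last_slot_end=parse_start_time("2023-03-12T00:00:00"))
    pull_at = parse_start_time("2023-03-27T10:52:12")
    slots = slots_for_run(state, "2023-03-25T00:00:00", pull_at)
    print(f"Total number of time slots to be processed: {len(slots)}")
    first_start, first_end = slots[0]
    print(f"Number of events received for time slot >> {first_start} - {first_end}")
```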
Troubleshooting
This collector has different security layers that detect both an invalid configuration and abnormal operation. The following table helps you detect and resolve the most common errors.
Error type | Error ID | Error Message | Cause | Solution
--- | --- | --- | --- | ---
InitVariablesError | 1 | "{module_globals}" mandatory property is missing or empty | module_globals is not defined in the collector_definitions.yaml file | Define module_globals in the collector_definitions file
InitVariablesError | 2 | "{module_globals}" mandatory property is missing or empty | module_globals field is not a dictionary | module_globals must be modified to be a dictionary
InitVariablesError | 3 | "base_url" mandatory property is missing or empty | base_url is missing from module_properties | Define base_url inside module_properties
InitVariablesError | 4 | "base_url" property must be a string | base_url is not a string | base_url should be a string
InitVariablesError | 5 | "date_format" mandatory property is missing or empty | date_format is missing from module_properties | Define date_format inside module_properties
InitVariablesError | 6 | "date_format" mandatory property is missing or empty | date_format is missing from module_properties | Define date_format inside module_properties
InitVariablesError | 7 | "{module_properties_key_path}" mandatory property is missing or empty | module_properties is not defined in the collector_definitions.yaml file | Define module_properties in the collector_definitions file
InitVariablesError | 8 | "{module_properties_key_path}" property must be a dictionary | module_properties field is not a dictionary | module_properties must be modified to be a dictionary
InitVariablesError | 9 | "{module_properties_key_path}.endpoint" mandatory property is missing or empty | endpoint is not defined | Define the endpoint
InitVariablesError | 10 | "{module_properties_key_path}.endpoint" property must be a string | endpoint is not a string | Make endpoint a string
InitVariablesError | 11 | "{module_properties_key_path}.time_window_interval_in_minutes" mandatory property is missing or empty | time_window_interval_in_minutes is not present | Define time_window_interval_in_minutes
InitVariablesError | 12 | "{module_properties_key_path}.time_window_interval_in_minutes" property must be an integer | time_window_interval_in_minutes is not an integer | time_window_interval_in_minutes must be an int
InitVariablesError | 13 | "{module_properties_key_path}.time_window_interval_in_minutes" property can not be a negative value | time_window_interval_in_minutes is less than 0 | time_window_interval_in_minutes should be positive
InitVariablesError | 14 | "{module_properties_key_path}.devo_tag" mandatory property is missing or empty | devo_tag is not defined | Define devo_tag
InitVariablesError | 15 | "{module_properties_key_path}.devo_tag" property must be a string | devo_tag is not a string | devo_tag must be a string
InitVariablesError | 16 | "{module_properties_key_path}.unique_id" property must be a string | unique_id is not a string | unique_id must be a string
InitVariablesError | 17 | "{module_properties_key_path}.persistence_version" mandatory property is missing or empty | persistence_version is not present | Define persistence_version
InitVariablesError | 18 | "{module_properties_key_path}.persistence_version" property must be an integer | persistence_version is not an integer | persistence_version must be an int
InitVariablesError | 19 | "{module_properties_key_path}.persistence_version" property can not be a negative value | persistence_version is less than 0 | persistence_version should be positive
InitVariablesError | 20 | inputs.darktrace mandatory property is missing or empty | inputs.darktrace is not present in the config.yaml file | Define inputs.darktrace in the config.yaml file
InitVariablesError | 21 | inputs.darktrace property must be a dictionary | darktrace input is not a dict | Make the darktrace input a dict
InitVariablesError | 22 | inputs.darktrace.credentials mandatory property is missing or empty | credentials property is missing in config.yaml | credentials property must be defined
InitVariablesError | 23 | inputs.darktrace.credentials property must be a dictionary | credentials property is not a dict | credentials property must be a dict
InitVariablesError | 24 | inputs.darktrace.credentials.public_token mandatory property is missing or empty | public_token is missing in the credentials section | public_token must be defined in the credentials section
InitVariablesError | 25 | inputs.darktrace.credentials.public_token property must be a string | public_token is not a string | public_token should be a string
InitVariablesError | 26 | inputs.darktrace.credentials.private_token mandatory property is missing or empty | private_token is missing in the credentials section | private_token must be defined in the credentials section
InitVariablesError | 27 | inputs.darktrace.credentials.private_token property must be a string | private_token is not a string | private_token should be a string
InitVariablesError | 28 | inputs.darktrace.credentials.instance mandatory property is missing or empty | instance is not present in the credentials section | Define the instance variable
InitVariablesError | 29 | inputs.darktrace.credentials.instance property must be a string | instance is not a string | instance has to be a string
InitVariablesError | 30 | inputs.{self.input_name}.services.{self.service_name} mandatory property is missing or empty | {self.service_name} is not defined inside the services section | {self.service_name} has to be defined
InitVariablesError | 31 | inputs.{self.input_name}.services.{self.service_name} property must be a dictionary | {self.service_name} is not a dict | {self.service_name} must be a dict
InitVariablesError | 32 | inputs.{self.input_name}.services.{self.service_name}.override_devo_tag property must be a string | override_devo_tag is not a string | override_devo_tag must be a string
InitVariablesError | 33 | inputs.{self.input_name}.services.{self.service_name}.start_time_in_utc_format property must be a string | start_time_in_utc_format is not a string | start_time_in_utc_format must be a string
InitVariablesError | 34 | inputs.{self.input_name}.services.{self.service_name}.start_time_in_utc_format does not match the format {self.collector_variables["date_format"]} | start_time_in_utc_format is not proper | start_time_in_utc_format must be consistent with {self.collector_variables["date_format"]}
InitVariablesError | 35 | inputs.{self.input_name}.services.{self.service_name}.override_time_window_interval_in_minutes property must be an int | override_time_window_interval_in_minutes property is not an integer | override_time_window_interval_in_minutes property must be an integer
PullError | 300 | HTTP Error occurred while retrieving events from Darktrace server | An unknown exception happened while making the HTTP request | Reach out to the developer with the exact error message
PullError | 301 | Some error occurred while retrieving events from Darktrace server. | An error other than an HTTP error occurred while making the request to the server | Reach out to the developer with the exact error message
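A pre-flight check for config.yaml that reproduces the input-level checks listed as InitVariablesError 20 to 35 above, so a broken configuration is caught before the container is started; this is an added example and not the collector's own validation code. The config is passed as a dict (the result of loading config.yaml with any YAML parser); the service name summarystatistics and the date_format value are assumptions, and the sample config is constructed with placeholder credentials.

```python
"""
Added example, not the Devo Darktrace collector's own code: reproduces the
config.yaml checks behind InitVariablesError 20-35 from the troubleshooting table.
"""
from datetime import datetime
from typing import Any, Dict, Optional

# Assumed value of the collector's "date_format" property.
DATE_FORMAT = "%Y-%m-%dT%H:%M:%S"


class InitVariablesError(Exception):
    """Carries the Error ID from the troubleshooting table together with the message."""

    def __init__(self, error_id: int, message: str) -> None:
        super().__init__(f"[{error_id}] {message}")
        self.error_id = error_id


def _require(value: Any, present_id: int, type_id: int, path: str,
             expected: type, type_name: str) -> None:
    """Check that a mandatory property is present, non-empty and of the expected type."""
    if value is None or value == "" or value == {}:
        raise InitVariablesError(present_id, f"{path} mandatory property is missing or empty")
    if not isinstance(value, expected):
        raise InitVariablesError(type_id, f"{path} property must be {type_name}")


def validate_darktrace_input(config: Dict[str, Any], input_name: str = "darktrace",
                             service_name: str = "summarystatistics",
                             date_format: str = DATE_FORMAT) -> None:
    """Raise InitVariablesError (IDs 20-35) on the first problem found."""
    inputs = config.get("inputs")
    section = inputs.get(input_name) if isinstance(inputs, dict) else None
    _require(section, 20, 21, f"inputs.{input_name}", dict, "a dictionary")

    creds = section.get("credentials")
    _require(creds, 22, 23, f"inputs.{input_name}.credentials", dict, "a dictionary")
    for key, present_id, type_id in (("public_token", 24, 25),
                                     ("private_token", 26, 27),
                                     ("instance", 28, 29)):
        _require(creds.get(key), present_id, type_id,
                 f"inputs.{input_name}.credentials.{key}", str, "a string")

    services = section.get("services")
    service = services.get(service_name) if isinstance(services, dict) else None
    path = f"inputs.{input_name}.services.{service_name}"
    _require(service, 30, 31, path, dict, "a dictionary")

    # Optional service-level overrides are only type-checked when present.
    tag = service.get("override_devo_tag")
    if tag is not None and not isinstance(tag, str):
        raise InitVariablesError(32, f"{path}.override_devo_tag property must be a string")

    start = service.get("start_time_in_utc_format")
    if start is not None:
        if not isinstance(start, str):
            raise InitVariablesError(33, f"{path}.start_time_in_utc_format property must be a string")
        try:
            datetime.strptime(start, date_format)
        except ValueError:
            raise InitVariablesError(
                34, f"{path}.start_time_in_utc_format does not match the format {date_format}") from None

    interval = service.get("override_time_window_interval_in_minutes")
    # bool is a subclass of int in Python, so it is excluded explicitly.
    if interval is not None and (isinstance(interval, bool) or not isinstance(interval, int)):
        raise InitVariablesError(
            35, f"{path}.override_time_window_interval_in_minutes property must be an int")


def validation_error_id(config: Dict[str, Any], **kwargs: Any) -> Optional[int]:
    """Return the Error ID of the first failing check, or None when the config is valid."""
    try:
        validate_darktrace_input(config, **kwargs)
    except InitVariablesError as exc:
        return exc.error_id
    return None


# Constructed sample of the relevant part of config.yaml (placeholder credentials).
SAMPLE_CONFIG: Dict[str, Any] = {
    "inputs": {
        "darktrace": {
            "credentials": {
                "public_token": "<public_token>",
                "private_token": "<private_token>",
                "instance": "azeus1-75836-01.cloud.darktrace.com",
            },
            "services": {
                "summarystatistics": {
                    "start_time_in_utc_format": "2023-03-25T00:00:00",
                    "override_time_window_interval_in_minutes": 60,
                }
            },
        }
    }
}

if __name__ == "__main__":
    problem = validation_error_id(SAMPLE_CONFIG)
    print("config.yaml is valid" if problem is None else f"InitVariablesError {problem}")
```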
Collector operations
This section is intended to explain how to proceed with specific operations of this collector.
Verify collector operations
Initialization
The initialization module is in charge of setting up and running the input (pulling logic) and output (delivering logic) services, and of validating the given configuration.
A successful run has the following output messages for the initializer module:
```
2023-03-27T16:22:07.976 INFO MainProcess::MainThread -> Loading configuration using the following files: {"full_config": "config-1-local.yaml", "job_config_loc": null, "collector_config_loc": null}
2023-03-27T16:22:07.976 INFO MainProcess::MainThread -> Using the default location for "job_config_loc" file: "/etc/devo/job/job_config.json"
2023-03-27T16:22:07.976 INFO MainProcess::MainThread -> "/etc/devo/job" does not exists
2023-03-27T16:22:07.977 INFO MainProcess::MainThread -> Using the default location for "collector_config_loc" file: "/etc/devo/collector/collector_config.json"
2023-03-27T16:22:07.977 INFO MainProcess::MainThread -> "/etc/devo/collector" does not exists
2023-03-27T16:22:07.977 INFO MainProcess::MainThread -> Results of validation of config files parameters: {"config": "/Users/krishan.dhingra/devo/github/devo-collector-darktrace/config/config-1-local.yaml", "config_validated": True, "job_config_loc": "/etc/devo/job/job_config.json", "job_config_loc_default": True, "job_config_loc_validated": False, "collector_config_loc": "/etc/devo/collector/collector_config.json", "collector_config_loc_default": True, "collector_config_loc_validated": False}
2023-03-27T16:22:08.080 INFO MainProcess::MainThread -> Build time: "UNKNOWN", OS: "macOS-12.6.1-x86_64-i386-64bit", collector(name:version): "darktrace_collector:1.0.0", owner: "aaa.bbb@domain.com", started at: "2023-03-27T10:52:08.059847Z"
2023-03-27T16:22:08.092 INFO MainProcess::MainThread -> Initialized all object from "MainProcess" process
```
Events delivery and Devo ingestion
The event delivery module is in charge of receiving the events from the internal queues where all events are injected by the pullers and delivering them using the selected compatible delivery method.
The Integrations Factory Collector SDK has three different sender services, depending on the type of event to deliver (internal, standard, and lookup). This collector uses the following sender services:

Sender services | Description
--- | ---
internal_senders | In charge of delivering internal metrics to Devo, such as logging traces or metrics.
standard_senders | In charge of delivering pulled events to Devo.
Sender statistics
Each service displays its own performance statistics, which allow checking how many events have been delivered to Devo by type:

Logging trace: Number of available senders: 1
Description: Displays the number of concurrent senders available for the given Sender Service.

Logging trace: sender manager internal queue size: 0
Description: Displays the items available in the internal sender queue.
Info: This value helps detect bottlenecks and the need to increase the performance of data delivery to Devo, which can be done by increasing the number of concurrent senders.

Logging trace: Standard - Total number of messages sent: 57, messages sent since "2023-01-10 16:09:16.116750+00:00": 0 (elapsed 0.000 seconds
Description: Displays the number of events since the last checkpoint. Following the given example, the following conclusions can be obtained:
- 44 events were sent to Devo since the collector started.
- The last checkpoint timestamp was 2023-01-10 16:09:16.116750+00:00.
- 21 events were sent to Devo between the last UTC checkpoint and now.
- Those 21 events required 0.007 seconds to be delivered.
Info: By default, these traces are shown every 10 minutes.
Setup output (second example)
The setup output from another run of the same collector, which also shows the persistence and metrics initialization messages:
```
2024-11-19T11:32:18.920 INFO InputProcess::MainThread -> CollectorDarktracePullerSetup(darktrace#122312,summarystatistics#predefined) -> Starting thread
2024-11-19T11:32:18.920 INFO InputProcess::MainThread -> StatelessServicePuller(darktrace#122312,summarystatistics#predefined) - Starting thread
2024-11-19T11:32:18.922 WARNING InputProcess::StatelessServicePuller(darktrace#122312,summarystatistics#predefined) -> Waiting until setup will be executed
2024-11-19T11:32:18.923 INFO InputProcess::MainThread -> InputMetricsThread -> Started thread for updating metrics values (update_period=10.0)
2024-11-19T11:32:18.945 INFO OutputProcess::MainThread -> DevoSender(lookup_senders,devo_sender_0) -> [EMERGENCY_PERSISTENCE_SYSTEM] There is no data persisted with the latest format, any previous persisted data will be migrated
2024-11-19T11:32:18.945 INFO OutputProcess::MainThread -> DevoSender(lookup_senders,devo_sender_0) -> [EMERGENCY_PERSISTENCE_SYSTEM] No previous persistence file exists to migrate (Version 1), filename_path: "/home/md_tausif/gitlab/devo-collector-darktrace/state/df8895fef2a509cbd87fcc9850dc0c81"
2024-11-19T11:32:18.946 INFO OutputProcess::MainThread -> OutputLookupConsumer(lookup_senders_consumer_0) -> [EMERGENCY_PERSISTENCE_SYSTEM] Created persistence instance, filename_path: /home/md_tausif/gitlab/devo-collector-darktrace/state/not_used/OutputLookupConsumer;lookup_senders;0.json.gz
2024-11-19T11:32:18.946 INFO OutputProcess::MainThread -> OutputLookupConsumer(lookup_senders_consumer_0) -> [EMERGENCY_PERSISTENCE_SYSTEM] There is no data persisted with the latest format, any previous persisted data will be migrated
2024-11-19T11:32:18.947 INFO OutputProcess::MainThread -> OutputLookupConsumer(lookup_senders_consumer_0) -> [EMERGENCY_PERSISTENCE_SYSTEM] No previous persistence file exists to migrate (Version 1), filename_path: "/home/md_tausif/gitlab/devo-collector-darktrace/state/865a79c1b99ad39b22becc235c9732cb"
2024-11-19T11:32:18.947 INFO OutputProcess::MainThread -> DevoSenderManager(internal_senders,manager,devo_us_1) -> [EMERGENCY_PERSISTENCE_SYSTEM] Created persistence instance, filename_path: /home/md_tausif/gitlab/devo-collector-darktrace/state/not_used/DevoSenderManager;internal_senders;devo_us_1.json.gz
2024-11-19T11:32:18.948 INFO OutputProcess::MainThread -> DevoSenderManager(internal_senders,manager,devo_us_1) -> [EMERGENCY_PERSISTENCE_SYSTEM] There is no data persisted with the latest format, any previous persisted data will be migrated
2024-11-19T11:32:18.948 INFO OutputProcess::MainThread -> DevoSenderManager(internal_senders,manager,devo_us_1) -> [EMERGENCY_PERSISTENCE_SYSTEM] No previous persistence file exists to migrate (Version 1), filename_path: "/home/md_tausif/gitlab/devo-collector-darktrace/state/34012509abf2225d01ba2e6297651032"
2024-11-19T11:32:18.949 INFO InputProcess::MainThread -> [GC] global: 24.6% -> 24.7%, process: RSS(62.17MiB -> 62.54MiB), VMS(522.05MiB -> 522.05MiB)
2024-11-19T11:32:18.949 INFO MainProcess::MetricsConsumerThread -> OpenTelemetryServer -> [METRIC] Counter "vendor_requests" created: "Number of requests received from the vendor API", unit: "requests"
2024-11-19T11:32:18.950 INFO MainProcess::MetricsConsumerThread -> OpenTelemetryServer -> [METRIC] Counter "msg_incoming_received" created: "Number of messages received from the vendor API", unit: "1"
2024-11-19T11:32:18.950 INFO OutputProcess::MainThread -> DevoSender(internal_senders,devo_sender_0) -> [EMERGENCY_PERSISTENCE_SYSTEM] Created persistence instance, filename_path: /home/md_tausif/gitlab/devo-collector-darktrace/state/not_used/DevoSender;internal_senders;devo_sender_0.json.gz
2024-11-19T11:32:18.950 INFO MainProcess::MetricsConsumerThread -> OpenTelemetryServer -> [METRIC] Counter "msg_incoming_removed" created: "Number of messages removed by the collector", unit: "1"
2024-11-19T11:32:18.950 INFO MainProcess::MetricsConsumerThread -> OpenTelemetryServer -> [METRIC] Counter "msg_incoming_filtered" created: "Number of messages filtered by the collector", unit: "1"
2024-11-19T11:32:18.951 INFO MainProcess::MetricsConsumerThread -> OpenTelemetryServer -> [METRIC] Counter "msg_enqueued_standard_counter" created: "Number of messages enqueued", unit: "1"
2024-11-19T11:32:18.951 INFO MainProcess::MetricsConsumerThread -> OpenTelemetryServer -> [METRIC] Counter "msg_enqueued_standard_bytes" created: "Number of bytes enqueued", unit: "1"
```
2024-11-19T11:32:18.951 INFO MainProcess::MetricsConsumerThread -> OpenTelemetryServer -> [METRIC] Counter "msg_enqueued_lookup_counter" created: "Number of messages enqueued", unit: "1"
2024-11-19T11:32:18.951 INFO MainProcess::MetricsConsumerThread -> OpenTelemetryServer -> [METRIC] Counter "msg_enqueued_lookup_bytes" created: "Number of messages enqueued", unit: "1"
2024-11-19T11:32:18.951 INFO MainProcess::MetricsConsumerThread -> OpenTelemetryServer -> [METRIC] Counter "msg_enqueued_internal_counter" created: "Number of messages enqueued in the queue", unit: "1"
2024-11-19T11:32:18.951 INFO OutputProcess::MainThread -> DevoSender(internal_senders,devo_sender_0) -> [EMERGENCY_PERSISTENCE_SYSTEM] There is no data persisted with the latest format, any previous persisted data will be migrated
2024-11-19T11:32:18.952 INFO OutputProcess::MainThread -> DevoSender(internal_senders,devo_sender_0) -> [EMERGENCY_PERSISTENCE_SYSTEM] No previous persistence file exists to migrate (Version 1), filename_path: "/home/md_tausif/gitlab/devo-collector-darktrace/state/4ff7b345dc444ac050cf75f93e5dcb3b"
2024-11-19T11:32:18.952 INFO MainProcess::MetricsConsumerThread -> OpenTelemetryServer -> [METRIC] Counter "msg_enqueued_internal_bytes" created: "Number of messages enqueued in the queue", unit: "1"
2024-11-19T11:32:18.952 INFO MainProcess::MetricsConsumerThread -> OpenTelemetryServer -> [METRIC] Gauge "module_global_status" created: "Global status of current module", unit: "1"
2024-11-19T11:32:18.952 INFO OutputProcess::MainThread -> OutputInternalConsumer(internal_senders_consumer_0) -> [EMERGENCY_PERSISTENCE_SYSTEM] Created persistence instance, filename_path: /home/md_tausif/gitlab/devo-collector-darktrace/state/not_used/OutputInternalConsumer;internal_senders;0.json.gz
2024-11-19T11:32:18.953 INFO OutputProcess::MainThread -> OutputInternalConsumer(internal_senders_consumer_0) -> [EMERGENCY_PERSISTENCE_SYSTEM] There is no data persisted with the latest format, any previous persisted data will be migrated
2024-11-19T11:32:18.953 INFO OutputProcess::MainThread -> OutputInternalConsumer(internal_senders_consumer_0) -> [EMERGENCY_PERSISTENCE_SYSTEM] No previous persistence file exists to migrate (Version 1), filename_path: "/home/md_tausif/gitlab/devo-collector-darktrace/state/10dd360c86621afd5a28a029a0dddcf6"
2024-11-19T11:32:18.953 INFO OutputProcess::MainThread -> DevoSender(standard_senders,devo_sender_0) -> Starting thread
2024-11-19T11:32:18.953 INFO OutputProcess::MainThread -> DevoSenderManagerMonitor(standard_senders,devo_us_1) -> Starting thread (every 300 seconds)
2024-11-19T11:32:18.954 INFO OutputProcess::MainThread -> DevoSenderManager(standard_senders,manager,devo_us_1) -> Starting thread
2024-11-19T11:32:18.954 INFO OutputProcess::DevoSenderManager(standard_senders,manager,devo_us_1) -> [EMERGENCY_PERSISTENCE_SYSTEM] Recovering any available content from the persistence system
2024-11-19T11:32:18.954 INFO OutputProcess::OutputStandardConsumer(standard_senders_consumer_0) -> [EMERGENCY_PERSISTENCE_SYSTEM] Recovering any available content from the persistence system
2024-11-19T11:32:18.954 INFO OutputProcess::MainThread -> DevoSender(lookup_senders,devo_sender_0) -> Starting thread
2024-11-19T11:32:18.955 INFO OutputProcess::MainThread -> DevoSenderManagerMonitor(lookup_senders,devo_us_1) -> Starting thread (every 300 seconds)
2024-11-19T11:32:18.955 INFO OutputProcess::OutputStandardConsumer(standard_senders_consumer_0) -> [EMERGENCY_PERSISTENCE_SYSTEM] Nothing available in the persistence system
2024-11-19T11:32:18.955 INFO OutputProcess::OutputStandardConsumer(standard_senders_consumer_0) -> [EMERGENCY_PERSISTENCE_SYSTEM] Elapsed seconds: 0.00
2024-11-19T11:32:18.955 INFO OutputProcess::MainThread -> DevoSenderManager(lookup_senders,manager,devo_us_1) -> Starting thread
2024-11-19T11:32:18.955 INFO OutputProcess::DevoSenderManager(lookup_senders,manager,devo_us_1) -> [EMERGENCY_PERSISTENCE_SYSTEM] Recovering any available content from the persistence system
2024-11-19T11:32:18.955 INFO OutputProcess::OutputLookupConsumer(lookup_senders_consumer_0) -> [EMERGENCY_PERSISTENCE_SYSTEM] Recovering any available content from the persistence system
2024-11-19T11:32:18.956 INFO OutputProcess::MainThread -> DevoSender(internal_senders,devo_sender_0) -> Starting thread
2024-11-19T11:32:18.956 INFO OutputProcess::OutputLookupConsumer(lookup_senders_consumer_0) -> [EMERGENCY_PERSISTENCE_SYSTEM] Nothing available in the persistence system
2024-11-19T11:32:18.956 INFO OutputProcess::OutputLookupConsumer(lookup_senders_consumer_0) -> [EMERGENCY_PERSISTENCE_SYSTEM] Elapsed seconds: 0.00
2024-11-19T11:32:18.957 INFO OutputProcess::MainThread -> DevoSenderManagerMonitor(internal_senders,devo_us_1) -> Starting thread (every 300 seconds)
2024-11-19T11:32:18.957 INFO OutputProcess::DevoSenderManager(lookup_senders,manager,devo_us_1) -> [EMERGENCY_PERSISTENCE_SYSTEM] Nothing available in the persistence system
2024-11-19T11:32:18.957 INFO OutputProcess::DevoSenderManager(lookup_senders,manager,devo_us_1) -> [EMERGENCY_PERSISTENCE_SYSTEM] Elapsed seconds: 0.00
2024-11-19T11:32:18.957 INFO OutputProcess::MainThread -> DevoSenderManager(internal_senders,manager,devo_us_1) -> Starting thread
2024-11-19T11:32:18.957 INFO OutputProcess::DevoSenderManager(standard_senders,manager,devo_us_1) -> [EMERGENCY_PERSISTENCE_SYSTEM] Nothing available in the persistence system
2024-11-19T11:32:18.958 INFO OutputProcess::DevoSenderManager(standard_senders,manager,devo_us_1) -> [EMERGENCY_PERSISTENCE_SYSTEM] Elapsed seconds: 0.00
2024-11-19T11:32:18.958 INFO OutputProcess::DevoSenderManager(internal_senders,manager,devo_us_1) -> [EMERGENCY_PERSISTENCE_SYSTEM] Recovering any available content from the persistence system
2024-11-19T11:32:18.958 INFO OutputProcess::OutputInternalConsumer(internal_senders_consumer_0) -> [EMERGENCY_PERSISTENCE_SYSTEM] Recovering any available content from the persistence system
2024-11-19T11:32:18.958 INFO OutputProcess::MainThread -> OutputMetricsThread -> Started thread for updating metrics values (update_period=10.0)
2024-11-19T11:32:18.959 INFO OutputProcess::OutputInternalConsumer(internal_senders_consumer_0) -> [EMERGENCY_PERSISTENCE_SYSTEM] Nothing available in the persistence system
2024-11-19T11:32:18.959 INFO OutputProcess::OutputInternalConsumer(internal_senders_consumer_0) -> [EMERGENCY_PERSISTENCE_SYSTEM] Elapsed seconds: 0.00
2024-11-19T11:32:18.960 INFO MainProcess::MetricsConsumerThread -> OpenTelemetryServer -> [METRIC] Counter "msg_sent_counter" created: "Number of messages sent to the defined output", unit: "1"
2024-11-19T11:32:18.960 INFO OutputProcess::DevoSenderManager(internal_senders,manager,devo_us_1) -> [EMERGENCY_PERSISTENCE_SYSTEM] Nothing available in the persistence system
2024-11-19T11:32:18.960 INFO OutputProcess::DevoSenderManager(internal_senders,manager,devo_us_1) -> [EMERGENCY_PERSISTENCE_SYSTEM] Elapsed seconds: 0.00
2024-11-19T11:32:18.978 INFO OutputProcess::MainThread -> [GC] global: 24.7% -> 24.7%, process: RSS(62.03MiB -> 62.16MiB), VMS(1.07GiB -> 1.07GiB)
2024-11-19T11:32:18.979 INFO MainProcess::MetricsConsumerThread -> OpenTelemetryServer -> [METRIC] Counter "msg_sent_bytes" created: "Number of bytes sent to the defined output", unit: "1"
2024-11-19T11:32:19.318 INFO OutputProcess::DevoSender(internal_senders,devo_sender_0) -> Created a sender: {"name": "DevoSender(internal_senders,devo_sender_0)", "url": "collector-eu.devo.io:443", "chain_path": "/home/md_tausif/gitlab/devo-collector-darktrace/certs/chain.crt", "cert_path": "/home/md_tausif/gitlab/devo-collector-darktrace/certs/int-if-integrations-india.crt", "key_path": "/home/md_tausif/gitlab/devo-collector-darktrace/certs/int-if-integrations-india.key", "transport_layer_type": "SSL", "last_usage_timestamp": null, "socket_status": null}, hostname: "2023-apac-0046", session_id: "140102146981120"
2024-11-19T11:32:19.319 INFO OutputProcess::DevoSender(internal_senders,devo_sender_0) -> [EMERGENCY_PERSISTENCE_SYSTEM] Nothing available in the persistence system
2024-11-19T11:32:19.658 INFO InputProcess::CollectorDarktracePullerSetup(darktrace#122312,summarystatistics#predefined) -> Setup for module <StatelessServicePuller> has been successfully executed
Puller output
A successful initial run has the following output messages for the puller module:
Note that the PrePull action is executed only once, before the first run of the Pull action.
2024-11-19T11:33:19.949 INFO InputProcess::StatelessServicePuller(darktrace#122312,summarystatistics#predefined) -> Pull Started
2024-11-19T11:33:20.797 INFO InputProcess::StatelessServicePuller(darktrace#122312,summarystatistics#predefined) -> (Partial) Statistics for this pull cycle (@devo_pulling_id=1731996199949):Number of requests made: 1; Number of events received: 1; Number of duplicated events filtered out: 0; Number of events generated and sent: 1; Average of events per second: 1.180.
2024-11-19T11:33:20.797 INFO InputProcess::StatelessServicePuller(darktrace#122312,summarystatistics#predefined) -> Statistics for this pull cycle (@devo_pulling_id=1731996199949):Number of requests made: 1; Number of events received: 1; Number of duplicated events filtered out: 0; Number of events generated and sent: 1; Average of events per second: 1.179.
2024-11-19T11:33:20.798 INFO InputProcess::StatelessServicePuller(darktrace#122312,summarystatistics#predefined) -> The data is up to date!
After a successful collector’s execution (that is, no error logs found), you will see the following log message:
2024-11-19T11:33:20.797 INFO InputProcess::StatelessServicePuller(darktrace#122312,summarystatistics#predefined) -> Statistics for this pull cycle (@devo_pulling_id=1731996199949):Number of requests made: 1; Number of events received: 1; Number of duplicated events filtered out: 0; Number of events generated and sent: 1; Average of events per second: 1.179.
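The statistics trace above carries the per-cycle counters an operator needs to confirm the puller is healthy. The following script is an added example, not code from the collector or from Devo: it parses those traces, skips the "(Partial)" intermediate line so that each cycle is counted once, and flags cycles whose counters do not add up (events sent should equal events received minus duplicates filtered out) or that made requests without receiving any events. The sample log embeds the lines shown above plus two constructed cycles (the second and third pull_id values and their counters are made up) to exercise both checks.

```python
import re
from typing import Dict, List

# Constructed sample: the four traces shown on this page followed by two
# made-up cycles, one empty and one whose counters do not add up.
SAMPLE_LOG = """\
2024-11-19T11:33:19.949 INFO InputProcess::StatelessServicePuller(darktrace#122312,summarystatistics#predefined) -> Pull Started
2024-11-19T11:33:20.797 INFO InputProcess::StatelessServicePuller(darktrace#122312,summarystatistics#predefined) -> (Partial) Statistics for this pull cycle (@devo_pulling_id=1731996199949):Number of requests made: 1; Number of events received: 1; Number of duplicated events filtered out: 0; Number of events generated and sent: 1; Average of events per second: 1.180.
2024-11-19T11:33:20.797 INFO InputProcess::StatelessServicePuller(darktrace#122312,summarystatistics#predefined) -> Statistics for this pull cycle (@devo_pulling_id=1731996199949):Number of requests made: 1; Number of events received: 1; Number of duplicated events filtered out: 0; Number of events generated and sent: 1; Average of events per second: 1.179.
2024-11-19T11:33:20.798 INFO InputProcess::StatelessServicePuller(darktrace#122312,summarystatistics#predefined) -> The data is up to date!
2024-11-19T11:35:20.797 INFO InputProcess::StatelessServicePuller(darktrace#122312,summarystatistics#predefined) -> Statistics for this pull cycle (@devo_pulling_id=1731996320797):Number of requests made: 2; Number of events received: 0; Number of duplicated events filtered out: 0; Number of events generated and sent: 0; Average of events per second: 0.000.
2024-11-19T11:37:20.797 INFO InputProcess::StatelessServicePuller(darktrace#122312,summarystatistics#predefined) -> Statistics for this pull cycle (@devo_pulling_id=1731996440797):Number of requests made: 1; Number of events received: 5; Number of duplicated events filtered out: 1; Number of events generated and sent: 3; Average of events per second: 4.000.
"""

# One regex for the per-cycle statistics trace. The optional "(Partial) "
# prefix marks the intermediate line that precedes the final one.
STATS_RE = re.compile(
    r"^(?P<ts>\S+) INFO InputProcess::(?P<puller>\S+) -> "
    r"(?P<partial>\(Partial\) )?Statistics for this pull cycle "
    r"\(@devo_pulling_id=(?P<pull_id>\d+)\):"
    r"Number of requests made: (?P<requests>\d+); "
    r"Number of events received: (?P<received>\d+); "
    r"Number of duplicated events filtered out: (?P<duplicates>\d+); "
    r"Number of events generated and sent: (?P<sent>\d+); "
    r"Average of events per second: (?P<rate>\d+\.\d+)\.$"
)


def parse_pull_statistics(log_text: str) -> List[Dict]:
    """Return one record per completed pull cycle, in log order.

    Partial statistics lines are skipped so a cycle is never counted twice.
    """
    cycles = []
    for line in log_text.splitlines():
        m = STATS_RE.match(line)
        if not m or m.group("partial"):
            continue
        cycles.append({
            "timestamp": m.group("ts"),
            "puller": m.group("puller"),
            "pull_id": int(m.group("pull_id")),
            "requests": int(m.group("requests")),
            "received": int(m.group("received")),
            "duplicates": int(m.group("duplicates")),
            "sent": int(m.group("sent")),
            "rate": float(m.group("rate")),
        })
    return cycles


def check_pull_cycles(cycles: List[Dict]) -> Dict:
    """Aggregate the cycles and flag the ones worth a closer look.

    For every cycle the counters should satisfy
        sent == received - duplicates
    A cycle that violates this lost or duplicated events somewhere between
    the API response and the output queue. A cycle that made requests but
    received nothing is normal for a quiet source but is listed separately
    so a persistent run of them can be spotted.
    """
    summary = {"cycles": len(cycles), "requests": 0, "received": 0,
               "duplicates": 0, "sent": 0, "inconsistent": [], "empty": []}
    for c in cycles:
        for key in ("requests", "received", "duplicates", "sent"):
            summary[key] += c[key]
        if c["sent"] != c["received"] - c["duplicates"]:
            summary["inconsistent"].append(c["pull_id"])
        if c["requests"] > 0 and c["received"] == 0:
            summary["empty"].append(c["pull_id"])
    return summary


if __name__ == "__main__":
    report = check_pull_cycles(parse_pull_statistics(SAMPLE_LOG))
    print(report)
```

Run it against a collector log captured with `docker logs`; the `inconsistent` list should stay empty on a healthy collector, and a growing `empty` list over many cycles means the source is either quiet or the `start_time_in_utc_format` window is not what you expect.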
Restart the persistence
This collector uses persistent storage to download events in an orderly fashion and avoid duplicates. If you want to re-ingest historical data or recreate the persistence, you can restart the persistence of this collector by following these steps:
1. Edit the configuration file.
2. Change the value of the start_time_in_utc_format parameter to a different one.
3. Save the changes.
4. Restart the collector.
The collector will detect this change and restart the persistence using the parameters of the configuration file, or the default configuration if none has been provided.
Troubleshooting
This collector has different security layers that detect both an invalid configuration and abnormal operation. This table will help you detect and resolve the most common errors.
| Error type | Error ID | Error message | Cause | Solution |
|---|---|---|---|---|
| SetupError | 100 | Error occurred while requesting from the Darktrace server. Error message: {e} | Darktrace API call is failing | Ensure that the collector has the necessary permissions to access the Darktrace API and contact the developer with the exact error message. |
| SetupError | 101 | The tokens provided are incorrect. Please specify the correct credentials. Error message {e} | Darktrace API call is failing | Check the credentials and ensure that the collector has the necessary permissions to access the Darktrace API. |
| SetupError | 102 | The provided tokens are valid but they do not have the permission to get data: Error message {e} | Darktrace API call is failing | Contact the developer with the exact error message. |
| SetupError | 103 | Unexpected HTTP error occurred at the Darktrace server. status code, {status_code} error: {e} | Darktrace API call is failing | Contact the developer with the exact error message. |
| PullError | 300 | HTTP Error occurred while retrieving events from Darktrace server: summary {summary} details {details} | Darktrace API call is failing | Contact the developer with the exact error message. |
| PullError | 301 | Some error occurred while retrieving events from Darktrace server. Error details: {e} | Darktrace API call is failing | Contact the developer with the exact error message. |
Collector operations
This section is intended to explain how to proceed with specific operations of this collector.
Verify collector operations
Initialization
The initialization module is in charge of setting up and running the input (pulling logic) and output (delivering logic) services, and of validating the given configuration.
A successful run has the following output messages for the initializer module:
2024-11-19T11:32:18.861 INFO MainProcess::MainThread -> Initialized all object from "MainProcess" process
2024-11-19T11:32:18.861 INFO MainProcess::MainThread -> OutputProcess - Starting thread (executing_period=120s)
2024-11-19T11:32:18.862 INFO MainProcess::MainThread -> InputProcess - Starting thread (executing_period=120s)
2024-11-19T11:32:18.864 INFO MainProcess::MainThread -> [METRIC] Metric consumer started
2024-11-19T11:32:18.864 INFO MainProcess::WebServiceThread -> Starting WebServiceThread, ip-port: 0.0.0.0:3000
2024-11-19T11:32:18.864 INFO OutputProcess::MainThread -> Process started (pid=10747, ppid=10725, multiprocessing.start_method="fork")
2024-11-19T11:32:18.865 INFO MainProcess::MainThread -> Started all objects from "MainProcess" process
2024-11-19T11:32:18.866 INFO InputProcess::MainThread -> Process started (pid=10751, ppid=10725, multiprocessing.start_method="fork")
2024-11-19T11:32:18.907 INFO InputProcess::MainThread -> StatelessServicePuller(darktrace#122312,summarystatistics#predefined) -> [PERSISTENCE_SYSTEM] Created persistence instance, filename_path: /home/md_tausif/gitlab/devo-collector-darktrace/state/not_used/darktrace;122312;summarystatistics;predefined;StatelessServicePuller.json
2024-11-19T11:32:18.907 INFO OutputProcess::MainThread -> DevoSenderManager(standard_senders,manager,devo_us_1) -> [EMERGENCY_PERSISTENCE_SYSTEM] Created persistence instance, filename_path: /home/md_tausif/gitlab/devo-collector-darktrace/state/not_used/DevoSenderManager;standard_senders;devo_us_1.json.gz
2024-11-19T11:32:18.908 INFO InputProcess::MainThread -> StatelessServicePuller(darktrace#122312,summarystatistics#predefined) -> [PERSISTENCE_SYSTEM] There is no data persisted with the latest format, any previous persisted data will be migrated
2024-11-19T11:32:18.908 INFO InputProcess::MainThread -> StatelessServicePuller(darktrace#122312,summarystatistics#predefined) -> [PERSISTENCE_SYSTEM] No previous persistence file exists to migrate (Version 2), filename_path: "/home/md_tausif/gitlab/devo-collector-darktrace/state/2aab77e60889f09b633d3d970ef2df68"
2024-11-19T11:32:18.908 INFO InputProcess::MainThread -> StatelessServicePuller(darktrace#122312,summarystatistics#predefined) -> [PERSISTENCE_SYSTEM] No previous persistence file exists to migrate (Version 1), filename_path: "/home/md_tausif/gitlab/devo-collector-darktrace/state/b4d7611b788af2ad262f3ade0720cbc6"
2024-11-19T11:32:18.908 INFO OutputProcess::MainThread -> DevoSenderManager(standard_senders,manager,devo_us_1) -> [EMERGENCY_PERSISTENCE_SYSTEM] There is no data persisted with the latest format, any previous persisted data will be migrated
2024-11-19T11:32:18.908 INFO InputProcess::MainThread -> StatelessServicePuller(darktrace#122312,summarystatistics#predefined) -> [PERSISTENCE_SYSTEM] Checking if old persisted data must be removed
2024-11-19T11:32:18.908 INFO OutputProcess::MainThread -> DevoSenderManager(standard_senders,manager,devo_us_1) -> [EMERGENCY_PERSISTENCE_SYSTEM] No previous persistence file exists to migrate (Version 1), filename_path: "/home/md_tausif/gitlab/devo-collector-darktrace/state/36bed5fef9b856fc6b18255b004526be"
2024-11-19T11:32:18.908 INFO InputProcess::MainThread -> StatelessServicePuller(darktrace#122312,summarystatistics#predefined) -> [PERSISTENCE_SYSTEM] No previous persistence file exists (Version 2), filename_path: "/home/md_tausif/gitlab/devo-collector-darktrace/state/2aab77e60889f09b633d3d970ef2df68"
2024-11-19T11:32:18.908 INFO InputProcess::MainThread -> StatelessServicePuller(darktrace#122312,summarystatistics#predefined) -> [PERSISTENCE_SYSTEM] No previous persistence file exists (Version 1), filename_path: "/home/md_tausif/gitlab/devo-collector-darktrace/state/b4d7611b788af2ad262f3ade0720cbc6"
2024-11-19T11:32:18.909 INFO InputProcess::MainThread -> StatelessServicePuller(darktrace#122312,summarystatistics#predefined) Starting the execution of init_variables()
2024-11-19T11:32:18.910 INFO InputProcess::MainThread -> Validating service metadata
2024-11-19T11:32:18.911 INFO OutputProcess::MainThread -> DevoSender(standard_senders,devo_sender_0) -> [EMERGENCY_PERSISTENCE_SYSTEM] Created persistence instance, filename_path: /home/md_tausif/gitlab/devo-collector-darktrace/state/not_used/DevoSender;standard_senders;devo_sender_0.json.gz
2024-11-19T11:32:18.911 INFO OutputProcess::MainThread -> DevoSender(standard_senders,devo_sender_0) -> [EMERGENCY_PERSISTENCE_SYSTEM] There is no data persisted with the latest format, any previous persisted data will be migrated
2024-11-19T11:32:18.912 INFO OutputProcess::MainThread -> DevoSender(standard_senders,devo_sender_0) -> [EMERGENCY_PERSISTENCE_SYSTEM] No previous persistence file exists to migrate (Version 1), filename_path: "/home/md_tausif/gitlab/devo-collector-darktrace/state/b1ee30ea2c4b3be1eb50c8b2ca80d8d8"
2024-11-19T11:32:18.912 INFO InputProcess::MainThread -> Validating defined module definition
2024-11-19T11:32:18.913 INFO OutputProcess::MainThread -> OutputStandardConsumer(standard_senders_consumer_0) -> [EMERGENCY_PERSISTENCE_SYSTEM] Created persistence instance, filename_path: /home/md_tausif/gitlab/devo-collector-darktrace/state/not_used/OutputStandardConsumer;standard_senders;0.json.gz
2024-11-19T11:32:18.914 INFO OutputProcess::MainThread -> OutputStandardConsumer(standard_senders_consumer_0) -> [EMERGENCY_PERSISTENCE_SYSTEM] There is no data persisted with the latest format, any previous persisted data will be migrated
2024-11-19T11:32:18.914 INFO OutputProcess::MainThread -> OutputStandardConsumer(standard_senders_consumer_0) -> [EMERGENCY_PERSISTENCE_SYSTEM] No previous persistence file exists to migrate (Version 1), filename_path: "/home/md_tausif/gitlab/devo-collector-darktrace/state/de28663278a264d05d531fbc1db51a93"
2024-11-19T11:32:18.916 INFO InputProcess::MainThread -> Validating common input config
2024-11-19T11:32:18.916 INFO OutputProcess::MainThread -> DevoSenderManager(lookup_senders,manager,devo_us_1) -> [EMERGENCY_PERSISTENCE_SYSTEM] Created persistence instance, filename_path: /home/md_tausif/gitlab/devo-collector-darktrace/state/not_used/DevoSenderManager;lookup_senders;devo_us_1.json.gz
2024-11-19T11:32:18.916 INFO OutputProcess::MainThread -> DevoSenderManager(lookup_senders,manager,devo_us_1) -> [EMERGENCY_PERSISTENCE_SYSTEM] There is no data persisted with the latest format, any previous persisted data will be migrated
2024-11-19T11:32:18.916 INFO OutputProcess::MainThread -> DevoSenderManager(lookup_senders,manager,devo_us_1) -> [EMERGENCY_PERSISTENCE_SYSTEM] No previous persistence file exists to migrate (Version 1), filename_path: "/home/md_tausif/gitlab/devo-collector-darktrace/state/08a1a86d62177fc610df30a3ea72219c"
2024-11-19T11:32:18.917 INFO InputProcess::MainThread -> Validating service input config
2024-11-19T11:32:18.918 INFO InputProcess::MainThread -> Running overriding rules
2024-11-19T11:32:18.918 INFO OutputProcess::MainThread -> DevoSender(lookup_senders,devo_sender_0) -> [EMERGENCY_PERSISTENCE_SYSTEM] Created persistence instance, filename_path: /home/md_tausif/gitlab/devo-collector-darktrace/state/not_used/DevoSender;lookup_senders;devo_sender_0.json.gz
2024-11-19T11:32:18.918 INFO InputProcess::MainThread -> Overriding rule #1 - service key <override_tag> with value <my.app.devo.com> overrides definition key <devo_tag> with value <None> when the first is not <None>
2024-11-19T11:32:18.918 INFO InputProcess::MainThread -> Validating the rate limiter config given by the user
2024-11-19T11:32:18.918 INFO InputProcess::MainThread -> <requests_limits> setting has not been defined. The generic settings will be used instead.
2024-11-19T11:32:18.919 INFO InputProcess::MainThread -> Adding raw config to the collector store
2024-11-19T11:32:18.919 INFO InputProcess::MainThread -> Running custom validation rules
2024-11-19T11:32:18.919 INFO InputProcess::MainThread -> StatelessServicePuller(darktrace#122312,summarystatistics#predefined) Finalizing the execution of init_variables()
Events delivery and Devo ingestion
The event delivery module is in charge of receiving the events from the internal queues, where all events are injected by the pullers, and delivering them using the selected compatible delivery method.
A successful run has the following output messages for the event delivery module:
2024-11-19T11:47:18.956 INFO OutputProcess::DevoSenderManagerMonitor(lookup_senders,devo_us_1) -> Number of available senders: 1, sender manager internal queue size: 0
2024-11-19T11:47:18.956 INFO OutputProcess::DevoSenderManagerMonitor(lookup_senders,devo_us_1) -> enqueued_elapsed_times_in_seconds_stats: {}
2024-11-19T11:47:18.956 INFO OutputProcess::DevoSenderManagerMonitor(lookup_senders,devo_us_1) -> Sender: DevoSender(lookup_senders,devo_sender_0), status: {"internal_queue_size": 0, "is_connection_open": False}
2024-11-19T11:47:18.956 INFO OutputProcess::DevoSenderManagerMonitor(lookup_senders,devo_us_1) -> Lookup - Total number of messages sent: 0, messages sent since "2024-11-19 06:12:18.956130+00:00": 0 (elapsed 0.000 seconds)
2024-11-19T11:47:18.958 INFO OutputProcess::DevoSenderManagerMonitor(internal_senders,devo_us_1) -> Number of available senders: 1, sender manager internal queue size: 1
2024-11-19T11:47:18.958 INFO OutputProcess::DevoSenderManagerMonitor(internal_senders,devo_us_1) -> enqueued_elapsed_times_in_seconds_stats: {}
2024-11-19T11:47:18.958 INFO OutputProcess::DevoSenderManagerMonitor(internal_senders,devo_us_1) -> Sender: DevoSender(internal_senders,devo_sender_0), status: {"internal_queue_size": 1, "is_connection_open": True}
2024-11-19T11:47:18.958 INFO OutputProcess::DevoSenderManagerMonitor(internal_senders,devo_us_1) -> Internal - Total number of messages: 114 messages/bytes sent since/to "2024-11-19T06:12:18.957991+00:00/2024-11-19T06:17:18.958475+00:00": 28/13408, (elapsed 0.002 seconds)
Sender services
The Integrations Factory Collector SDK has three different sender services, depending on the event type to deliver (internal, standard, and lookup). This collector uses the following sender services:
| Sender service | Description |
|---|---|
| internal_senders | In charge of delivering internal metrics to Devo, such as logging traces or metrics. |
| standard_senders | In charge of delivering pulled events to Devo. |
Sender statistics
Each service displays its own performance statistics, which allow checking how many events have been delivered to Devo by type:
| Logging trace | Description |
|---|---|
| Number of available senders: 1 | Displays the number of concurrent senders available for the given Sender Service. |
| sender manager internal queue size: 0 | Displays the items available in the internal sender queue. Info: this value helps detect bottlenecks and the need to increase the performance of data delivery to Devo, which can be done by increasing the number of concurrent senders. |
| Standard - Total number of messages sent: 0, messages sent since "2024-11-19 06:12:18.956130+00:00": 0 (elapsed 0.000 seconds) | Displays the number of events sent since the last checkpoint. Following the given example, the conclusions below can be drawn. |
From the example trace:
- 44 events were sent to Devo since the collector started.
- The last checkpoint timestamp was 2023-01-10 16:09:16.116750+00:00.
- 21 events were sent to Devo between the last UTC checkpoint and now.
- Those 21 events required 0.007 seconds to be delivered.
Info: by default these traces are shown every 10 minutes.
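To turn the monitor traces into an actionable check, the following added example (not part of the collector SDK or of Devo's code) parses successive DevoSenderManagerMonitor traces per sender service, keeps the queue size reported in each trace, and reports a service whose internal queue grows in every consecutive sample, which is the bottleneck case where more concurrent senders are needed. It also derives a delivery rate from the "messages sent since" counters. The log is constructed from the trace formats shown above; the timestamps, counts and the devo_us_1 destination name are sample values.

```python
import re
from typing import Dict, List

# Constructed sample: three monitor rounds, 10 minutes apart, for the
# standard and lookup sender services. The standard queue keeps growing.
SAMPLE_MONITOR_LOG = """\
2024-11-19T11:47:18.955 INFO OutputProcess::DevoSenderManagerMonitor(standard_senders,devo_us_1) -> Number of available senders: 1, sender manager internal queue size: 0
2024-11-19T11:47:18.955 INFO OutputProcess::DevoSenderManagerMonitor(standard_senders,devo_us_1) -> enqueued_elapsed_times_in_seconds_stats: {}
2024-11-19T11:47:18.955 INFO OutputProcess::DevoSenderManagerMonitor(standard_senders,devo_us_1) -> Standard - Total number of messages sent: 44, messages sent since "2024-11-19 06:37:18.955000+00:00": 21 (elapsed 0.007 seconds)
2024-11-19T11:47:18.956 INFO OutputProcess::DevoSenderManagerMonitor(lookup_senders,devo_us_1) -> Number of available senders: 1, sender manager internal queue size: 0
2024-11-19T11:47:18.956 INFO OutputProcess::DevoSenderManagerMonitor(lookup_senders,devo_us_1) -> Lookup - Total number of messages sent: 0, messages sent since "2024-11-19 06:37:18.956130+00:00": 0 (elapsed 0.000 seconds)
2024-11-19T11:57:18.955 INFO OutputProcess::DevoSenderManagerMonitor(standard_senders,devo_us_1) -> Number of available senders: 1, sender manager internal queue size: 150
2024-11-19T11:57:18.955 INFO OutputProcess::DevoSenderManagerMonitor(standard_senders,devo_us_1) -> Standard - Total number of messages sent: 1044, messages sent since "2024-11-19 06:47:18.955000+00:00": 1000 (elapsed 0.500 seconds)
2024-11-19T11:57:18.956 INFO OutputProcess::DevoSenderManagerMonitor(lookup_senders,devo_us_1) -> Number of available senders: 1, sender manager internal queue size: 0
2024-11-19T12:07:18.955 INFO OutputProcess::DevoSenderManagerMonitor(standard_senders,devo_us_1) -> Number of available senders: 1, sender manager internal queue size: 620
2024-11-19T12:07:18.955 INFO OutputProcess::DevoSenderManagerMonitor(standard_senders,devo_us_1) -> Standard - Total number of messages sent: 2044, messages sent since "2024-11-19 06:57:18.955000+00:00": 1000 (elapsed 0.500 seconds)
2024-11-19T12:07:18.956 INFO OutputProcess::DevoSenderManagerMonitor(lookup_senders,devo_us_1) -> Number of available senders: 1, sender manager internal queue size: 0
"""

# Outer match: which sender service and destination the trace belongs to.
MONITOR_RE = re.compile(
    r"^(?P<ts>\S+) INFO OutputProcess::DevoSenderManagerMonitor"
    r"\((?P<service>\w+),(?P<destination>\w+)\) -> (?P<msg>.*)$"
)
# Inner matches for the two trace kinds described in the table above.
QUEUE_RE = re.compile(
    r"Number of available senders: (?P<senders>\d+), "
    r"sender manager internal queue size: (?P<queue>\d+)"
)
SENT_RE = re.compile(
    r"(?P<kind>Standard|Lookup) - Total number of messages sent: (?P<total>\d+), "
    r'messages sent since "[^"]+": (?P<recent>\d+) '
    r"\(elapsed (?P<elapsed>\d+\.\d+) seconds\)"
)


def parse_monitor_traces(log_text: str) -> Dict[str, Dict]:
    """Collect queue sizes and sent counters per sender service, in log order."""
    services: Dict[str, Dict] = {}
    for line in log_text.splitlines():
        m = MONITOR_RE.match(line)
        if not m:
            continue
        svc = services.setdefault(m.group("service"), {
            "senders": None, "queue_sizes": [], "total_sent": 0,
            "recent_sent": 0, "elapsed": 0.0,
        })
        q = QUEUE_RE.search(m.group("msg"))
        if q:
            svc["senders"] = int(q.group("senders"))
            svc["queue_sizes"].append(int(q.group("queue")))
            continue
        s = SENT_RE.search(m.group("msg"))
        if s:
            svc["total_sent"] = int(s.group("total"))      # cumulative counter
            svc["recent_sent"] += int(s.group("recent"))    # per-window deliveries
            svc["elapsed"] += float(s.group("elapsed"))     # time spent delivering
    return services


def find_bottlenecks(services: Dict[str, Dict], min_samples: int = 3) -> List[str]:
    """Services whose internal queue grew in every consecutive monitor trace.

    A queue that only grows means the senders drain it slower than the pullers
    fill it; that is the case for raising the number of concurrent senders.
    """
    flagged = []
    for name, svc in services.items():
        sizes = svc["queue_sizes"]
        if len(sizes) >= min_samples and all(b > a for a, b in zip(sizes, sizes[1:])):
            flagged.append(name)
    return sorted(flagged)


def throughput(svc: Dict) -> float:
    """Messages per second of actual delivery time across the windows seen."""
    return svc["recent_sent"] / svc["elapsed"] if svc["elapsed"] > 0 else 0.0


if __name__ == "__main__":
    services = parse_monitor_traces(SAMPLE_MONITOR_LOG)
    print("bottlenecks:", find_bottlenecks(services))
    for name, svc in services.items():
        print(name, "queue:", svc["queue_sizes"], "msg/s:", round(throughput(svc), 1))
```

The `min_samples` default of three matches a 30-minute window at the default 10-minute trace interval; a single high reading after a burst is not a bottleneck, a queue that never comes back down is.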
Check memory usage
To check the memory usage of this collector, look for the following log records, which are displayed every 5 minutes by default, always after running the memory-free process.
The used memory is displayed per running process, and the sum of both values gives the total memory used by the collector.
The global value displays the overall pressure on the available memory.
All metrics (Global, RSS, VMS) show the value before freeing memory and the value after freeing it (before -> after).
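The following added example (not part of the collector or of Devo's code) parses the [GC] traces described above. It converts the RSS and VMS values to MiB, sums the post-freeing RSS of the latest sample of each process to obtain the collector's total used memory, and flags a process whose post-freeing RSS keeps growing across samples, since memory that the memory-free process does not give back is the pattern worth investigating. The first two log lines are the ones shown in the initialization output on this page; the later samples are constructed, and the 10% growth threshold is an assumption chosen for the example.

```python
import re
from typing import Dict, List

# Sample log: the two real [GC] traces from this page's initialization output,
# followed by constructed samples in which InputProcess keeps growing.
SAMPLE_GC_LOG = """\
2024-11-19T11:32:18.949 INFO InputProcess::MainThread -> [GC] global: 24.6% -> 24.7%, process: RSS(62.17MiB -> 62.54MiB), VMS(522.05MiB -> 522.05MiB)
2024-11-19T11:32:18.978 INFO OutputProcess::MainThread -> [GC] global: 24.7% -> 24.7%, process: RSS(62.03MiB -> 62.16MiB), VMS(1.07GiB -> 1.07GiB)
2024-11-19T11:37:18.950 INFO InputProcess::MainThread -> [GC] global: 24.9% -> 24.8%, process: RSS(64.10MiB -> 63.10MiB), VMS(522.05MiB -> 522.05MiB)
2024-11-19T11:37:18.980 INFO OutputProcess::MainThread -> [GC] global: 24.8% -> 24.8%, process: RSS(62.70MiB -> 62.40MiB), VMS(1.07GiB -> 1.07GiB)
2024-11-19T11:42:18.951 INFO InputProcess::MainThread -> [GC] global: 25.3% -> 25.2%, process: RSS(71.90MiB -> 70.25MiB), VMS(530.05MiB -> 530.05MiB)
2024-11-19T11:42:18.981 INFO OutputProcess::MainThread -> [GC] global: 25.2% -> 25.2%, process: RSS(62.75MiB -> 62.41MiB), VMS(1.07GiB -> 1.07GiB)
"""

# Every metric is reported as "before -> after" the memory-free process.
GC_RE = re.compile(
    r"^(?P<ts>\S+) INFO (?P<process>\w+)::MainThread -> \[GC\] "
    r"global: (?P<g_before>\d+\.\d+)% -> (?P<g_after>\d+\.\d+)%, "
    r"process: RSS\((?P<rss_before>\d+\.\d+)(?P<rss_bu>[KMG]iB) -> "
    r"(?P<rss_after>\d+\.\d+)(?P<rss_au>[KMG]iB)\), "
    r"VMS\((?P<vms_before>\d+\.\d+)(?P<vms_bu>[KMG]iB) -> "
    r"(?P<vms_after>\d+\.\d+)(?P<vms_au>[KMG]iB)\)$"
)
_UNIT_TO_MIB = {"KiB": 1 / 1024, "MiB": 1.0, "GiB": 1024.0}


def _mib(value: str, unit: str) -> float:
    """Normalise a "62.17MiB" / "1.07GiB" pair to MiB so values can be summed."""
    return float(value) * _UNIT_TO_MIB[unit]


def parse_gc_traces(log_text: str) -> List[Dict]:
    """Return one record per [GC] trace, in log order."""
    samples = []
    for line in log_text.splitlines():
        m = GC_RE.match(line)
        if not m:
            continue
        samples.append({
            "timestamp": m.group("ts"),
            "process": m.group("process"),
            "global_after_pct": float(m.group("g_after")),
            "rss_before_mib": _mib(m.group("rss_before"), m.group("rss_bu")),
            "rss_after_mib": _mib(m.group("rss_after"), m.group("rss_au")),
            "vms_after_mib": _mib(m.group("vms_after"), m.group("vms_au")),
        })
    return samples


def total_rss_mib(samples: List[Dict]) -> float:
    """Collector memory: sum of the post-freeing RSS of each process's latest sample."""
    latest: Dict[str, Dict] = {}
    for s in samples:          # log order is time order, so the last one wins
        latest[s["process"]] = s
    return round(sum(s["rss_after_mib"] for s in latest.values()), 2)


def growing_processes(samples: List[Dict], max_growth_pct: float = 10.0) -> List[str]:
    """Processes whose post-freeing RSS grew more than max_growth_pct between
    the first and the last sample. Growth that survives the memory-free
    process points at retained data rather than transient load."""
    first: Dict[str, Dict] = {}
    last: Dict[str, Dict] = {}
    for s in samples:
        first.setdefault(s["process"], s)
        last[s["process"]] = s
    flagged = []
    for proc, f in first.items():
        growth = (last[proc]["rss_after_mib"] - f["rss_after_mib"]) / f["rss_after_mib"] * 100
        if growth > max_growth_pct:
            flagged.append(proc)
    return sorted(flagged)


if __name__ == "__main__":
    gc_samples = parse_gc_traces(SAMPLE_GC_LOG)
    print("total RSS (MiB):", total_rss_mib(gc_samples))
    print("growing:", growing_processes(gc_samples))
```

Feed it the full container log to get the trend over hours rather than minutes; comparing the first and last post-freeing RSS values filters out the saw-tooth that a healthy process shows between memory-free runs.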