Page Comparison

...

Once the data source is configured, you can either send us the required information if you want us to host and manage the collector for you (Cloud collector), or deploy and host the collector in your own machine using a Docker image (On-premise collector).

...

We use a piece of software called Collector Server to host and manage all our available collectors.

To enable the collector for a customer:

1. In the Collector Server GUI, access the domain in which you want this instance to be created

2. Click Add Collector and find the one you wish to add.

3. In the Version field, select the latest value.

4. In the Collector Name field, set the value you prefer (this name must be unique inside the same Collector Server domain).

5. In the sending method select Direct Send. Direct Send configuration is optional for collectors that create Table events, but mandatory for those that create Lookups.

6. In the Parameters section, establish the Collector Parameters as follows below:

Editing the JSON configuration

{
  "global_overrides": {
    "debug": false
  },
  "inputs": {
    "proofpoint_on_demand": {
       │"id": "<short_unique_id>",
  ├── <your_domain>.key   "enabled": true,
    │  "credentials": └──{
<your_domain>.crt         ├── state/"cluster_id": "<cluster_id>",
         └── config/"api_key": "<api_key>"
      },
      "environment": "prod",
     └── config.yaml 

Devo credentials

In Devo, go to Administration → Credentials → X.509 Certificates, download the Certificate, Private key and Chain CA and save them in <product_name>/certs/. Learn more about security credentials in Devo here.

Image Removed

Editing the config.yaml file

globals:
  debug: false
  id: not_used
  name: proofpoint-on-demand
  persistence:
    type: filesystem
    config:
      directory_name: state

outputs:
  devo_1:
    type: devo_platform
    config:
      address: collector-us.devo.io
      port: 443 "services": {
        "message": {
          "request_period_in_seconds": "<request_period_in_seconds>",
          "start_time": "<start_time_utc>",
          "override_tag_base": "<override_tag_base>",
          "override_url_base": "<override_url_base>"
        },
        "maillog": {
          "request_period_in_seconds": "<request_period_in_seconds>",
      type: SSL   "start_time": "<start_time_utc>",
  chain: chain.crt       cert"override_tag_base": <devo_domain>.crt"<override_tag_base>",
       key: <devo_domain>.key  inputs"override_url_base":   proofpoint_on_demand:"<override_url_base>"
    id: <unique_id>   }
 enabled: true    }
credentials:    }
  cluster_id: <cluster_id_value>
      api_key: <api_key_value>
    environment: prod
    services:
      message:
        request_period_in_seconds: <request_period_in_seconds>
        start_time: <start_time_utc>
        override_tag_base: <override_tag_base>
        override_url_base: <override_url_base>
      maillog:
        request_period_in_seconds: <request_period_in_seconds>
        start_time: <start_time_utc>
        override_tag_base: <override_tag_base>
        override_url_base: <override_url_base>

Replace the placeholders with your required values following the description table below:

Parameter

Data type

Type

Value range

Details

collector_id

str

Mandatory

Minimum length: 1
Maximum length: 5

Use this param to give an unique id to this collector.

collector_name

str

Mandatory

Minimum length: 1
Maximum length: 10

Use this param to give a valid name to this collector.

multiprocessing_mode

bool

Mandatory

false / true

If the value is true, the collector will run using a multiprocessing architecture. If the value is false, the collector will use only one CPU.

devo_address

str

Mandatory

collector-us.devo.io
collector-eu.devo.io

Use this param to identify the Devo Cloud where the events will be sent.

chain_filename

str

Mandatory

Minimum length: 4
Maximum length: 20

Use this param to identify the chain.cert  file downloaded from your Devo domain. Usually this file's name is: chain.crt

cert_filename

str

Mandatory

Minimum length: 4
Maximum length: 20

Use this param to identify the file.cert downloaded from your Devo domain.

key_filename

str

Mandatory

Minimum length: 4
Maximum length: 20

Use this param to identify the file.key downloaded from your Devo domain.

input_id

int

Mandatory

Minimum length: 1
Maximum length: 5

Use this param to give an unique id to this input service.

api_token

str

Mandatory

Any

API token to authenticate to the service.

period_in_seconds

int

Mandatory

Minimum length: 1

Recommended value: 60

This parameter allows you to customize this behavior for each service. As this collector uses websockets, this is the period elapsed between reconnections.

start_time

int

Mandatory

Following RFC 3339: %Y-%m-%dT%H:%M:%S.%f%z

Example: 2024-04-04T05:50:00.000-0500

Initial time period used when fetching data from the endpoint.

override_tag_base

str

Optional

str.str.str.str

Example: mail.proofpoint.pod.maillog

This parameter allows to override the destination table in Devo.

override_url_base

str

Optional

Valid connection URL

This parameter allows to change the connection URL to the websocket

Download the Docker image

The collector should be deployed as a Docker container. Download the Docker image of the collector as a .tgz file by clicking the link in the following table:

Collector Docker image

SHA-256 hash

collector-proofpoint_pod-docker-image-1.1.0

473b77663e550fed0d807f0e002647936a97d9872c4931f73fcbe28e9498de67

Use the following command to add the Docker image to the system:

gunzip -c <image_file>-<version>.tgz | docker load

The Docker image can be deployed on the following services:

Docker

Execute the following command on the root directory <any_directory>/devo-collectors/<product_name>/

docker run 
--name collector-<product_name> 
--volume $PWD/certs:/devo-collector/certs 
--volume $PWD/config:/devo-collector/config 
--volume $PWD/state:/devo-collector/state 
--env CONFIG_FILE=config.yaml 
--rm 
--interactive 
--tty 
<image_name>:<version>

Docker Compose

The following Docker Compose file can be used to execute the Docker container. It must be created in the <any_directory>/devo-collectors/<product_name>/ directory.

version: '3'
services:
  collector-<product_name>:
    image: <image_name>:${IMAGE_VERSION:-latest}
    container_name: collector-<product_name>
    volumes:
      - ./certs:/devo-collector/certs
      - ./config:/devo-collector/config
      - ./credentials:/devo-collector/credentials
      - ./state:/devo-collector/state
    environment:
      - CONFIG_FILE=${CONFIG_FILE:-config.yaml}

To run the container using docker-compose, execute the following command from the <any_directory>/devo-collectors/<product_name>/ directory:

IMAGE_VERSION=<version> docker-compose up -d

We use a piece of software called Collector Server to host and manage all our available collectors.

To enable the collector for a customer:

1. In the Collector Server GUI, access the domain in which you want this instance to be created

2. Click Add Collector and find the one you wish to add.

3. In the Version field, select the latest value.

4. In the Collector Name field, set the value you prefer (this name must be unique inside the same Collector Server domain).

5. In the sending method select Direct Send. Direct Send configuration is optional for collectors that create Table events, but mandatory for those that create Lookups.

6. In the Parameters section, establish the Collector Parameters as follows below:

Editing the JSON configuration

{
  "global_overrides": {
    "debug": false
  },
  "inputs": {
    "proofpoint_on_demand": {
      "id": "<short_unique_id>",
      "enabled": true,
      "credentials": {
        "cluster_id": "<cluster_id>",
        "api_key": "<api_key>"
      },
      "environment": "prod",
      "services": {
        "message": {
          "request_period_in_seconds": "<request_period_in_seconds>",
          "start_time": "<start_time_utc>",
          "override_tag_base": "<override_tag_base>",
          "override_url_base": "<override_url_base>"
        },
        "maillog": {
          "request_period_in_seconds": "<request_period_in_seconds>",
          "start_time": "<start_time_utc>",
          "override_tag_base": "<override_tag_base>",
          "override_url_base": "<override_url_base>"
        }
      }
    }
  }
}

All defined service entities will be executed by the collector. If you do not want to run any of them, just remove the entity from the services object.

Please replace the placeholders with real world values following the description table below:

Parameter

Data type

Type

Value range / Format

Details

input_id

int

Mandatory

Minimum length: 1
Maximum length: 5

Use this param to give an unique id to this input service.

enabled

bool

Mandatory

false / true

If the value is true, the input definition will be executed. If the value is false, the service will be ignored.

cluster_id

str

Mandatory

Any

Cluster id to get data from.

api_key

str

Mandatory

Any

API key to authenticate to the service.

request_period_in_seconds

int

Mandatory

Minimum length: 1

This parameter allows you to customize this behavior for each service.

start_time

int

Mandatory

Following RFC 3339: %Y-%m-%dT%H:%M:%S.%f%z

Example: 2024-04-04T05:50:00.000-0500

Initial time period used when fetching data from the endpoint.

override_tag_base

str

Optional

str.str.str.str

Example: mail.proofpoint.pod.maillog

This parameter allows to override the destination table in Devo.

override_url_base

str

Optional

Valid connection URL

This parameter allows to change the connection URL to the websocket

Change log

...

Release

...

Released on

...

Release type

...

Details

} } All defined service entities will be executed by the collector. If you do not want to run any of them, just remove the entity from the services object. Please replace the placeholders with real world values following the description table below: Parameter Data type Type Value range / Format Details input_id int Mandatory Minimum length: 1 Maximum length: 5 Use this param to give an unique id to this input service. enabled bool Mandatory false / true If the value is true, the input definition will be executed. If the value is false, the service will be ignored. cluster_id str Mandatory Any Cluster id to get data from. api_key str Mandatory Any API key to authenticate to the service. request_period_in_seconds int Mandatory Minimum length: 1 This parameter allows you to customize this behavior for each service. start_time int Mandatory Following RFC 3339: %Y-%m-%dT%H:%M:%S.%f%z Example: 2024-04-04T05:50:00.000-0500 Initial time period used when fetching data from the endpoint. Note Due to the large amount of data produced by this service, using this parameter is discouraged except in special cases. This parameter can be left blank, removed or commented. override_tag_base str Optional str.str.str.str Example: mail.proofpoint.pod.maillog This parameter allows to override the destination table in Devo. override_url_base str Optional Valid connection URL This parameter allows to change the connection URL to the websocket Rw tab title On-premise collector This data collector can be run in any machine that has the Docker service available because it should be executed as a docker container. The following sections explain how to prepare all the required setup for having the data collector running. Structure The following directory structure should be created for being used when running the collector: Code Block <any_directory> └── devo-collectors/ └── <product_name>/ ├── certs/ │ ├── chain.crt │ ├── <your_domain>.key │ └── <your_domain>.crt ├── state/ └── config/ └── config.yaml Note Replace <product_name> with the proper value. Devo credentials In Devo, go to Administration → Credentials → X.509 Certificates, download the Certificate, Private key and Chain CA and save them in <product_name>/certs/. Learn more about security credentials in Devo here. Image Added Note Replace <product_name> with the proper value. Editing the config.yaml file Code Block globals: debug: false id: not_used name: proofpoint-on-demand persistence: type: filesystem config: directory_name: state outputs: devo_1: type: devo_platform config: address: collector-us.devo.io port: 443 type: SSL chain: chain.crt cert: <devo_domain>.crt key: <devo_domain>.key inputs: proofpoint_on_demand: id: <unique_id> enabled: true credentials: cluster_id: <cluster_id_value> api_key: <api_key_value> environment: prod services: message: request_period_in_seconds: <request_period_in_seconds> start_time: <start_time_utc> override_tag_base: <override_tag_base> override_url_base: <override_url_base> maillog: request_period_in_seconds: <request_period_in_seconds> start_time: <start_time_utc> override_tag_base: <override_tag_base> override_url_base: <override_url_base> Info All defined service entities will be executed by the collector. If you do not want to run any of them, just remove the entity from the services object. Replace the placeholders with your required values following the description table below: Parameter Data type Type Value range Details collector_id str Mandatory Minimum length: 1 Maximum length: 5 Use this param to give an unique id to this collector. collector_name str Mandatory Minimum length: 1 Maximum length: 10 Use this param to give a valid name to this collector. multiprocessing_mode bool Mandatory false / true If the value is true, the collector will run using a multiprocessing architecture. If the value is false, the collector will use only one CPU. devo_address str Mandatory collector-us.devo.io collector-eu.devo.io Use this param to identify the Devo Cloud where the events will be sent. chain_filename str Mandatory Minimum length: 4 Maximum length: 20 Use this param to identify the chain.cert  file downloaded from your Devo domain. Usually this file's name is: chain.crt cert_filename str Mandatory Minimum length: 4 Maximum length: 20 Use this param to identify the file.cert downloaded from your Devo domain. key_filename str Mandatory Minimum length: 4 Maximum length: 20 Use this param to identify the file.key downloaded from your Devo domain. input_id int Mandatory Minimum length: 1 Maximum length: 5 Use this param to give an unique id to this input service. api_token str Mandatory Any API token to authenticate to the service. period_in_seconds int Mandatory Minimum length: 1 Recommended value: 60 This parameter allows you to customize this behavior for each service. As this collector uses websockets, this is the period elapsed between reconnections. start_time int Mandatory Following RFC 3339: %Y-%m-%dT%H:%M:%S.%f%z Example: 2024-04-04T05:50:00.000-0500 Initial time period used when fetching data from the endpoint. override_tag_base str Optional str.str.str.str Example: mail.proofpoint.pod.maillog This parameter allows to override the destination table in Devo. override_url_base str Optional Valid connection URL This parameter allows to change the connection URL to the websocket Download the Docker image The collector should be deployed as a Docker container. Download the Docker image of the collector as a .tgz file by clicking the link in the following table: Collector Docker image SHA-256 hash collector-proofpoint_pod-docker-image-1.2.2 d78e822e508ec1123a7c5bc91d990db688554eb6328f4b098acb6316b5919a1b Use the following command to add the Docker image to the system: Code Block gunzip -c <image_file>-<version>.tgz | docker load Note Once the Docker image is imported, it will show the real name of the Docker image (including version info). Replace <image_file> and <version> with a proper value. The Docker image can be deployed on the following services: Docker Execute the following command on the root directory <any_directory>/devo-collectors/<product_name>/ Code Block docker run --name collector-<product_name> --volume $PWD/certs:/devo-collector/certs --volume $PWD/config:/devo-collector/config --volume $PWD/state:/devo-collector/state --env CONFIG_FILE=config.yaml --rm --interactive --tty <image_name>:<version> Note Replace <product_name>, <image_name> and <version> with the proper values. Docker Compose The following Docker Compose file can be used to execute the Docker container. It must be created in the <any_directory>/devo-collectors/<product_name>/ directory. Code Block version: '3' services: collector-<product_name>: image: <image_name>:${IMAGE_VERSION:-latest} container_name: collector-<product_name> volumes: - ./certs:/devo-collector/certs - ./config:/devo-collector/config - ./credentials:/devo-collector/credentials - ./state:/devo-collector/state environment: - CONFIG_FILE=${CONFIG_FILE:-config.yaml} To run the container using docker-compose, execute the following command from the <any_directory>/devo-collectors/<product_name>/ directory: Code Block IMAGE_VERSION=<version> docker-compose up -d Note Replace <product_name>, <image_name> and <version> with the proper values.

API limits and duplicates

Number of connections

The number of connections that can be performed with one credential set is limited. The credentials cannot pull data from more sources than the defined ones. If the access token is being used by another session, the API will return a 409 error: Exceeded maximum number of sessions per token.

The collector logs will show this error:

2024-08-09T10:48:10.163   ERROR InputProcess::ProofpointOnDemandWSSPuller(proofpoint_on_demand,12345,message,predefined) -> Handshake status 409 Conflict -+-+- {'date': 'Fri, 09 Aug 2024 08:48:10 GMT', 'content-type': 'text/plain;charset=iso-8859-1', 'content-length': '47'} -+-+- b'Exceeded maximum number of sessions per token\r\n' - goodbye

Duplicated events

It was observed that the API sometimes sends duplicate events. The collector can filter out duplicate events within an hour.

Change log