...
| Rw ui tabs macro | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
We use a piece of software called Collector Server to host and manage all our available collectors. If you want us to host this collector for you, get in touch with us and we will guide you through the configuration.
This data collector can be run in any machine that has the Docker service available because it should be executed as a docker container. The following sections explain how to prepare all the required setup for having the data collector running. StructureThe following directory structure should be created for being used when running the collector: Code Block | To enable the collector for a customer:
Editing the JSON configuration
Devo credentialsIn Devo, go to Administration → Credentials → X.509 Certificates, download the Certificate, Private key and Chain CA and save them in 
Editing the config.yaml file
Replace the placeholders with your required values following the description table below: | |||||||||||||||||||||
Parameter | Data Type | Type | Value Range | Details | ||||||||||||||||||
|
|
|
| If the value is | ||||||||||||||||||
|
|
| Minimum length: 1 | Use this param to give an unique id to this collector. | ||||||||||||||||||
|
|
| Minimum length: 1 | Use this param to give a valid name to this collector. | ||||||||||||||||||
|
|
|
| Use this param to identify the Devo Cloud where the events will be sent. | ||||||||||||||||||
|
|
| Minimum length: 4 | Use this param to identify the chain.cert file downloaded from your Devo domain. Usually this file's name is: | ||||||||||||||||||
|
|
| Minimum length: 4 | Use this param to identify the | ||||||||||||||||||
|
|
| Minimum length: 4 | Use this param to identify the | ||||||||||||||||||
|
|
| Minimum length: 1 | Use this param to give an unique id to this input service.
| ||||||||||||||||||
|
|
|
| If the value is true, the input definition will be executed. If the value is false, the service will be ignored. | ||||||||||||||||||
|
|
| Minimum value: 1 | Customize the maximum number of API requests per second. If not used, the default setting will be used:
| ||||||||||||||||||
|
|
| The URL must comply with the following format:
| Use this param to define the URL used by the collector to pull data. Take into account that
| ||||||||||||||||||
|
|
| Minimum length: 1 | Set up here your access token provided by Recorded Future. | ||||||||||||||||||
|
|
| Minimum data sources: 1 | This configuration allows you to define what data sources will be pulled.
How to pull all available data sources:
How to pull specific data sources:
| ||||||||||||||||||
Collector Docker image | SHA-256 hash | |||||||||||||||||||||
|
| Code Block |
|---|
gunzip -c <image_file>-<version>.tgz | docker load |
| Note |
|---|
Once the Docker image is imported, it will show the real name of the Docker image (including version info). Replace |
The Docker image can be deployed on the following services:
Docker
Execute the following command on the root directory <any_directory>/devo-collectors/<product_name>/
| Code Block |
|---|
docker run
--name collector-<product_name>
--volume $PWD/certs:/devo-collector/certs
--volume $PWD/config:/devo-collector/config
--volume $PWD/state:/devo-collector/state
--env CONFIG_FILE=config.yaml
--rm
--interactive
--tty
<image_name>:<version> |
| Note |
|---|
Replace |
Docker Compose
The following Docker Compose file can be used to execute the Docker container. It must be created in the <any_directory>/devo-collectors/<product_name>/ directory.
| Code Block |
|---|
version: '3'
services:
collector-<product_name>:
image: <image_name>:${IMAGE_VERSION:-latest}
container_name: collector-<product_name>
volumes:
- ./certs:/devo-collector/certs
- ./config:/devo-collector/config
- ./credentials:/devo-collector/credentials
- ./state:/devo-collector/state
environment:
- CONFIG_FILE=${CONFIG_FILE:-config.yaml} |
To run the container using docker-compose, execute the following command from the <any_directory>/devo-collectors/<product_name>/ directory:
| Code Block |
|---|
IMAGE_VERSION=<version> docker-compose up -d |
| Note |
|---|
Replace |
Collector services detail
This section is intended to explain how to proceed with specific actions for services.
Lookup puller service
The only service available in this collector is lookup_puller. It contains 6 different pullers:
IpAddressLookupPuller
FileHashLookupPuller
DomainLookupPuller
UrlLookupPuller
VulnerabilityLookupPuller
PublicUkraineRussiaIpsLookupPuller
| Expand | ||
|---|---|---|
| ||
All events of this service are ingested into these tables:
|
| Expand | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|
| ||||||||||
Once the collector has been launched, it is important to check if the ingestion is performed in a proper way. To do so, go to the collector’s logs console. This service has the following components: | ||||||||||
Component | Description | |||||||||
Setup | The setup module is in charge of authenticating the service and managing the token expiration when needed. | |||||||||
Puller | The setup module is in charge of pulling the data in a organized way and delivering the events via SDK. |
| Code Block |
|---|
INFO InputProcess::DataPullerSetup(collector,data_puller#111,issues#predefined) -> Puller Setup Started
INFO InputProcess::DataPullerSetup(collector,data_puller#111,issues#predefined) -> successfully generated new access token
INFO InputProcess::DataPullerSetup(collector,data_puller#111,issues#predefined) -> The credentials provided in the configuration have required permissions to request issues from server
INFO InputProcess::DataPullerSetup(collector,data_puller#111,issues#predefined) -> Puller Setup Terminated
INFO InputProcess::DataPullerSetup(collector,data_puller#111,issues#predefined) -> Setup for module <DataPuller> has been successfully executed |
Puller output
A successful initial run has the following output messages for the puller module:
| Info |
|---|
Note that the |
| Code Block |
|---|
| Info |
All defined service entities will be executed by the collector. If you do not want to run any of them, just remove the entity from the |
Please replace the placeholders with real world values following the description table below:
Parameter | Data Type | Type | Value Range / Format | Details | ||||
|
|
|
| If the value is | ||||
|
|
| Minimum length: 1 | Use this param to give an unique id to this input service.
| ||||
|
|
|
| If the value is | ||||
|
|
| Minimum value: 1 | Customize the maximum number of API requests per second. If not used, the default setting will be used: This parameter should be removed if it is not used. | ||||
|
|
| The URL must comply with the following format:
| Use this param to define the URL used by the collector to pull data. Take into account that This parameter is used for | ||||
|
|
| Minimum length: 1 | Set up here your access token provided by Recorded Future. | ||||
|
|
| Minimum data sources: 1 | This configuration allows you to define what data sources will be pulled. Keep in mind that each data source has different refresh times associated with it:
How to pull all available data sources:
How to pull specific data sources:
|
| Rw tab | ||
|---|---|---|
|
This data collector can be run in any machine that has the Docker service available because it should be executed as a docker container. The following sections explain how to prepare all the required setup for having the data collector running.
Structure
The following directory structure should be created for being used when running the collector:
| Code Block |
|---|
<any_directory>
└── devo-collectors/
└── <product_name>/
├── certs/
│ ├── chain.crt
│ ├── <your_domain>.key
│ └── <your_domain>.crt
├── state/
└── config/
└── config.yaml |
| Note |
|---|
Replace |
Devo credentials
In Devo, go to Administration → Credentials → X.509 Certificates, download the Certificate, Private key and Chain CA and save them in <product_name>/certs/. Learn more about security credentials in Devo here.
| Note |
|---|
Replace |
Editing the config.yaml file
| Code Block | ||
|---|---|---|
| ||
globals:
debug: <debug_status>
id: <collector_id>
name: <collector_name>
persistence:
type: filesystem
config:
directory_name: state
outputs:
devo_1:
type: devo_platform
config:
address: <devo_address>
port: 443
type: SSL
chain: <chain_filename>
cert: <cert_filename>
key: <key_filename>
inputs:
recorded_future:
id: <input_id>
enabled: <input_status>
requests_per_second: <requests_per_second>
base_url: <base_url>
api_token: <api_token_value>
services:
lookup_puller:
# Intelligence Types Not Required Can Be Removed / Commented Out
types:
- <list_of_sources> |
| Info |
|---|
All defined service entities will be executed by the collector. If you do not want to run any of them, just remove the entity from the |
Replace the placeholders with your required values following the description table below:
Parameter | Data Type | Type | Value Range | Details | ||||||
|
|
|
| If the value is | ||||||
|
|
| Minimum length: 1 | Use this param to give an unique id to this collector. | ||||||
|
|
| Minimum length: 1 | Use this param to give a valid name to this collector. | ||||||
|
|
|
| Use this param to identify the Devo Cloud where the events will be sent. | ||||||
|
|
| Minimum length: 4 | Use this param to identify the chain.cert file downloaded from your Devo domain. Usually this file's name is: | ||||||
|
|
| Minimum length: 4 | Use this param to identify the | ||||||
|
|
| Minimum length: 4 | Use this param to identify the | ||||||
|
|
| Minimum length: 1 | Use this param to give an unique id to this input service.
| ||||||
|
|
|
| If the value is true, the input definition will be executed. If the value is false, the service will be ignored. | ||||||
|
|
| Minimum value: 1 | Customize the maximum number of API requests per second. If not used, the default setting will be used:
| ||||||
|
|
| The URL must comply with the following format:
| Use this param to define the URL used by the collector to pull data. Take into account that
| ||||||
|
|
| Minimum length: 1 | Set up here your access token provided by Recorded Future. | ||||||
|
|
| Minimum data sources: 1 | This configuration allows you to define what data sources will be pulled.
How to pull all available data sources:
How to pull specific data sources:
|
Download the Docker image
The collector should be deployed as a Docker container. Download the Docker image of the collector as a .tgz file by clicking the link in the following table:
Collector Docker image | SHA-256 hash |
|---|---|
|
Use the following command to add the Docker image to the system:
| Code Block |
|---|
gunzip -c <image_file>-<version>.tgz | docker load |
| Note |
|---|
Once the Docker image is imported, it will show the real name of the Docker image (including version info). Replace |
The Docker image can be deployed on the following services:
Docker
Execute the following command on the root directory <any_directory>/devo-collectors/<product_name>/
| Code Block |
|---|
docker run
--name collector-<product_name>
--volume $PWD/certs:/devo-collector/certs
--volume $PWD/config:/devo-collector/config
--volume $PWD/state:/devo-collector/state
--env CONFIG_FILE=config.yaml
--rm
--interactive
--tty
<image_name>:<version> |
| Note |
|---|
Replace |
Docker Compose
The following Docker Compose file can be used to execute the Docker container. It must be created in the <any_directory>/devo-collectors/<product_name>/ directory.
| Code Block |
|---|
version: '3'
services:
collector-<product_name>:
image: <image_name>:${IMAGE_VERSION:-latest}
container_name: collector-<product_name>
volumes:
- ./certs:/devo-collector/certs
- ./config:/devo-collector/config
- ./credentials:/devo-collector/credentials
- ./state:/devo-collector/state
environment:
- CONFIG_FILE=${CONFIG_FILE:-config.yaml} |
To run the container using docker-compose, execute the following command from the <any_directory>/devo-collectors/<product_name>/ directory:
| Code Block |
|---|
IMAGE_VERSION=<version> docker-compose up -d |
| Note |
|---|
Replace |
Collector services detail
This section is intended to explain how to proceed with specific actions for services.
Lookup puller service
The only service available in this collector is lookup_puller. It contains 6 different pullers:
IpAddressLookupPuller
FileHashLookupPuller
DomainLookupPuller
UrlLookupPuller
VulnerabilityLookupPuller
PublicUkraineRussiaIpsLookupPuller
| Expand | ||
|---|---|---|
| ||
All events of this service are ingested into these tables:
|
| Expand | ||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| ||||||||||||||||||
Once the collector has been launched, it is important to check if the ingestion is performed in a proper way. To do so, go to the collector’s logs console. This service has the following components:
Setup outputA successful run has the following output messages for the setup module:
Puller outputA successful initial run has the following output messages for the puller module:
After a successful collector’s execution (that is, no error logs found), you will see the following log message:
|
| Expand | ||
|---|---|---|
| ||
This collector does not persist in any data. |
...
| title | Troubleshooting |
|---|
This collector has different security layers that detect both an invalid configuration and abnormal operation. This table will help you detect and resolve the most common errors.
...
ErrorType
...
Error Id
...
Error Message
...
Cause
...
Solution
...
ConnectionError
...
-
...
Error retrieving data from API with response code {status_code}. This pull iteration did not produce any results.
...
Response’s status code is different to 200. The cause depends on the status code received. These are some of the most common status codes:
401: Unauthorized. Invalid credentials.403: Forbidden. Not allowed to perform this action.404: Not found. Invalid endpoint URL.429: Too may requests. API’s Rate Limiter has been exceeded.
...
Depending on the value of the status code, solutions for the most common error could be:
401: Try valid credentials.403: Try some credentials with privileges to make these requests.404: Try a valid endpoint.429: Setrequests_per_secondparameter in config file to a lower value.
...
LookupError
...
-
...
All lookups have been rejected. ETL aborted!
...
The collected messages has an unexpected format.
...
This errors are expected as some data sources will not match the expected and accepted format.
Collector operations
This section is intended to explain how to proceed with specific operations of this collector.
| Expand | ||||||||
|---|---|---|---|---|---|---|---|---|
| ||||||||
InitializationThe initialization module is in charge of setup and running the input (pulling logic) and output (delivering logic) services and validating the given configuration. A successful run has the following output messages for the initializer module:
After a successful collector’s execution (that is, no error logs found), you will see the following log message:
|
| Expand | ||
|---|---|---|
| ||
This collector does not persist in any data. |
| Expand | |||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| |||||||||||||||
This collector has different security layers that detect both an invalid configuration and abnormal operation. This table will help you detect and resolve the most common errors.
|
Collector operations
This section is intended to explain how to proceed with specific operations of this collector.
| Expand | ||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| ||||||||||||||||||||||||
InitializationThe initialization module is in charge of setup and running the input (pulling logic) and output (delivering logic) services and validating the given configuration. A successful run has the following output messages for the initializer module:
Events delivery and Devo ingestionThe event delivery module is in charge of receiving the events from the internal queues where all events are injected by the pullers and delivering them using the selected compatible delivery method. A successful run has the following output messages for the initializer module:
Sender servicesThe Integrations Factory Collector SDK has 3 different senders services depending on the event type to delivery (
Sender statisticsEach service displays its own performance statistics that allow checking how many events have been delivered to Devo by type:
|
...
Release
...
Released on
...
Release type
...
Details
...
| Expand | ||||
|---|---|---|---|---|
| ||||
To check the memory usage of this collector, look for the following log records in the collector which are displayed every 5 minutes by default, always after running the memory-free process.
|
| Expand | ||
|---|---|---|
| ||
Sometimes it is necessary to activate the debug mode of the collector's logging. This debug mode increases the verbosity of the log and allows you to print execution traces that are very helpful in resolving incidents or detecting bottlenecks in heavy download processes.
For more information, visit the configuration and parameterization section corresponding to the chosen deployment mode. |
Change log
|
| Expand | ||
|---|---|---|
| ||
Sometimes it is necessary to activate the debug mode of the collector's logging. This debug mode increases the verbosity of the log and allows you to print execution traces that are very helpful in resolving incidents or detecting bottlenecks in heavy download processes.
For more information, visit the configuration and parameterization section corresponding to the chosen deployment mode. |
Change log
Release | Released on | Release type | Details | Recommendations | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|
|
| |||||||||||||
|
|
| Recommended version
| |||||||||||||
|
| Updated DCSDK from 1.1.4 to 1.9.1: https://devoinc.atlassian.net/wiki/spaces/IF/pages/3901620225 | Recommended version
| |||||||||||||
|
| Added new custom data sources from
| Recommended version
| |||||||||||||
|
| This release includes:
|
| |||||||||||||
|
| Initial release with the following
|
|