To run this collector, there are some configurations detailed below that you need to consider.
Configuration | Details
Azure account | Azure account with admin-level permissions and an Azure AD tenant.
Credentials | The credentials configuration block has been filled in correctly.
More information | Refer to the Vendor setup section to know more about these configurations.
Overview
The Microsoft Graph Collector provides the ability to collect data and intelligence from services such as Microsoft 365, Windows, and Enterprise Mobility and Security. This data collector is able to ingest security alerts, scores, provisioning, audit, and sign-ins retrieved from Microsoft products, allowing you to empower streamlined security operations and better defend against threats faced in Azure AD and Microsoft 365 environments.
Devo collector features
Feature | Details
Allow parallel downloading (multipod) | Allowed
Running environments | Collector server, On-premise
Populated Devo events | Table
Flattening preprocessing | No
Data sources
Data source | Description | API endpoint | Collector service name | Devo table | Available from release
Alerts | Represents potential security issues within a customer's tenant that Microsoft or partner security solutions have identified. Refer to the Microsoft documentation about the Alert resource type for more information. | | | |
Audit | Represents the directory audit items and their collection. Refer to the Microsoft documentation for more information about Directory audit. | https://graph.microsoft.com/v1.0/auditLogs/directoryAudits?$filter=activityDateTime ge {start_time}&$orderby=activityDateTime+asc&$top={items_per_main_request} | audit | cloud.azure.ad.audit | v1.2.0
Provisioning | Represents an action performed by the Azure AD Provisioning service and its associated properties. Refer to the Microsoft documentation for more information about Provisioning. | https://graph.microsoft.com/beta/auditLogs/provisioning?$filter=activityDateTime ge {start_time}&$orderby=activityDateTime+asc&$top={items_per_main_request} | provisioning | cloud.azure.ad.audit | v1.2.0
Sign-in | Details user and application sign-in activity for a tenant (directory). Refer to the Microsoft documentation for more information about Sign-in. | | | |
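The Audit and Provisioning endpoints in the table are time-filtered, paginated queries. The following Python is an added example, not the Devo collector's own code: it builds the directoryAudits URL from the template above, follows the pages of a response and keeps a checkpoint so that the next pull does not deliver the boundary events twice (the `ge` filter is inclusive). Assumptions not taken from the page: Microsoft Graph's standard `@odata.nextLink` field carries the next-page URL, the HTTP call is abstracted behind a `fetch` callable so the example runs offline, and the sample responses and token are constructed.

```python
from datetime import datetime, timezone
from typing import Callable, Dict, List, Set, Tuple
from urllib.parse import quote

GRAPH_V1 = "https://graph.microsoft.com/v1.0"
Fetch = Callable[[str, str], Tuple[int, dict]]  # (url, bearer token) -> (status, JSON body)


class GraphRetrieveError(Exception):
    """Raised for any HTTP status >= 400, matching the collector's retrieve rule."""


def build_audit_url(start_time: datetime, items_per_request: int) -> str:
    """First-page URL for auditLogs/directoryAudits as in the data-sources table:
    filter on activityDateTime ge {start_time}, ascending order, $top page size."""
    if items_per_request <= 0:
        raise ValueError("items_per_request must be a positive integer")
    stamp = start_time.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    flt = quote(f"activityDateTime ge {stamp}", safe=":")  # spaces become %20
    return (f"{GRAPH_V1}/auditLogs/directoryAudits?$filter={flt}"
            f"&$orderby=activityDateTime+asc&$top={items_per_request}")


def _parse_ts(value: str) -> datetime:
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def pull_since(fetch: Fetch, token: str, checkpoint: datetime, seen_at_checkpoint: Set[str],
               items_per_request: int, max_pages: int = 50) -> Tuple[List[dict], datetime, Set[str]]:
    """Walk all pages from the checkpoint. Events sitting exactly on the checkpoint
    second are returned again by the inclusive filter, so their ids are remembered
    and skipped. Returns (new events, new checkpoint, ids seen at that checkpoint)."""
    url = build_audit_url(checkpoint, items_per_request)
    events: List[dict] = []
    new_cp, ids_at_cp = checkpoint, set(seen_at_checkpoint)
    for _ in range(max_pages):
        status, body = fetch(url, token)
        if status >= 400:
            raise GraphRetrieveError(f"HTTP {status}: {body}")
        for item in body.get("value", []):
            ts = _parse_ts(item["activityDateTime"])
            if ts < checkpoint or (ts == checkpoint and item["id"] in seen_at_checkpoint):
                continue  # already delivered by a previous pull
            events.append(item)
            if ts > new_cp:
                new_cp, ids_at_cp = ts, set()
            if ts == new_cp:
                ids_at_cp.add(item["id"])
        url = body.get("@odata.nextLink")  # assumption: Graph's standard next-page link
        if not url:
            break
    return events, new_cp, ids_at_cp


START = datetime(2022, 9, 1, 0, 0, 0, tzinfo=timezone.utc)
PAGE1_URL = build_audit_url(START, 2)
PAGE2_URL = PAGE1_URL + "&$skiptoken=constructed"  # constructed; real skip tokens are opaque
SECOND_PULL_URL = build_audit_url(datetime(2022, 9, 1, 0, 9, 30, tzinfo=timezone.utc), 2)


def _audit(id_: str, ts: str, name: str) -> dict:
    return {"id": id_, "activityDateTime": ts, "activityDisplayName": name}


# Constructed sample responses keyed by request URL.
SAMPLE_PAGES: Dict[str, Tuple[int, dict]] = {
    PAGE1_URL: (200, {"value": [_audit("a1", "2022-09-01T00:00:00Z", "Add user"),
                                _audit("a2", "2022-09-01T00:05:00Z", "Update user")],
                      "@odata.nextLink": PAGE2_URL}),
    PAGE2_URL: (200, {"value": [_audit("a3", "2022-09-01T00:09:30Z", "Add member to group")]}),
    # The second pull starts at a3's timestamp, so a3 comes back again next to the new a4.
    SECOND_PULL_URL: (200, {"value": [_audit("a3", "2022-09-01T00:09:30Z", "Add member to group"),
                                      _audit("a4", "2022-09-01T00:12:00Z", "Delete user")]}),
}


def fake_fetch(url: str, token: str) -> Tuple[int, dict]:
    """Offline stand-in for the HTTP call; rejects a wrong token with 401 as Graph would."""
    if token != "constructed-token":
        return 401, {"error": {"code": "InvalidAuthenticationToken"}}
    return SAMPLE_PAGES.get(url, (404, {"error": {"code": "unknown test url"}}))


def demo() -> Tuple[List[str], List[str]]:
    """Two consecutive pulls: ids delivered by the first one, then by the second one."""
    first, cp, ids = pull_since(fake_fetch, "constructed-token", START, set(), 2)
    second, _, _ = pull_since(fake_fetch, "constructed-token", cp, ids, 2)
    return [e["id"] for e in first], [e["id"] for e in second]


if __name__ == "__main__":
    print(demo())  # (['a1', 'a2', 'a3'], ['a4'])
```

The checkpoint plus the set of ids seen at that checkpoint is the state a persistence layer would have to store between runs; as the Restart the persistence section notes, this collector does not expose a way to reset that state short of recreating the instance.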
Microsoft Graph data collector works over Microsoft products. To activate the resources from the Microsoft Graph API, you need:
An Azure account that has an active subscription.
The Azure account must have permission to manage applications in Azure Active Directory (Azure AD).
A working Azure AD tenant.
You will need to register a new application and grant it the required permissions on the corresponding resources so that the collector can authenticate and retrieve the data.
You need admin-level permissions on the Azure portal, since the subscription setup requires admin consent for the API permissions, authentication, and audits.
Action | Steps
1 | Register and configure the application
Go to the Azure portal and click on Azure Active Directory.
Click on App registrations in the left-hand menu. Then click on + New registration.
On the Register an application page:
Name the application.
Under Supported account types, select Accounts in any organizational directory (Any Azure AD directory - Multitenant) and personal Microsoft accounts (e.g. Skype, Xbox).
Leave Redirect URI (optional) blank (the default).
Click Register.
The App registrations page will open. Click on your app to configure it and grant it permissions. When you click it, you will see your app's dashboard with information (docs, endpoints, etc.).
Click Authentication in the left-hand menu, then choose + Add a platform and select Mobile and desktop applications.
Click + Add a permission if Microsoft Graph is not in the API/Permissions list.
Select Application permissions and search for Security. Check SecurityEvents.Read.All.
Repeat step 3 for AuditLog.Read.All, Directory.Read.All and User.Read. If you did everything correctly, the permissions will be displayed.
Select Grant admin consent for the application.
You do not need to enable permissions for resources you are not going to use. Check the Permissions reference per service section for a detailed breakdown of the resources and their required permissions.
3 | Obtain the required credentials for the collector
Go to Certificates & secrets and select + New client secret. Name it and copy the token value.
Go to Overview to get your Tenant ID and Client ID and copy both values.
The token is displayed only once. You will need to create another one if you did not copy it the first time.
Sometimes you will see this error: Unable to save changes. One or more of the following permission(s) are currently not supported: SecurityEvents.Read.All or SecurityActions.Read.All. Please remove these permission(s) and retry your request. [O6b9].
This may mean that the permissions were not set up correctly. Make sure that the permissions are exactly as shown above.
Minimum configuration required for basic pulling
Although this collector supports advanced configuration, the fields required to retrieve data with the basic configuration are defined below.
This minimum configuration refers exclusively to the parameters specific to this integration. There are more required parameters related to the generic behavior of the collector. Check the settings sections for details.
Setting | Details
tenant_id_value | This is the ID of the tenant you created in Azure AD. You can obtain it from the Overview page of your registered application.
client_id_value | This is the Client ID of the application you registered in Azure AD. You can obtain it from the Overview page of your registered application.
client_secret_value | This is the client secret you created in Azure AD. You can obtain it from the Certificates & secrets page of your registered application.
See the Accepted authentication methods section to verify which settings are required for the desired authentication method.
Accepted authentication methods
This collector accepts a single authentication method. You will have to fill in the following properties in the credentials configuration block:
Once the data source is configured, you can either send us the required information if you want us to host and manage the collector for you (Cloud collector), or deploy and host the collector in your own machine using a Docker image (On-premise collector).
Collector services detail
This section is intended to explain how to proceed with specific actions for services.
Alerts
Alerts are potential security issues within a customer's tenant that Microsoft or partner security solutions have identified and flagged for action or notification. With the Microsoft Graph alerts entity, you can unify and streamline the management of security issues across all integrated solutions.
Alerts Security Providers:
Microsoft Defender for Cloud
Azure Active Directory Identity Protection
Microsoft Defender for Cloud Apps
Microsoft Defender for Endpoint
Microsoft Defender for Identity
Microsoft 365
Azure Information Protection
Azure Sentinel
Secure Scores
Microsoft Secure Score is a security analytics solution that gives you visibility into your security portfolio and how to improve it. With a single score, you can better understand what you have done to reduce your risk in Microsoft solutions. You can also compare your score with other organizations and see how your score has been trending over time. The Microsoft Graph secureScore and secureScoreControlProfile entities help you balance your organization's security and productivity needs while enabling the appropriate mix of security features. You can also project what your score would be after you adopt security features.
Azure Active Directory reports (Sign-in, Audit, Provisioning)
Azure Active Directory (Azure AD) reports provide a comprehensive view of activity in your environment. The provided data enables you to:
Determine how your apps and services are utilized by your users.
Detect potential risks affecting the health of your environment.
Troubleshoot issues preventing your users from getting their work done.
These reports help you understand the behavior of users in your organization. There are three types of reports that this collector pulls from Azure AD:
Sign-ins: Information about sign-ins and how your resources are used by your users.
Audit: Information about changes applied to your tenants such as users and group management or updates applied to your tenant’s resources.
Provisioning: Activities performed by the provisioning service, such as the creation of a group in ServiceNow or a user imported from Workday.
Devo categorization and destination
Here you can see how each service with configurable tagging tags its events depending on the value of the tag_version parameter.
The tagging is based on the provider. See the next table.
The alerts service now uses dynamic tagging based on the event's provider field. This is the provider/tag correspondence:
Provider | New tagging (v2)
IPC | cloud.azure.ad.alerts.1.msgraph
MCAS | cloud.office365.cloud_apps.alerts.1.msgraph
Microsoft Defender ATP | cloud.office365.security.alerts.1.msgraph
Office 365 Security and Compliance | cloud.azure.sentinel.alerts.1.msgraph
Azure Sentinel | cloud.office365.identity.alerts.1.msgraph
Azure Advanced Threat Protection | cloud.azure.securitycenter.alerts.1.msgraph
If the event comes with a provider that is not present in the table above, the tagging will fall back to the old one (v1).
Events service
Verify data collection
Once the collector has been launched, it is important to check if the ingestion is performed in a proper way. To do so, go to the collector’s logs console.
This service has the following components:
Component | Description
Setup | The setup module is in charge of authenticating the service and managing the token expiration when needed.
Puller | The puller module is in charge of pulling the data in an organized way and delivering the events via the SDK.
Setup output
A successful run has the following output messages for the setup module:
INFO InputProcess::MicrosoftGraphPullerSetup(unknown,microsoft_graph#1,secure_score_control_profile#predefined) -> Access Token has been validated successfully
INFO InputProcess::MicrosoftGraphPullerSetup(unknown,microsoft_graph#1,secure_score_control_profile#predefined) -> Setup for module <MicrosoftGraphNonTimeBasedPuller> has been successfully executed
Puller output
A successful initial run has the following output messages for the puller module:
Note that the PrePull action is executed only one time before the first run of the Pull action.
INFO InputProcess::MicrosoftGraphNonTimeBasedPuller(microsoft_graph,1,secure_score_control_profile,predefined) -> Starting data collection every 60 seconds
INFO InputProcess::MicrosoftGraphNonTimeBasedPuller(microsoft_graph,1,secure_score_control_profile,predefined) -> Sent 2 requests, retrieved all vendor list, detected 1 unique vendors
INFO InputProcess::MicrosoftGraphNonTimeBasedPuller(microsoft_graph,1,secure_score_control_profile,predefined) -> MicrosoftGraphNonTimeBasedVendorPuller(microsoft_graph#1,secure_score_control_profile#predefined,MicrosoftGraphNonTimeBasedPuller#SecureScore.None) -> Starting thread
INFO InputProcess::MicrosoftGraphNonTimeBasedPuller(microsoft_graph,1,secure_score_control_profile,predefined) -> Sent 4 requests, messages(received/sent): 274/274, avg_time_per_source_message: 17.177 ms
INFO InputProcess::MicrosoftGraphNonTimeBasedPuller(microsoft_graph,1,secure_score_control_profile,predefined) -> Data collection completed. Elapsed time: 4.708 seconds. Waiting for 55.292 second(s) until the next one
After a successful collector execution (that is, no error logs found), you will see the following log message:
INFO InputProcess::MicrosoftGraphNonTimeBasedPuller(microsoft_graph,1,secure_score_control_profile,predefined) -> Sent 4 requests, messages(received/sent): 274/274, avg_time_per_source_message: 17.177 ms
The value @devo_pulling_id is injected in each event to group all events ingested by the same pull action. You can use it to get the exact events downloaded in that Pull action in Devo’s search window.
Restart the persistence
This collector uses persistent storage to download events in an orderly fashion and avoid duplicates. If you want to re-ingest historical data or recreate the persistence, the only way to do so is to create a new collector instance from scratch, since this collector does not implement a state restart mechanism.
Troubleshooting
This collector has different security layers that detect both an invalid configuration and abnormal operation. This table will help you detect and resolve the most common errors.
Common for all services
Error type | Error ID | Error message | Cause | Solution
MicrosoftGraphPullerCredentialsException | 1 | Invalid tenant. This may happen if there are no active subscriptions for the tenant | The tenant is not valid according to Microsoft AD. Probably, the setup has not been correctly followed. | Revisit the setup instructions and check that all the steps have been correctly followed.
 | 1 | Access Token validation has been failed, code: {status_code}, text: {text_str} | There was a problem obtaining the authentication token. | Read the exact error to understand the real cause.
 | 2 | Access Token not valid or client_id does not exist | There was an unknown problem during the authentication. | Check that the credentials have been correctly set up.
 | | "module_properties" property in service definition must exists / "module_properties" mandatory property is missing or empty | This is a programming error that should not happen. | Contact Devo Support.
 | 2 | "module_properties" property in service definition must be a dictionary | This is a programming error that should not happen. | Contact Devo Support.
 | 3 | "resource_type" property in service definition must exists | This is a programming error that should not happen. | Contact Devo Support.
 | 4 | "resource_type" property in service definition must be a string | This is a programming error that should not happen. | Contact Devo Support.
 | 5 | "base_url_main" property in service definition must exists | This is a programming error that should not happen. | Contact Devo Support.
 | 6 | "base_url_main" property in service definition must be a string. | This is a programming error that should not happen. | Contact Devo Support.
 | 7 | "base_url_vendor" property in service definition must exists | This is a programming error that should not happen. | Contact Devo Support.
 | 8 | "base_url_vendor" property in service definition must be a string | This is a programming error that should not happen. | Contact Devo Support.
 | 9 | "tag_base" property in service definition must exists | This is a programming error that should not happen. | Contact Devo Support.
 | 10 | "tag_base" property in service definition must be a string | This is a programming error that should not happen. | Contact Devo Support.
 | 11 | "http_status_valid_codes" property in service definition must exists. | This is a programming error that should not happen. | Contact Devo Support.
 | 12 | "http_status_valid_codes" property in service definition must be a list | This is a programming error that should not happen. | Contact Devo Support.
 | 13 | "login_url" property in service definition must exists | This is a programming error that should not happen. | Contact Devo Support.
 | 14 | "login_url" property in service definition must be a string | This is a programming error that should not happen. | Contact Devo Support.
 | 15 | "scope" property in service definition must exists | This is a programming error that should not happen. | Contact Devo Support.
 | 16 | "scope" property in service definition must be a string. | This is a programming error that should not happen. | Contact Devo Support.
MicrosoftGraphPullerCreationException | 37 | "tag_version" property for {service_name} from configuration file is not valid, expected: v1, v2 or None | This configuration parameter expects a string with value v1, v2 or null, but it has parsed a different type of value. | Ensure that the value for this parameter is a string with value v1, v2 or null.
MicrosoftGraphPullerRetrieveException | 1 | Not defined "next_page_url" | When retrieving data from the MS Graph API, we expect each paginated response to have a next_page_url property in its JSON. This error occurs when that property was not found. | Enable debug mode and inspect the requested URLs. Try to replicate them to see the response obtained.
 | | | When retrieving data from the MS Graph API, we expect the response code to be within the [200-400) range; otherwise (HTTP response code ≥ 400), this error is raised. | The error will include the response's text, which should tell you what the problem is. The solution will depend on the type of problem.
MicrosoftGraphPullerConnectionException | 3 | Operation timed out: {error_message} | When retrieving data from the MS Graph API, the server took too long to respond and the connection was closed. | Check your network connection and that the MS Graph API is operative.
 | 4 | Connection error detected: {error_message} | Some other error regarding the connection with the MS Graph API server occurred. | Read the actual error message to understand the underlying issue and how to solve it.
MicrosoftGraphPullerRetrieveException | 5 | {error_message} | Some unknown error occurred. | Read the actual error message to understand the underlying issue and how to solve it.
 | | "base_url_main_only_first_page" property in service definition must exists | This is a programming error that should not happen. | Contact Devo Support.
 | 6 | "base_url_main_only_first_page" property in service definition must be a boolean | This is a programming error that should not happen. | Contact Devo Support.
 | 7 | "base_url_vendor_with_sub_provider" property in service definition must exists | This is a programming error that should not happen. | Contact Devo Support.
 | 8 | "base_url_vendor_with_sub_provider" property in service definition must be a string | This is a programming error that should not happen. | Contact Devo Support.
 | 17 | "base_url_main_items_per_request" property in service definition must exists | This is a programming error that should not happen. | Contact Devo Support.
 | 18 | "base_url_main_items_per_request" property in service definition must be an integer | This is a programming error that should not happen. | Contact Devo Support.
 | 19 | "base_url_main_items_per_request" property in service definition must be a positive value | This is a programming error that should not happen. | Contact Devo Support.
 | 17 | "base_url_vendor_items_per_request" property in service definition must exists | This is a programming error that should not happen. | Contact Devo Support.
 | 18 | "base_url_vendor_items_per_request" property in service definition must be an integer | This is a programming error that should not happen. | Contact Devo Support.
 | 19 | "base_url_vendor_items_per_request" property in service definition must be a positive value | This is a programming error that should not happen. | Contact Devo Support.
 | 20 | "max_result_set_size" property in service definition must exists | This is a programming error that should not happen. | Contact Devo Support.
 | 21 | "max_result_set_size" property in service definition must be an integer | This is a programming error that should not happen. | Contact Devo Support.
 | 22 | "max_result_set_size" property in service definition must be a positive value | This is a programming error that should not happen. | Contact Devo Support.
 | 24 | "legacy_provider_mapping_old_new" property in service definition must be a string | This is a programming error that should not happen. | Contact Devo Support.
 | 25 | "requests_per_minute" property in service definition must exists | This is a programming error that should not happen. | Contact Devo Support.
 | 26 | "requests_per_minute" property in service definition must be an integer | This is a programming error that should not happen. | Contact Devo Support.
 | 27 | "requests_per_minute" property in service definition must exists | This is a programming error that should not happen. | Contact Devo Support.
 | 28 | "requests_per_minute" property in service definition must be an integer | This is a programming error that should not happen. | Contact Devo Support.
 | 29 | "timestamp_field" property in service definition must exists | This is a programming error that should not happen. | Contact Devo Support.
 | 30 | "timestamp_field" property in service definition must be a string | This is a programming error that should not happen. | Contact Devo Support.
 | 31 | "start_time_regex" property in service definition must exists | This is a programming error that should not happen. | Contact Devo Support.
 | 32 | "start_time_regex" property in service definition must be a string | This is a programming error that should not happen. | Contact Devo Support.
InputConfigurationError | 1 | "microsoft_graph" mandatory property is missing or empty | The input configuration is missing. | Ensure that the configuration includes an input configuration.
 | 2 | "microsoft_graph" property must be a dictionary | The input configuration expects a JSON object value, but it has parsed a different type of value. | Ensure that the configuration for this input is a JSON object.
 | 3 | "credentials" property in configuration must exists | This configuration parameter is missing. | Ensure that this parameter is present and has a value.
 | 4 | "credentials" property in configuration must be a dictionary | This configuration parameter expects a JSON object value, but it has parsed a different type of value. | Ensure that the value for this parameter is a JSON object.
 | 5 | "tenant_id" property in configuration must exists | This configuration parameter is missing. | Ensure that this parameter is present and has a value.
 | 6 | "tenant_id" property in configuration must be a string | This configuration parameter expects a string value, but it has parsed a different type of value. | Ensure that the value for this parameter is a string.
 | 7 | "client_id" property in configuration must exists | This configuration parameter is missing. | Ensure that this parameter is present and has a value.
 | 8 | "client_id" property in configuration must be a string | This configuration parameter expects a string value, but it has parsed a different type of value. | Ensure that the value for this parameter is a string.
 | 9 | "client_secret" property in configuration must exists | This configuration parameter is missing. | Ensure that this parameter is present and has a value.
 | 10 | "client_secret" property in configuration must be a string | This configuration parameter expects a string value, but it has parsed a different type of value. | Ensure that the value for this parameter is a string.
ServiceConfigurationError | 1 | "{service_name}" mandatory property is missing or empty | This configuration parameter is missing. | Ensure that this parameter is present and has a value.
ServiceConfigurationError | 2 | "{service_name}" property must be a dictionary | This configuration parameter expects a JSON object value, but it has parsed a different type of value. | Ensure that the value for this parameter is a JSON object.
MicrosoftGraphPullerCreationException | 27 | "tag" property in configuration must be a string | This configuration parameter expects a string value, but it has parsed a different type of value. | Ensure that the value for this parameter is a string.
 | 36 | "start_time" property in service definition must be a string | This configuration parameter expects a string value, but it has parsed a different type of value. | Ensure that the value for this parameter is a string.
 | 37 | "start_time" property from configuration file format is not valid, expected: "{start_time_regex}" | This configuration parameter expects a date that matches the indicated regular expression, but it did not match. | Ensure that the value for this parameter is a valid date according to the indicated regular expression.
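The InputConfigurationError, ServiceConfigurationError and MicrosoftGraphPullerCreationException rows above, together with the Minimum configuration section, describe checks that can be reproduced before the collector is launched. The following Python is an added example and not the collector's own validation code: it applies those checks to a configuration dictionary and returns the same error types, ids and messages (messages kept verbatim from the table, including the wording "must exists"). Assumptions: the three minimum settings live under microsoft_graph.credentials as tenant_id, client_id and client_secret; the service blocks are assumed to sit under microsoft_graph.services; the collector's start_time_regex value is not on the page, so an ISO-8601 UTC pattern stands in for it; the credential values in the sample are placeholders.

```python
import re
from typing import Any, Dict, List, Tuple

# Assumption: the collector's real start_time_regex is not given on the page;
# an ISO-8601 UTC timestamp pattern is used in its place.
START_TIME_REGEX = r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z$"

Finding = Tuple[str, int, str]  # (error type, error id, message as logged by the collector)
INPUT_ERR = "InputConfigurationError"
SERVICE_ERR = "ServiceConfigurationError"
CREATION_ERR = "MicrosoftGraphPullerCreationException"


def validate_input(config: Dict[str, Any]) -> List[Finding]:
    """Checks the 'microsoft_graph' block and its credentials (error ids 1 to 10).
    Structural errors stop the check, because nothing below them can be inspected."""
    graph = config.get("microsoft_graph")
    if not graph:
        return [(INPUT_ERR, 1, '"microsoft_graph" mandatory property is missing or empty')]
    if not isinstance(graph, dict):
        return [(INPUT_ERR, 2, '"microsoft_graph" property must be a dictionary')]
    if "credentials" not in graph:
        return [(INPUT_ERR, 3, '"credentials" property in configuration must exists')]
    creds = graph["credentials"]
    if not isinstance(creds, dict):
        return [(INPUT_ERR, 4, '"credentials" property in configuration must be a dictionary')]
    findings: List[Finding] = []
    for exists_id, key in ((5, "tenant_id"), (7, "client_id"), (9, "client_secret")):
        if key not in creds:
            findings.append((INPUT_ERR, exists_id, f'"{key}" property in configuration must exists'))
        elif not isinstance(creds[key], str):
            findings.append((INPUT_ERR, exists_id + 1, f'"{key}" property in configuration must be a string'))
    return findings


def validate_service(name: str, service: Any) -> List[Finding]:
    """Checks one service block: tag (27), tag_version (37) and start_time (36/37)."""
    if not service:
        return [(SERVICE_ERR, 1, f'"{name}" mandatory property is missing or empty')]
    if not isinstance(service, dict):
        return [(SERVICE_ERR, 2, f'"{name}" property must be a dictionary')]
    findings: List[Finding] = []
    if "tag" in service and not isinstance(service["tag"], str):
        findings.append((CREATION_ERR, 27, '"tag" property in configuration must be a string'))
    if service.get("tag_version") not in (None, "v1", "v2"):
        findings.append((CREATION_ERR, 37, f'"tag_version" property for {name} from configuration file '
                                           'is not valid, expected: v1, v2 or None'))
    if "start_time" in service:
        start = service["start_time"]
        if not isinstance(start, str):
            findings.append((CREATION_ERR, 36, '"start_time" property in service definition must be a string'))
        elif not re.match(START_TIME_REGEX, start):
            findings.append((CREATION_ERR, 37, '"start_time" property from configuration file format '
                                               f'is not valid, expected: "{START_TIME_REGEX}"'))
    return findings


def validate_config(config: Dict[str, Any]) -> List[Finding]:
    """Input block first; services (assumed under microsoft_graph.services) only once the input is sound."""
    findings = validate_input(config)
    if findings:
        return findings
    for name, service in config["microsoft_graph"].get("services", {}).items():
        findings.extend(validate_service(name, service))
    return findings


# Constructed sample: the three minimum settings (placeholder values) plus one service block.
SAMPLE_CONFIG: Dict[str, Any] = {
    "microsoft_graph": {
        "credentials": {
            "tenant_id": "00000000-0000-0000-0000-000000000000",   # placeholder, not a real tenant
            "client_id": "11111111-1111-1111-1111-111111111111",   # placeholder, not a real app id
            "client_secret": "<client-secret-placeholder>",
        },
        "services": {
            "audit": {"tag_version": "v2", "start_time": "2022-09-01T00:00:00Z"},
        },
    },
}

if __name__ == "__main__":
    for finding in validate_config(SAMPLE_CONFIG) or [("OK", 0, "no findings")]:
        print(finding)
```

Running the checks this way turns the "Contact Devo Support" and "Ensure that..." rows into something a deployment pipeline can assert on before a secret is ever handed to the collector.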
Collector operations
This section is intended to explain how to proceed with specific operations of this collector.
Verify collector operations
Initialization
The initialization module is in charge of setup and running the input (pulling logic) and output (delivering logic) services and validating the given configuration.
A successful run has the following output messages for the initializer module:
INFO MainProcess::MainThread -> Added "[collector_dir]" directory to the Python path
INFO MainProcess::MainThread -> Added "[collector_dir]/config_internal" directory to the Python path
INFO MainProcess::MainThread -> {"production_mode": false, "python_version": "3.9.12 (main, Apr 6 2022, 10:19:29) \n[Clang 12.0.5 (clang-1205.0.22.9)]", "current_directory": "[collector_dir]", "exists_config_dir": true, "exists_config_internal_dir": true, "exists_certs_dir": true, "exists_credentials_dir": true}
INFO MainProcess::MainThread -> Loading configuration using the following files: {"full_config": "config-test-local.yaml", "job_config_loc": null, "collector_config_loc": null}
INFO MainProcess::MainThread -> Using the default location for "job_config_loc" file: "/etc/devo/job/job_config.json"
INFO MainProcess::MainThread -> "/etc/devo/job" does not exists
INFO MainProcess::MainThread -> Using the default location for "collector_config_loc" file: "/etc/devo/collector/collector_config.json"
INFO MainProcess::MainThread -> "/etc/devo/collector" does not exists
INFO MainProcess::MainThread -> Results of validation of config files parameters: {"config": "[collector_dir]/config/config-test-local.yaml", "config_validated": True, "job_config_loc": "/etc/devo/job/job_config.json", "job_config_loc_default": True, "job_config_loc_validated": False, "collector_config_loc": "/etc/devo/collector/collector_config.json", "collector_config_loc_default": True, "collector_config_loc_validated": False}
INFO MainProcess::MainThread -> {"build_time": "UNKNOWN", "os_info": "macOS-12.5.1-x86_64-i386-64bit", "collector_name": "microsoft_graph", "collector_version": "1.2.0", "collector_owner": "integrations_factory@devo.com", "started_at": "2022-09-01T14:57:53.453415Z"}
INFO MainProcess::MainThread -> (CollectorMultiprocessingQueue) standard_queue_multiprocessing -> max_size_in_messages: 10000, max_size_in_mb: 1024, max_wrap_size_in_items: 100
INFO MainProcess::MainThread -> [OUTPUT] OutputMultiprocessingController::__init__ Configuration -> {'devo_1': {'type': 'devo_platform', 'config': {'address': 'collector-us.devo.io', 'port': 443, 'type': 'SSL', 'chain': 'chain.cer', 'cert': 'cert.cer', 'key': 'key.key', 'concurrent_connections': 1, 'period_sender_stats_in_seconds': 300, 'activate_final_queue': False, 'threshold_for_using_gzip_in_transport_layer': 1.1, 'compression_level': 6, 'compression_buffer_in_bytes': 51200, 'generate_metrics': False}}}
INFO MainProcess::MainThread -> OutputProcess - Starting thread (executing_period=300s)
INFO MainProcess::MainThread -> InputProcess - Starting thread (executing_period=300s)
INFO InputProcess::MainThread -> Process Started
INFO OutputProcess::MainThread -> Process started
INFO OutputProcess::MainThread -> [INTERNAL LOGIC] DevoSender::_validate_kwargs_for_method__init__ -> The <address> does not appear to be an IP address and cannot be verified: collector-us.devo.io
INFO OutputProcess::MainThread -> [INTERNAL LOGIC] DevoSender::_validate_kwargs_for_method__init__ -> The <address> does not appear to be an IP address and cannot be verified: collector-us.devo.io
INFO OutputProcess::MainThread -> [INTERNAL LOGIC] DevoSender::_validate_kwargs_for_method__init__ -> The <address> does not appear to be an IP address and cannot be verified: collector-us.devo.io
INFO OutputProcess::MainThread -> DevoSender(standard_senders,devo_sender_0) -> Starting thread
INFO OutputProcess::MainThread -> DevoSenderManagerMonitor(standard_senders,devo_1) -> Starting thread (every 300 seconds)
INFO OutputProcess::MainThread -> DevoSenderManager(standard_senders,manager,devo_1) -> Starting thread
INFO OutputProcess::MainThread -> DevoSender(lookup_senders,devo_sender_0) -> Starting thread
INFO OutputProcess::MainThread -> DevoSenderManagerMonitor(lookup_senders,devo_1) -> Starting thread (every 300 seconds)
INFO OutputProcess::MainThread -> DevoSenderManager(lookup_senders,manager,devo_1) -> Starting thread
INFO OutputProcess::MainThread -> DevoSender(internal_senders,devo_sender_0) -> Starting thread
INFO OutputProcess::MainThread -> DevoSenderManagerMonitor(internal_senders,devo_1) -> Starting thread (every 300 seconds)
INFO OutputProcess::MainThread -> DevoSenderManager(internal_senders,manager,devo_1) -> Starting thread
INFO OutputProcess::MainThread -> [GC] global: 67.8% -> 67.8%, process: RSS(38.10MiB -> 38.16MiB), VMS(32.82GiB -> 32.82GiB)
INFO InputProcess::MainThread -> InputThread(microsoft_graph,1) - Starting thread (execution_period=600s)
INFO InputProcess::MainThread -> ServiceThread(microsoft_graph,1,secure_score_control_profile,predefined) - Starting thread (execution_period=600s)
INFO InputProcess::MainThread -> MicrosoftGraphPullerSetup(unknown,microsoft_graph#1,secure_score_control_profile#predefined) -> Starting thread
INFO InputProcess::MainThread -> MicrosoftGraphNonTimeBasedPuller(microsoft_graph,1,secure_score_control_profile,predefined) - Starting thread
WARNING InputProcess::MicrosoftGraphNonTimeBasedPuller(microsoft_graph,1,secure_score_control_profile,predefined) -> Waiting until setup will be executed
INFO InputProcess::MainThread -> [GC] global: 67.8% -> 67.8%, process: RSS(38.35MiB -> 38.35MiB), VMS(32.70GiB -> 32.70GiB)
INFO OutputProcess::DevoSender(internal_senders,devo_sender_0) -> Created a sender: {"group_name": "internal_senders", "instance_name": "devo_sender_0", "url": "collector-us.devo.io:443", "chain_path": "[collector_dir]/certs/chain.cer", "cert_path": "[collector_dir]/certs/cert.cer", "key_path": "[collector_dir]/certs/key.key", "transport_layer_type": "SSL"}, hostname: "2019EMEA0386.local", session_id: "4532931840"
Events delivery and Devo ingestion
The event delivery module is in charge of receiving the events from the internal queues where all events are injected by the pullers and delivering them using the selected compatible delivery method.
A successful run has the following output messages for the event delivery module:
INFO OutputProcess::SyslogSenderManagerMonitor(standard_senders,sidecar_0) -> Number of available senders: 1, sender manager internal queue size: 0
INFO OutputProcess::SyslogSenderManagerMonitor(standard_senders,sidecar_0) -> enqueued_elapsed_times_in_seconds_stats: {}
INFO OutputProcess::SyslogSenderManagerMonitor(standard_senders,sidecar_0) -> Sender: SyslogSender(standard_senders,syslog_sender_0), status: {"internal_queue_size": 0, "is_connection_open": True}
INFO OutputProcess::SyslogSenderManagerMonitor(standard_senders,sidecar_0) -> Standard - Total number of messages sent: 44, messages sent since "2022-06-28 10:39:22.511671+00:00": 44 (elapsed 0.007 seconds)
INFO OutputProcess::SyslogSenderManagerMonitor(internal_senders,sidecar_0) -> Number of available senders: 1, sender manager internal queue size: 0
INFO OutputProcess::SyslogSenderManagerMonitor(internal_senders,sidecar_0) -> enqueued_elapsed_times_in_seconds_stats: {}
INFO OutputProcess::SyslogSenderManagerMonitor(internal_senders,sidecar_0) -> Sender: SyslogSender(internal_senders,syslog_sender_0), status: {"internal_queue_size": 0, "is_connection_open": True}
INFO OutputProcess::SyslogSenderManagerMonitor(internal_senders,sidecar_0) -> Internal - Total number of messages sent: 1, messages sent since "2022-06-28 10:39:22.516313+00:00": 1 (elapsed 0.019 seconds)
By default, these information traces will be displayed every 10 minutes.
Sender services
The Integrations Factory Collector SDK has three different sender services depending on the type of event to deliver (internal, standard, and lookup). This collector uses the following sender services:
Sender service | Description
internal_senders | In charge of delivering internal metrics to Devo, such as logging traces or metrics.
standard_senders | In charge of delivering pulled events to Devo.
Sender statistics
Each service displays its own performance statistics that allow checking how many events have been delivered to Devo by type:
Logging trace | Description
Number of available senders: 1 | Displays the number of concurrent senders available for the given sender service.
sender manager internal queue size: 0 | Displays the items waiting in the internal sender queue. This value helps detect bottlenecks and the need to increase the performance of data delivery to Devo, which can be done by increasing the number of concurrent senders.
Total number of messages sent: 44, messages sent since "2022-06-28 10:39:22.511671+00:00": 21 (elapsed 0.007 seconds) | Displays the number of events sent since the last checkpoint. Following the given example, the following conclusions can be drawn:
44 events were sent to Devo since the collector started.
The last checkpoint timestamp was 2022-06-28 10:39:22.511671+00:00.
21 events were sent to Devo between the last UTC checkpoint and now.
Those 21 events required 0.007 seconds to be delivered.
By default these traces will be shown every 10 minutes.
Check memory usage
To check the memory usage of this collector, look for the following log records, which are displayed every 5 minutes by default, always after the memory-free process has run.
The used memory is displayed per running process, and the sum of both values gives the total memory used by the collector.
The pressure on the available memory of the whole host is displayed in the global value.
All metrics (Global, RSS, VMS) show the value before and after freeing memory (before -> after).
RSS is the Resident Set Size, which is the actual physical memory the process is using.
VMS is the Virtual Memory Size, which is the virtual memory the process is using.
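Reading the puller, sender-statistics and [GC] traces by hand works for one excerpt; the following Python is an added example, not part of the collector, that parses those three trace formats from the log lines quoted in this document plus two constructed lines, sums RSS across processes as the memory section describes, and flags the two conditions an operator would want to know about: a received/sent mismatch in the puller and a sender queue that is backing up. The queue threshold and the lines marked constructed are assumptions.

```python
import re
from typing import Dict, List, Optional

# Patterns for the trace formats shown in this document's log excerpts.
PROC_RE = re.compile(r"^\w+ (?P<proc>\w+)::")
PULLER_RE = re.compile(r"Sent (?P<requests>\d+) requests, messages\(received/sent\): "
                       r"(?P<received>\d+)/(?P<sent>\d+), avg_time_per_source_message: (?P<avg_ms>[\d.]+) ms")
QUEUE_RE = re.compile(r"Number of available senders: (?P<senders>\d+), "
                      r"sender manager internal queue size: (?P<queue>\d+)")
SENT_RE = re.compile(r"Total number of messages sent: (?P<total>\d+), "
                     r'messages sent since "(?P<since>[^"]+)": (?P<delta>\d+) \(elapsed (?P<elapsed>[\d.]+) seconds\)')
GC_RE = re.compile(r"\[GC\] global: (?P<g_before>[\d.]+)% -> (?P<g_after>[\d.]+)%, process: "
                   r"RSS\((?P<rss_before>[\d.]+)MiB -> (?P<rss_after>[\d.]+)MiB\), "
                   r"VMS\((?P<vms_before>[\d.]+)GiB -> (?P<vms_after>[\d.]+)GiB\)")


def parse_sent(line: str) -> Optional[Dict[str, object]]:
    """Reads a 'Total number of messages sent' trace the way the sender-statistics table explains it."""
    m = SENT_RE.search(line)
    if not m:
        return None
    return {"total": int(m["total"]), "since": m["since"], "delta": int(m["delta"]),
            "elapsed_s": float(m["elapsed"]),
            "group": "internal" if "internal_senders" in line else "standard"}


def parse_gc(line: str) -> Optional[Dict[str, float]]:
    """Reads a [GC] trace into before/after numbers for global pressure, RSS and VMS."""
    m = GC_RE.search(line)
    return {k: float(v) for k, v in m.groupdict().items()} if m else None


def summarize(lines: List[str], queue_warn: int = 1000) -> Dict[str, object]:
    """One pass over collector log lines: delivery counters, RSS summed per process
    (the latest [GC] value of each process, as the memory section describes) and warnings."""
    rss_by_proc: Dict[str, float] = {}
    warnings: List[str] = []
    report: Dict[str, object] = {"standard_total": 0, "standard_delta": 0,
                                 "puller_received": 0, "puller_sent": 0}
    for line in lines:
        if m := PULLER_RE.search(line):
            received, sent = int(m["received"]), int(m["sent"])
            report["puller_received"] += received
            report["puller_sent"] += sent
            if received != sent:
                warnings.append(f"puller received/sent mismatch: {received}/{sent}")
        elif m := QUEUE_RE.search(line):
            if int(m["queue"]) >= queue_warn:
                warnings.append(f"sender queue backlog of {m['queue']} items; consider more concurrent senders")
        elif (sent_stats := parse_sent(line)) and sent_stats["group"] == "standard":
            report["standard_total"] = sent_stats["total"]
            report["standard_delta"] = sent_stats["delta"]
        elif gc := parse_gc(line):
            proc = PROC_RE.match(line)
            rss_by_proc[proc["proc"] if proc else "unknown"] = gc["rss_after"]
    report["rss_total_mib"] = round(sum(rss_by_proc.values()), 2)
    report["warnings"] = warnings
    return report


SAMPLE_LINES = [
    # Lines taken from the log excerpts in this document:
    "INFO InputProcess::MicrosoftGraphNonTimeBasedPuller(microsoft_graph,1,secure_score_control_profile,predefined) -> Sent 4 requests, messages(received/sent): 274/274, avg_time_per_source_message: 17.177 ms",
    "INFO OutputProcess::SyslogSenderManagerMonitor(standard_senders,sidecar_0) -> Number of available senders: 1, sender manager internal queue size: 0",
    'INFO OutputProcess::SyslogSenderManagerMonitor(standard_senders,sidecar_0) -> Standard - Total number of messages sent: 44, messages sent since "2022-06-28 10:39:22.511671+00:00": 44 (elapsed 0.007 seconds)',
    "INFO OutputProcess::MainThread -> [GC] global: 67.8% -> 67.8%, process: RSS(38.10MiB -> 38.16MiB), VMS(32.82GiB -> 32.82GiB)",
    "INFO InputProcess::MainThread -> [GC] global: 67.8% -> 67.8%, process: RSS(38.35MiB -> 38.35MiB), VMS(32.70GiB -> 32.70GiB)",
    # Constructed lines (not from the document) showing the two conditions worth alerting on:
    "INFO InputProcess::MicrosoftGraphNonTimeBasedPuller(microsoft_graph,1,secure_score_control_profile,predefined) -> Sent 4 requests, messages(received/sent): 274/270, avg_time_per_source_message: 17.177 ms",
    "INFO OutputProcess::SyslogSenderManagerMonitor(standard_senders,sidecar_0) -> Number of available senders: 1, sender manager internal queue size: 2500",
]

if __name__ == "__main__":
    print(summarize(SAMPLE_LINES))
```

The same regexes can be pointed at the collector's log console after a deployment: a growing queue size across consecutive 10-minute traces is the bottleneck signal the sender-statistics table describes, and a puller line whose received and sent counts differ is worth a debug-mode run.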
Enable/disable the logging debug mode
Sometimes it is necessary to activate the debug mode of the collector's logging. This debug mode increases the verbosity of the log and allows you to print execution traces that are very helpful in resolving incidents or detecting bottlenecks in heavy download processes.
To enable this option you just need to edit the configuration and change the debug parameter from false to true and restart the collector.
To disable this option, you just need to update the configuration and change the debug parameter from true to false and restart the collector.
For more information, visit the configuration and parameterization section corresponding to the chosen deployment mode.
Change log for v1.x.x
Release | Released on | Release type | Details | Recommendations
v1.2.0 | | NEW FEATURE, IMPROVEMENT | See below |
Details for v1.2.0:
New features:
New supported sources: Sign In (signIn service), Audit (audit service), Provisioning (provisioning service).
Previous services modification: The new tagging introduced in the previous v1.1.3 release is now customizable through the tag_version service parameter. The default tagging has been reverted to the original one. The alerts source, when tag_version is set to v2, will try to categorize the events by applying different tags based on the event's provider.
Improvements:
Token validation is now performed against the corresponding endpoint.