[cloudflare_logpush] Initial Release for the Cloudflare Logpush #3643
Conversation
💚 Build Succeeded
Expand to view the summary
Build stats
Test stats 🧪
🤖 GitHub commentsTo re-run your PR in the CI, just comment with:
|
vinit-chauhan
added
enhancement
|
Pinging @elastic/security-external-integrations (Team:Security-External Integrations) |
🌐 Coverage report
|
|
Why a separate integration instead of just adding the new datastreams/inputs to the original one? |
vinit-chauhan
changed the title
Hey @legoguy1000 - we explored the possibility of adding Logpush to your Logpull integration, but there are several event types that are only supported by Log Push and it would be tricky to align content such as dashboards within a single integration. We're going to update the Log Pull integration to make it clearer that the integration is based on Logpull. |
|
I get the issue with the additional datasets though perhaps since the only 2 datasets in the original cloudflare integration are http and audit logs. My thought is add the httpjson inputs to the new audit and http event data streams and then deprecate the original integration. That way u may not have a conflict and u only have to maintain a single integration/pipelines/dashboards.... going forward. |
|
bump! |
|
@vinit-elastic it would be useful to know a benchmark on the number of events that can be pumped to ES per second (EPS) with this input (say on a single node cluster). Would you be able to run a test check the performance ? |
packages/cloudflare_logpush/data_stream/audit/elasticsearch/ingest_pipeline/default.yml
Show resolved
Hide resolved
|
Hey @r00tu53r Elastic-Agent is running on one machine, Elasticsearch and Kibana on another machine. Configuration of the machine in which Elastic-agent is running: When no of the workers are set to 5 (Default), then: When no of the workers are set to 100, then: |
|
@vinit-elastic Logpush delivers logs in less than one minute with batches of no more than 100,000 records per file. Based on the ingestion rate of 440 EPS with 100 quarters, that only gets us to ~25% of what Cloudflare could send in a minute. Do we know if there's additional workers we can add or other variables configuration to ensure we can support that rate of ingestion? |
|
Hey @jamiehynds - The low ingestion rate may be due to the hardware configuration. Moreover, we have kept the number of workers as a configurable parameter so that if the data rate is huge for some users, they can tweak the number per the requirement. |
|
This looks awesome! Is there any chance support for the |
packages/cloudflare_logpush/data_stream/audit/agent/stream/http_endpoint.yml.hbs
Show resolved
Hide resolved
|
|
||
| ### Audit Logs | ||
|
|
||
| - Default port for HTTP Endpoint: _9560_ |
There was a problem hiding this comment.
I don't like that we require more than one port to be exposed to the Internet. I've opened a proposal issue to discuss a possible solution in elastic/beats#32578.
| @@ -0,0 +1,26 @@ | |||
| bucket_arn: {{bucket_arn}} | |||
There was a problem hiding this comment.
It seems like the integration should be capable of using SQS notification and S3 polling. Could we create two separate input configurations like aws-s3-polling.yml.hbs and aws-s3-sqs.yml.hbs? If they are separate I think that would be easier to maintain and to configure.
There was a problem hiding this comment.
I see that you combined everything into one file, did my recommendation to use aws-s3-polling.yml.hbs and aws-s3-sqs.yml.hbs not work? What problems did you encounter?
There was a problem hiding this comment.
We started with keeping a separate file for S3 Polling and SQS ( aws-s3-polling.yml.hbs and aws-s3-sqs.yml.hbs ). However, while doing so, we observed the following behavior.
Though the hbs files were different, the input type was the same input: aws-s3. So, the toggle for both S3 Pooling and S3 SQS was not working properly. So, whenever a user changes the state of one toggle to collect data for only one of the input types, either S3 Pooling or S3 SQS, other one starts automatically. That's the reason why we kept the combined everything into one file.
Moreover, to avoid confusion we've added an indicator in the description of both (S3-Pooling ->[S3] and S3-SQS ->[SQS]) to make it more user-friendly. Now, the users only need to enable the toggle button (Collect logs via S3 Bucket) in order to collect the logs through S3-Polling input and disable it for SQS.
|
/test |
Co-authored-by: Andrew Kroh <andrew.kroh@elastic.co>
vinit-chauhan
force-pushed
the
package_cloudflare_logpush
branch
from
1918aa4
to
2714950
Compare
|
|
||
| ## Overview | ||
|
|
||
| The [Cloudflare Logpush](https://www.cloudflare.com/) integration allows you to monitor Audit, DNS, Firewall Event, HTTP Request, NEL Report, Network Analytics and Spectrum Event Logs. Cloudflare is content delivery network and DDoS mitigation company. Cloudflare is a global network designed to make everything you connect to the Internet secure, private, fast, and reliable. Secure your websites, APIs, and Internet applications. Protect corporate networks, employees, and devices. Write and deploy code that runs on the network edge. |
There was a problem hiding this comment.
| The [Cloudflare Logpush](https://www.cloudflare.com/) integration allows you to monitor Audit, DNS, Firewall Event, HTTP Request, NEL Report, Network Analytics and Spectrum Event Logs. Cloudflare is content delivery network and DDoS mitigation company. Cloudflare is a global network designed to make everything you connect to the Internet secure, private, fast, and reliable. Secure your websites, APIs, and Internet applications. Protect corporate networks, employees, and devices. Write and deploy code that runs on the network edge. | |
| The [Cloudflare Logpush](https://www.cloudflare.com/) integration allows you to monitor Audit, DNS, Firewall Event, HTTP Request, NEL Report, Network Analytics and Spectrum Event Logs. Cloudflare is a content delivery network and DDoS mitigation company. Cloudflare provides a network designed to make everything you connect to the Internet secure, private, fast, and reliable; secure your websites, APIs, and Internet applications; protect corporate networks, employees, and devices; and write and deploy code that runs on the network edge. |
| The Cloudflare Logpush integration can be used in three different modes to collect data: | ||
| - HTTP Endpoint mode - Cloudflare pushes logs directly to an HTTP endpoint hosted by your Elastic Agent | ||
| - AWS S3 polling mode - Cloudflare writes data to S3 and Elastic Agent polls the S3 bucket by listing its contents and reading new files | ||
| - AWS S3 SQS mode - Cloudflare writes data to S3, S3 pushes a new object notification to SQS, Elastic Agent receives the notification from SQS, and then reads the S3 object. Multiple Agents can be used in this mode. | ||
|
|
There was a problem hiding this comment.
| The Cloudflare Logpush integration can be used in three different modes to collect data: | |
| - HTTP Endpoint mode - Cloudflare pushes logs directly to an HTTP endpoint hosted by your Elastic Agent | |
| - AWS S3 polling mode - Cloudflare writes data to S3 and Elastic Agent polls the S3 bucket by listing its contents and reading new files | |
| - AWS S3 SQS mode - Cloudflare writes data to S3, S3 pushes a new object notification to SQS, Elastic Agent receives the notification from SQS, and then reads the S3 object. Multiple Agents can be used in this mode. | |
| The Cloudflare Logpush integration can be used in three different modes to collect data: | |
| - HTTP Endpoint mode - Cloudflare pushes logs directly to an HTTP endpoint hosted by your Elastic Agent. | |
| - AWS S3 polling mode - Cloudflare writes data to S3 and Elastic Agent polls the S3 bucket by listing its contents and reading new files. | |
| - AWS S3 SQS mode - Cloudflare writes data to S3, S3 pushes a new object notification to SQS, Elastic Agent receives the notification from SQS, and then reads the S3 object. Multiple Agents can be used in this mode. |
| - AWS S3 SQS mode - Cloudflare writes data to S3, S3 pushes a new object notification to SQS, Elastic Agent receives the notification from SQS, and then reads the S3 object. Multiple Agents can be used in this mode. | ||
|
|
||
|
|
||
| For example, you could use the data from this integration to know about which websites have the highest traffic, which areas have the highest network traffic, or mitigation statistics. |
There was a problem hiding this comment.
| For example, you could use the data from this integration to know about which websites have the highest traffic, which areas have the highest network traffic, or mitigation statistics. | |
| For example, you could use the data from this integration to know which websites have the highest traffic, which areas have the highest network traffic, or observe mitigation statistics. |
|
|
||
| ## Data streams | ||
|
|
||
| The Cloudflare Logpush integration collects logs for seven types of events: Audit, DNS, Firewall Event, HTTP Request, NEL Report, Network Analytics and Spectrum Event. |
There was a problem hiding this comment.
| The Cloudflare Logpush integration collects logs for seven types of events: Audit, DNS, Firewall Event, HTTP Request, NEL Report, Network Analytics and Spectrum Event. | |
| The Cloudflare Logpush integration collects logs for seven types of events: Audit, DNS, Firewall Event, HTTP Request, NEL Report, Network Analytics, and Spectrum Event. |
| value: [authentication] | ||
| - date: | ||
| field: json.When | ||
| if: ctx.json?.When != null && ctx.json?.When != '' |
There was a problem hiding this comment.
| if: ctx.json?.When != null && ctx.json?.When != '' | |
| if: ctx.json?.When != null && ctx.json.When != '' |
| ignore_failure: true | ||
| - date: | ||
| field: json.ConnectTimestamp | ||
| if: ctx.json?.ConnectTimestamp != null && ctx.json?.ConnectTimestamp != '' |
There was a problem hiding this comment.
| if: ctx.json?.ConnectTimestamp != null && ctx.json?.ConnectTimestamp != '' | |
| if: ctx.json?.ConnectTimestamp != null && ctx.json.ConnectTimestamp != '' |
| value: '{{{_ingest.on_failure_message}}}' | ||
| - date: | ||
| field: json.DisconnectTimestamp | ||
| if: ctx.json?.DisconnectTimestamp != null && ctx.json?.DisconnectTimestamp != '' |
There was a problem hiding this comment.
| if: ctx.json?.DisconnectTimestamp != null && ctx.json?.DisconnectTimestamp != '' | |
| if: ctx.json?.DisconnectTimestamp != null && ctx.json.DisconnectTimestamp != '' |
| "time": "2022-05-26T09:24:00.000Z" | ||
| }, | ||
| "disconnect": { | ||
| "time": "1970-01-01T00:00:00.000Z" |
There was a problem hiding this comment.
This looks like an empty value has been used. I can see that it's like that in the event.original, but is that real?
There was a problem hiding this comment.
Yes, We got this value in the actual response from Cloudflare itself.
| - yyyy-MM-dd'T'HH:mm:ss.SSSZ | ||
| - UNIX_MS | ||
| timezone: UTC | ||
| target_field: cloudflare_logpush.spectrum_event.connect.time |
There was a problem hiding this comment.
Maybe also set event.start from this.
| - yyyy-MM-dd'T'HH:mm:ss.SSSZ | ||
| - UNIX_MS | ||
| timezone: UTC | ||
| target_field: cloudflare_logpush.spectrum_event.disconnect.time |
What does this PR do?
Checklist
changelog.ymlfile.manifest.ymlfile to point to the latest Elastic stack release (e.g.^7.17.0 || ^8.0.0).How to test this PR locally
Related issues
Screenshots