Kafka feature 3105 v5 #4096
Kafka feature 3105 v5 #4096
Conversation
This changeset ensures the kafka output ability for eve. - A new output method convenient for data analysis. - Configure with --enable-rdkafka option when you need outpout eve with kafka. - Update eve kafka output conf doc
|
Doc looks fine to me, a bit more explanation for new users might be helpful |
|
This is really awesome!! Is there anything blocking this merge? |
|
| gethostname(hostname, 1023); | ||
| json_ctx->file_ctx->sensor_name = SCStrdup(hostname); | ||
| } | ||
| if (json_ctx->file_ctx->sensor_name == NULL) { |
There was a problem hiding this comment.
nit: 2 blanks between sensor_name and ==
| int error_code, | ||
| void *opaque, void *msg_opaque) | ||
| { | ||
| rk = rk; |
There was a problem hiding this comment.
lhs = rhs ... what's this for? L108-L112
| rd_kafka_topic_conf_t *topic_conf; | ||
| char tmp[16]; | ||
| char errstr[512]; | ||
| kafka_ctx = (SCLogKafkaContext*) SCCalloc(1, sizeof(SCLogKafkaContext)); |
There was a problem hiding this comment.
Make sure kafka_ctx is freed on error paths/early exits.
| exit(EXIT_FAILURE); | ||
| } | ||
|
|
||
| conf = rd_kafka_conf_new(); |
There was a problem hiding this comment.
Make sure you free conf with rd_kafka_topic_conf_destroy on error paths/early exits.
| @@ -0,0 +1,203 @@ | |||
| /* Copyright (C) 2007-2019 Open Information Security Foundation | |||
There was a problem hiding this comment.
Nit: change date to just 2019
| #include "util-log-kafka.h" | ||
| #include "util-logopenfile.h" | ||
|
|
||
| #ifdef HAVE_LIBRDKAFKA |
There was a problem hiding this comment.
IMO, this guard should be moved prior to the first #include statement.
| if (!log_ctx->sensor_name) { | ||
| char hostname[1024]; | ||
| gethostname(hostname, 1023); | ||
| log_ctx->sensor_name = SCStrdup(hostname); |
There was a problem hiding this comment.
Where will sensor_name be freed if SCConfLogOpenKafka fails?
|
Please submit a new PR with the requested updated, thanks! |
|
Btw @dbcfd how do you feel about this? Asking because of your https://github.com/dbcfd/surikafka project. @CosmosSun why do you think this should be a part of Suricata itself instead of using something like https://github.com/dbcfd/surikafka ? |
|
|
My general feeling is that suricata should focus on using file and UDS for output, to reduce maintenance cost associated with other output types (e.g. kafka and redis). Continuing to add additional output types increases maintenance cost for features that may see limited use, and can be achieved by using a unix pipe like approach, where the output handler is external to suricata. This also allows the output handler to have a different release cycle, to address possible bugs, library upgrades, etc. I feel even stronger about this with kafka, due to its significant configuration and failure modes. Kafka is more likely to introduce performance impacts than redis, especially if it is configured as a blocking, don't drop events mode with an ack level for broker and replicates. |
Sleep 250 microseconds instead of 100 as running in KVM cause the old value to use 100% CPU for these threads. Perf testing suggests no measurable impact for the non-KVM case. Ticket: OISF#4096
Sleep 250 microseconds instead of 100 as running in KVM cause the old value to use 100% CPU for these threads. Perf testing suggests no measurable impact for the non-KVM case. Ticket: OISF#4096
|
You should use rd_kafka_poll after each call to rd_kafka_produce, or call rd_kafka_poll regularly, otherwise the VmRSS of the process will continue to grow, causing memory leaks: `int LogFileWriteKafka(void *lf_ctx, const char *string, size_t string_len) }` |
|
@zhouhanAC please report bugs in our issue tracker instead of very old and closed PRs, thanks! |
This changeset ensures the kafka output ability for eve.
Continuation of #4093.
Make sure these boxes are signed before submitting your Pull Request -- thank you.
Link to redmine ticket:
https://redmine.openinfosecfoundation.org/issues/3105
Describe changes:
PRScript output (if applicable):