Added: release/metron/0.4.0/site-book/metron-sensors/bro-plugin-kafka/index.html
==============================================================================
--- release/metron/0.4.0/site-book/metron-sensors/bro-plugin-kafka/index.html 
(added)
+++ release/metron/0.4.0/site-book/metron-sensors/bro-plugin-kafka/index.html 
Wed Jul  5 06:56:42 2017
@@ -0,0 +1,491 @@
+<!DOCTYPE html>
+<!--
+ | Generated by Apache Maven Doxia at 2017-06-27
+ | Rendered using Apache Maven Fluido Skin 1.3.0
+-->
+<html xmlns="http://www.w3.org/1999/xhtml"; xml:lang="en" lang="en">
+  <head>
+    <meta charset="UTF-8" />
+    <meta name="viewport" content="width=device-width, initial-scale=1.0" />
+    <meta name="Date-Revision-yyyymmdd" content="20170627" />
+    <meta http-equiv="Content-Language" content="en" />
+    <title>Metron &#x2013; Logging Bro Output to Kafka</title>
+    <link rel="stylesheet" href="../../css/apache-maven-fluido-1.3.0.min.css" 
/>
+    <link rel="stylesheet" href="../../css/site.css" />
+    <link rel="stylesheet" href="../../css/print.css" media="print" />
+
+      
+    <script type="text/javascript" 
src="../../js/apache-maven-fluido-1.3.0.min.js"></script>
+
+                          
+        
+<script type="text/javascript">$( document ).ready( function() { $( 
'.carousel' ).carousel( { interval: 3500 } ) } );</script>
+          
+            </head>
+        <body class="topBarDisabled">
+          
+                
+                    
+    
+        <div class="container-fluid">
+          <div id="banner">
+        <div class="pull-left">
+                                    <a href="http://metron.apache.org/"; 
id="bannerLeft">
+                                                                               
                 <img src="../../images/metron-logo.png"  alt="Apache Metron" 
width="148px" height="48px"/>
+                </a>
+                      </div>
+        <div class="pull-right">  </div>
+        <div class="clear"><hr/></div>
+      </div>
+
+      <div id="breadcrumbs">
+        <ul class="breadcrumb">
+                
+                    
+                              <li class="">
+                    <a href="http://www.apache.org"; class="externalLink" 
title="Apache">
+        Apache</a>
+        </li>
+      <li class="divider ">/</li>
+            <li class="">
+                    <a href="http://metron.apache.org/"; class="externalLink" 
title="Metron">
+        Metron</a>
+        </li>
+      <li class="divider ">/</li>
+            <li class="">
+                    <a href="../../index.html" title="Documentation">
+        Documentation</a>
+        </li>
+      <li class="divider ">/</li>
+        <li class="">Logging Bro Output to Kafka</li>
+        
+                
+                    
+                  <li id="publishDate" class="pull-right">Last Published: 
2017-06-27</li> <li class="divider pull-right">|</li>
+              <li id="projectVersion" class="pull-right">Version: 0.4.0</li>
+            
+                            </ul>
+      </div>
+
+            
+      <div class="row-fluid">
+        <div id="leftColumn" class="span3">
+          <div class="well sidebar-nav">
+                
+                    
+                <ul class="nav nav-list">
+                    <li class="nav-header">User Documentation</li>
+                                                                               
                                                                                
                                                                                
                                                                                
                                                                                
                                                                                
                                                                                
                                                                                
                                                                                
                                                                                
                                                                                
           
+      <li>
+    
+                          <a href="../../index.html" title="Metron">
+          <i class="icon-chevron-down"></i>
+        Metron</a>
+                    <ul class="nav nav-list">
+                      
+      <li>
+    
+                          <a href="../../Upgrading.html" title="Upgrading">
+          <i class="none"></i>
+        Upgrading</a>
+            </li>
+                                                                               
                                                                       
+      <li>
+    
+                          <a href="../../metron-analytics/index.html" 
title="Analytics">
+          <i class="icon-chevron-right"></i>
+        Analytics</a>
+                  </li>
+                                                                               
                                                                                
                                                                                
                                                                                
                                                     
+      <li>
+    
+                          <a href="../../metron-deployment/index.html" 
title="Deployment">
+          <i class="icon-chevron-right"></i>
+        Deployment</a>
+                  </li>
+                      
+      <li>
+    
+                          <a href="../../metron-docker/index.html" 
title="Docker">
+          <i class="none"></i>
+        Docker</a>
+            </li>
+                      
+      <li>
+    
+                          <a 
href="../../metron-interface/metron-config/index.html" title="Config">
+          <i class="none"></i>
+        Config</a>
+            </li>
+                      
+      <li>
+    
+                          <a 
href="../../metron-interface/metron-rest/index.html" title="Rest">
+          <i class="none"></i>
+        Rest</a>
+            </li>
+                                                                               
                                                                                
                                                                                
 
+      <li>
+    
+                          <a href="../../metron-platform/index.html" 
title="Platform">
+          <i class="icon-chevron-right"></i>
+        Platform</a>
+                  </li>
+                                                                               
                                       
+      <li>
+    
+                          <a href="../../metron-sensors/index.html" 
title="Sensors">
+          <i class="icon-chevron-down"></i>
+        Sensors</a>
+                    <ul class="nav nav-list">
+                      
+      <li class="active">
+    
+            <a href="#"><i class="none"></i>Bro-plugin-kafka</a>
+          </li>
+                      
+      <li>
+    
+                          <a href="../../metron-sensors/fastcapa/index.html" 
title="Fastcapa">
+          <i class="none"></i>
+        Fastcapa</a>
+            </li>
+                      
+      <li>
+    
+                          <a href="../../metron-sensors/pycapa/index.html" 
title="Pycapa">
+          <i class="none"></i>
+        Pycapa</a>
+            </li>
+              </ul>
+        </li>
+              </ul>
+        </li>
+            </ul>
+                
+                    
+                
+          <hr class="divider" />
+
+           <div id="poweredBy">
+                            <div class="clear"></div>
+                            <div class="clear"></div>
+                            <div class="clear"></div>
+                             <a href="http://maven.apache.org/"; title="Built 
by Maven" class="poweredBy">
+        <img class="builtBy" alt="Built by Maven" 
src="../../images/logos/maven-feather.png" />
+      </a>
+                  </div>
+          </div>
+        </div>
+        
+                
+        <div id="bodyColumn"  class="span9" >
+                                  
+            <h1>Logging Bro Output to Kafka</h1>
+<p>A Bro log writer that sends logging output to Kafka. This provides a 
convenient means for tools in the Hadoop ecosystem, such as Storm, Spark, and 
others, to process the data generated by Bro.</p>
+<div class="section">
+<h2><a name="Installation"></a>Installation</h2>
+
+<ol style="list-style-type: decimal">
+  
+<li>
+<p>Install <a class="externalLink" 
href="https://github.com/edenhill/librdkafka";>librdkafka</a>, a native client 
library for Kafka. This plugin has been tested against the latest release of 
librdkafka, which at the time of this writing is v0.9.4.</p>
+<p>In order to use this plugin within a kerberized Kafka environment, you will 
also need <tt>libsasl2</tt> installed and will need to pass 
<tt>--enable-sasl</tt> to the <tt>configure</tt> script.</p>
+  
+<div class="source">
+<div class="source">
+<pre>curl -L https://github.com/edenhill/librdkafka/archive/v0.9.4.tar.gz | 
tar xvz
+cd librdkafka-0.9.4/
+./configure --enable-sasl
+make
+sudo make install
+</pre></div></div></li>
+  
+<li>
+<p>Build the plugin using the following commands.</p>
+  
+<div class="source">
+<div class="source">
+<pre>./configure --bro-dist=$BRO_SRC
+make
+sudo make install
+</pre></div></div></li>
+  
+<li>
+<p>Run the following command to ensure that the plugin was installed 
successfully.</p>
+  
+<div class="source">
+<div class="source">
+<pre>$ bro -N Bro::Kafka
+Bro::Kafka - Writes logs to Kafka (dynamic, version 0.1)
+</pre></div></div></li>
+</ol></div>
+<div class="section">
+<h2><a name="Activation"></a>Activation</h2>
+<p>The following examples highlight different ways that the plugin can be 
used. Simply add the Bro script language to your <tt>local.bro</tt> file (for 
example, <tt>/usr/share/bro/site/local.bro</tt>) as shown to demonstrate the 
example.</p>
+<div class="section">
+<h3><a name="Example_1"></a>Example 1</h3>
+<p>The goal in this example is to send all HTTP and DNS records to a Kafka 
topic named <tt>bro</tt>. </p>
+
+<ul>
+  
+<li>Any configuration value accepted by librdkafka can be added to the 
<tt>kafka_conf</tt> configuration table.</li>
+  
+<li>By defining <tt>topic_name</tt> all records will be sent to the same Kafka 
topic.</li>
+  
+<li>Defining <tt>logs_to_send</tt> will ensure that only HTTP and DNS records 
are sent.</li>
+</ul>
+
+<div class="source">
+<div class="source">
+<pre>@load Bro/Kafka/logs-to-kafka.bro
+redef Kafka::logs_to_send = set(HTTP::LOG, DNS::LOG);
+redef Kafka::topic_name = &quot;bro&quot;;
+redef Kafka::kafka_conf = table(
+    [&quot;metadata.broker.list&quot;] = &quot;localhost:9092&quot;
+);
+</pre></div></div></div>
+<div class="section">
+<h3><a name="Example_2"></a>Example 2</h3>
+<p>It is also possible to send each log stream to a uniquely named topic. The 
goal in this example is to send all HTTP records to a Kafka topic named 
<tt>http</tt> and all DNS records to a separate Kafka topic named 
<tt>dns</tt>.</p>
+
+<ul>
+  
+<li>The <tt>topic_name</tt> value must be set to an empty string.</li>
+  
+<li>The <tt>$path</tt> value of Bro&#x2019;s Log Writer mechanism is used to 
define the topic name.</li>
+  
+<li>Any configuration value accepted by librdkafka can be added to the 
<tt>$config</tt> configuration table.</li>
+  
+<li>Each log writer accepts a separate configuration table.</li>
+</ul>
+
+<div class="source">
+<div class="source">
+<pre>@load Bro/Kafka/logs-to-kafka.bro
+redef Kafka::topic_name = &quot;&quot;;
+redef Kafka::tag_json = T;
+
+event bro_init()
+{
+    # handles HTTP
+    local http_filter: Log::Filter = [
+        $name = &quot;kafka-http&quot;,
+        $writer = Log::WRITER_KAFKAWRITER,
+        $config = table(
+                [&quot;metadata.broker.list&quot;] = &quot;localhost:9092&quot;
+        ),
+        $path = &quot;http&quot;
+    ];
+    Log::add_filter(HTTP::LOG, http_filter);
+
+    # handles DNS
+    local dns_filter: Log::Filter = [
+        $name = &quot;kafka-dns&quot;,
+        $writer = Log::WRITER_KAFKAWRITER,
+        $config = table(
+                [&quot;metadata.broker.list&quot;] = &quot;localhost:9092&quot;
+        ),
+        $path = &quot;dns&quot;
+    ];
+    Log::add_filter(DNS::LOG, dns_filter);
+}
+</pre></div></div></div>
+<div class="section">
+<h3><a name="Example_3"></a>Example 3</h3>
+<p>You may want to configure bro to filter log messages with certain 
characteristics from being sent to your kafka topics. For instance, Metron 
currently doesn&#x2019;t support IPv6 source or destination IPs in the default 
enrichments, so it may be helpful to filter those log messages from being sent 
to kafka (although there are <a href="#notes">multiple ways</a> to approach 
this). In this example we will do that that, and are assuming a somewhat 
standard bro kafka plugin configuration, such that:</p>
+
+<ul>
+  
+<li>All bro logs are sent to the <tt>bro</tt> topic, by configuring 
<tt>Kafka::topic_name</tt>.</li>
+  
+<li>Each JSON message is tagged with the appropriate log type (such as 
<tt>http</tt>, <tt>dns</tt>, or <tt>conn</tt>), by setting <tt>tag_json</tt> to 
true.</li>
+  
+<li>If the log message contains a 128 byte long source or destination IP 
address, the log is not sent to kafka.</li>
+</ul>
+
+<div class="source">
+<div class="source">
+<pre>@load Bro/Kafka/logs-to-kafka.bro
+redef Kafka::topic_name = &quot;bro&quot;;
+redef Kafka::tag_json = T;
+
+event bro_init() &amp;priority=-5
+{
+    # handles HTTP
+    Log::add_filter(HTTP::LOG, [
+        $name = &quot;kafka-http&quot;,
+        $writer = Log::WRITER_KAFKAWRITER,
+        $pred(rec: HTTP::Info) = { return ! (( |rec$id$orig_h| == 128 || 
|rec$id$resp_h| == 128 )); },
+        $config = table(
+            [&quot;metadata.broker.list&quot;] = &quot;localhost:9092&quot;
+        )
+    ]);
+
+    # handles DNS
+    Log::add_filter(DNS::LOG, [
+        $name = &quot;kafka-dns&quot;,
+        $writer = Log::WRITER_KAFKAWRITER,
+        $pred(rec: DNS::Info) = { return ! (( |rec$id$orig_h| == 128 || 
|rec$id$resp_h| == 128 )); },
+        $config = table(
+            [&quot;metadata.broker.list&quot;] = &quot;localhost:9092&quot;
+        )
+    ]);
+
+    # handles Conn
+    Log::add_filter(Conn::LOG, [
+        $name = &quot;kafka-conn&quot;,
+        $writer = Log::WRITER_KAFKAWRITER,
+        $pred(rec: Conn::Info) = { return ! (( |rec$id$orig_h| == 128 || 
|rec$id$resp_h| == 128 )); },
+        $config = table(
+            [&quot;metadata.broker.list&quot;] = &quot;localhost:9092&quot;
+        )
+    ]);
+}
+</pre></div></div>
+<div class="section">
+<h4><a name="Notes"></a>Notes</h4>
+
+<ul>
+  
+<li><tt>logs_to_send</tt> is mutually exclusive with <tt>$pred</tt>, thus for 
each log you want to set <tt>$pred</tt> on, you must individually setup a 
<tt>Log::add_filter</tt> and refrain from including that log in 
<tt>logs_to_send</tt>.</li>
+  
+<li>You can also filter IPv6 logs from within your Metron cluster <a 
href="../../metron-platform/metron-common/index.html#IS_IP">using Stellar</a>. 
In that case, you wouldn&#x2019;t apply a predicate in your bro configuration, 
and instead Stellar would filter the logs out before they were processed by the 
enrichment layer of Metron.</li>
+  
+<li>It is also possible to use the <tt>is_v6_subnet()</tt> bro function in 
your predicate, as of their <a class="externalLink" 
href="https://www.bro.org/sphinx-git/install/release-notes.html#bro-2-5";>2.5 
release</a>, however the above example should work on <a class="externalLink" 
href="https://www.bro.org/sphinx-git/install/release-notes.html#bro-2-4";>bro 
2.4</a> and newer, which has been the focus of the kafka plugin.</li>
+</ul></div></div></div>
+<div class="section">
+<h2><a name="Settings"></a>Settings</h2>
+<div class="section">
+<h3><a name="kafka_conf"></a><tt>kafka_conf</tt></h3>
+<p>The global configuration settings for Kafka. These values are passed 
through directly to librdkafka. Any valid librdkafka settings can be defined in 
this table. The full set of valid librdkafka settings are available <a 
class="externalLink" 
href="https://github.com/edenhill/librdkafka/blob/v0.9.4/CONFIGURATION.md";>here</a>.</p>
+
+<div class="source">
+<div class="source">
+<pre>redef Kafka::kafka_conf = table(
+    [&quot;metadata.broker.list&quot;] = &quot;localhost:9092&quot;,
+    [&quot;client.id&quot;] = &quot;bro&quot;
+);
+</pre></div></div></div>
+<div class="section">
+<h3><a name="topic_name"></a><tt>topic_name</tt></h3>
+<p>The name of the topic in Kafka where all Bro logs will be sent to.</p>
+
+<div class="source">
+<div class="source">
+<pre>redef Kafka::topic_name = &quot;bro&quot;;
+</pre></div></div></div>
+<div class="section">
+<h3><a name="max_wait_on_shutdown"></a><tt>max_wait_on_shutdown</tt></h3>
+<p>The maximum number of milliseconds that the plugin will wait for any 
backlog of queued messages to be sent to Kafka before forced shutdown.</p>
+
+<div class="source">
+<div class="source">
+<pre>redef Kafka::max_wait_on_shutdown = 3000;
+</pre></div></div></div>
+<div class="section">
+<h3><a name="tag_json"></a><tt>tag_json</tt></h3>
+<p>If true, a log stream identifier is appended to each JSON-formatted 
message. For example, a Conn::LOG message will look like <tt>{ 'conn' : { ... 
}}</tt>.</p>
+
+<div class="source">
+<div class="source">
+<pre>redef Kafka::tag_json = T;
+</pre></div></div></div>
+<div class="section">
+<h3><a name="debug"></a><tt>debug</tt></h3>
+<p>A comma separated list of debug contexts in librdkafka which you want to 
enable. The available contexts are:</p>
+
+<ul>
+  
+<li>generic</li>
+  
+<li>broker</li>
+  
+<li>topic</li>
+  
+<li>metadata</li>
+  
+<li>queue</li>
+  
+<li>msg</li>
+  
+<li>protocol</li>
+  
+<li>cgrp</li>
+  
+<li>security</li>
+  
+<li>fetch</li>
+  
+<li>feature</li>
+  
+<li>all</li>
+</ul></div></div>
+<div class="section">
+<h2><a name="Kerberos"></a>Kerberos</h2>
+<p>This plugin supports producing messages from a kerberized kafka. There are 
a couple of prerequisites and a couple of settings to set. </p>
+<div class="section">
+<h3><a name="SASL"></a>SASL</h3>
+<p>If you are using SASL as a security protocol for kafka, then you must have 
libsasl or libsasl2 installed. You can tell if sasl is enabled by running the 
following from the directory in which you have build librdkafka:</p>
+
+<div class="source">
+<div class="source">
+<pre>examples/rdkafka_example -X builtin.features
+builtin.features = gzip,snappy,ssl,sasl,regex
+</pre></div></div></div>
+<div class="section">
+<h3><a name="Producer_Config"></a>Producer Config</h3>
+<p>As stated above, you can configure the producer kafka configs in 
<tt>${BRO_HOME}/share/bro/site/local.bro</tt>. There are a few configs 
necessary to set, which are described <a class="externalLink" 
href="https://github.com/edenhill/librdkafka/wiki/Using-SASL-with-librdkafka";>here</a>.
 For an environment where the following is true:</p>
+
+<ul>
+  
+<li>The broker is <tt>node1:6667</tt></li>
+  
+<li>This kafka is using <tt>SASL_PLAINTEXT</tt> as the security protocol</li>
+  
+<li>The keytab used is the <tt>metron</tt> keytab</li>
+  
+<li>The service principal for <tt>metron</tt> is 
<tt>met...@example.com</tt></li>
+</ul>
+<p>The kafka topic <tt>bro</tt> has been given permission for the 
<tt>metron</tt> user to write:</p>
+
+<div class="source">
+<div class="source">
+<pre># login using the metron user
+kinit -kt /etc/security/keytabs/metron.headless.keytab met...@example.com
+${KAFKA_HOME}/kafka-broker/bin/kafka-acls.sh --authorizer 
kafka.security.auth.SimpleAclAuthorizer --authorizer-properties 
zookeeper.connect=node1:2181 --add --allow-principal User:metron --topic bro
+</pre></div></div>
+<p>The following is how the <tt>${BRO_HOME}/share/bro/site/local.bro</tt> 
looks:</p>
+
+<div class="source">
+<div class="source">
+<pre>@load Bro/Kafka/logs-to-kafka.bro
+redef Kafka::logs_to_send = set(HTTP::LOG, DNS::LOG);
+redef Kafka::topic_name = &quot;bro&quot;;
+redef Kafka::tag_json = T;
+redef Kafka::kafka_conf = table( [&quot;metadata.broker.list&quot;] = 
&quot;node1:6667&quot;
+                               , [&quot;security.protocol&quot;] = 
&quot;SASL_PLAINTEXT&quot;
+                               , [&quot;sasl.kerberos.keytab&quot;] = 
&quot;/etc/security/keytabs/metron.headless.keytab&quot;
+                               , [&quot;sasl.kerberos.principal&quot;] = 
&quot;met...@example.com&quot;
+                               );
+</pre></div></div></div></div>
+                  </div>
+            </div>
+          </div>
+
+    <hr/>
+
+    <footer>
+            <div class="container-fluid">
+              <div class="row span12">Copyright &copy;                    2017
+                        <a href="https://www.apache.org";>The Apache Software 
Foundation</a>.
+            All Rights Reserved.      
+                    
+      </div>
+
+                          
+        
+                </div>
+    </footer>
+  </body>
+</html>
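Review bot: The Kerberos "Producer Config" example sets `security.protocol` to `SASL_PLAINTEXT`, which authenticates the producer but leaves the Bro HTTP and DNS records unencrypted on the wire to `node1:6667`, and the page never says so. I would add one sentence after that bullet list, for example `SASL_PLAINTEXT authenticates the client but does not encrypt traffic; use SASL_SSL where the brokers expose TLS listeners.` Separately, the third bullet of Example 3 says "128 byte long" while the predicate tests `|rec$id$orig_h| == 128`, which is the address width in bits, so the text should read `128 bit long`. That bullet should also state that filtering at the sensor means IPv6 traffic never reaches Metron, which is a visibility gap for detection. The header comment says the page is generated by Maven Doxia, so these wording changes presumably belong in the Markdown source rather than in this HTML.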

Added: release/metron/0.4.0/site-book/metron-sensors/fastcapa/index.html
==============================================================================
--- release/metron/0.4.0/site-book/metron-sensors/fastcapa/index.html (added)
+++ release/metron/0.4.0/site-book/metron-sensors/fastcapa/index.html Wed Jul  
5 06:56:42 2017
@@ -0,0 +1,1057 @@
+<!DOCTYPE html>
+<!--
+ | Generated by Apache Maven Doxia at 2017-06-27
+ | Rendered using Apache Maven Fluido Skin 1.3.0
+-->
+<html xmlns="http://www.w3.org/1999/xhtml"; xml:lang="en" lang="en">
+  <head>
+    <meta charset="UTF-8" />
+    <meta name="viewport" content="width=device-width, initial-scale=1.0" />
+    <meta name="Date-Revision-yyyymmdd" content="20170627" />
+    <meta http-equiv="Content-Language" content="en" />
+    <title>Metron &#x2013; Fastcapa</title>
+    <link rel="stylesheet" href="../../css/apache-maven-fluido-1.3.0.min.css" 
/>
+    <link rel="stylesheet" href="../../css/site.css" />
+    <link rel="stylesheet" href="../../css/print.css" media="print" />
+
+      
+    <script type="text/javascript" 
src="../../js/apache-maven-fluido-1.3.0.min.js"></script>
+
+                          
+        
+<script type="text/javascript">$( document ).ready( function() { $( 
'.carousel' ).carousel( { interval: 3500 } ) } );</script>
+          
+            </head>
+        <body class="topBarDisabled">
+          
+                
+                    
+    
+        <div class="container-fluid">
+          <div id="banner">
+        <div class="pull-left">
+                                    <a href="http://metron.apache.org/"; 
id="bannerLeft">
+                                                                               
                 <img src="../../images/metron-logo.png"  alt="Apache Metron" 
width="148px" height="48px"/>
+                </a>
+                      </div>
+        <div class="pull-right">  </div>
+        <div class="clear"><hr/></div>
+      </div>
+
+      <div id="breadcrumbs">
+        <ul class="breadcrumb">
+                
+                    
+                              <li class="">
+                    <a href="http://www.apache.org"; class="externalLink" 
title="Apache">
+        Apache</a>
+        </li>
+      <li class="divider ">/</li>
+            <li class="">
+                    <a href="http://metron.apache.org/"; class="externalLink" 
title="Metron">
+        Metron</a>
+        </li>
+      <li class="divider ">/</li>
+            <li class="">
+                    <a href="../../index.html" title="Documentation">
+        Documentation</a>
+        </li>
+      <li class="divider ">/</li>
+        <li class="">Fastcapa</li>
+        
+                
+                    
+                  <li id="publishDate" class="pull-right">Last Published: 
2017-06-27</li> <li class="divider pull-right">|</li>
+              <li id="projectVersion" class="pull-right">Version: 0.4.0</li>
+            
+                            </ul>
+      </div>
+
+            
+      <div class="row-fluid">
+        <div id="leftColumn" class="span3">
+          <div class="well sidebar-nav">
+                
+                    
+                <ul class="nav nav-list">
+                    <li class="nav-header">User Documentation</li>
+                                                                               
                                                                                
                                                                                
                                                                                
                                                                                
                                                                                
                                                                                
                                                                                
                                                                                
                                                                                
                                                                                
           
+      <li>
+    
+                          <a href="../../index.html" title="Metron">
+          <i class="icon-chevron-down"></i>
+        Metron</a>
+                    <ul class="nav nav-list">
+                      
+      <li>
+    
+                          <a href="../../Upgrading.html" title="Upgrading">
+          <i class="none"></i>
+        Upgrading</a>
+            </li>
+                                                                               
                                                                       
+      <li>
+    
+                          <a href="../../metron-analytics/index.html" 
title="Analytics">
+          <i class="icon-chevron-right"></i>
+        Analytics</a>
+                  </li>
+                                                                               
                                                                                
                                                                                
                                                                                
                                                     
+      <li>
+    
+                          <a href="../../metron-deployment/index.html" 
title="Deployment">
+          <i class="icon-chevron-right"></i>
+        Deployment</a>
+                  </li>
+                      
+      <li>
+    
+                          <a href="../../metron-docker/index.html" 
title="Docker">
+          <i class="none"></i>
+        Docker</a>
+            </li>
+                      
+      <li>
+    
+                          <a 
href="../../metron-interface/metron-config/index.html" title="Config">
+          <i class="none"></i>
+        Config</a>
+            </li>
+                      
+      <li>
+    
+                          <a 
href="../../metron-interface/metron-rest/index.html" title="Rest">
+          <i class="none"></i>
+        Rest</a>
+            </li>
+                                                                               
                                                                                
                                                                                
 
+      <li>
+    
+                          <a href="../../metron-platform/index.html" 
title="Platform">
+          <i class="icon-chevron-right"></i>
+        Platform</a>
+                  </li>
+                                                                               
                                       
+      <li>
+    
+                          <a href="../../metron-sensors/index.html" 
title="Sensors">
+          <i class="icon-chevron-down"></i>
+        Sensors</a>
+                    <ul class="nav nav-list">
+                      
+      <li>
+    
+                          <a 
href="../../metron-sensors/bro-plugin-kafka/index.html" 
title="Bro-plugin-kafka">
+          <i class="none"></i>
+        Bro-plugin-kafka</a>
+            </li>
+                      
+      <li class="active">
+    
+            <a href="#"><i class="none"></i>Fastcapa</a>
+          </li>
+                      
+      <li>
+    
+                          <a href="../../metron-sensors/pycapa/index.html" 
title="Pycapa">
+          <i class="none"></i>
+        Pycapa</a>
+            </li>
+              </ul>
+        </li>
+              </ul>
+        </li>
+            </ul>
+                
+                    
+                
+          <hr class="divider" />
+
+           <div id="poweredBy">
+                            <div class="clear"></div>
+                            <div class="clear"></div>
+                            <div class="clear"></div>
+                             <a href="http://maven.apache.org/"; title="Built 
by Maven" class="poweredBy">
+        <img class="builtBy" alt="Built by Maven" 
src="../../images/logos/maven-feather.png" />
+      </a>
+                  </div>
+          </div>
+        </div>
+        
+                
+        <div id="bodyColumn"  class="span9" >
+                                  
+            <h1>Fastcapa</h1>
+<p>Fastcapa is a probe that performs fast network packet capture by leveraging 
Linux kernel-bypass and user space networking technology. The probe will bind 
to a network interface, capture network packets, and send the raw packet data 
to Kafka. This provides a scalable mechanism for ingesting high-volumes of 
network packet data into a Hadoop-y cluster.</p>
+<p>Fastcapa leverages the Data Plane Development Kit (<a class="externalLink" 
href="http://dpdk.org/";>DPDK</a>). DPDK is a set of libraries and drivers to 
perform fast packet processing in Linux user space. </p>
+
+<ul>
+  
+<li><a href="#Quick_Start">Quick Start</a></li>
+  
+<li><a href="#Requirements">Requirements</a></li>
+  
+<li><a href="#Installation">Installation</a></li>
+  
+<li><a href="#Usage">Usage</a>
+  
+<ul>
+    
+<li><a href="#Parameters">Parameters</a></li>
+    
+<li><a href="#Output">Output</a></li>
+    
+<li><a href="#Kerberos">Kerberos</a></li>
+  </ul></li>
+  
+<li><a href="#How_It_Works">How It Works</a></li>
+  
+<li><a href="#Performance">Performance</a></li>
+  
+<li><a href="#FAQs">FAQs</a></li>
+</ul>
+<div class="section">
+<h2><a name="Quick_Start"></a>Quick Start</h2>
+<p>The quickest way to see Fastcapa in action is to use a Virtualbox 
environment on your local machine. The necessary files and instructions to do 
this are located at <a 
href="../../metron-deployment/vagrant/fastcapa-test-platform/index.html"><tt>metron-deployment/vagrant/fastcapa-vagrant</tt></a>.
 All you need to do is execute the following.</p>
+
+<div class="source">
+<div class="source">
+<pre>cd metron-deployment/vagrant/fastcapa-test-platform
+vagrant up
+</pre></div></div>
+<p>This environment sets up two nodes. One node produces network packets over 
a network interface. The second node uses Fastcapa to capture those packets and 
write them to a Kafka broker running on the first node. Basic validation is 
performed to ensure that Fastcapa is able to land packet data in 
Kafka.</p></div>
+<div class="section">
+<h2><a name="Requirements"></a>Requirements</h2>
+<p>The following system requirements must be met to run the Fastcapa probe.</p>
+
+<ul>
+  
+<li>Linux kernel &gt;= 2.6.34</li>
+  
+<li>A <a class="externalLink" href="http://dpdk.org/doc/nics";>DPDK supported 
ethernet device; NIC</a>.</li>
+  
+<li>Port(s) on the ethernet device that can be dedicated for exclusive use by 
Fastcapa</li>
+</ul></div>
+<div class="section">
+<h2><a name="Installation"></a>Installation</h2>
+<p>The process of installing Fastcapa has a fair number of steps and involves 
building DPDK, loading specific kernel modules, enabling huge page memory, and 
binding compatible network interface cards.</p>
+<div class="section">
+<h3><a name="Automated_Installation"></a>Automated Installation</h3>
+<p>The best documentation is code that actually does this for you. An Ansible 
role that performs the entire installation procedure can be found at <a 
href="../../metron-deployment/roles/fastcapa/index.html"><tt>metron-deployment/roles/fastcapa</tt></a>.
 Use this to install Fastcapa or as a guide for manual installation. The 
automated installation assumes CentOS 7.1 and is directly tested against <a 
class="externalLink" 
href="https://atlas.hashicorp.com/bento/boxes/centos-7.1";>bento/centos-7.1</a>.</p></div>
+<div class="section">
+<h3><a name="Manual_Installation"></a>Manual Installation</h3>
+<p>The following manual installation steps assume that they are executed on 
CentOS 7.1. Some minor differences may result if you use a different Linux 
distribution.</p>
+
+<ul>
+  
+<li><a href="#Enable_Transparent_Huge_Pages">Enable Transparent Huge 
Pages</a></li>
+  
+<li><a href="#Install_DPDK">Install DPDK</a></li>
+  
+<li><a href="#Install_Librdkafka">Install Librdkafka</a></li>
+  
+<li><a href="#Install_Fastcapa">Install Fastcapa</a></li>
+</ul>
+<div class="section">
+<h4><a name="Enable_Transparent_Huge_Pages"></a>Enable Transparent Huge 
Pages</h4>
+<p>The probe performs its own memory management by leveraging transparent huge 
pages. In Linux, Transparent Huge Pages (THP) can be enabled either dynamically 
or on boot. It is recommended that these be allocated on boot to increase the 
chance that a larger, physically contiguous chunk of memory can be 
allocated.</p>
+<p>The size of THPs that are supported will vary based on your CPU. These 
typically include 2 MB and 1 GB THPs. For better performance, allocate 1 GB 
THPs if supported by your CPU.</p>
+
+<ol style="list-style-type: decimal">
+  
+<li>
+<p>Ensure that your CPU supports 1 GB THPs. A CPU flag <tt>pdpe1gb</tt> 
indicates whether or not the CPU supports 1 GB THPs.</p>
+  
+<div class="source">
+<div class="source">
+<pre>grep --color=always pdpe1gb /proc/cpuinfo | uniq
+</pre></div></div></li>
+  
+<li>
+<p>Add the following boot parameters to the Linux kernel. Edit 
<tt>/etc/default/grub</tt> and add the additional kernel parameters to the line 
starting with <tt>GRUB_CMDLINE_LINUX</tt>.</p>
+  
+<div class="source">
+<div class="source">
+<pre>GRUB_CMDLINE_LINUX=... default_hugepagesz=1G hugepagesz=1G hugepages=16
+</pre></div></div></li>
+  
+<li>
+<p>Rebuild the grub configuration then reboot. The location of the Grub 
configuration file will differ across Linux distributions.</p>
+  
+<div class="source">
+<div class="source">
+<pre>cp /etc/grub2-efi.cfg /etc/grub2-efi.cfg.orig
+/sbin/grub2-mkconfig -o /etc/grub2-efi.cfg
+</pre></div></div></li>
+  
+<li>
+<p>Once the host has been rebooted, ensure that the THPs were successfully 
allocated.</p>
+  
+<div class="source">
+<div class="source">
+<pre>$ grep HugePage /proc/meminfo
+AnonHugePages:    933888 kB
+HugePages_Total:      16
+HugePages_Free:        0
+HugePages_Rsvd:        0
+HugePages_Surp:        0
+</pre></div></div>
+<p>The total number of huge pages that you have been allocated should be 
distributed fairly evenly across each NUMA node. In this example, a total of 16 
were requested and 8 have been assigned on each of the 2 NUMA nodes.</p>
+  
+<div class="source">
+<div class="source">
+<pre>$ cat 
/sys/devices/system/node/node*/hugepages/hugepages-1048576kB/nr_hugepages
+8
+8
+</pre></div></div></li>
+  
+<li>
+<p>Once the THPs have been reserved, they need to be mounted to make them 
available to the probe.</p>
+  
+<div class="source">
+<div class="source">
+<pre>cp /etc/fstab /etc/fstab.orig
+mkdir -p /mnt/huge_1GB
+echo &quot;nodev /mnt/huge_1GB hugetlbfs pagesize=1GB 0 0&quot; &gt;&gt; 
/etc/fstab
+mount -fav
+</pre></div></div></li>
+</ol></div>
+<div class="section">
+<h4><a name="Install_DPDK"></a>Install DPDK</h4>
+
+<ol style="list-style-type: decimal">
+  
+<li>
+<p>Install the required dependencies.</p>
+  
+<div class="source">
+<div class="source">
+<pre>yum -y install &quot;@Development tools&quot;
+yum -y install pciutils net-tools glib2 glib2-devel git
+yum -y install kernel kernel-devel kernel-headers
+</pre></div></div></li>
+  
+<li>
+<p>Decide where DPDK will be installed.</p>
+  
+<div class="source">
+<div class="source">
+<pre>export DPDK_HOME=/usr/local/dpdk/
+</pre></div></div></li>
+  
+<li>
+<p>Download, build and install DPDK.</p>
+  
+<div class="source">
+<div class="source">
+<pre>wget http://fast.dpdk.org/rel/dpdk-16.11.1.tar.xz -O - | tar -xJ
+cd dpdk-stable-16.11.1/
+make config install T=x86_64-native-linuxapp-gcc DESTDIR=$DPDK_HOME
+</pre></div></div></li>
+  
+<li>
+<p>Find the PCI address of the ethernet device that you plan on using to 
capture network packets. In the following example I plan on binding 
<tt>enp9s0f0</tt> which has a PCI address of <tt>09:00.0</tt>.</p>
+  
+<div class="source">
+<div class="source">
+<pre>$ lspci | grep &quot;VIC Ethernet&quot;
+09:00.0 Ethernet controller: Cisco Systems Inc VIC Ethernet NIC (rev a2)
+0a:00.0 Ethernet controller: Cisco Systems Inc VIC Ethernet NIC (rev a2)
+</pre></div></div></li>
+  
+<li>
+<p>Bind the device. Replace the device name and PCI address with what is 
appropriate for your environment.</p>
+  
+<div class="source">
+<div class="source">
+<pre>ifdown enp9s0f0
+modprobe uio_pci_generic
+$DPDK_HOME/sbin/dpdk-devbind --bind=uio_pci_generic &quot;09:00.0&quot;
+</pre></div></div></li>
+  
+<li>
+<p>Ensure that the device was bound. It should be shown as a &#x2018;network 
device using DPDK-compatible driver.&#x2019;</p>
+  
+<div class="source">
+<div class="source">
+<pre>$ dpdk-devbind --status
+Network devices using DPDK-compatible driver
+============================================
+0000:09:00.0 'VIC Ethernet NIC' drv=uio_pci_generic unused=enic
+Network devices using kernel driver
+===================================
+0000:01:00.0 'I350 Gigabit Network Connection' if=eno1 drv=igb 
unused=uio_pci_generic
+</pre></div></div></li>
+</ol></div>
+<div class="section">
+<h4><a name="Install_Librdkafka"></a>Install Librdkafka</h4>
+<p>The probe has been tested with <a class="externalLink" 
href="https://github.com/edenhill/librdkafka/releases/tag/v0.9.4";>Librdkafka 
0.9.4</a>.</p>
+
+<ol style="list-style-type: decimal">
+  
+<li>
+<p>Choose an installation path. In this example, the libs will actually be 
installed at <tt>/usr/local/lib</tt>; note that <tt>lib</tt> is appended to the 
prefix.</p>
+  
+<div class="source">
+<div class="source">
+<pre>export RDK_PREFIX=/usr/local
+</pre></div></div></li>
+  
+<li>
+<p>Download, build and install.</p>
+  
+<div class="source">
+<div class="source">
+<pre>wget https://github.com/edenhill/librdkafka/archive/v0.9.4.tar.gz  -O - | 
tar -xz
+cd librdkafka-0.9.4/
+./configure --prefix=$RDK_PREFIX
+make 
+make install
+</pre></div></div></li>
+  
+<li>
+<p>Ensure that the installation location is on the search path for the runtime 
shared library loader.</p>
+  
+<div class="source">
+<div class="source">
+<pre>export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:$RDK_PREFIX/lib
+</pre></div></div></li>
+</ol></div>
+<div class="section">
+<h4><a name="Install_Fastcapa"></a>Install Fastcapa</h4>
+
+<ol style="list-style-type: decimal">
+  
+<li>
+<p>Set the required environment variables.</p>
+  
+<div class="source">
+<div class="source">
+<pre>export RTE_SDK=$DPDK_HOME/share/dpdk/
+export RTE_TARGET=x86_64-native-linuxapp-gcc
+export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:$RDK_HOME
+</pre></div></div></li>
+  
+<li>
+<p>Build Fastcapa. The resulting binary will be placed at 
<tt>build/app/fastcapa</tt>.</p>
+  
+<div class="source">
+<div class="source">
+<pre>cd metron/metron-sensors/fastcapa
+make
+</pre></div></div></li>
+</ol></div></div></div>
+<div class="section">
+<h2><a name="Usage"></a>Usage</h2>
+<p>Follow these steps to run Fastcapa.</p>
+
+<ol style="list-style-type: decimal">
+  
+<li>
+<p>Create a configuration file that at a minimum specifies your Kafka broker. 
An example configuration file, <tt>conf/fastcapa.conf</tt>, is available that 
documents other useful parameters.</p>
+  
+<div class="source">
+<div class="source">
+<pre>[kafka-global]
+metadata.broker.list = kafka-broker1:9092
+</pre></div></div></li>
+  
+<li>
+<p>Bind the capture device. This is only needed if the device is not already 
bound. In this example, the device <tt>enp9s0f0</tt> with a PCI address of 
<tt>09:00:0</tt> is bound. Use values specific to your environment.</p>
+  
+<div class="source">
+<div class="source">
+<pre>ifdown enp9s0f0
+modprobe uio_pci_generic
+$DPDK_HOME/sbin/dpdk-devbind --bind=uio_pci_generic &quot;09:00.0&quot;
+</pre></div></div></li>
+  
+<li>
+<p>Run Fastcapa.</p>
+  
+<div class="source">
+<div class="source">
+<pre>fastcapa -c 0x03 --huge-dir /mnt/huge_1GB -- -p 0x01 -t pcap -c 
/etc/fastcapa.conf
+</pre></div></div></li>
+  
+<li>
+<p>Terminate Fastcapa with <tt>SIGINT</tt> or by entering <tt>CTRL-C</tt>. The 
probe will cleanly shut down all of the workers and allow the backlog of 
packets to drain. To terminate the process without clearing the queue, send a 
<tt>SIGKILL</tt> or be entering <tt>killall -9 fastcapa</tt>.</p></li>
+</ol>
+<div class="section">
+<h3><a name="Parameters"></a>Parameters</h3>
+<p>Fastcapa accepts three sets of parameters. </p>
+
+<ol style="list-style-type: decimal">
+  
+<li>Command-line parameters passed directly to DPDK&#x2019;s Environmental 
Abstraction Layer (EAL)</li>
+  
+<li>Command-line parameters that define how Fastcapa will interact with DPDK. 
These parametera are separated on the command line by a double-dash 
(<tt>--</tt>).</li>
+  
+<li>A configuration file that define how Fastcapa interacts with 
Librdkafka.</li>
+</ol>
+<div class="section">
+<h4><a name="Environmental_Abstraction_Layer_Parameters"></a>Environmental 
Abstraction Layer Parameters</h4>
+<p>The most commonly used EAL parameter involves specifying which logical CPU 
cores should be used for processing. This can be specified in any of the 
following ways.</p>
+
+<div class="source">
+<div class="source">
+<pre>  -c COREMASK         Hexadecimal bitmask of cores to run on
+  -l CORELIST         List of cores to run on
+                      The argument format is &lt;c1&gt;[-c2][,c3[-c4],...]
+                      where c1, c2, etc are core indexes between 0 and 128
+  --lcores COREMAP    Map lcore set to physical cpu set
+                      The argument format is
+                            '&lt;lcores[@cpus]&gt;[&lt;,lcores[@cpus]&gt;...]'
+                      lcores and cpus list are grouped by '(' and ')'
+                      Within the group, '-' is used for range separator,
+                      ',' is used for single number separator.
+                      '( )' can be omitted for single element group,
+                      '@' can be omitted if cpus and lcores have the same 
value                     
+</pre></div></div>
+<p>To get more information about other EAL parameters, run the following.</p>
+
+<div class="source">
+<div class="source">
+<pre>fastcapa -h
+</pre></div></div></div>
+<div class="section">
+<h4><a name="Fastcapa-Core_Parameters"></a>Fastcapa-Core Parameters</h4>
+
+<table border="0" class="table table-striped">
+  <thead>
+    
+<tr class="a">
+      
+<th>Name </th>
+      
+<th>Command </th>
+      
+<th>Description </th>
+      
+<th>Default </th>
+    </tr>
+  </thead>
+  <tbody>
+    
+<tr class="b">
+      
+<td>Port Mask </td>
+      
+<td>-p PORT_MASK </td>
+      
+<td>A bit mask identifying which ports to bind. </td>
+      
+<td>0x01 </td>
+    </tr>
+    
+<tr class="a">
+      
+<td>Burst Size </td>
+      
+<td>-b BURST_SIZE </td>
+      
+<td>Maximum number of packets to receive at one time. </td>
+      
+<td>32 </td>
+    </tr>
+    
+<tr class="b">
+      
+<td>Receive Descriptors </td>
+      
+<td>-r NB_RX_DESC </td>
+      
+<td>The number of descriptors for each receive queue (the size of the receive 
queue.) Limited by the ethernet device in use. </td>
+      
+<td>1024 </td>
+    </tr>
+    
+<tr class="a">
+      
+<td>Transmission Ring Size </td>
+      
+<td>-x TX_RING_SIZE </td>
+      
+<td>The size of each transmission ring. This must be a power of 2. </td>
+      
+<td>2048 </td>
+    </tr>
+    
+<tr class="b">
+      
+<td>Number Receive Queues </td>
+      
+<td>-q NB_RX_QUEUE </td>
+      
+<td>Number of receive queues to use for each port. Limited by the ethernet 
device in use. </td>
+      
+<td>2 </td>
+    </tr>
+    
+<tr class="a">
+      
+<td>Kafka Topic </td>
+      
+<td>-t KAFKA_TOPIC </td>
+      
+<td>The name of the Kafka topic. </td>
+      
+<td>pcap </td>
+    </tr>
+    
+<tr class="b">
+      
+<td>Configuration File </td>
+      
+<td>-c KAFKA_CONF </td>
+      
+<td>Path to a file containing configuration values. </td>
+      
+<td> </td>
+    </tr>
+    
+<tr class="a">
+      
+<td>Stats </td>
+      
+<td>-s KAFKA_STATS </td>
+      
+<td>Appends performance metrics in the form of JSON strings to the specified 
file. </td>
+      
+<td> </td>
+    </tr>
+  </tbody>
+</table>
+<p>To get more information about the Fastcapa specific parameters, run the 
following. Note that this puts the <tt>-h</tt> after the double-dash 
<tt>--</tt>.</p>
+
+<div class="source">
+<div class="source">
+<pre>fastcapa -- -h
+</pre></div></div></div>
+<div class="section">
+<h4><a name="Fastcapa-Kafka_Configuration_File"></a>Fastcapa-Kafka 
Configuration File</h4>
+<p>The path to the configuration file is specified with the <tt>-c</tt> 
command line argument. The file can contain any global or topic-specific, 
producer-focused <a class="externalLink" 
href="https://github.com/edenhill/librdkafka/blob/master/CONFIGURATION.md";>configuration
 values accepted by Librdkafka</a>. </p>
+<p>The configuration file is a <tt>.ini</tt>-like Glib configuration file. The 
global configuration values should be placed under a <tt>[kafka-global]</tt> 
header and topic-specific values should be placed under 
<tt>[kafka-topic]</tt>.</p>
+<p>A minimally viable configuration file would only need to include the Kafka 
broker to connect to.</p>
+
+<div class="source">
+<div class="source">
+<pre>[kafka-global]
+metadata.broker.list = kafka-broker1:9092, kafka-broker2:9092
+</pre></div></div>
+<p>The configuration parameters that are important for either basic 
functioning or performance tuning of Fastcapa include the following.</p>
+<p>Global configuration values that should be located under the 
<tt>[kafka-global]</tt> header.</p>
+
+<table border="0" class="table table-striped">
+  <thead>
+    
+<tr class="a">
+      
+<th><i>Name</i> </th>
+      
+<th><i>Description</i> </th>
+      
+<th><i>Default</i> </th>
+    </tr>
+  </thead>
+  <tbody>
+    
+<tr class="b">
+      
+<td>metadata.broker.list </td>
+      
+<td>Initial list of brokers as a CSV list of broker host or host:port </td>
+      
+<td> </td>
+    </tr>
+    
+<tr class="a">
+      
+<td>client.id </td>
+      
+<td>Client identifier. </td>
+      
+<td> </td>
+    </tr>
+    
+<tr class="b">
+      
+<td>queue.buffering.max.messages </td>
+      
+<td>Maximum number of messages allowed on the producer queue </td>
+      
+<td>100000 </td>
+    </tr>
+    
+<tr class="a">
+      
+<td>queue.buffering.max.ms </td>
+      
+<td>Maximum time, in milliseconds, for buffering data on the producer queue 
</td>
+      
+<td>1000 </td>
+    </tr>
+    
+<tr class="b">
+      
+<td>message.copy.max.bytes </td>
+      
+<td>Maximum size for message to be copied to buffer. Messages larger than this 
will be passed by reference (zero-copy) at the expense of larger iovecs. </td>
+      
+<td>65535 </td>
+    </tr>
+    
+<tr class="a">
+      
+<td>batch.num.messages </td>
+      
+<td>Maximum number of messages batched in one MessageSet </td>
+      
+<td>10000 </td>
+    </tr>
+    
+<tr class="b">
+      
+<td>statistics.interval.ms </td>
+      
+<td>How often statistics are emitted; 0 = never </td>
+      
+<td>0 </td>
+    </tr>
+    
+<tr class="a">
+      
+<td>compression.codec </td>
+      
+<td>Compression codec to use for compressing message sets; {none, gzip, 
snappy, lz4 } </td>
+      
+<td>none </td>
+    </tr>
+  </tbody>
+</table>
+<p>Topic configuration values that should be located under the 
<tt>[kafka-topic]</tt> header.</p>
+
+<table border="0" class="table table-striped">
+  <thead>
+    
+<tr class="a">
+      
+<th><i>Name</i> </th>
+      
+<th><i>Description</i> </th>
+      
+<th><i>Default</i> </th>
+    </tr>
+  </thead>
+  <tbody>
+    
+<tr class="b">
+      
+<td>compression.codec </td>
+      
+<td>Compression codec to use for compressing message sets; {none, gzip, 
snappy, lz4 } </td>
+      
+<td>none </td>
+    </tr>
+    
+<tr class="a">
+      
+<td>request.required.acks </td>
+      
+<td>How many acknowledgements the leader broker must receive from ISR brokers 
before responding to the request; { 0 = no ack, 1 = leader ack, -1 = all ISRs } 
</td>
+      
+<td>1 </td>
+    </tr>
+    
+<tr class="b">
+      
+<td>message.timeout.ms </td>
+      
+<td>Local message timeout. This value is only enforced locally and limits the 
time a produced message waits for successful delivery. A time of 0 is infinite. 
</td>
+      
+<td>300000 </td>
+    </tr>
+    
+<tr class="a">
+      
+<td>queue.buffering.max.kbytes </td>
+      
+<td>Maximum total message size sum allowed on the producer queue </td>
+      
+<td> </td>
+    </tr>
+  </tbody>
+</table></div></div>
+<div class="section">
+<h3><a name="Output"></a>Output</h3>
+<p>When running the probe some basic counters are output to stdout. Of course 
during normal operation these values will be much larger.</p>
+
+<div class="source">
+<div class="source">
+<pre>     ------ in ------  --- queued --- ----- out ----- ---- drops ----
+[nic]               8               -               -               -
+[rx]                8               0                8                0
+[tx]                8               0                8                0
+[kaf]               8               1                7                0
+</pre></div></div>
+
+<ul>
+  
+<li><tt>[nic]</tt> + <tt>in</tt>: The ethernet device is reporting that it has 
seen 8 packets.</li>
+  
+<li><tt>[rx]</tt> + <tt>in</tt>: The receive workers have consumed 8 packets 
from the device.</li>
+  
+<li><tt>[rx]</tt> + <tt>out</tt>: The receive workers have enqueued 8 packets 
onto the transmission rings.</li>
+  
+<li><tt>[rx]</tt> + <tt>drops</tt>: If the transmission rings become full it 
will prevent the receive workers from enqueuing additional packets. The excess 
packets are dropped. This value will never decrease.</li>
+  
+<li><tt>[tx]</tt> + <tt>in</tt>: The transmission workers have consumed 8 
packets.</li>
+  
+<li><tt>[tx]</tt> + <tt>out</tt>: The transmission workers have packaged 8 
packets into Kafka messages.</li>
+  
+<li><tt>[tx]</tt> + <tt>drops</tt>: If the Kafka client library accepted fewer 
packets than expected. This value can increase or decrease over time as 
additional packets are acknowledged by the Kafka client library at a later 
point in time.</li>
+  
+<li><tt>[kaf]</tt> + <tt>in</tt>: The Kafka client library has received 8 
packets.</li>
+  
+<li><tt>[kaf]</tt> + <tt>out</tt>: A total of 7 packets has successfully 
reached Kafka.</li>
+  
+<li><tt>[kaf]</tt> + <tt>queued</tt>: There is 1 packet within the 
<tt>rdkafka</tt> queue waiting to be sent.</li>
+</ul></div>
+<div class="section">
+<h3><a name="Kerberos"></a>Kerberos</h3>
+<p>The probe can be used in a Kerberized environment. Follow these additional 
steps to use Fastcapa with Kerberos. The following assumptions have been made. 
These may need altered to fit your environment.</p>
+
+<ul>
+  
+<li>The Kafka broker is at <tt>kafka1:6667</tt></li>
+  
+<li>Zookeeper is at <tt>zookeeper1:2181</tt></li>
+  
+<li>The Kafka security protocol is <tt>SASL_PLAINTEXT</tt></li>
+  
+<li>The keytab used is located at 
<tt>/etc/security/keytabs/metron.headless.keytab</tt></li>
+  
+<li>The service principal is <tt>met...@example.com</tt></li>
+</ul>
+
+<ol style="list-style-type: decimal">
+  
+<li>
+<p>Build Librdkafka with SASL support (<tt>--enable-sasl</tt>).</p>
+  
+<div class="source">
+<div class="source">
+<pre>wget https://github.com/edenhill/librdkafka/archive/v0.9.4.tar.gz  -O - | 
tar -xz
+cd librdkafka-0.9.4/
+./configure --prefix=$RDK_PREFIX --enable-sasl
+make 
+make install
+</pre></div></div></li>
+  
+<li>
+<p>Validate Librdkafka does indeed support SASL. Run the following command and 
ensure that <tt>sasl</tt> is returned as a built-in feature.</p>
+  
+<div class="source">
+<div class="source">
+<pre>$ examples/rdkafka_example -X builtin.features
+builtin.features = gzip,snappy,ssl,sasl,regex
+</pre></div></div>
+<p>If it is not, ensure that you have <tt>libsasl</tt> or <tt>libsasl2</tt> 
installed. On CentOS, this can be installed with the following command.</p>
+  
+<div class="source">
+<div class="source">
+<pre>yum install -y cyrus-sasl cyrus-sasl-devel cyrus-sasl-gssapi
+</pre></div></div></li>
+  
+<li>
+<p>Grant access to your Kafka topic. In this example, it is simply named 
<tt>pcap</tt>.</p>
+  
+<div class="source">
+<div class="source">
+<pre>$KAFKA_HOME/bin/kafka-acls.sh --authorizer 
kafka.security.auth.SimpleAclAuthorizer \
+  --authorizer-properties zookeeper.connect=zookeeper1:2181 \
+  --add --allow-principal User:metron --topic pcap
+</pre></div></div></li>
+  
+<li>
+<p>Obtain a Kerberos ticket.</p>
+  
+<div class="source">
+<div class="source">
+<pre>kinit -kt /etc/security/keytabs/metron.headless.keytab met...@example.com
+</pre></div></div></li>
+  
+<li>
+<p>Add the following additional configuration values to your Fastcapa 
configuration file.</p>
+  
+<div class="source">
+<div class="source">
+<pre>security.protocol = SASL_PLAINTEXT
+sasl.kerberos.keytab = /etc/security/keytabs/metron.headless.keytab
+sasl.kerberos.principal = met...@example.com
+</pre></div></div></li>
+  
+<li>
+<p>Now run Fastcapa as you normally would. It should have no problem landing 
packets in your kerberized Kafka broker.</p></li>
+</ol></div></div>
+<div class="section">
+<h2><a name="How_It_Works"></a>How It Works</h2>
+<p>The probe leverages a poll-mode, burst-oriented mechanism to capture 
packets from a network interface and transmit them efficiently to a Kafka 
topic. Each packet is wrapped within a single Kafka message and the current 
timestamp, as epoch microseconds in network byte order, is attached as the 
message&#x2019;s key.</p>
+<p>The probe leverages Receive Side Scaling (RSS), a feature provided by some 
ethernet devices that allows processing of received data to occur across 
multiple processes and logical cores. It does this by running a hash function 
on each packet, whose value assigns the packet to one, of possibly many, 
receive queues. The total number and size of these receive queues are limited 
by the ethernet device in use. More capable ethernet devices will offer a 
greater number and greater sized receive queues. </p>
+
+<ul>
+  
+<li>Increasing the number of receive queues allows for greater parallelization 
of receive side processing.</li>
+  
+<li>Increasing the size of each receive queue can allow the probe to handle 
larger, temporary spikes of network packets that can often occur.</li>
+</ul>
+<p>A set of receive workers, each assigned to a unique logical core, are 
responsible for fetching packets from the receive queues. There can only be one 
receive worker for each receive queue. The receive workers continually poll the 
receive queues and attempt to fetch multiple packets on each request. The 
maximum number of packets fetched in one request is known as the &#x2018;burst 
size&#x2019;. If the receive worker actually receives &#x2018;burst 
size&#x2019; packets, then it is likely that the queue is under pressure and 
more packets are available. In this case the worker immediately fetches another 
&#x2018;burst size&#x2019; set of packets. It repeats this process up to a 
fixed number of times while the queue is under pressure.</p>
+<p>The receive workers then enqueue the received packets into a fixed size 
ring buffer known as a transmit ring. There is always one transmit ring for 
each receive queue. A set of transmit workers then dequeue packets from the 
transmit rings. There can be one or more transmit workers assigned to any 
single transmit ring. Each transmit worker has its own unique connection to 
Kafka.</p>
+
+<ul>
+  
+<li>Increasing the number of transmit workers allows for greater 
parallelization when writing data to Kafka.</li>
+  
+<li>Increasing the size of the transmit rings allows the probe to better 
handle temporary interruptions and latency when writing to Kafka.</li>
+</ul>
+<p>After receiving the network packets from the transmit worker, the Kafka 
client library internally maintains its own send queue of messages. Multiple 
threads are then responsible for managing this queue and creating batches of 
messages that are sent in bulk to a Kafka broker. No control is exercised over 
this additional send queue and its worker threads, which can be an impediment 
to performance. This is an opportunity for improvement that can be addressed as 
follow-on work.</p></div>
+<div class="section">
+<h2><a name="Performance"></a>Performance</h2>
+<p>Beyond tuning the parameters previously described, the following should be 
carefully considered to achieve maximum performance.</p>
+<div class="section">
+<h3><a name="Kafka_Partitions"></a>Kafka Partitions</h3>
+<p>Parallelizing access to a topic in Kafka is achieved by defining multiple 
partitions. The greater the number of partitions, the more parallelizable 
access to that topic becomes. To achieve high throughput it is important to 
ensure that the Kafka topic in use has a large number of partitions, evenly 
distributed across each of the nodes in your Kafka cluster.</p>
+<p>The specific number of partitions needed will differ for each environment, 
but at least 128 partitions has been shown to significantly increase 
performance in some environments.</p></div>
+<div class="section">
+<h3><a name="Physical_Layout"></a>Physical Layout</h3>
+<p>It is important to note the physical layout of the hardware when assigning 
worker cores to the probe. The worker cores should be on the same NUMA node or 
socket as the ethernet device itself. Assigning logical cores across NUMA 
boundaries can significantly impede performance.</p>
+<p>The following commands can help identify logical cores that are located on 
the same NUMA node or socket as the ethernet device itself. These commands 
should be run when the device is still managed by the kernel itself; before 
binding the interface.</p>
+
+<div class="source">
+<div class="source">
+<pre>$ cat /sys/class/net/enp9s0f0/device/local_cpulist
+0-7,16-23
+</pre></div></div>
+<p>The following command can be used to better understand the physical layout 
of the CPU in relation to NUMA nodes.</p>
+
+<div class="source">
+<div class="source">
+<pre>$ lscpu
+...
+NUMA node0 CPU(s):     0-7,16-23
+NUMA node1 CPU(s):     8-15,24-31
+</pre></div></div>
+<p>In this example <tt>enp9s0f0</tt> is located on NUMA node 0 and is local to 
the logical cores 0-7 and 16-23. You should choose worker cores from this 
list.</p></div>
+<div class="section">
+<h3><a name="CPU_Isolation"></a>CPU Isolation</h3>
+<p>Once you have chosen the logical cores to use that are local to the 
ethernet device, it also beneficial to isolate those cores so that the Linux 
kernel scheduler does not attempt to run tasks on them. This can be done using 
the <tt>isolcpus</tt> kernel boot parameter.</p>
+
+<div class="source">
+<div class="source">
+<pre>isolcpus=0,1,2,3,4,5,6,7
+</pre></div></div></div>
+<div class="section">
+<h3><a name="Device_Limitations"></a>Device Limitations</h3>
+<p>Check the output of running the probe to ensure that there are no device 
limitations that you are not aware of. While you may have specified 16 receive 
queues on the command line, your device may not support that number. This is 
especially true for the number of receive queues and descriptors.</p>
+<p>The following example shows the output when the number of receive 
descriptors requested is greater than what can be supported by the device. In 
many cases the probe will not terminate, but will choose the maximum allowable 
value and continue. This behavior is specific to the underlying device driver 
in use.</p>
+
+<div class="source">
+<div class="source">
+<pre>PMD: rte_enic_pmd: Rq 0 Scatter rx mode enabled
+PMD: rte_enic_pmd: Rq 0 Scatter rx mode not being used
+PMD: rte_enic_pmd: Number of rx_descs too high, adjusting to maximum
+PMD: rte_enic_pmd: Using 512 rx descriptors (sop 512, data 0)
+PMD: rte_enic_pmd: Rq 1 Scatter rx mode enabled
+PMD: rte_enic_pmd: Rq 1 Scatter rx mode not being used
+PMD: rte_enic_pmd: Number of rx_descs too high, adjusting to maximum
+PMD: rte_enic_pmd: Using 512 rx descriptors (sop 512, data 0)
+PMD: rte_enic_pmd: TX Queues - effective number of descs:32
+PMD: rte_enic_pmd: vNIC resources used:  wq 1 rq 4 cq 3 intr 0
+</pre></div></div></div>
+<div class="section">
+<h3><a name="More_Information"></a>More Information</h3>
+<p>More information on this topic can be found in <a class="externalLink" 
href="http://dpdk.org/doc/guides/linux_gsg/nic_perf_intel_platform.html";>DPDK&#x2019;s
 Getting Started Guide</a>.</p></div></div>
+<div class="section">
+<h2><a name="FAQs"></a>FAQs</h2>
+<div class="section">
+<h3><a name="No_free_hugepages_reported"></a>No free hugepages reported</h3>
+<p>Problem: When executing <tt>fastcapa</tt> it fails with the following error 
message.</p>
+
+<div class="source">
+<div class="source">
+<pre>EAL: No free hugepages reported in hugepages-1048576kB
+PANIC in rte_eal_init():
+Cannot get hugepage information
+</pre></div></div>
+<p>Solution: This can occur if any process that has been allocated THPs 
crashes and fails to return the resources. </p>
+
+<ul>
+  
+<li>
+<p>Delete the THP files that are not in use.</p>
+  
+<div class="source">
+<div class="source">
+<pre>rm -f /mnt/huge_1GB/rtemap_*
+</pre></div></div></li>
+  
+<li>
+<p>If the first option does not work, re-mount the <tt>hugetlbfs</tt> file 
system.</p>
+  
+<div class="source">
+<div class="source">
+<pre>umount -a -t hugetlbfs
+mount -a
+</pre></div></div></li>
+</ul></div>
+<div class="section">
+<h3><a name="No_ethernet_ports_detected"></a>No ethernet ports detected</h3>
+<p>Problem: When executing <tt>fastcapa</tt> it fails with the following error 
message.</p>
+
+<div class="source">
+<div class="source">
+<pre>EAL: Error - exiting with code: 1
+  Cause: No ethernet ports detected.
+</pre></div></div>
+
+<ul>
+  
+<li>Solution 1: The <tt>uio_pci_generic</tt> kernel module has not been 
loaded.</li>
+</ul>
+
+<div class="source">
+<div class="source">
+<pre>modprobe uio_pci_generic
+</pre></div></div>
+
+<ul>
+  
+<li>Solution 2: Ensure that the ethernet device is bound. Re-bind if 
necessary.</li>
+</ul>
+
+<div class="source">
+<div class="source">
+<pre> dpdk-devbind --unbind &quot;09:00.0&quot;
+ dpdk-devbind --bind=uio_pci_generic &quot;09:00.0&quot;
+ dpdk-devbind --status
+</pre></div></div></div></div>
+                  </div>
+            </div>
+          </div>
+
+    <hr/>
+
+    <footer>
+            <div class="container-fluid">
+              <div class="row span12">Copyright &copy;                    2017
+                        <a href="https://www.apache.org";>The Apache Software 
Foundation</a>.
+            All Rights Reserved.      
+                    
+      </div>
+
+                          
+        
+                </div>
+    </footer>
+  </body>
+</html>

Added: release/metron/0.4.0/site-book/metron-sensors/index.html
==============================================================================
--- release/metron/0.4.0/site-book/metron-sensors/index.html (added)
+++ release/metron/0.4.0/site-book/metron-sensors/index.html Wed Jul  5 
06:56:42 2017
@@ -0,0 +1,217 @@
+<!DOCTYPE html>
+<!--
+ | Generated by Apache Maven Doxia at 2017-06-27
+ | Rendered using Apache Maven Fluido Skin 1.3.0
+-->
+<html xmlns="http://www.w3.org/1999/xhtml"; xml:lang="en" lang="en">
+  <head>
+    <meta charset="UTF-8" />
+    <meta name="viewport" content="width=device-width, initial-scale=1.0" />
+    <meta name="Date-Revision-yyyymmdd" content="20170627" />
+    <meta http-equiv="Content-Language" content="en" />
+    <title>Metron &#x2013; Metron Sensors</title>
+    <link rel="stylesheet" href="../css/apache-maven-fluido-1.3.0.min.css" />
+    <link rel="stylesheet" href="../css/site.css" />
+    <link rel="stylesheet" href="../css/print.css" media="print" />
+
+      
+    <script type="text/javascript" 
src="../js/apache-maven-fluido-1.3.0.min.js"></script>
+
+                          
+        
+<script type="text/javascript">$( document ).ready( function() { $( 
'.carousel' ).carousel( { interval: 3500 } ) } );</script>
+          
+            </head>
+        <body class="topBarDisabled">
+          
+                
+                    
+    
+        <div class="container-fluid">
+          <div id="banner">
+        <div class="pull-left">
+                                    <a href="http://metron.apache.org/"; 
id="bannerLeft">
+                                                                               
                 <img src="../images/metron-logo.png"  alt="Apache Metron" 
width="148px" height="48px"/>
+                </a>
+                      </div>
+        <div class="pull-right">  </div>
+        <div class="clear"><hr/></div>
+      </div>
+
+      <div id="breadcrumbs">
+        <ul class="breadcrumb">
+                
+                    
+                              <li class="">
+                    <a href="http://www.apache.org"; class="externalLink" 
title="Apache">
+        Apache</a>
+        </li>
+      <li class="divider ">/</li>
+            <li class="">
+                    <a href="http://metron.apache.org/"; class="externalLink" 
title="Metron">
+        Metron</a>
+        </li>
+      <li class="divider ">/</li>
+            <li class="">
+                    <a href="../index.html" title="Documentation">
+        Documentation</a>
+        </li>
+      <li class="divider ">/</li>
+        <li class="">Metron Sensors</li>
+        
+                
+                    
+                  <li id="publishDate" class="pull-right">Last Published: 
2017-06-27</li> <li class="divider pull-right">|</li>
+              <li id="projectVersion" class="pull-right">Version: 0.4.0</li>
+            
+                            </ul>
+      </div>
+
+            
+      <div class="row-fluid">
+        <div id="leftColumn" class="span3">
+          <div class="well sidebar-nav">
+                
+                    
+                <ul class="nav nav-list">
+                    <li class="nav-header">User Documentation</li>
+                                                                               
                                                                                
                                                                                
                                                                                
                                                                                
                                                                                
                                                                                
                                                                                
                                                                                
                                                                                
                                                                                
           
+      <li>
+    
+                          <a href="../index.html" title="Metron">
+          <i class="icon-chevron-down"></i>
+        Metron</a>
+                    <ul class="nav nav-list">
+                      
+      <li>
+    
+                          <a href="../Upgrading.html" title="Upgrading">
+          <i class="none"></i>
+        Upgrading</a>
+            </li>
+                                                                               
                                                                       
+      <li>
+    
+                          <a href="../metron-analytics/index.html" 
title="Analytics">
+          <i class="icon-chevron-right"></i>
+        Analytics</a>
+                  </li>
+                                                                               
                                                                                
                                                                                
                                                                                
                                                     
+      <li>
+    
+                          <a href="../metron-deployment/index.html" 
title="Deployment">
+          <i class="icon-chevron-right"></i>
+        Deployment</a>
+                  </li>
+                      
+      <li>
+    
+                          <a href="../metron-docker/index.html" title="Docker">
+          <i class="none"></i>
+        Docker</a>
+            </li>
+                      
+      <li>
+    
+                          <a 
href="../metron-interface/metron-config/index.html" title="Config">
+          <i class="none"></i>
+        Config</a>
+            </li>
+                      
+      <li>
+    
+                          <a href="../metron-interface/metron-rest/index.html" 
title="Rest">
+          <i class="none"></i>
+        Rest</a>
+            </li>
+                                                                               
                                                                                
                                                                                
 
+      <li>
+    
+                          <a href="../metron-platform/index.html" 
title="Platform">
+          <i class="icon-chevron-right"></i>
+        Platform</a>
+                  </li>
+                                                                               
                                 
+      <li class="active">
+    
+            <a href="#"><i class="icon-chevron-down"></i>Sensors</a>
+                  <ul class="nav nav-list">
+                      
+      <li>
+    
+                          <a 
href="../metron-sensors/bro-plugin-kafka/index.html" title="Bro-plugin-kafka">
+          <i class="none"></i>
+        Bro-plugin-kafka</a>
+            </li>
+                      
+      <li>
+    
+                          <a href="../metron-sensors/fastcapa/index.html" 
title="Fastcapa">
+          <i class="none"></i>
+        Fastcapa</a>
+            </li>
+                      
+      <li>
+    
+                          <a href="../metron-sensors/pycapa/index.html" 
title="Pycapa">
+          <i class="none"></i>
+        Pycapa</a>
+            </li>
+              </ul>
+        </li>
+              </ul>
+        </li>
+            </ul>
+                
+                    
+                
+          <hr class="divider" />
+
+           <div id="poweredBy">
+                            <div class="clear"></div>
+                            <div class="clear"></div>
+                            <div class="clear"></div>
+                             <a href="http://maven.apache.org/"; title="Built 
by Maven" class="poweredBy">
+        <img class="builtBy" alt="Built by Maven" 
src="../images/logos/maven-feather.png" />
+      </a>
+                  </div>
+          </div>
+        </div>
+        
+                
+        <div id="bodyColumn"  class="span9" >
+                                  
+            <div class="section">
+<h2><a name="Metron_Sensors"></a>Metron Sensors</h2>
+
+<ul>
+  
+<li>
+<p><a href="bro-plugin-kafka/index.html"><tt>bro-plugin-kafka</tt></a>: 
Provides integration between <a class="externalLink" 
href="https://www.bro.org/";>Bro</a> and Kafka. A Bro plugin that sends logging 
output to Kafka. This provides a convenient means for tools in the Hadoop 
ecosystem, such as Storm, Spark, and others to process the data generated by 
Bro.</p></li>
+  
+<li>
+<p><a href="fastcapa/index.html"><tt>fastcapa</tt></a>: Performs fast network 
packet capture by leveraging Linux kernel-bypass and user space networking 
technology. The probe will bind to a network interface, capture network 
packets, and send the raw packet data to Kafka. This provides a scalable 
mechanism for ingesting high-volumes of network packet data.</p></li>
+  
+<li>
+<p><a href="pycapa/index.html"><tt>pycapa</tt></a>: Performs lightweight 
network packet capture, retrieves network packets from Kafka, generates 
<tt>libpcap</tt>-compliant files, and enables integration with third-party 
tools like Wireshark.</p></li>
+</ul></div>
+                  </div>
+            </div>
+          </div>
+
+    <hr/>
+
+    <footer>
+            <div class="container-fluid">
+              <div class="row span12">Copyright &copy;                    2017
+                        <a href="https://www.apache.org";>The Apache Software 
Foundation</a>.
+            All Rights Reserved.      
+                    
+      </div>
+
+                          
+        
+                </div>
+    </footer>
+  </body>
+</html>

