Many thanks for starting off this discussion. Today in Metron we make a basic
assumption that once the data is written it stays written. All our enrichments
and modifications happen in the stream before landing in an immutable store,
and this is something we need to maintain.
However, as we start to look at integration use cases, and the idea of
providing an interactive UI to investigators using the platform we need to
capture additional data about events:
human entered data (small scale)
has this alert been seen
escalated to a case system
manually combined with other alerts
machine generated data (large scale):
restatement of threat feeds
batch analytics too expensive to fit in stream
These require some mutability to the stream. However, I would argue that we
must maintain that all mutability to Metron data is additive. Once data is
stated, we should not restate it in order to maintain integrity of the record
provided by Metron, which is a key value for security departments.
In the case of the ‘post-indexing’ data we are expecting this to be a smaller
profile than the telemetry, since it is mostly human scale. That said, we still
have challenges when reading that data. Essentially it provides a delta overlay
on the core indexed data which needs to be checked for a significant number of
operations, create in effect a join condition for many queries. The primary
query sources are going to be interactive UIs for things like alert status, for
which an HBase or search index makes a lot of sense. However, we will also need
to be able to access these efficiently in batch for things like relevancy
modelling and capturing feedback for human-in-the-loop style models. On that
basis, I would argue that something that’s easy to join to the HDFS index in
Spark is also essential. HBase would be a candidate here.
The format of the stored mutation data also needs to be considered. Since it is
likely to involve a relatively small number of modifications, and in keeping
with the principal of immutability and preservation of provenance, I would
suggest the mutations are stored as a timestamped transaction log against the
original message. We may also want a current state representation. It makes
sense to me to store the log in HBase while the current state is updated
against the original message into ES / Solr depending on your search index of
choice.
Looking at the idea of storing the log in HBase, we would have to consider
schema. I would recommend keyed by message guid, columns based versioning by
timestamp or some sort of vector clock, depending on the expected volume and
variance of changes, which I would expect to be low. Alternatively we could
look at something like the opentsdb schema, with guid and partial timestamp in
the key if we’re expecting high volumes (this seems very unlikely to me).
Another option, similar to Raghu’s sidecar files, is to borrow the architecture
of Hive updates, which is to write sidecar delta files, which are checked in
every query to the underlying file for modifications, and to periodically
compact. This makes sense but for our need for immutability. Compaction could
be done in batch to the original record file, and would only add fields in the
log form to that. We can get away with this optimisation over the Hive method,
since we are never looking to change original values, but only ‘after the
index’ values. That said, compaction is still likely to be heavy and full of
potential problems with things like stripe and block alignment for performance
(maybe there is something we can learn here from the early problems with Hive
acid if we go down that route). Personally I see this as a high risk option.
Something I would like to consider is how we abstract this from the metron UI
and other metron users. I would recommend we deliver a data services layer API
covering access to all the underlying data and controlling the immutability,
and maintenance of whatever persistence we use. I would also like to see a
Spark relation built for Metron to abstract data access on the backend of Spark
jobs which would allow us to decouple things like model building from the
underlying mechanisms and file formats.
The short version is that I would say we store a transaction log in HBase and
consider mutating the document in search.
Simon
> On 27 Mar 2017, at 10:26, Raghu Mitra Kandikonda <r...@hortonworks.com> wrote:
>
> Hi All,
>
> I would like to start a discussion around what would be the good approach to
> append data to the existing records that are processed by Metron. Here are
> few thoughts that I have to start with.
>
> 1.Store the new fields just in ES and allow records to be different in ES and
> HDFS.
> 2.Store the new fields in HBASE along with ES.
> a.We can create a new table in HBASE that stores guid + key (or any other
> unique key of the record) and the new value.
> b. The table name will be same as the file name that originally contained the
> record.
> 3. Store new fields in ES and in HDFS.
> a. The new fields will be stored in same file as the original record.
> b. The new fields are stored along with guid of the record.
> c. Any changes to the values of the fields will have a new record instead of
> modifying the existing record.
> d. To read the latest value for a record we need to parse the entire file.
> Ex: File enrichment-null-0-0-1490335748664.json has 3 records
> {“key1”: “value1, “key2”: “value2”, “key3”: “value3” , “guid” : “id1"}
> {“key1”: “value11, “key2”: “value21”, “key3”: “value31” , “guid” : “id2"}
> {“key1”: “value12, “key2”: “value22”, “key3”: “value32” , “guid” : “id3"}
> Now we have to store new field for record with guid id2 the new file looks as
> follows
> {“key1”: “value1, “key2”: “value2”, “key3”: “value3” }
> {“key1”: “value11, “key2”: “value21”, “key3”: “value31” }
> {“key1”: “value12, “key2”: “value22”, “key3”: “value32” }
> {“guid”: “id2", “newKey”: “newValue”}
> Again the value of newKey for record has been changed to newestValue the new
> file looks as follows
> {“key1”: “value1, “key2”: “value2”, “key3”: “value3” }
> {“key1”: “value11, “key2”: “value21”, “key3”: “value31” }
> {“key1”: “value12, “key2”: “value22”, “key3”: “value32” }
> {“guid”: “id2", “newKey”: “newValue”}
> {“guid”: “id2", “newKey”: “newestValue”}
> 4. Store the new fields in ES and in HDFS.
> a. The new fields will be stored in new file than the file where the record
> originally existed.
> b. The name of file will be the same as the file where the record is
> originally present but it will be in a different folder.
> c. The new fields are stored along with guid of the record.
> c. new value to an existing field or a new field would be appended to the end
> of the file instead of modifying a record.
> d. To read the latest value for a record we need to parse the entire file.
> Ex: File
> /apps/metron/indexing/indexed/snort/enrichment-null-0-0-1490335746765.json
> has following records
> {“key1”: “value1, “key2”: “value2”, “key3”: “value3” , “guid” : “id1"}
> {“key1”: “value11, “key2”: “value21”, “key3”: “value31” , “guid” : “id2"}
> {“key1”: “value12, “key2”: “value22”, “key3”: “value32” , “guid” : “id3"}
> Now we have a ’newKey’ and ’newValue’ to be stored for record with guid id2.
> The file enrichment-null-0-0-1490335748664.json will look the same but we
> will have a new file
> /apps/metron/augmented/snort/enrichment-null-0-0-1490335746765.json with the
> following content
> {“guid”: “id2", “newKey”: “newValue”}
> Again the value of newKey is changed to newestValue and there is a new key
> called newestKey the file looks as follows
> {“guid”: “id2", “newKey”: “newValue”}
> {“guid”: “id2", “newKey”: “newestValue”}
> {“guid”: “id2", “newestKey”: “nextNewestValue”}
>
> -Raghu
>
>
>
