The gen/ code is generated with a protobuf compiler and Juniper Telemetry data. How this is done should be set up in 'go:generate' or similar so it can be reproduced/updated.

Logrus has been introduced, but we need to migrate all code to it.

I think we also need a discussion/policy on how/when to log at all.

In general, I'm thinking:

1. Code should not use log.Fatal unless it's package main: it prevents trivial testing.
2. Successful code paths should not log. Exceptions can be made for important debugging, but for things like transformers, intermediary senders, etc, I'd prefer if it didn't log on OK code paths. It is a performance hit...
3. If we return error, logging should be "trace" at most - the calling code should log the error at higher log levels instead (e.g.: if HTTP sender fails, log trace, and throw error, that way, the retry sender can decide what to log).
4. If we discard actual errors: Log with at least info if it is a common setup. Preferably higher level.
5. If we handle errors (e.g.: fallback-sender), log with debug.

I think this list needs to be improved/revised as we see how the logging works in real life, but some sort of common principles are needed.

SSIA.

If a collector is implemented incorrectly it is easy to end up posting timestamp as metadata in addition to regular timestamp. While this could be allowed, it is safe to assume that this is almost always a mistake.

Therefore, the data validation should check for metadata fields named "timestamp" and throw an error. Example of issue:

{
 "metrics": [ {
    "timestamp": "2019-04-02T16:00:00Z",
    "metadata": { "device": "foo", "timestamp": "2019-04-02T16:00:00Z" },
    "data": { "something": 123123 }
  } ]
}

While test-coverage is OK-ish, older tests have not been updated to use newer methods when suitable.

Specifically, a lot of tests define data structures by hand instead of just providing a configuration-snippet, which would be both more readable and implicitly test the configurability.

Additionally, many tests have helper-functions that are semi-reusable, like verify that metadata is transformed the way we expect, or generating valid containers. This re-use is sort of messy now.

If three senders are specified, but only one is used, the user will never know. This could lead to situations where a user wants to direct data to two different locations, but accidentally directs it to the same place.

I'm thinking warning is the suitable response, possibly with an option to make it critical.

Add docs/ for logging. This mostly a follow-up of #49

Pretty sure this is killing performance.

Might also be worth it to use this as an example of how to deal with concurrency. The way we are doing it now works OK simply because we are setting up new requests all the time, but that should probably die in a fire. A better model might be to have a pool of influx-writers internally, to serialize access but not limit ourself to a single instance.

But that should be a sender in itself?

I think what makes sense right now is that the influx writer only has a single HTTP connection it will (re-)-use, and that a future Sender provides a worker-pool-like feature. That way the influx-code is nice and simple.

It will still require locking, I suppose.

The idea is to optionally enforce certain metadata fields. This can make particular sense "further down the chain" to ensure that upstream data sources follow policies and identify themself.

The same Sender should also support OPTIONAL value enforcement. That way, we can have a central Skogul enforce that data from DC1 is always tagged with DC1, but downstream, we only ensure that the "dc" tag is set at all.

While the documentation is getting to be reasonably good, the errors that the config engine reports are horrid. Need a good general-purpose approach to report errors.

If you misspell a variable name in your config, it will just be silently ignored and a default value will be used instead.

This is Bad™.

Must be fixed.

We need better logging, and #30 introduces logrus.

The log receiver needs to be updated to handle this, and should:

1. Ensure the initial read-path is quick and non-blocking. It should just read the logs and place them on a buffered channel, then move on (or similar). Code should be able to log extensively without having to worry about log performance at all. If logrus can't satisfy this, we have a problem.

2. Extract fields into metadata to as great an extent as possible.

3. Leverage transformers for filtering, but a basic log-level filter is OK. Simplicity of configuration is key: People will expect the log receiver to support filtering on log levels, so even if you can use a transformer to do that, it will be such a common use case that it should live in the receiver.

Note that this issue is NOT about introducing logrus in general, but just the logrus-capable receiver, so we can forward logs.

We also need to address suppressing log output to stdout. I don't have a clear picture of how we want to do that. But I'm thinking we want to be able to echo e.g. warnings and above to stdout, while sending everything (trace, info, debug, warn, etc) down to the handler. This will allow us to have extensive logs in a log system (splunk/database), while still getting sensible debug-output.

Logrus also makes it easier to avoid loops: We should probably set a metadatafield indicating that this has passed through the log receiver, so we don't end up in feedback loops if splunk is unresponsive. Not entirely sure how that will work, though.

Given the following diff for debug output:

diff --git a/config/parse.go b/config/parse.go
index d2665e0..5897aec 100644
--- a/config/parse.go
+++ b/config/parse.go
@@ -417,13 +417,21 @@ func findFieldsOfStruct(T reflect.Type) []string {
 
 func getRelevantRawConfigSection(rawConfig *map[string]interface{}, family, section string) map[string]interface{} {
        // log.Debugf("Fetching config section '%s' for '%s' from %v", section, family, rawConfig)
-       return (*rawConfig)[family].(map[string]interface{})[strings.ToLower(section)].(map[string]interface{})
+       cast1,ok := (*rawConfig)[family].(map[string]interface{})
+       if !ok {
+               return nil
+       }
+       cast2,ok := cast1[strings.ToLower(section)].(map[string]interface{})
+       if !ok { 
+               log.Warnf("Failed to cast config section for section %s to map[string]interface{}",strings.ToLower(section))
+               return nil
+       }
+       return cast2
 }
 
 func verifyOnlyRequiredConfigProps(rawConfig *map[string]interface{}, family, handler string, T reflect.Type) []string {
        requiredProps := findFieldsOfStruct(T)
        log.Debugf("Required fields: %v", requiredProps)
-
        relevantConfig := getRelevantRawConfigSection(rawConfig, family, handler)
 
        superfluousProperties := make([]string, 0)

You get the following errors when a transformer is named Optics_diag and interfaceExp_stats:

WARN[0000] Failed to cast config section for section optics_diag to map[string]interface{} 
WARN[0000] Failed to cast config section for section interfaceexp_stats to map[string]interface{} 

Without the patch, skogul will panic instead. This was revealed by my transformer-tests, but would apply to senders/handlers/receivers as well.

That code in general makes sense to some degree, since we should always verify that our casting works.

Feature request

I propose being able to apply a transformer to an incoming metric based on a conditional, e.g. matching it against a metadata field (sensorName, systemId, ...).

Rationale

It is possible to apply multiple transformers to the same incoming container/metric, e.g. to first split it and then flatten it.

All transformers are being tried before the container is handed over to the sender.

Currently, we have configured 10 transformers where approximately 3 transformers are run per metric (split, extract, flatten). The other ones silently fail, e.g. because the target field for extract or flatten doesn't exist. I think this is "abusing" the way transformers work.

I find two potential pain points of this.

1. The configuration can be hard to maintain simply because of the number of transformers applied to the same handler.
2. A simple transformer might apply to multiple metrics which could end up transforming/mangling the metrics in some way the user doesn't want or expect it to do, and there is no way around this (it's nice that it can happen for all of the metrics, e.g. extracting the interface name from the data set, but I think it should be possible to skip it as well)

Furthermore, I haven't really dug deep regarding this, but some of the transformers might run for a bit before they fail which could have an impact on performance. E.g. extracting nested json-objects by casting a metric into map[string]interface{} on multiple levels before it realises the field it actually wants to extract doesn't actually exist.

Potential solution

This feature could be implemented in the transformers, but at that point you wouldn't really solve the maintenance of the configuration issue.

I think that extending the handlers with a configuration option for mapping a transformer to a conditional would be the way to go.

Potential configuration:

{
  "receivers": {
    "udp": {
      "type": "udp",
      "address": "[::1]:1337",
      "handler": "next"
    }
  },
  
  "handlers": {
    "next": {
      "parser": "json",
      "transformers": [
        {
          "transformer": "interface_info",
          "when": "sensorName",
          "is": "junos_system_linecard_interface"
        }
      ]
    }
  },
  
  "transformers": {
    "interface_info": {
      "type": "split",
      "field": "if_name"
    }
  }
}

Using get-paramaters seems to be the way to go. Let's go for that, and ensure that the names of the get paramaters matches the keys in the relevant struct's. Almost all options should be available ass get parameters, and the auto-scheme should possibly be expanded to include generated documentation for it, pkg/flag-style.

It is up to each sender/receiver to verify initial configuration, but it might be useful to provide an interface that allows them to provide a verification function.

One reason this is relevant is that it will allow an operator to verify a new configuration before the old skogul instance is stopped.

An other reason is that for things like errors that are diverted to other sources, the relevant sender might not even execute at all for quite some time, so configuration errors might not be evident at all until much later.

The HTTP receiver currently doesn't really log much. It gives reasonably good responses, but for debugging, it can be tricky to know what's going on.

This issue is about adding an option to the http receiver, found in 'http/receiver.go' that lets the administrator enable/disable request logs for successfully received requests. It should log this as either Debug or Info, possibly with a difference between OK requests and invalid requests.

The HTTP receiver already logs some errors, but not all, so ideally that should be improved as well so we always log. I'm thinking adding logging to ServeHTTP, possibly removing it/changing it in handle(), but it's up to whoever decides to do the job.

A complete config file requires senders, receivers and handlers. But the actual config file parser does not.

We should leverage this to make it easier to write tests that are based on real config files.

That way, a config might be

{
   "senders": {
      "foo": { 
        "type": "fallback",
        "next": ["fail","ok","ignore" ]
      },
      "fail": { 
          "type": "forwardfail",
          "next": "fake-fail"
      },
      "fake-fail": {"type": "tester" },
      "ok": {"type": "tester" },
      "ignore": {"type": "tester" }
   }
}

The test itself will then reference c.Senders["foo"].Sender for testing, and check the count on the others....

It will require that the test-sender is exported, but that's ok.

E.g. Juniper sends systemId of the form "hostname-reX:IP", and we want to extract "hostname" from it. And the sensorName is typicially "foo:/foo-ish:/foo/foo/foo:PFE" where we just want "foo".

I'd like some benchmarks if we're doing a general purpose regex-thing, but it should be fine.

A transformer should probably:

1. Be able to read and write from the same variable (e.g.: systemId ~= s/-re.*$//)
2. Be able to read from a different variable than it writes to (E.g.: keep the original. systemIP = systemId; systemIP ~= s/^.*://)

Maybe something like:

  "type": "regex",
  "source": "systemId",
  "target":  "hostname",
  "find": "^[^-]*"

or similar?

We probably want both "replace" and "find"?

Since Splunk already uses "source" and "sourcetype", let's save ourself some headaches by renaming the field.

"category" seems appropriate.

The sender side of #17 - similar concerns apply.

Today we just blindly marshal metrics into influx line format without much attention payed to the type of data. This causes Skogul to send invalid writes to influx, which is pretty bad.

The influx sender should evaluate the metric data and either fail/error out on nested structures, or do something that is protocol-correct with it - not sure what.

Today, extract will copy data, not move it. This creates problems for things like influxdb and is semantically incorrect. An extraction, semantically, suggest it is moved from one place to an other.

If we want a copy, we should have a separate function for that. As such, extract should remove the original.

We need a flag for setting the log-level in skogul, now that we have code that actually uses it... I also want to have some more sensible output defaults (The [0000] of WARN[0000] made zero sense to me until I literally read the source code).

I think we should offer runtime control through flags for:

• log level/detail
• disabling/enabling (full) timestamps (you don't want timestamps in a systemd-context, since journald will take care of that)

While we could offer more options, limiting the flags to what we really need should be a priority.

Since there is no check if the data key exists, a nil-key will be created in the metadata. This shouldn't be the case.

Procedures for releasing should include pre-built binaries, ready to extract to, e.g., /usr/local. Preferably also including proper paths for documentation.

Need to be able to verify client certificates, possibly in addition to username/password. Should also support alternate root CA in such scenarios.

Step one is just plain hardcoded basic auth. In the future, more advanced schemes may be necessary (e.g.: ldap or oauth etc). This ticket just deals with the simplest example, but SHOULD anticipate:

1. That checking authentication and authorization needs to be modular
2. That it needs to be fast

As nice as 'go test' is, we need integration testing as well. E.g.: Build, set up influx, do some tests, verify data in influx, pull things down.

I've seen some examples, but I feel like the "go"-based examples I've seen are bit too introvert. It doesn't make sense to me to use go to run 'docker run --name influx -d influxdb; sleep 5; run-tests; docker kill....'.... but there must be some better examples/practices out there.

SSIA

We need to be able to accept writes on multiple paths and handle them differently.

Something simple like re-using the net/http path-mapping seems appropriate.

E.g.: Set up a generic postgres/influx receiver at /api/write/collect, but allow special handling of /api/write/collect/snmp.

#33 introduced support for being able to "flatten" a nested data structure. This preserves the hierarchy of the nested object, so {"some": { "sweet": "data" }} becomes { "some__sweet": "data" }. The separator is hardcoded to double underscores but this should be configurable by the user in the config.

Almost a direct copy of the postgres-sender, but for MySQL.

Should use a very simple schema in the early versions.

If we allow modifying of a Container in a Sender, we lose the ability to handle it concurrently in multiple places. But that might be OK. Needs to be well defined behavior regardless.

Issue #25 illustrates a problem that will arise when using large, consolidated data stores that do not accept arbitrary data. Specially if combined with batching of data.

A container could be sent to a sender where the sender knows how to handle some, but not all metrics. Today, the API doesn't provide any method of handling this properly. The sender has to decide what to do:

1. Send whatever it can send
2. Return error regardless of whether some metrics were successfully handled
3. Return ok as long as just one metric failed
4. ????

This is particularly problematic when HA is introduced, e.g. with fallback sender. If a producer starts sending data that a sender can't handle and it gets batched together with "good" data, the fallback sender will send all data - even data successfully written - to the next sender.

I don't have any perfect answer for this. But I'm thinking along the lines of introducing new error types: skogul.PartialFailure or similar, similar to:

type PartialFailure struct {
    Source string
    Reason string
    Succeeded []*Metrics
    Failed []*Metrics
}

#31 has a bit where the influxdb sender ignores metrics it doesn't know how to handle, but will write the remainder of them. This should be configurable.

The scenarios are:

1. Mixed data - write what you can, report errors, but don't fail. E.g.: Do not return error, which would trigger alternate paths.
2. Non-mixed data: Everything fails. This should always be an error?

I'm thinking the option should be something along the lines of "write partially marshalled data", potentially with a second option/teritary option where partially marshalled data is written, but logged/warned about. Either way, if we successfully write anything we should not return error, since that can cause data to be duplicated.

Send data to rabbitmq. Good first case since it's a plain copy of influx or postgres sender, just add rabbitmq-integration instead.

This issue is meant to just get things started on unit-testing. Basically just write tests for "whatever", but in a representative manner.

Today the InfluxDB sender gets its measurement from initialization of the sender, meaning that all data written to that sender will go to the same measurement.

There's no need for this. Instead, we can also offer a configuration variable, e.g. "MeasurementFromMetadata", which, if specified, tells the influxdb sender to read the metadatafield specified and use that as the measurement to write to.

It should probably still have some sort of fallback or default.

I knew this going in, but I never fixed it/wrote an issue on it....

When calculate how far to indent when underlining syntax errors, we don't account for how some characters are wider than others. Most critical is tabs, which tend to be 8 character wide, but this can also include other none-1-char-wide-chars (e.g.: emojis).

Random test-case reveals this.

Accepts a single Next Sender. Data sent to it is batched up into a larger set, then forwarded periodically. Typical use-cases:

Right after a HTTP receiver to gather up multiple statistics.

Before a "write-to-disk" fallback.

Must decide if it should block or not. The benefit of blocking is that we can still return status messages to clients while batching up data from multiple sources. Then a simple buffer-sender can deal with the alternate scenario where we want to ACK to clients without waiting around for stuff to "hit disk".

A document listing certain pricniples of the design is in order. It should include such things as:

1. Senders are not allowed to modify metrics. Ever.
2. If a sender creates a new container, that container should never be sent to a new sender direct, but to a handler.
3. A transformer should not set up multiple references to the same object/key (E.g.: copy the content, not a reference).
4. Receivers should, by default, use multiple go routines where possible.

And so on. This is not a comprehensive list, but the document should list these "rules" so they are easier to discuss and follow. It will also mean that policy/rules can be discussed in pull requests in a more transparent way.

The idea is to provide a sender with two handlers as config: Flat and Non-Flat.

For metrics received that are "flat", e.g., data and metadata match map[string](string|number|bool), the metrics will be passed on to the flat-handler, while others will end up on non-flat.

This will allow us to stick it in front of influx as a last-chance to divert non-flat metrics to, e.g., postgres, where we can store Anything as long as it can be marshalled to JSON.

The only actual mysql-specific item is the import statement, everything else is pretty much generic database/sql logic.

mock/pseudocode:

select metadataid from metadata where metadata.metadata = '$metadata'
if 0 results: insert ..... fetch metadataid.
insert into data (ts,metadataid,data) (ts,$id-from-above,data) ....

I have the schema here somewhere that works well.... This allows us to have efficient indexes on metadata almost regardless of the size. While we can still have decent indexes today, the storage-size is much better for the above approach. And it is less vulnerable if we end up with json-structures that aren't flat, and thus aren't really indexable.

#40 is about authenticating with a client certificate, but this issue should handle how we can carry out authorization based on client certificates.

E.g.: Even if a client has a valid certificate, we want to be able to distinguish one client from an other.

This depends on #40 being completed.

The other side of #40. Need to be able to authenticate with client certificates.

The HTTP receiver and the Switch transformer both use a custom struct/type as part of the config. But we don't expose the documentation for it.

I propose we add an optional 'custom data structures'-part to the auto-system, so you can inform the auto-system that these items have custom data strctures that it needs to expose. Ideally we shouldn't require this, since it's possible to do this by reflection, but the complexity of doing it through reflection versus just requiring an explicit declaration is such that I don't want to go down that road.

This is a reasonably high priority issue, since we currently have undocumented security-features.

The benchmarks for the parsers have revealed a difference in performance that's interesting. The benchmarking of http revealed a flawed implementation.

Having benchmarks for UDP will be very interesting...