178 hive sentinel clickhouse pixie#193
…pe, and convert timestamp to nanoseconds
Signed-off-by: entlein <einentlein@gmail.com>
… tetragon, http, dns, STIX) And fix ETL problems

* Add ClickHouse table initialization SQL for ETL pipelines (kubescape, tetragon, http, dns, STIX)
Implement Makefile target to auto-create ClickHouse tables via temporary Kubernetes pod
Configure Pixie ETL and STIX ETL auto-start in Flask on boot
Add Flask endpoints to control Pixie ETL lifecycle (start/stop)
Set up local ClickHouse port-forwarding workflow for development
Validate ClickHouse connectivity with secure credentials
Clean up ETL controllers and align with modular Flask structure
Fix typing errors with ETLs

---------

Co-authored-by: laborant <laborant@labs.iximiuz.com>
* add request parameters and filters for pixie etl
* fix the filters

---------

Co-authored-by: laborant <laborant@labs.iximiuz.com>
* add request parameters and filters for pixie etl
* fix the filters
* finalize test implementation

---------

Co-authored-by: laborant <laborant@labs.iximiuz.com>
Co-authored-by: Mehmet Berk Gürçay <mehmet.gurcay@danfoss.com>
…loyed-publicly' into 178-hive-sentinel-clickhouse-pixie
- Add Makefile target `hive-sentinel` for clean one-command deployment
- Use `values.yaml.template` processed with `envsubst` for dynamic vars
- Deploy Hive Sentinel via Helm with auto namespace creation
- Supports dynamic image override and CI-friendly flows
Please find my lab script at

I merged all into a single PR with this one. So, if we are happy with this version, we can abandon the other 3 PRs (#185, #190, #191).

I went through all the commands on the lab and did not encounter any runtime errors or empty returns. Generally, I observed the expected results.

The Hive Sentinel text on the lab might not be perfect, but we can improve on that later.
entlein
left a comment
I read and tested the code and lab. THANK YOU, this is great!
Merge: YES - Reason: Since all labs that have dependencies are built off feature branches, merging the vector/soc.yaml won't break anything.
Tomorrow: We will together review the pattern-matcher and determine any next urgent steps.
All in all: this is now going in exactly the right direction, looking forward to seeing part 2 tomorrow.
I assume that the vector/soc.yaml will be fixed with the next PR.
c8675e0 into 173-honeycluster-with-db-and-pixieconnectors-can-be-deployed-publicly







Added ClickHouse table initialization SQL for ETL pipelines (kubescape, tetragon, http, dns, STIX) via init configuration.
Configured Vector to sink Kubescape and Tetragon data into ClickHouse automatically.
Configured Kubescape and Tetragon STIX ETLs to auto-start in Flask on boot, so data inserted into ClickHouse via Vector is automatically transformed into STIX.
Added Flask endpoints to control Pixie ETL lifecycle (start, stop, status). Implemented ETLs for dns_events and http_events tables from Pixie.
Implemented Pixie STIX transformation and integrated it into the Pixie ETL, allowing Pixie data to be transformed into STIX while storing it in ClickHouse.
Added unit tests for Hive Sentinel, covering Pixie ETL, STIX ETL, and endpoint behavior.
Adjusted GitHub Actions to tag Hive Sentinel images by branch.
Added a Make command to deploy Hive Sentinel to the cluster, allowing direct ClickHouse DB access through cluster DNS without requiring port forwarding.
Added endpoints to fetch and filter the contents of ClickHouse database tables. Currently, it is just to see the content of the database.