Monitoring APIs for realtime and historical data #715

Merged
merged 23 commits into from
Sep 26, 2024

Conversation

gsanchietti
Member

@gsanchietti gsanchietti commented Aug 9, 2024

Local reports

Issue #756

Local reports are used to visualize data in real time.
All data are stored in memory, so when the machine is rebooted all historical data get lost.
Also, to minimize disk space usage, some data are aggregated or removed at regular interval.

The following APIs can be used to draw charts and graphs directly inside NethSecurity Web UI.

1. DPI report

APIs are inspired by lightsquid report, see demo

APIs are inside ns.dpireport.

  • List of available days: list-days method
  • Total daily traffic, divided by client, sorted in descending order: summary method, clients field
  • Total daily traffic, divided by destination, sorted in descending order: summary method, host field
  • Total daily traffic, divided by protocol (pie chart): summary method, protocol field
  • Total daily traffic, divided by application (pie chart): summary method, application field
  • Chart of total traffic by hour: summary method, hours field
  • For each client/day:
    • Total daily traffic: summary-by-client method, total field
    • Total daily traffic by application: summary-by-client method, application field
    • Total daily traffic by protocol: summary-by-client method, protocol field
    • List of visited hosts: summary-by-client method, host field
    • Traffic by hour: summary-by-client method, hour field

2. Malware: threat shield IP

API named tsip-malware-report inside ns.report.

Only current day data (if available):

  • Total number of blocked packets for the day: malware_count field
  • Number of blocked packets per hour: malware_by_hour field
  • Pie chart: malware by direction (in/out): malware_by_chain field
  • Pie chart: malware by category: malware_by_category field

3. Threats: threat shield IP (fail2ban behavior)

API available inside ns.report, named tsip-attack-report

Only current day data, if available

  • Number of blocked IPs per day: attack_count field
  • List of most blocked IPs: attack_by_ip field
  • Graph of blocked IPs per hour: attack_by_hour field

4. Multiwan

API available inside ns.report, named mwan-report

Only current day data, if available:

  • Number of online/offline events today: total_online and total_offline fields
  • Scatter plot with online/offline events per WAN: events_by_wan field

APIs available inside ns.report, the API is named mwan-report.

5. OpenVPN Road Warrior

APIs available inside ns.report.

Data are read from a sqlite database that is reset only after a reboot.

  • List of available days: ovpnrw-list-days method
  • List of connected clients per day: ovpnrw-clients-by-day method
  • Number of connected clients per hour: ovpnrw-count-clients-by-hour method
  • Total client traffic per hour: ovpnrw-bytes-by-hour method
  • Traffic per client per hour: ovpnrw-bytes-by-hour-and-user method

Remote reports

Issue #754

Remote reports are implemented inside a NethSecurity Controller.
Data are permanently stored inside a non-volatile database.

See server implementation NethServer/nethsecurity-controller#38

A unit connected to a controller will send all data to the controller every 15 minutes.

The following APIs have been designed to be called from a cron job; the result must be sent to the controller.
New APIs are implemented inside ns.controller:

  • dump-ts-malware
  • dump-ts-attacks
  • dump-mwan-events
  • dump-dpi-stats
  • dump-openvpn-connections

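The report fields above only cover the current day, so the hourly lists are sparse (hours not yet reached are absent). The helper below, an added example and not code from the nethsecurity repository, zero-fills the `malware_by_hour` / `attack_by_hour` series to 24 points, checks that the hourly breakdown adds up to the daily total, and sorts the pie-chart fields. The field names come from the PR description; the exact JSON shape of each field (`[label, count]` pairs) and the sample data are assumptions.

```python
"""Normalise ns.report payloads (tsip-malware-report, tsip-attack-report) for charting.

Added example, not part of the nethsecurity project. Field names follow the PR
description; the list-of-pairs shape and the sample values are assumptions.
"""
from typing import Any, Optional

HOURS = [f"{h:02d}" for h in range(24)]

# Constructed sample: a tsip-malware-report result taken mid-afternoon.
# Hours 16..23 have not happened yet, so they are simply missing.
SAMPLE_MALWARE: dict[str, Any] = {
    "malware_count": 7,
    "malware_by_hour": [["09", 2], ["13", 4], ["15", 1]],
    "malware_by_chain": [["inp_wan", 5], ["fwd_wan", 2]],      # direction in/out (assumed labels)
    "malware_by_category": [["spamhaus", 6], ["abuse", 1]],  # assumed category names
}


def hourly_series(by_hour: Optional[list]) -> list[int]:
    """Expand a sparse [hour, count] list into 24 zero-filled points for a bar chart."""
    counts = {str(h).zfill(2): int(n) for h, n in (by_hour or [])}
    return [counts.get(h, 0) for h in HOURS]


def totals_consistent(report: Optional[dict], total_key: str, by_hour_key: str) -> bool:
    """True when the hourly breakdown sums to the daily total (or there is no data yet)."""
    if not report:  # API returned nothing for the current day
        return True
    return sum(hourly_series(report.get(by_hour_key))) == int(report.get(total_key, 0))


def pie_series(pairs: Optional[list], top: int = 5) -> list[tuple[str, int]]:
    """Sort [label, value] pairs descending and fold everything past `top` into 'other'."""
    ordered = sorted(((str(k), int(v)) for k, v in (pairs or [])), key=lambda kv: -kv[1])
    head, tail = ordered[:top], ordered[top:]
    if tail:
        head.append(("other", sum(v for _, v in tail)))
    return head


def malware_chart_data(report: Optional[dict]) -> Optional[dict]:
    """Build the series a dashboard needs from one tsip-malware-report result."""
    if not report:
        return None
    return {
        "total": int(report.get("malware_count", 0)),
        "by_hour": hourly_series(report.get("malware_by_hour")),
        "by_direction": pie_series(report.get("malware_by_chain")),
        "by_category": pie_series(report.get("malware_by_category")),
    }
```

The same `hourly_series` and `pie_series` helpers apply unchanged to `attack_by_hour` and `attack_by_ip` from tsip-attack-report.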
@gsanchietti gsanchietti marked this pull request as draft August 9, 2024 14:00
@gsanchietti gsanchietti self-assigned this Aug 9, 2024
@gsanchietti gsanchietti changed the title Reports API (prototype) Reports APIs Aug 21, 2024
@gsanchietti gsanchietti added this to the NethSecurity 8.3 milestone Aug 21, 2024
@gsanchietti gsanchietti changed the title Reports APIs Reports client APIs Aug 21, 2024
@gsanchietti gsanchietti changed the title Reports client APIs Monitorin client APIs Sep 4, 2024
@gsanchietti gsanchietti changed the title Monitorin client APIs Monitoring client APIs Sep 9, 2024
@gsanchietti gsanchietti marked this pull request as ready for review September 16, 2024 07:08
@gsanchietti gsanchietti changed the title Monitoring client APIs Monitoring APIs: realtime and for controller Sep 24, 2024
@gsanchietti gsanchietti changed the title Monitoring APIs: realtime and for controller Monitoring APIs for realtime and historical data Sep 24, 2024
gsanchietti and others added 22 commits September 26, 2024 10:17
The same info is contained inside summary-by-client API
The script will be executed every x minutes by a cronjob
Sometimes the dpireport daemon can die without writing anything
inside the /var/log/messages.
Try to avoid this issue by restarting the threads if an
unhandled exception occurs: the exception is now
printed to syslog; this should help during troubleshooting
The new format was breaking dashboard charts.
Dump OpenVPN Road Warrior and Tunnel configuration
Push limited OpenVPN and WAN configuration:
data can be used to improve existing dashboards
Search for "add IP" instead of "suspicious IP" inside the logs.
Search for "add IP" instead of "suspicious IP" inside the logs.
Co-authored-by: Andrea Leardini <[email protected]>
@gsanchietti gsanchietti merged commit aa3b426 into main Sep 26, 2024
1 check passed
@gsanchietti gsanchietti deleted the report branch September 26, 2024 13:04