
[lambda][rule] processed logs will now be sent immediately to the alert processor #137

Merged: 2 commits into master from ryandeivert-rule-proc-optimization, May 8, 2017

Conversation

@ryandeivert (Contributor) commented May 5, 2017

to @airbnb/streamalert-maintainers
size: medium

changes

  • Refactoring the rule processor so alerts are sent to the alert processor (via sns) as they are processed.
    • Prior to these changes, we would first iterate over all logs and apply the rule logic against them, caching any that matched a rule along the way. We would finally send them to the alert processor (one at a time) after all logs had been processed.
    • These changes will make this all happen sequentially, and any logs that match a rule will get sent as we process (instead of caching and sending at the end).
  • Will log a message every 100 records processed from s3 so we can track progress.
    • Adding some logic that will also try to estimate the number of records in the entire file during processing (we use a generator to avoid reading all the lines multiple times, and getting the exact line count would require reading the entire file twice).
  • Other indirect gains:
    • boto3 client creation now happens when the StreamSink class is instantiated and recycled to avoid continuously re-creating it.
    • the StreamSink class does not cache the alerts list and will send on demand
  • Removing/updating some old code (i.e., things related to staging) that is no longer relevant.
  • Updating tests where applicable
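The send-as-you-go flow described above, as an added illustration that is not StreamAlert's own code: `StreamSink` creates its publish client once and sends each alert on demand (refusing anything over the 256KB SNS message limit), while `process_records` applies rules to each record from a generator, logs progress every 100 records, and estimates the total record count from the bytes seen so far. Assumed here: the class and function names, the injected `publish` callable standing in for a boto3 SNS client, and the constructed sample log lines.

```python
import json
import logging

SNS_MAX_BYTES = 256 * 1024  # SNS message size limit (256KB)

class SNSMessageSizeError(Exception):
    """Raised when a serialized alert exceeds the SNS message size limit."""

class StreamSink:
    """Sends each alert as soon as it is produced; the publish client is created once."""
    def __init__(self, topic_arn, publish):
        # `publish` stands in for boto3's SNS publish() (assumed; injected so this runs offline)
        self.topic_arn = topic_arn
        self._publish = publish
        self.sent = 0

    def sink(self, alert):
        message = json.dumps(alert, separators=(',', ':'))
        if len(message.encode('utf-8')) > SNS_MAX_BYTES:
            logging.error('Cannot publish Alerts, message size is too big!')
            raise SNSMessageSizeError('SNS message size is too big! (Max: 256KB)')
        self._publish(TopicArn=self.topic_arn, Message=message)
        self.sent += 1

def process_records(lines, total_bytes, rules, sink, log_every=100):
    """Apply rules per line from a generator (file read once); send matches immediately."""
    count = bytes_seen = 0
    for count, line in enumerate(lines, start=1):
        bytes_seen += len(line.encode('utf-8')) + 1  # +1 for the newline
        record = json.loads(line)
        for rule in rules:
            if rule(record):
                sink.sink({'rule': rule.__name__, 'record': record})
        if count % log_every == 0:
            # estimate total records from average bytes per record so far
            estimated_total = int(total_bytes * count / bytes_seen)
            logging.info('Processed %d records, ~%d in file', count, estimated_total)
    return count

def failed_login(record):  # constructed rule for the demo
    return record.get('action') == 'login_failed'

# Constructed sample log: 250 JSON lines with a failed login at every 50th record.
LINES = [json.dumps({'id': i, 'action': 'login_failed' if i % 50 == 0 else 'ok'})
         for i in range(250)]

def run_demo():
    published = []  # captures what would have gone to SNS
    sink = StreamSink('arn:sns:placeholder', lambda **kw: published.append(kw))
    processed = process_records(iter(LINES), sum(len(l) + 1 for l in LINES), [failed_login], sink)
    return processed, sink.sent
```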

@ryandeivert ryandeivert force-pushed the ryandeivert-rule-proc-optimization branch from 742599c to 070973b Compare May 5, 2017 23:08
logging.error('Cannot publish Alerts, message size is too big!')
raise SNSMessageSizeError('SNS message size is too big! (Max: 256KB)')

try:

Contributor review comment on the lines above:

can we add SNS tests via moto to verify the messages would send?

@ryandeivert ryandeivert force-pushed the ryandeivert-rule-proc-optimization branch from 26dfd8b to 4c0f850 Compare May 8, 2017 20:14
@jacknagz (Contributor) left a comment:

lgtm-fieri

@ryandeivert ryandeivert merged commit fcd17e8 into master May 8, 2017
@ryandeivert ryandeivert deleted the ryandeivert-rule-proc-optimization branch May 8, 2017 20:18