Switching to message queuing system for output
There is a potential performance issue there because, the building the alert message trigger the locking of ressources like flow. It will thus be interesting to switch:
- to asynchrounous I/O operation OR
- to a message queuing system where an alert structure build from a copy of information is sent to the output modules.
Updated by James Mistry over 6 years ago
I'm interested in this as a way of using Suricata as a pre-filter for traffic/parse results to be passed to external software components - that are very loosely-coupled with Suricata - for more advanced/complex analysis in real-time.
Some things that would make this feature work well for this use case:
- Messages are serialised to a format that supports explicit/formal schemas, ideally that can be evolved in a backwards-compatible way. For example, Apache Avro or Protobufs.
- Output flow/packet parse results with alerts, as well as raw packet/session data, in a way that is cheap to de-serialise (e.g. avoid Base64).
- Control topics associated with messages within the signature.
I'm happy to have this feature assigned to me if that helps.
Updated by Victor Julien over 5 years ago
- Status changed from Assigned to New
- Assignee changed from Eric Leblond to Anonymous
- Target version changed from 70 to TBD
- Effort set to medium
- Difficulty set to high
Setting difficulty to high as this could severely impact perf if done wrong.
Updated by Jason Ish about 4 years ago
I propose we close/reject this issue as its something we often agree is not to be part of Suricata. Our queue is the disk, or the socket or named pipe (and whatever is at the end of that). And we have other issues to address specific performance issues of the logging output.