cea-sec / openwec

An implementation of a Windows Event Collector server running on GNU/Linux.
GNU General Public License v3.0

Add observability metrics to OpenWEC server #189

Open vruello opened 2 hours ago

vruello commented 2 hours ago

Observability metrics need to be produced and exposed by the OpenWEC server.

Which metrics?

I think the following metrics would be interesting to have:

From a developer's point of view, it would also be interesting to optionally add more timing metrics, for example to measure the amount of time spent in parts of the code. For example, when we receive a batch of events, it would be interesting to know how much time we spend decrypting, decompressing, parsing XML, formatting events, writing formatted events to each output, generating the response and encrypting the response.

Feel free to suggest other metrics!

Which protocol/format?

There are multiple ways to expose/transmit metrics. After a brief state of the art, I think we need to choose between:

Both have pros and cons:

Which library?

I'm currently working on a prototype with prometheus_client where the OpenWEC server would expose an HTTP server dedicated to metrics (different listening addr/port).
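An added illustration, not part of the issue and not OpenWEC code: a standard-library-only Rust sketch of the per-stage timing idea, recording how long each processing stage takes into cumulative histogram buckets and rendering them in the Prometheus text exposition format. It does not use the prometheus_client crate; the metric name, the `stage` label, the bucket bounds and the sample values are assumptions made for the example.

```rust
use std::collections::BTreeMap;
use std::time::{Duration, Instant};

// Bucket upper bounds in seconds (constructed values, not OpenWEC's).
const BUCKETS: [f64; 4] = [0.001, 0.01, 0.1, 1.0];
const NAME: &str = "openwec_stage_duration_seconds"; // hypothetical metric name
#[derive(Default)]
struct Histogram { counts: [u64; 4], sum: f64, count: u64 }
/// One histogram per processing stage, keyed by the `stage` label value.
#[derive(Default)]
pub struct StageTimings { stages: BTreeMap<&'static str, Histogram> }
impl StageTimings {
    pub fn observe(&mut self, stage: &'static str, d: Duration) {
        let secs = d.as_secs_f64();
        let h = self.stages.entry(stage).or_default();
        // Buckets are cumulative: count the value in every bucket whose bound covers it.
        for (i, le) in BUCKETS.iter().enumerate() {
            if secs <= *le { h.counts[i] += 1; }
        }
        h.sum += secs;
        h.count += 1;
    }
    /// Run `f`, record its wall-clock duration under `stage`, return its result.
    pub fn time<T>(&mut self, stage: &'static str, f: impl FnOnce() -> T) -> T {
        let start = Instant::now();
        let out = f();
        self.observe(stage, start.elapsed());
        out
    }
    /// Render all stages in the Prometheus text exposition format.
    pub fn render(&self) -> String {
        let mut s = format!("# TYPE {} histogram\n", NAME);
        for (stage, h) in &self.stages {
            for (i, le) in BUCKETS.iter().enumerate() {
                s += &format!("{}_bucket{{stage=\"{}\",le=\"{}\"}} {}\n", NAME, stage, le, h.counts[i]);
            }
            s += &format!("{}_bucket{{stage=\"{}\",le=\"+Inf\"}} {}\n", NAME, stage, h.count);
            s += &format!("{}_sum{{stage=\"{}\"}} {}\n", NAME, stage, h.sum);
            s += &format!("{}_count{{stage=\"{}\"}} {}\n", NAME, stage, h.count);
        }
        s
    }
}

fn main() {
    let mut t = StageTimings::default();
    let n = t.time("parse_xml", || "<Event/>".len()); // stand-in for real work
    println!("parsed {} bytes\n{}", n, t.render());
}
```

Keeping the `stage` label to a fixed set of stage names bounds the number of time series the endpoint exposes.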

tarokkk commented 2 hours ago

Prometheus (I'm not sure about the Rust client) also supports a push-based model via remote_write.