Szasza
commented
3 months ago Hi @seanthegeek ,
I use Grafana together with OpenSearch.
-
With regards to the fork between ES and OS, right now the differences are not major. The query language, the API for search/ingestion/management, and the connection protocols are the same. The differences, if any, are usually around ES' paid features, which are not of concern for
parsedmarcat the moment. -
The bigger issue however is that Kibana and OpenSearch Dashboard are heading in the direction of being two entirely different tools. Although both support the Lucene Query Language, both Kibana and OpenSearch Dashboard have their own additional query languages by now. Also although the migration from one to another seems to be easy on the surface, the devil is in the details of the individual panels. Not to mention the differences between the individual Kibana versions.
-
As for updating Grafana, it shouldn't take too long based on the above. An interesting question however is the supported Grafana version(s). In v9 the pie chart and the world map panels (visualisations) have been replaced with a new piechart and geomap panels which require a different config compared to v8. The graph panel has also been upgraded. As some providers, such as AWS allow both v8 and v9 to be used in Amazon Managed Grafana, both versions' maintenance may be needed.
Now to the maintenance of the various dashboards. As there are a variety of visualisation and data store solutions and versions, it may worth putting together some automated tests using the different containers (OS, Grafana, ES, Kibana, Kafka, whatnot). The charts can be verified using headless Firefox and Playwright - taking screenshots and comparing them to golden images.
Last but not least, changing source_Base_domain to source_base_domain won't break OS/ES backward compatibility as they convert everything to lowercase. You can check that by getting an OpenSearch environment up and running, for example from https://github.com/Szasza/dmarc-visualizer-opensearch.
seanthegeek
When I initially built
parsedmarcI pushed the parsed DMARC data to Elasticsearch and visualized it with Kibana and visualized it with Kibana both as a proof of concept and as a way to keep the entire solution open source. Later on, Graphana dashboards were added, but those haven't been updated in 2 years.These days, I'm pushing the results to Splunk and using Splunk dashboards to visualize the results. I've made some improvements to the Splunk dashboards recently, but I don't have an ELK or OpenSearch instance to maintain the other dashboard solutions.
The changes I've made include:
dkim_alignedfiled from theDKIM alignment detailsdashboard widget, becausedkim_alignedrefers to the email as a whole, not that particular row, which can lead to some confusionSPF alignment detailswidget toSPF detailsDKIM alignment detailswidget toDKIM detailsMessage sources by name and typewidget, which counts messages by the newly addedsource_nameandsource_typefieldsauthentication_resultsfield to theForensic Samplesdashboard widgetI'd like to keep all of the dashboards up to parity, but I'm not sure what's the best way to do that. My understanding is that OpenSearch is a fork of ELK before undesirable licensing changes were made. Newer versions of ELK won't allow forked clients to connect. I'm wondering:
parsedmarcdashboards for Kibana were made long before the fork, can they still be used by both OpenSearch Dashboards and modern releases of Kibana?Also, after all this time, I just noticed that the
source_Base_domainfield in theelasticandopensearchmodules forparsedmarcshould have been namedsource_base_domainto match every other field, which is all lowercase. I'm guessing changing that now would break backwards compatibility, right?https://github.com/domainaware/parsedmarc/blob/master/parsedmarc/elastic.py#L63C32-L64C5
https://github.com/domainaware/parsedmarc/blob/master/parsedmarc/opensearch.py#L62
@Szasza I'm hoping you can answer some of these questions since you contributed the
opensearchmodule.