[IntelMQ-dev] Speed dumping events in bots

Kamil Mankowski mankowski at cert.at
Wed May 17 10:48:43 CEST 2023


Great, thanks for the use case explanation

Best regards,
Kamil Mankowski
CERT.at GmbH
www.cert.at

On 5/17/23 08:25, Mika Silander wrote:
> Hi Kamil, Aaron, all,
> 
>   Thanks for your comments. Of all suggestions, I'll try setting the error_max_retries first. At the moment I don't know the future proportion of events needing immediate dumping vs. those that merit a retry. However, if it turns out dumping is the most common case, setting the error_max_retries will suffice.
> 
>   The background motivation here is that those cases dumped immediately are in our setup a sign of missing bot configuration information or a flawed bot configuration. Once the configuration is fixed, we may push the dumped events again through the bot using intelmqdump, and the bot should be able to process the events without problems. I hope Kamil this answers your question below.
> 
> Br, Mika
> 
> ----- Original Message -----
> From: "Kamil Mankowski via IntelMQ-dev" <intelmq-dev at lists.cert.at>
> To: "intelmq-dev" <intelmq-dev at lists.cert.at>
> Sent: Tuesday, 16 May, 2023 16:27:51
> Subject: Re: [IntelMQ-dev] Speed dumping events in bots
> 
> Hi,
> 
> I'm not aware of any way to just dump the message after the first issue.
> You could implement this feature - this would be just a change in
> intelmq.lib.bot. I'd suggest implementing a config option for how the
> library should behave, and then keep the current flow as default.
> 
> However, do you need retries after dumping the message? If not, then
> 'error_max_retries' should be set to 1 for the bot you require. But it
> would disable the retries for the given bot.
> 
> Best regards,
> Kamil Mankowski
> CERT.at GmbH
> www.cert.at
> 
> On 5/15/23 11:40, Mika Silander wrote:
>> Hi again,
>>
>>    Afaik, if handling an event fails in a bot, the default behaviour of a bot is to sleep 15 seconds and then retry processing. If the retry fails, the bot dumps the event and picks the next event from the inqueue. We have a bot where it would be desirable to change this default behaviour so that the dump is done immediately on the first failure. Is there a way to configure a single bot to behave differently from other bots as described? Or will a change in configuration affect the entire bot net?
>>
>>    If there's no easy way of configuring this, I guess technically I could implement exceptions to be thrown in those situations where quick dumping is desired and then call the _dump_message(?) method. However, I would prefer to modify as few bots of the official distribution as possible.
>>
>>    Comments, pointers to docs, sources or the like are most welcome.
>>
>> Br, Mika
>> _______________________________________________
>> IntelMQ-dev mailing list
>> https://lists.cert.at/cgi-bin/mailman/listinfo/intelmq-dev
>> https://intelmq.readthedocs.io/
> 
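The two options discussed in this thread (setting error_max_retries to 1 for one bot, versus a new option in intelmq.lib.bot that dumps immediately on a configuration error while keeping the current retry flow as default) can be compared side by side. The block below is an added example written for this archive page; it is not the code of intelmq.lib.bot nor anything Mika or Kamil posted. The parameter names error_max_retries, error_retry_delay and error_dump_message are real IntelMQ bot parameters, but the counting rule used here (error_max_retries is the total number of attempts before a dump) is an assumption of this model and should be checked against the intelmq.lib.bot source; ConfigurationError and dump_config_errors_immediately are hypothetical names, and the sample queue and processor are constructed.

```python
"""Model of an IntelMQ-style bot error loop: retry a failed message,
sleeping error_retry_delay between attempts, then dump it.
Constructed illustration; not the code of intelmq.lib.bot."""
from collections import deque
from dataclasses import dataclass, field
from typing import Callable, List, Tuple


class ConfigurationError(Exception):
    """Hypothetical marker: the bot's own configuration is missing or
    wrong, so retrying the same message cannot succeed."""


@dataclass
class BotSettings:
    # The three names below are real IntelMQ bot parameters; the counting
    # rule used here (total attempts before dumping) is this model's
    # assumption and must be checked against intelmq.lib.bot.
    error_max_retries: int = 3
    error_retry_delay: float = 15.0
    error_dump_message: bool = True
    # Hypothetical option for the feature discussed in the thread: dump on
    # the first failure when the error is a ConfigurationError, and keep the
    # current retry flow for everything else.
    dump_config_errors_immediately: bool = False


@dataclass
class BotRun:
    settings: BotSettings
    process: Callable[[str], str]
    sleeps: List[float] = field(default_factory=list)  # recorded instead of time.sleep
    processed: List[str] = field(default_factory=list)
    dumped: List[Tuple[str, str, int]] = field(default_factory=list)

    def run(self, inqueue) -> None:
        queue = deque(inqueue)
        while queue:
            message = queue.popleft()
            attempts = 0
            while True:
                attempts += 1
                try:
                    self.processed.append(self.process(message))
                    break
                except Exception as exc:
                    fail_fast = (self.settings.dump_config_errors_immediately
                                 and isinstance(exc, ConfigurationError))
                    if fail_fast or attempts >= self.settings.error_max_retries:
                        if self.settings.error_dump_message:
                            # (message, error type, attempts) stands in for the dump file
                            self.dumped.append((message, type(exc).__name__, attempts))
                        break
                    self.sleeps.append(self.settings.error_retry_delay)


def make_processor() -> Callable[[str], str]:
    """Constructed sample bot: 'flaky' fails once with a transient error
    worth a retry; 'unconfigured' always fails with a ConfigurationError."""
    seen = {}

    def process(message: str) -> str:
        seen[message] = seen.get(message, 0) + 1
        if message == "unconfigured":
            raise ConfigurationError("missing lookup table for this feed")
        if message == "flaky" and seen[message] == 1:
            raise ConnectionError("temporary backend outage")
        return message.upper()

    return process


SAMPLE_QUEUE = ["ok", "flaky", "unconfigured"]  # constructed input queue


def run_with(settings: BotSettings) -> BotRun:
    run = BotRun(settings=settings, process=make_processor())
    run.run(SAMPLE_QUEUE)
    return run


if __name__ == "__main__":
    scenarios = [
        ("default", BotSettings()),
        ("error_max_retries=1", BotSettings(error_max_retries=1)),
        ("fail-fast on config errors", BotSettings(dump_config_errors_immediately=True)),
    ]
    for label, settings in scenarios:
        r = run_with(settings)
        print(f"{label}: processed={r.processed} dumped={r.dumped} sleeps={len(r.sleeps)}")
```

Running the three scenarios shows Kamil's caveat concretely: with error_max_retries set to 1 the transient failure on 'flaky' is dumped alongside the configuration error, so the bot loses retries for errors that would have cleared on the second attempt. The per-error-type option keeps that retry while still dumping 'unconfigured' on the first attempt without sleeping, which is the case Mika describes re-injecting later with intelmqdump once the configuration is fixed.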