
Extremely slow ingestion rate for Hygiene and ImportExternal

Open brianyschae opened this issue 1 year ago • 5 comments

Description

The ingestion rate for these two connectors seems very slow, even when providing more resources to the workers (CPU and RAM). Other connectors have no issue and are fast, but these connectors' queues seem to be building up.

Environment

  1. OS (where OpenCTI server runs): docker
  2. OpenCTI version: 5.12.29
  3. OpenCTI client: python
  4. Other environment details:

Reproducible Steps

Steps to create the smallest reproducible scenario: None

Expected Output

Actual Output

Additional information

The listen queue is building up on both connectors, not the push queue.


brianyschae, Feb 14 '24 19:02

@brianyschae It may be worth checking whether Redis is throwing issues:

https://github.com/OpenCTI-Platform/opencti/issues/4936

MaxwellDPS, Feb 15 '24 22:02

We are still chasing the issue. Is there anyone who can give any direction?

We found some logs related to the message queue, for example, "('Connection aborted.', ConnectionResetError(104, 'Connection reset by peer'))" and "message": "ConnectionClosedByBroker", ...

Our suspicion is that our system recently started to ingest an unusual amount of data per day (~500K/d), and the connectors or the feeding system to the connectors are not able to cope with this ingestion volume.

  • Does this suspicion make sense?
  • Does anyone know how scalable these connectors are?

Also,

  • How frequently are these connectors triggered to run? The question is, if a new batch of data is pushed to the queue the next day (while the old data is still being processed), will another trigger create a new instance of the connector?
  • How does the trigger mechanism work?
  • Is it for each observable or for a batch of data?

Sorry for all the questions. We are trying to pinpoint the issue with a clear understanding of the codebase, which is not so familiar to us in our everyday job. So, any direction / diagram / link would be super helpful!

SadiHassan, Feb 21 '24 21:02

Hello,

The hygiene connector is known to be able to handle 1 enrichment / sec. If you need more, please just spawn multiple hygiene connectors with the same ID and same token.

Kind regards, Samuel

SamuelHassine, Feb 22 '24 13:02
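The scaling approach from the answer above, as an added docker-compose sketch that is not part of the original thread or the project's own files: two Hygiene instances share one `CONNECTOR_ID` and one `OPENCTI_TOKEN`, so both consume the same listen queue. The service names, the platform URL and the `ChangeMe_*` placeholders are assumptions; keep the remaining settings as in your existing deployment.

```yaml
# Added example: run several Hygiene enrichment connectors side by side.
# At the quoted 1 enrichment/sec, one instance clears about 86,400 items
# per day, so size the number of instances against your daily volume.
x-hygiene: &hygiene
  image: opencti/connector-hygiene:5.12.29   # match the platform version
  restart: always
  environment:
    - OPENCTI_URL=http://opencti:8080        # assumed internal platform URL
    - OPENCTI_TOKEN=ChangeMe_same_token      # placeholder; identical on every instance
    - CONNECTOR_ID=ChangeMe_same_UUIDv4      # placeholder; identical on every instance
    - CONNECTOR_NAME=Hygiene
    # Keep the scope your current instance already uses.
    - CONNECTOR_SCOPE=IPv4-Addr,IPv6-Addr,Domain-Name,StixFile,Artifact
    - CONNECTOR_AUTO=true
    - CONNECTOR_LOG_LEVEL=error

services:
  # Hypothetical service names; each service is one sequential consumer.
  connector-hygiene-1:
    <<: *hygiene
  connector-hygiene-2:
    <<: *hygiene
```

Because every instance holds the same API token, inject it from a secret store or an env file with restricted permissions rather than committing it in the compose file.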

@SamuelHassine thank you for the answer.

  • Does ImportExternalReference also have the same speed?

In our deployment, adding more pods should do the job I guess. Thank you!

SadiHassan, Feb 22 '24 13:02

Enrichment connectors are doing the work sequentially (not in parallel). ImportExternalReference is downloading a page and generating a PDF. In some cases I think it can be even worse.

We will work on more parallel processing in the upcoming weeks.

SamuelHassine, Feb 22 '24 14:02