11<p align =" center " >
2- <img src =' https://user-images.githubusercontent.com/379404/29615818-4b80a2fc-87dd -11e7-854f-b80b345580b8 .png ' width =400/ >
2+ <img src =' https://user-images.githubusercontent.com/379404/30030273-940a4d4e-915a -11e7-89be-f0c2e066ecf8 .png ' width =400/ >
33</p >
44
55<p align =" center " >
6- Cistern is a network flow collector.
6+ Cistern is an event aggregation and indexing system. Cistern consumes VPC Flow Logs and JSON events
7+ from AWS CloudWatch Logs and exposes a SQL-like querying interface.
78</p >
89
910![ experimental] ( https://img.shields.io/badge/status-experimental-orange.svg )
@@ -15,175 +16,14 @@ Cistern is a network flow collector.
1516
1617* CloudWatch Logs
1718 * VPC Flow Logs
19+ * JSON CloudWatch Logs events
1820
1921Coming soon:
20- * JSON CloudWatch Logs events
2122* sFlow v5
2223
23- ## Getting started
24+ ## Documentation
2425
25- Cistern has no external dependencies.
26-
27- ```
28- Usage of ./cistern:
29- -api-addr string
30- API listen address (default "localhost:2020")
31- -config string
32- Path to config file (default "./cistern.json")
33- -data-dir string
34- Data directory (default "./data/")
35- ```
36-
37-
38-
39- #### Config file
40-
41- The config file has two main options:
42-
43- * cloudwatch_logs: A list of CloudWatch Logs log groups to consume. See [ VPC Flow Logs] ( #vpc-flow-logs ) for more details.
44- * retention: The retention of events in days.
45-
46- ``` json
47- {
48- "cloudwatch_logs" : [],
49- "retention" : 3
50- }
51- ```
52-
53- ### VPC Flow Logs
54-
55- You can specify the flow log groups to consume in the config file.
56- In the ` cloudwatch_logs ` section, add an object for each log group
57- with the name and ` flowlog: true ` .
58-
59- ** Example**
60-
61- ``` json
62- {
63- "cloudwatch_logs" : [
64- {
65- "name" : " flowlogs"
66- "flowlog" : true
67- }
68- ],
69- "retention" : 3
70- }
71- ```
72-
73- #### Credentials
74-
75- Cistern will try to use AWS credentials from the following locations:
76-
77- * The environment variables (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY)
78- * The Shared Credentials file (~ /.aws/credentials)
79- * EC2 Instance Role Credentials
80-
81- To specify the region, set the AWS_REGION environment variable.
82-
83- ## Querying
84-
85- You can query Cistern using the API or the CLI, which uses the API.
86- Most of the logic is built into the API, so it's not a bad idea to
87- learn how the API works in order to make sense of the CLI.
88-
89- ### API
90-
91- ** POST /collections/: collection /compact**
92-
93- This endpoint enforces the retention policy for the collection.
94-
95- ** POST /collections/: collection /query**
96-
97- This endpoint queries events within a collection.
98-
99- The query endpoint accepts a ** Query** object, which has the following
100- syntax:
101-
102- ``` js
103- Query: {
104- /* All of the following are optional. */
105- " time_range" : TimeRange
106- " columns" : []Column
107- " group_by" : []string
108- " filters" : []Filter
109- " point_size" : integer
110- " order_by" : []string
111- " limit" : integer
112- " descending" : bool
113- }
114-
115- TimeRange : {
116- " start" : string
117- " end" : string
118- }
119-
120- Column: {
121- " name" : string
122- " aggregate" : string
123- }
124-
125- Filter: {
126- " column" : string
127- " condition" : string
128- " value" : *
129- }
130- ```
131-
132- #### Filters
133-
134- Filters are applied as the first stage of query execution. A filter requires
135- a column name, a condition, and a value for the condition. The supported
136- conditions are:
137-
138- * ** eq** : equal
139- * ** neq** : not equal
140-
141- If multiple filters are specified, they are applied in an "AND" condition.
142-
143- #### Generating time series
144-
145- Time series can be generated by providing a nonzero ` point_size ` . This will
146- automatically group events by time ranges determined by the provided point size.
147-
148- ### CLI
149-
150- ```
151- Usage of ./cistern-cli:
152- -address string
153- Cistern node address (default "http://localhost:2020")
154- -collection string
155- Collection to query
156- -columns string
157- Comma-separated list of columns to aggregate.
158- Example: 'sum(bytes), sum(packets)'
159- -descending
160- Sort in descending order.
161- -end int
162- End Unix timestamp
163- -filters string
164- Comma-separated list of filters.
165- Filters have the format '<column> <condition> <value>'.
166- Possible conditions are [eq,neq].
167- Values have to be valid JSON values.
168- Example: 'dest_address neq "172.31.31.192" , packets eq 3'
169- -group string
170- Comma-separated list of fields to group by.
171- Example: 'source_address, dest_address'
172- -limit int
173- Maximum number of events to return.
174- -order-by string
175- Comma-separated list of columns to order by.
176- Providing multiple columns means the results are ordered
177- by the first column, then the next, etc.
178- -point-size duration
179- Point size of time series. 0 means series will not be generated.
180- -start int
181- Start Unix timestamp
182- -version
183- Show version and exit.
184- ```
185-
186- The CLI prints the output of the API response in JSON format.
26+ The official documentation is available on the [ Cistern website] ( https://cistern.github.io/docs/ ) .
18727
18828## License
18929
0 commit comments