uSiem SQlite 存储

uSiem 组件，用于在 sqlite 数据库中存储事件。

实数

日志索引对于大多数用例来说足够快，在调试模式下约为每秒 5000 条日志。没有索引的 1 百万条日志（52 列）大小为 293.3 MB。每列都有索引（非文本列）的 1 百万条日志大小为 517.2 MB。

索引示例

SELECT event_created, event_received,vendor, product, service, category,tenant,tags,origin,`host.hostname`, message, `source.ip`, `user.domain`, `user.name`, `event.outcome`
FROM log_table ORDER BY event_created DESC LIMIT 10;

索引日志示例

let mut comp = SqliteDatastore::new(
    get_default_schema(),
    "./storage_db".to_string(),
    20000,
    5000,
);
let local_chan = comp.local_channel();
let (local_chnl_log_snd, local_chnl_log_rcv) = crossbeam_channel::bounded(1000);
comp.set_log_channel(local_chnl_log_snd.clone(), local_chnl_log_rcv.clone());

std::thread::spawn(move || comp.run());

for _ in 1..100000 {
    let mut log = SiemLog::new(String::from("This is a log example ..............111111111111111111111111222222222222222222222223333333333333333333333"), chrono::Utc::now().timestamp_millis(), SiemIp::V4(0));
    log.set_category(Cow::Borrowed("Authentication"));
    log.set_product(Cow::Borrowed("MagicDevice001"));
    log.set_tenant(Cow::Borrowed("Default"));
    log.set_service(Cow::Borrowed("sshd"));
    log.set_vendor(Cow::Borrowed("MagicDevices"));
    log.set_event(SiemEvent::Auth(AuthEvent {
        hostname: Cow::Borrowed("hostname1"),
        outcome: LoginOutcome::FAIL,
        login_type: AuthLoginType::Remote(RemoteLogin {
            domain: Cow::Borrowed("CNMS"),
            source_address: Cow::Borrowed("10.10.10.10"),
            user_name: Cow::Borrowed("cancamusa"),
        }),
    }));
    let _ = local_chnl_log_snd.send(log);
}
// Stop the component
std::thread::sleep(std::time::Duration::from_secs(10));
let _ = local_chan.send(SiemMessage::Command(
    1,
    1,
    SiemCommandCall::STOP_COMPONENT(Cow::Borrowed("Stop!!")),
));