tenzir VS vector

Compare tenzir and vector and see how they differ.

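| | tenzir | vector |
|---|---|---|
| Mentions | 15 | 97 |
| Stars | 615 | 16,610 |
| Growth | 1.5% | 2.1% |
| Activity | 10.0 | 9.9 |
| Last commit | 5 days ago | 5 days ago |
| Language | C++ | Rust |
| License | BSD 3-clause "New" or "Revised" License | Mozilla Public License 2.0 |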
The number of mentions indicates the total number of mentions that we've tracked plus the number of user suggested alternatives.
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.

tenzir

Posts with mentions or reviews of tenzir. We have used some of these posts to build our list of alternatives and similar projects. The last one was on 2024-03-17.
  • Vector: A high-performance observability data pipeline
    5 projects | news.ycombinator.com | 17 Mar 2024
    We're building something similar at Tenzir, but more for operational security workloads. https://docs.tenzir.com

    Differences to Vector:

    - An agent has optional indexed storage, so you can store your data there and pick it up later. The storage is based on Apache Feather, Parquet's little brother.

    - Pipeline operators work with both data frames (Arrow record batches) and chunks of bytes.

    - Structured pipelines are multi-schema, i.e., a single pipeline can process streams of record batches with different schemas.

  • Ask HN: Who is hiring? (March 2024)
    12 projects | news.ycombinator.com | 1 Mar 2024
    Tenzir | Remote (EU) or Hamburg, Germany | open-core | Full-time | https://tenzir.com

    Tenzir is hiring several key engineering roles to meet the needs in expanding the team. Our product: security data pipelines. From the data side, think of it as an Arrow-native, multi-schema ETL tool that offers optional storage in Parquet/Feather. From the security perspective, think of it as a solution for collecting, parsing, transforming, aggregating, and routing data. We typically sit between the data sources (endpoint, network, cloud) and sinks (SIEM, data lake).

    Our open-source execution engine is C++20 (https://github.com/tenzir/tenzir), our platform is SvelteKit and TypeScript. Experience with data-first frontend apps is a great plus. Open positions at https://tenzir.jobs.personio.de:

        - Fullstack Engineer
  • Pql, a pipelined query language that compiles to SQL (written in Go)
    6 projects | news.ycombinator.com | 28 Feb 2024
    We're in the middle of getting TQL v2 [] out of the door with support for expressions and more advanced control flow, e.g., match-case statements. There's a blog post [#] about the core design of the engine as well.

    While it's a general-purpose ETL tool, we're primarily targeting operational security use cases where people today use Splunk, Sentinel/ADX, Elastic, etc. So some operators are very security'ish, like Sigma, YARA, or Velociraptor.

    [] https://github.com/tenzir/tenzir/blob/64ef997d736e9416e859bf...

    [#] https://docs.tenzir.com/blog/five-design-principles-for-buil...

  • Cisco Acquires Splunk
    5 projects | news.ycombinator.com | 21 Sep 2023
    Hey, founder of Tenzir [1] here — We are building an open-core pipeline-first security data engine that can massively reduce your Splunk costs. Even though we go to market "mid stream" we have a few users that use us as light-weight SIEM (or more accurately, just plain log management).

    We are still in early access to browse through our docs or swing by our Discord.

    [1] https://tenzir.com | https://docs.tenzir.com

  • VAST 3.1 open-source security data pipelines released
    1 project | /r/cybersecurity | 16 May 2023
    Download VAST v3.1 here: https://github.com/tenzir/vast/releases/tag/v3.1.0
  • C++ Jobs - Q2 2022
    4 projects | /r/cpp | 3 Apr 2022
    Tenzir is a funded seed-stage startup that builds a next generation data-plane for plug-and-play security operations. Our mission is to empower defenders with an open data engineering platform to perform data-driven investigations through a combination of best-of-breed solutions. Our stack consists of the high-performance C++20 telemetry engine VAST, a Rust API, and a ReasonML-based frontend.
  • Parallel Grouped Aggregation in DuckDB
    2 projects | news.ycombinator.com | 7 Mar 2022
    I had a chat with Hannes, the DuckDB co-founder, a few weeks ago. They are building awesome stuff to become the "SQLite of OLAP". The team comes with a strong academic background and is tuned into the data engineering world.

    At Tenzir, we looked at DuckDB as an embeddable backend engine to do the heavy lifting of query execution of our engine [1]. Our idea is throwing over a set of Parquet files, along with a query; initially SQL but perhaps soon Substrait [2] if it picks up.

    We also experiment with a cloud deployment [3] where a different set of I/O paths may warrant a different backend engine. Right now, we're working on a serverless approach leveraging Datafusion (and depending on maturity, Ballista at some point).

    My hunch is that we will see more pluggability in this space moving forward. It's not only meaningful from an open-core business model perspective, but also pays dividends to the UX. The company that's solving a domain problem (for us: security operations center infrastructure) can leverage a high-bandwidth drop-in engine and only needs to wire it properly. This requires much fewer data engineers than building a poor man's version of the same in-house.

    We also have the R use case, e.g., to write reports in Rmarkdown that crunch some customer security telemetry, highlighting outliers or other noteworthy events. We're not there yet, but with the right query backend, I would expect to get this almost for free. We're close to being ready to use Arrow Flight for interop, but it's not zero-copy. DuckDB has demonstrated the zero-copy approach recently [4], going through the C API. (The story is also relevant when doing s/R/Python/, FWIW.)

    [1] https://github.com/tenzir/vast

  • C++ Jobs - Q4 2021
    4 projects | /r/cpp | 2 Oct 2021
    To this end, we build the high-performance telemetry engine VAST, which at its core, ingests hundreds of thousands of events per second from high-volume data sources (such as network telemetry as NetFlow, Zeek, Suricata, and endpoint telemetry from various agents). To the user, VAST offers low-latency access through various APIs, and in particular Apache Arrow for high-bandwidth data sharing with downstream tooling. A flexible plugin API enables additional security-specific use cases on top, such as realtime matching of threat intelligence or mining of asset data for passive inventorization.
  • Ask HN: Who is hiring? (October 2021)
    27 projects | news.ycombinator.com | 1 Oct 2021
    Tenzir | C++, ReasonML, Rust, Python | Remote | Open-source | Full-time | https://tenzir.com

    Tenzir is a funded seed-stage startup that builds a next generation data-plane for plug-and-play security operations. Our mission is to empower defenders with an open platform to perform automated data-driven investigations through a combination of best-of-breed solutions. Our stack consists of the high-performance C++ database VAST (https://github.com/tenzir/vast), a Rust API, and a ReasonML-based frontend.

    Our open engineering positions include:

    - Database: https://tenzir.com/career/backend-engineer/

    - DevOps: https://tenzir.com/career/devops-platform-engineer/

    - Frontend: https://tenzir.com/career/frontend-engineer/

    We are based out of Hamburg, Germany, but cultivate an agile remote-first mindset. If you live in the region and look for a System Administrator, we’d love to hear from you!

    For any questions, feel free to reach out to us at [email protected].

  • Hiring: ReasonML Frontend Engineer - Remote EU
    1 project | /r/reasonml | 7 Sep 2021
    We at Tenzir (https://tenzir.com/) are an early-stage startup that builds a next generation data-plane for modern Security Operations Centers. We are looking for a frontend engineer to help us enhance the web interface to VAST (our open-core telemetry engine, https://github.com/tenzir/vast). In our stack, we use C++ for VAST, Rust and ReasonML (compiled to JS) in our API-Layer, and ReasonML on the frontend. Our website is written in ReasonML with the help of Gatsby. Our team cultivates a mindset of strong typing and functional programming, practiced end-to-end across the entire stack. We're a remote-first company, scattered across Europe. Ideally looking for someone within (+ / -) 4hrs timezone.

vector

Posts with mentions or reviews of vector. We have used some of these posts to build our list of alternatives and similar projects. The last one was on 2024-04-19.
  • What is a low/reasonable cost solution for service log storage and querying?
    1 project | news.ycombinator.com | 5 May 2024
    I am thinking about using https://vector.dev/ but would also love opinions on the best deal for lower or reasonable cost storage/querying of logs. Thanks!
  • Docker Log Observability: Analyzing Container Logs in HashiCorp Nomad with Vector, Loki, and Grafana
    2 projects | dev.to | 19 Apr 2024
    job "vector" {
      datacenters = ["dc1"]
      # system job, runs on all nodes
      type = "system"
      group "vector" {
        count = 1
        network {
          port "api" {
            to = 8686
          }
        }
        ephemeral_disk {
          size   = 500
          sticky = true
        }
        task "vector" {
          driver = "docker"
          config {
            image   = "timberio/vector:0.30.0-debian"
            ports   = ["api"]
            volumes = ["/var/run/docker.sock:/var/run/docker.sock"]
          }
          env {
            VECTOR_CONFIG          = "local/vector.toml"
            VECTOR_REQUIRE_HEALTHY = "false"
          }
          resources {
            cpu    = 100 # 100 MHz
            memory = 100 # 100MB
          }
          # template with Vector's configuration
          template {
            destination   = "local/vector.toml"
            change_mode   = "signal"
            change_signal = "SIGHUP"
            # overriding the delimiters to [[ ]] to avoid conflicts with Vector's native templating, which also uses {{ }}
            left_delimiter  = "[["
            right_delimiter = "]]"
            data=<
  • FLaNK AI Weekly 18 March 2024
    39 projects | dev.to | 18 Mar 2024
  • Vector: A high-performance observability data pipeline
    5 projects | news.ycombinator.com | 17 Mar 2024
  • Hacks to reduce cloud spend
    1 project | /r/sre | 6 Dec 2023
    we are doing something similar with OTEL but we are looking at using https://vector.dev/
  • About reading logs
    2 projects | /r/sysadmin | 28 Sep 2023
    We don't pull logs, we forward logs to a centralized logging service.
  • Self hosted log parser
    4 projects | /r/selfhosted | 20 Jun 2023
    opensearch - amazon fork of Elasticsearch https://opensearch.org/docs/latest if you do this and have distributed log sources you'd use logstash for, bin off logstash and use vector (https://vector.dev/), it's better out of the box for SaaS stuff.
  • creating a centralized syslog server with elastic search
    1 project | /r/elasticsearch | 14 Jun 2023
    I have done something similar in the past: you can send the logs through a centralized syslog server (I suggest syslog-ng) and from there ingest into ELK. For parsing I advise using something like Vector, it is a lot faster than logstash. When you have your logs ingested correctly, you can create your own dashboard in Kibana. If this fits your requirements, no need to install nginx (unless you want to use as reverse proxy for Kibana), php and mysql.
  • Show HN: Homelab Monitoring Setup with Grafana
    6 projects | news.ycombinator.com | 7 Jun 2023
    I think there's nothing currently that combines both logging and metrics into one easy package and visualizes it, but it's also something I would love to have.

    Vector[1] would work as the agent, being able to collect both logs and metrics. But the issue would then be storing it. I'm assuming the Elastic Stack might now be able to do both, but it's just too heavy to deal with in a small setup.

    A couple of months ago I took a brief look at that when setting up logging for my own homelab (https://pv.wtf/posts/logging-and-the-homelab). Mostly looking at the memory usage to fit it on my synology. Quickwit[2] and Log-Store[3] both come with built in web interfaces that reduce the need for grafana, but neither of them do metrics.

    - [1] https://vector.dev

  • Retaining Logs generated by service running in pod.
    1 project | /r/kubernetes | 31 May 2023
    Log to stdout/stderr and collect your logs with a tool like vector (vector.dev) and send it to something like Grafana Loki.

What are some alternatives?

When comparing tenzir and vector you can also consider the following projects:

webviz - web-based visualization libraries

graylog - Free and open log management

exo - A process manager & log viewer for dev

Fluentd - Fluentd: Unified Logging Layer (project under CNCF)

dfir-orc - Forensics artefact collection tool for systems running Microsoft Windows

agent - Vendor-neutral programmable observability pipelines.

FFMpeg-Online - This repository catalogs a list of FFMpeg commands for different situations. By https://hotpot.ai.

syslog-ng - syslog-ng is an enhanced log daemon, supporting a wide range of input and output methods: syslog, unstructured text, queueing, SQL & NoSQL.

label-studio - Label Studio is a multi-type data labeling and annotation tool with standardized output format

OpenSearch - 🔎 Open source distributed and RESTful search engine.

Baserow - Open source no-code database and Airtable alternative. Create your own online database without technical experience. Performant with high volumes of data, can be self hosted and supports plugins

tracing - Application level tracing for Rust.