3.1. Trisul distributed domain concepts

Trisul 6.0 is a streaming distributed analytics platform. There are “Trisul Probes” which acquire and process network data and there are “Trisul Hubs” which provide the database function. The “Trisul Probes” are not just dumb collectors but actually contain the main streaming analytics function. You can even connect the output of a Trisul Probe to a separate backend like Elastic Search.

The following diagram illustrates the components involved

the domain domain0
the trisul-probe nodes probe0 probeEAST and probeWEST
the trisul-hub node hub0

Trisul domain components

The domain represents a top level management group within which you create a topology of probe nodes and hub nodes. All the nodes are logical entities and you can install them all on a single physical machine or distribute them on different machines.

3.1.1 Domain nodes terminology

The following logical concepts are key to understanding a Trisul domain.

Domain – the top most level management group
Context – a separate monitoring instance. You always start, stop, and view data within a context.
Profiles – a probe configuration
Probes – the packet capture and streaming analytics
Hubs – a database node

3.1.2 Domain

The topmost entity in Trisul called a domain. The default domain you are likely using is called domain0.

A domain is a top level membership group which includes probes and hubs. Each probe and hub instance must belong to one and only one domain. You can also have multiple domains – each domain is disjoint from every other domain but the hardware can be shared.

3.1.3 Contexts

A context is a separate database that represents an instance of Trisul monitoring a particular network or dataset. You start and stop contexts as a unit. You also view reports and perform analytics within a context. By default Trisul puts all data into a single context called context0. You can create additional contexts using the trisulctl_hub tool.

The rules

a context accepts data from multiple probes
a single probe can supply data to multiple contexts
a context database is stored on a single hub – currently only on hub0
you select a context while logging in to the web interface

Contexts A context is a separate database

3.1.4 Profiles

Profiles are just configuraton for probes inside of a context. Typically you would want each probe in a context to use the same profile. A profile includes such things as counter groups, thresholds, flow trackers, and the other things that you would find when you login as Admin > Admin.

Profiles are just configuration for probes

3.1.5 Probes

Probes are the main processing component of Trisul. They run the main processing pipeline from the packet acquisition to streaming stats generation. The function of probes are

high speed packet capture
packet storage
netflow packet capture
run the analytics pipeline
host all the LUA scripts written by users
store packet locally after encryption
send the analytics stream to a hub node (currently hub0 )

A probe can run in multiple contexts and multiple domains. There will be different instances of the probes running isolated from each other.

Probes are managed using the trisulctl_probe command line tool

Probes transform packets into analytics streams.

Packages The “trisul-probe” package provides the Probe function

3.1.6 Hubs

Hubs provides the database and querying functionality. Data from all the Probes stream into to a Hub and are stored here. The only data that stays on the Probe are the raw packets.

Hubs are managed using the trisulctl_hub command line tool

Packages The package “trisul-hub” provides the Hub function. The package “webtrisul” which resides on the same node provides the webserver.

3.1.7 Security

The authentication used to connect various nodes to the domain is ZeroMQ CURVE security using certificates. CURVE uses elliptic curve encryption and cryptography. See CurveMQ for more.

Each node needs a certificate key pair to connect to the domain
The command line tools trisulctl_probe and trisulctl_hub allow you to manage the whole setup easily