# general
  • timoguin (05/10/2023, 2:24 AM)
    In all there are 2 CloudFormation stacks that are managed via the `matano deploy` CLI, which is a CDK app. Aside from baseline stuff, there are resources dynamically allocated based on your configuration. But it's those basic ones.
  • timoguin (05/10/2023, 2:33 AM)
    It's definitely cheaper than Splunk or Sumo Logic. 😛
  • timoguin (05/10/2023, 2:58 AM)
    Probably cheaper than CloudWatch Logs too. 😁
  • chrisatroom17.com (05/10/2023, 9:35 AM)
    Ok, so it does deploy CFTs. That would make cleanup easier. I did a quick look at the repo and didn't see any templates. CDK (like Discord) is that newfangled stuff that kids these days use. Back in my day.....
  • shaeq (05/10/2023, 9:38 AM)
    Yep, we compile the YAML in a Matano directory to CDK, then to CFN templates that deploy to a stack in your account.
  • timoguin (05/10/2023, 4:31 PM)
    And `matano destroy` will tear those stacks back down.
  • chrisatroom17.com (05/10/2023, 8:19 PM)
    I'd be curious what's left behind (buckets, tables, etc). Probably just as easy to spin up a matano account and close it when I'm done with the POC
  • chrisatroom17.com (05/10/2023, 8:19 PM)
    and might make a good blog post
  • timoguin (05/10/2023, 8:23 PM)
    good question. I don't remember off the top of my head because I would never destroy my Matanos. I think they made it to where it would clean up the data as well, if desired. But I've also seen mentions recently of Glue tables being left behind.
  • shaeq (05/12/2023, 8:08 AM)
    Yep, the `matano destroy` command is currently meant to just destroy everything.
  • shaeq (05/12/2023, 8:09 AM)
    @binarysouljour Welcome!
  • binarysouljour (05/12/2023, 8:57 AM)
    Hey, thanks @shaeq, it is good to be here.
  • jimx (05/12/2023, 8:02 PM)
    Hi there! Wondering if you know the VAST platform (vast.io). In some ways it looks to me like the project has a similar main objective to Matano (though I perceive Matano as much easier to grasp and understand). Obvious things aside, could you kindly point to some of the main differences in implementation, philosophy, architecture, etc.?
  • timoguin (05/12/2023, 8:04 PM)
    I was gonna say I didn't know it, but I have the repo starred. Lemme take a quick look. 😛
  • timoguin (05/12/2023, 8:09 PM)
    Quick skimming tells me they're positioned as competition to Cribl. A big portion of their docs are about reducing data volume before sending it to your SIEM. It's written in C++.
  • timoguin (05/12/2023, 8:09 PM)
    Looks like they run server nodes (instead of being fully serverless like Matano is with Lambda). Their AWS doc shows server nodes running on Fargate.
  • timoguin (05/12/2023, 8:09 PM)
    This is an odd choice:
    > For storage, VAST uses EFS.
  • timoguin (05/12/2023, 8:16 PM)
    There's definitely some overlap, and it looks like a cool project.
  • timoguin (05/12/2023, 8:21 PM)
    They seem to have built a lot of the components themselves (like their own query language, their own type system), whereas Matano utilizes a handful of mature technologies like ECS schemas, VRL for transforms, Iceberg for table storage, etc.
  • jimx (05/13/2023, 11:03 AM)
    Very good. Thank you very much @timoguin
  • jimx (05/13/2023, 11:04 AM)
    I agree about storage choice
  • jimx (05/13/2023, 11:13 AM)
    And I'm definitely more inclined to the serverless approach. VAST has its very roots in solving the issue of storing and querying the vast amount of data that can be produced by the Zeek (a Network Security Monitoring) platform. From there, they evolved to what they are today. It has great academic roots and they try to solve a similar problem to the one Matano does. I personally favor Matano's approach of building a Rust-based serverless platform on top of proven cloud-native storage. So keep up the good work! 🤓
  • samrose (05/17/2023, 12:56 AM)
    Welcome @boredbear, @YuvSch and @Fauxpro!
  • chrismsnz (05/18/2023, 9:33 PM)
    Dropped my log configs for osquery into https://github.com/matanolabs/matano/issues/133; should be enough in there to make a managed source for it? There's lots of further ingestion stuff that a user might want to do, which I assume they can do in a custom log source that inherits from the managed source.
  • chrismsnz (05/18/2023, 9:36 PM)
    I also have a Teleport log ingest configuration I'm happy to share. Less clear is whether there's any easy/supported way to get the logs into AWS, which is nice to have for a managed log source. I am using Vector to read the audit events from a file and spray them at a Firehose that writes to the ingestion bucket.
  • chrismsnz (05/18/2023, 9:52 PM)
    https://github.com/matanolabs/matano/issues/150 (Teleport log ingest)
  • samrose (05/18/2023, 9:58 PM)
    Thanks, this is very awesome! I will take a closer look soon.
  • timoguin (05/19/2023, 8:51 AM)
    Fantastic work, @chrismsnz!
  • chrismsnz (05/28/2023, 8:39 PM)
    Thanks for upstreaming that Teleport stuff! Shout out to my employer fly.io, who are more than happy for me to hand back any work I do as part of our PoC deployment.
  • samrose (05/28/2023, 9:07 PM)
    Yes, Chris, thanks for the initiative and great work on contributing both the Teleport and osquery integrations! Both will be merged soon.