Tenzir Documentation Map
The low-code data pipeline solution for security teams
Tenzir is a data pipeline engine for security teams. Run pipelines to collect,
parse, transform, and route security data. Deploy nodes on-prem or in the cloud,
and manage them via the Tenzir Platform.
How to use this skill
Navigate the documentation based on the type of question:
| Question type | Where to look |
|---|---|
| "How do I…" tasks | Guides — step-by-step instructions organized by task |
| Operator or function syntax | Operator Index or Function Index, then the specific page |
| Integration setup (Splunk, Kafka, S3…) | Integrations — per-product setup and pipeline examples |
| Concepts (nodes, pipelines, deployment) | Explanations — architecture and design |
| Learning from scratch | Tutorials — guided lessons |
| TQL language rules | Language, Expressions, Statements |
Always read the relevant page before answering. Prefer TQL examples from the
documentation over inventing syntax.
Answer patterns
Operator syntax question — "How does `where` work?"
→ Read `where`, explain the syntax, show the doc's TQL examples.
Integration question — "How do I send data to Splunk?"
→ Read Splunk, provide the pipeline example from the page.
Task question — "How do I parse syslog?"
→ Read Parse delimited text and `read_syslog`. Combine the guide's approach with the operator reference.
Guides
Practical step-by-step explanations to help you achieve a specific goal.
Start here when you're trying to get something done.
Get Started
Quickstart
Drowning in logs, alerts, and rigid tools? Meet Tenzir—your engine for taming security data. In just a few minutes, you’ll be ingesting, transforming, and enriching data on your terms, with full control. Here’s what you’ll accomplish:
Installation
This guide shows you how to install the Tenzir CLI to run pipelines locally or deploy a persistent node. The package includes two binaries:
Create account
The Tenzir Platform is a web interface for managing pipelines and nodes. Create an account to get started:
Basic Usage
Run pipelines
You can run a pipeline via the platform, on the command line using the `tenzir` binary, or as code via the configuration file.
Manage a pipeline
This guide shows you how to control pipeline lifecycles through the app or API. A pipeline transitions through the following states:
Setup
Node Setup
The Tenzir Node is the vehicle to run pipelines. It is a lightweight server application that can be deployed on-premises or in the cloud.
Provision a node
Provisioning a node means creating one in the platform in your workspace. After provisioning, you can download a configuration file with an authentication token—ready to then deploy the node.
Size a node
This guide helps you determine the CPU, RAM, and storage resources needed for a Tenzir node. Use the calculator below to get concrete estimates based on your deployment scenario.
Deploy a node
Deploying a node means spinning it up in one of the supported runtimes. The primary choice is between a containerized deployment with Docker and a native deployment with our static binary, which runs on amd64 and arm64 architectures.
Configure a node
The default node configuration is optimized for most common scenarios. But you can fine-tune the settings to match your specific requirements.
Configure TLS
Tenzir supports Transport Layer Security (TLS) for encrypting network connections. You can configure TLS settings centrally in `tenzir.yaml` so they apply to all compatible operators, or override them per-operator as needed.
Start the API
The node offers a REST API for CRUD-style pipeline management. By default, the API is not accessible from the outside. Only the platform can access it internally through the existing node-to-platform connection. To enable the API for direct access, you need to configure the built-in web server that exposes the API.
Tune performance
This guide covers configuration options that affect node performance. You’ll learn how to tune demand scheduling, memory usage, and throughput settings.
Platform Setup
The Tenzir Platform acts as a fleet management control plane for Tenzir Nodes. Use its web interface to explore data, create pipelines, and build dashboards.
Deploy on AWS
This guide walks you through deploying the Tenzir Platform Sovereign Edition on AWS using CloudFormation. The template automates the setup of all required infrastructure components.
Choose a scenario
We provide several examples of possible platform deployment scenarios. Pick one that best suits your needs.
Configure reverse proxy
This guide shows you how to configure a reverse proxy for the Tenzir Platform. The proxy terminates TLS and routes traffic to these four entry points:
Configure internal services
This guide shows you how to configure the three internal Tenzir services: the UI, Gateway, and Platform API. You’ll set environment variables that control authentication, connectivity, and feature settings.
Configure identity provider
The identity provider (IdP) handles authentication for the Tenzir Platform. When you click the Login button in the Tenzir UI, the system redirects you to your chosen identity provider, which creates a signed token that certifies your identity.
Configure database
A PostgreSQL database stores the internal state of the platform.
Configure blob storage
The blob storage service exists for exchanging files between the platform and nodes. It facilitates not only downloading data from nodes, but also uploading files from your browser to the platform.
Configure secret store
The Tenzir Platform provides a secret store for each workspace. All Tenzir Nodes connected to the workspace can access its secrets. You can manage secrets using the CLI or the web interface. Alternatively, you can use an external secret store.
Run the platform
This guide shows you how to start the Tenzir Platform using Docker Compose. Complete this step after configuring all services.
Platform Management
Configure workspaces
Workspaces in the platform logically group nodes, secrets, and dashboards.
Configure dashboards
You can pre-define dashboards for your static workspaces. This practice provides users with ready-to-use visualizations when they access the workspace.
Use ephemeral nodes
An ephemeral node is ideal for temporary or auto-scaling deployments. It is a temporary node that you do not have to provision manually first, and it disappears from the workspace when the connection to the platform ends.
AI Workbench
Build your own AI Workbench by bringing an AI agent and configuring it with Tenzir’s agent skills. Once set up, use it to write TQL pipelines, understand OCSF schemas, generate parsers, and create data mappings.
Use agent skills
This guide shows you how to install and manage Tenzir’s agent skills. You’ll learn how to add skills globally or per project, install individual skills, and keep them up to date.
Work with Data
Collecting
This guide provides an overview of data collection in TQL. You’ll learn about the different approaches for ingesting data from various sources.
Read and watch files
This guide shows you how to read files and monitor directories using the `from_file` operator. You’ll learn to read individual files, batch process directories, and set up real-time file monitoring.
Fetch via HTTP and APIs
This guide shows you how to fetch data from HTTP APIs using the `from_http` and `http` operators. You’ll learn to make GET requests, handle authentication, and implement pagination for large result sets.
Read from message brokers
This guide shows you how to receive events from message brokers using TQL. You’ll learn to subscribe to topics and queues from Apache Kafka (including Amazon MSK), AMQP-based brokers (like RabbitMQ), Amazon SQS, and Google Cloud Pub/Sub.
Get data from the network
This guide shows you how to receive data directly from network sources using TQL. You’ll learn to listen on TCP and UDP sockets for incoming data and capture raw packets from network interfaces.
Parsing
Parse delimited text
This guide shows you how to parse text streams into structured events. You’ll learn to split byte streams on newlines or custom delimiters, and parse line-based formats like JSON lines, CSV, TSV, key-value pairs, Syslog, and CEF.
Parse binary data
This guide shows you how to parse binary data formats into structured events. You’ll learn to work with columnar formats like Parquet and Feather, packet captures in PCAP format, Tenzir’s native Bitz format, and compressed data.
Parse string fields
This guide shows you how to extract structured data from string fields using TQL’s parsing functions. You’ll learn to parse JSON, YAML, XML, key-value pairs, delimited data, timestamps, and log formats like Syslog, CEF, LEEF, and Windows Event Logs. For custom formats, Grok patterns provide flexible pattern matching.
Transformation
Filter and select data
Filtering and selecting are fundamental operations when working with data streams. This guide shows you how to filter events based on conditions and select specific fields from your data.
Transform values
Transforming values is a fundamental part of data processing. This guide shows you how to convert between different data types, perform basic calculations, and manipulate simple values within your events.
Manipulate strings
String manipulation is essential for cleaning, formatting, and transforming text data. This guide covers TQL’s comprehensive string functions, from simple case changes to complex pattern matching and encoding operations.
Work with time
Time is fundamental in data analysis. Whether you’re analyzing logs, tracking events, or monitoring systems, you need to parse timestamps, calculate durations, and format dates. This guide shows you how to work with time values in TQL.
Shape lists
Lists (arrays) contain ordered sequences of values. This guide shows you how to work with lists — accessing elements, sorting and slicing, transforming values, and combining data structures.
Shape records
Records (objects) contain key-value pairs. This guide shows you how to work with records — accessing fields, extracting keys, merging, and transforming values.
Reshape complex data
Real-world data is rarely flat. It contains nested structures, arrays of objects, and deeply hierarchical information. This guide shows advanced techniques for reshaping complex data structures to meet your analysis needs.
Convert data formats
Data comes in many formats. Converting between formats is essential for integration, export, and interoperability. This guide shows you how to transform data between JSON, CSV, YAML, and other common formats using TQL’s print functions.
Normalization
This guide provides an overview of data normalization in TQL. Normalization transforms raw, inconsistent data into a clean, standardized format that’s ready for analysis, storage, and sharing.
Clean up values
This guide shows you how to clean and normalize values in your data before mapping to a schema. You’ll learn to handle null placeholders, normalize sentinel values, fix types, and provide defaults.
Map to OCSF
This guide shows you how to write OCSF mapping operators in TQL. You’ll learn to organize mappings by attribute groups, handle unmapped fields, and validate your output. The guide assumes you’ve already identified your target OCSF event class and profiles.
Map to other schemas
This guide provides brief guidance on mapping data to schemas other than OCSF. While OCSF is the recommended choice for security data, you may need to support Elastic Common Schema (ECS), Google UDM, or Microsoft ASIM for integration with specific platforms.
Enrichment
Work with lookup tables
A lookup table is a specific type of context in Tenzir’s enrichment framework. It has “two ends” in that you can use pipelines to update it, as well as pipelines to perform lookups and attach the results to events. Lookup tables live in a node and multiple pipelines can safely use the same lookup table. All update operations propagate to disk, persisting the changes and making them resilient against node restarts.
Enrich with network inventory
Tenzir’s enrichment framework features lookup tables that you can use to enrich data in your pipelines. Lookup tables have a unique property that makes them attractive for tracking information associated with CIDR subnets: when you use `subnet` values as keys, you can probe the lookup table with `ip` values and will get a longest-prefix match.
Enrich with threat intel
Tenzir has a powerful enrichment framework for real-time contextualization. The heart of the framework is a context—a stateful object that can be managed and used with pipelines.
Execute Sigma rules
Tenzir supports executing Sigma rules using the `sigma` operator. This allows you to run your Sigma rules in the pipeline. The operator transpiles the provided rules into an expression, and wraps matching events into a sighting record along with the matched rule.
Optimization
Slice and sample data
When working with data streams, you often need to control which events flow through your pipeline. This guide shows you how to slice event streams, sample data, and control event ordering using TQL operators.
Deduplicate events
The `deduplicate` operator provides a powerful mechanism to remove duplicate events in a pipeline.
Routing
Send to destinations
This guide shows you how to send data to various destinations using TQL output operators. You’ll learn about destination operators, file output patterns, and expression-based serialization.
Split and merge streams
This guide shows you how to connect pipelines using the `publish` and `subscribe` operators. You’ll learn to split event streams for parallel processing and merge multiple sources into a single pipeline.
Load-balance pipelines
This guide shows you how to distribute events across multiple destinations using the `load_balance` operator. You’ll learn to route events to multiple endpoints for high availability and throughput.
Analytics
Aggregate and summarize data
Aggregation transforms streams of events into meaningful summaries. Whether you’re calculating statistics, counting occurrences, or finding extremes, the `summarize` operator combined with aggregation functions provides powerful data analysis capabilities.
Collect metrics
Tenzir keeps track of metrics about node resource usage, pipeline state, and runtime performance.
Edge Storage
Import into a node
Importing (or ingesting) data can be done by running a pipeline that ends with the `import` output operator. When managing a pipeline through the app or the API, all pipeline operators run within the node. When using the CLI, at least the `import` operator runs within the node.
Export from a node
Exporting (or querying) data can be done by running a pipeline that begins with the `export` input operator. When managing a pipeline through the app or the API, all pipeline operators run within the node. When using the CLI, at least the `export` operator runs within the node.
Show available schemas
When you write a pipeline, you often reference field names. If you do not know the shape of your data, you can look up available schemas, i.e., the record types describing top-level events.
Transform data at rest
This guide shows you how to transform data already stored in a node. You’ll learn to apply compaction, manage storage quotas, and run retroactive pipelines.
Build
Packages
Install a package
Packages provide a flexible approach for combining operators, pipelines, contexts, and examples into a unified deployable unit.
Create a package
This guide shows you how to create a package from scratch. You’ll learn how to set up the directory structure, write the manifest, and add runnable examples.
Test packages
This guide shows you how to add tests to your package. You’ll learn how to write test files, use inline inputs, and run the test harness.
Add operators
This guide shows you how to create user-defined operators (UDOs) for your package. You’ll learn how to define operators with positional and named arguments, and how to test them with the Test Framework.
Add pipelines
This guide shows you how to add deployable pipelines to your package. You’ll learn about pipeline frontmatter options and when to use pipelines versus operators.
Add contexts
This guide shows you how to add enrichment contexts to your package. You’ll learn how to define contexts in the manifest, populate them with data, and test context interactions.
Configure inputs
This guide shows you how to make packages configurable with inputs. You’ll learn how to define input variables, use templating syntax, and provide values during installation.
Maintain a changelog
This guide shows you how to manage changelog entries and publish releases with `tenzir-ship`. You’ll learn the complete workflow from adding your first entry to publishing a release on GitHub.
Publish a package
This guide shows you how to publish your package. You’ll learn how to contribute to the Tenzir Community Library and how to set up your own package repository with automated testing.
Testing
Run tests
This guide shows you how to run existing integration tests with the `tenzir-test` framework. You’ll learn how to execute the test suite, control output verbosity, select specific tests, handle flaky scenarios, and run multi-project setups.
Write tests
This guide shows you how to create integration tests with the `tenzir-test` framework. You’ll set up a standalone repository, write test scenarios, and record reference output to verify your pipelines work as expected. If you already have tests and want to run them, see the run tests guide.
Run fixtures
This guide shows you how to start fixtures in standalone mode without running tests. You’ll learn how to use the `--fixture` CLI option to bring up managed services, inspect their environment variables, and tear them down cleanly.
Create fixtures
This guide shows you how to create a fixture, wire it into the test harness, and use it from a test. You will build an HTTP echo server as a running example and then learn how to share fixtures across suites, handle missing dependencies, manage containers, add structured options, and validate test behavior with fixture assertions.
Add custom runners
Runners tell `tenzir-test` how to execute a discovered file. This guide shows you how to register the XXD runner from the example project so you can compare binary artifacts by dumping their hexadecimal representation with `xxd`.
Contribute
Contribution
Code of Conduct
Git and GitHub Workflow
The following diagram visualizes our branching model:
Documentation
The source code of the Tenzir documentation is at https://github.com/tenzir/docs. We use Astro with Starlight as our site framework.
Security Policy
Security is a serious matter for us. We want to ensure and maintain a secure environment for our customers and the open-source community.
Development
Setup syntax highlighting
This guide shows you how to set up TQL syntax highlighting in your editor. You’ll get proper colorization, language detection, and basic language support for `.tql` files.
Build from source
Tenzir uses CMake as its build system and requires a C++23 compiler.
Write a node plugin
This guide shows you how to extend Tenzir with custom operators, formats, or connectors by writing a C++ plugin. The implementation requires the following steps:
Tutorials
Learning-oriented lessons that take you through a series of steps.
Start here when you want to get started with Tenzir.
Fundamentals
Learn idiomatic TQL
This tutorial teaches you to write TQL that is clear, efficient, and maintainable. It assumes you already know basic TQL syntax and operators, and shows you how experienced TQL developers approach common patterns.
Write a package
This tutorial teaches you how packages bundle pipelines, operators, contexts, and examples. You’ll build a package for an SSL blacklist that detects malicious certificates. You can then install packages from the Tenzir Library or deploy them as code.
Map data to OCSF
In this tutorial you’ll learn how to map events to Open Cybersecurity Schema Framework (OCSF). We walk you through an example of events from a network monitor and show how you can use Tenzir pipelines to transform them into OCSF-compliant events.
Analytics
Plot data with charts
In this tutorial, you will learn how to use pipelines to plot data as charts.
Explanations
Big-picture explanations of higher-level concepts.
Start here to build understanding of a particular topic.
Architecture
Deployment
This page explains Tenzir’s deployment architecture, which separates data processing from management through a layered design. Three primary abstractions work together:
Pipeline
A Tenzir pipeline is a chain of operators that represents a dataflow. Operators are the atomic building blocks that produce, transform, or consume data. Think of them as Unix or PowerShell commands where the result of one command feeds into the next:
Node
A node is a running process that manages and executes pipelines.
Platform
The platform provides fleet management for nodes. With an API and web interface, the platform offers user and workspace administration, authentication via external identity providers (IdP), and dashboards consisting of pipeline-powered charts.
Language
The Tenzir Query Language (TQL) is a dataflow language designed for processing unstructured byte streams and semi-structured events.
Concepts
Configuration
This page explains how to configure the Tenzir CLI and Node. Configuration flows through four layers, sorted by precedence:
Secrets
Operators accept secrets as parameters for sensitive values, such as authentication tokens, passwords, or even URLs.
Enrichment
Enrichment means adding contextual data to events. The purpose of this added context is to allow for making better decisions, e.g., to triage alerts and weed out false positives, to leverage country information to classify logins as malicious, or to flag a sighting of an indicator of compromise.
Packages
This page explains how packages bundle pipelines, operators, contexts, and examples into a deployable unit. You’ll learn about package design principles and how the components fit together.
Help
Glossary
This page defines central terms in the Tenzir ecosystem.
FAQs
This page answers frequently asked questions about Tenzir.
Reference
Nitty-gritty technical descriptions of how Tenzir works.
Start here when you need detailed information about building blocks.
Language (TQL)
Type System
This page explains TQL’s type system, which provides strong typing with automatic inference. You get type safety without requiring explicit declarations. Key characteristics include:
Expressions
Expressions form the computational core of TQL. They range from simple literals to complex evaluations.
Statements
TQL programs are a sequence of statements. Operator statements perform various actions on data streams. Each operator statement can be thought of as a modular unit that processes data and can be combined with other operators to create complex dataflows.
Programs
TQL programs compose statements into complete data processing workflows that can execute. Valid TQL programs adhere to the following rules:
Operators
Tenzir comes with a wide range of built-in pipeline operators.
Functions
Functions appear in expressions and take positional and/or named arguments, producing a value as a result of their computation.
Tools
Test Framework
The `tenzir-test` harness discovers and runs integration tests for pipelines, fixtures, and custom runners. Use this page as a reference for concepts, configuration, and CLI details. For step-by-step walkthroughs, see the guides for running tests, writing tests, creating fixtures, and adding custom runners.
Ship Framework
Node Index
- Node Configuration
Platform Index
- Platform command line interface
- Platform Configuration
Indexes
For the complete operator listing by category, read Operator Index.
For the complete function listing by category, read Function Index.
Integrations
Turn-key packages and native connectors for security tools.
Start here to connect Tenzir with Splunk, Elastic, CrowdStrike, etc.
面向安全工具的开箱即用包和原生连接器。当你需要将Tenzir与Splunk、Elastic、CrowdStrike等工具连接时,从这里开始。
Cloud Providers
云提供商
Amazon
亚马逊
Tenzir integrates with the services from Amazon Web Services (AWS) listed below.
Tenzir与以下亚马逊网络服务(AWS)的服务集成。
MSK
MSK
Amazon Managed Streaming for Apache Kafka (Amazon MSK) is a managed Kafka service on AWS. It handles infrastructure and operations, making it easier to run Kafka applications and Kafka Connect connectors without becoming a Kafka expert.
亚马逊托管Apache Kafka(Amazon MSK)是AWS上的托管Kafka服务。它处理基础设施和运维,使你无需成为Kafka专家即可运行Kafka应用和Kafka Connect连接器。
S3
S3
Amazon Simple Storage Service (S3) is an object storage service. Tenzir can treat it like a local filesystem to read and write files.
亚马逊简单存储服务(S3)是一种对象存储服务。Tenzir可以将其视为本地文件系统来读取和写入文件。
Security Lake
安全数据湖
Amazon Security Lake is a managed security data lake on AWS. It collects and stores security data in the Open Cybersecurity Schema Framework (OCSF) format.
亚马逊安全数据湖是AWS上的托管安全数据湖。它以开放网络安全schema框架(OCSF)格式收集和存储安全数据。
SQS
SQS
Amazon Simple Queuing Service (SQS) is a managed message queue on AWS. It supports microservices, distributed systems, and serverless applications.
亚马逊简单队列服务(SQS)是AWS上的托管消息队列服务。它支持微服务、分布式系统和无服务器应用。
Google
Cloud Logging
Google Cloud Logging is Google’s log management solution. Tenzir can send events to Google Cloud Logging.
Cloud Storage
Cloud Storage is Google’s object storage service. Tenzir can treat it like a local filesystem to read and write files.
Cloud Pub/Sub
Google Cloud Pub/Sub ingests events for streaming into BigQuery, data lakes, or operational databases. Tenzir can act as a publisher that sends messages to a topic, and as a subscriber that receives messages from a subscription.
SecOps
Google Security Operations (SecOps) is Google’s security operations platform. Tenzir can send events to Google SecOps using the unstructured logs ingestion API.
Microsoft
Azure Blob Storage
Azure Blob Storage is Azure’s object storage service. Tenzir can treat it like a local filesystem to read and write files.
Azure Event Hubs
Azure Event Hubs is a real-time event ingestion service. It can receive and process millions of events per second, and it provides a Kafka endpoint for streaming data from Microsoft services to Tenzir.
Defender
Microsoft Defender offers protection, detection, investigation, and response to threats. Defender comes in multiple editions: Defender for Office 365, Defender for Endpoint, Defender for IoT, Defender for Identity, and Defender for Cloud. All Defender products can stream events in real time to Tenzir using Azure Event Hubs.
Sentinel & Log Analytics
Send security logs and events from Tenzir to Microsoft’s Log Analytics platform. You can analyze them with Microsoft Sentinel, create alerts with Azure Monitor, or query them with KQL.
Windows Event Logs
Windows Event Logs record system, security, and application events on Windows. You can collect them into Tenzir for monitoring, troubleshooting, and analysis.
Messaging
AMQP
The Advanced Message Queuing Protocol (AMQP) is an open standard for message-oriented middleware. It defines how producers, exchanges, queues, and consumers route messages between systems.
Fluent Bit
Fluent Bit is an open source observability pipeline. Tenzir embeds Fluent Bit, exposing all its inputs via from_fluent_bit and all its outputs via to_fluent_bit.
Kafka
Apache Kafka is a distributed open-source message broker. The Tenzir integration can publish (send messages to a topic) or subscribe (receive) messages from a topic.
ZeroMQ
ZeroMQ (0mq) is a light-weight messaging framework with various socket types. Tenzir supports writing to PUB sockets and reading from SUB sockets, both in server (listening) and client (connect) mode.
Protocols
Email
Tenzir supports sending events as email using the save_email operator. To this end, the operator establishes a connection with an SMTP server that sends the message on behalf of Tenzir.
File
Tenzir can read from and write to files. This includes non-regular files such as Unix domain sockets, standard input, standard output, and standard error.
FTP
Tenzir supports the File Transfer Protocol (FTP), both downloading and uploading files.
HTTP
Tenzir supports HTTP and HTTPS, both as sender and receiver.
Network Interface
Tenzir supports reading packets from a network interface card (NIC).
Syslog
Tenzir supports parsing and emitting Syslog messages across multiple transport protocols, including both UDP and TCP. This enables seamless integration with Syslog-based systems for ingesting or exporting logs.
TCP
The Transmission Control Protocol (TCP) provides a bidirectional byte stream over IP. Tenzir supports reading from and writing to TCP sockets in both server (listening) and client (connect) mode.
UDP
The User Datagram Protocol (UDP) is a connection-less protocol to send messages on an IP network. Tenzir supports writing to and reading from UDP sockets, both in server (listening) and client (connect) mode.
Data Tools
ClickHouse
ClickHouse is an open-source analytical database. It lets you run real-time analytics with SQL queries.
Elasticsearch
Elasticsearch is a search and observability suite for unstructured data. Tenzir can send events to Elasticsearch and emulate an Elasticsearch Bulk API endpoint.
Graylog
Graylog is a log management solution built on top of OpenSearch. Tenzir can send data to and receive data from Graylog.
OpenSearch
OpenSearch is a search and observability suite for unstructured data. Tenzir can send events to OpenSearch and emulate an OpenSearch Bulk API endpoint.
Snowflake
Snowflake is a multi-cloud data warehouse. Tenzir can send events from a pipeline to Snowflake databases.
Splunk
Splunk is a SIEM solution for storing and processing logs. Tenzir can send data to Splunk via HEC.
Security Tools
SentinelOne Data Lake
SentinelOne is a cybersecurity platform that provides endpoint protection and threat detection. The SentinelOne Singularity Data Lake allows you to store and analyze security events at scale. Tenzir provides bidirectional integration with the SentinelOne Data Lake via its REST API.
Suricata
Suricata is a network monitor with a rule matching engine to detect threats. Use Tenzir to acquire, process, and store Suricata logs.
Velociraptor
Velociraptor is a digital forensics and incident response (DFIR) tool for interrogating endpoints.
Zeek
The Zeek network monitor translates raw packets into structured logs. Tenzir supports various Zeek use cases, such as continuous ingestion, ad-hoc log file processing, and even generating Zeek logs.
Zscaler
Zscaler’s Nanolog Streaming Service (NSS) streams Zscaler logs to external systems. You can use Zscaler’s Cloud NSS or deploy an on-prem NSS server, and Tenzir can receive logs in either case.