feat(vrl): add parse_dnstap function

[esensar]

Summary

This adds parse_dnstap function, which should produce the exact same output as the dnstap source. While it is possible to parse dnstap data manually using parse_proto, this ensures that the exact same format is used. This makes it possible to delay dnstap parsing using dnstap source, by making it produce raw data and then conditionally parsing it in transforms further down the line. It also makes it possible to parse dnstap data from other sources.

More context: #21985 (comment)

Change Type

• Bug fix
• New feature
• Non-functional (chore, refactoring, docs)
• Performance

Is this a breaking change?

• Yes
• No

How did you test this PR?

I have built vector in a container and ran it alongside coredns. I have connected them using dnstap source in tcp mode and made the source produce only raw data. I have used the following vector config:

sources:
  dnstap_tcp:
    type: "dnstap"
    mode: "tcp"
    address: "0.0.0.0:59001"
    raw_data_only: true

transforms:
  dnstap_thingy:
    type: "remap"
    inputs: ["dnstap_tcp"]
    source: |
      . = parse_dnstap!(.rawData)
      .

sinks:
  console:
    inputs: ["dnstap_tcp", "dnstap_thingy"]
    target: "stdout"
    type: "console"
    encoding:
      codec: "json"

Does this PR include user facing changes?

• Yes. Please add a changelog fragment based on our guidelines.
• No. A maintainer will apply the "no-changelog" label to this PR.

Checklist

• Please read our Vector contributor resources.
• If this PR introduces changes Vector dependencies (modifies Cargo.lock), please
  run dd-rust-license-tool write to regenerate the license inventory and commit the changes (if any). More details here.

[esensar]

I didn't add benchmarks for this, since I can see that there are dnstap benchmarks for the parse function and this really just forwards the data to it.

[pront]

Thanks, this looks much better now.

[pront]

https://github.com/vectordotdev/vector/actions/runs/12293554193/job/34323760812?pr=21985

I think we need to update buf.yaml to include the new proto location.

[esensar]

Updated. I just needed to add the new location, right?

[pront]

Updated. I just needed to add the new location, right?

Thanks, I think so yes. Let's see if the check passes now.

[esensar]

I am not sure how to handle this new error now. It seems like this is now reporting an issue because this is treated like 4 different modules instead of 3 that were available previously? Not sure in which ways rest of the proto files are used, but is this a false positive?

[pront]

Hmm, see bufbuild/buf#567.
You can try locally with:

buf breaking --against  "https://github.com/vectordotdev/vector.git#branch=master" --debug

Also, https://github.com/vectordotdev/vector/blob/master/.github/workflows/protobuf.yml#L5-L7 is missing two paths.

[pront]

The check is failing due to the move proto/third-party/dnstap.proto → lib/dnstap-parser/proto/dnstap.proto.

This is the relevant rule: https://buf.build/docs/breaking/rules/#file_no_delete

If you cannot figure out a workaround, I am not opposed to reverting the move.

[esensar]

The check is failing due to the move proto/third-party/dnstap.proto → lib/dnstap-parser/proto/dnstap.proto.

This is the relevant rule: https://buf.build/docs/breaking/rules/#file_no_delete

If you cannot figure out a workaround, I am not opposed to reverting the move.

Moving parser back into main module would make the function inaccessible in vector-vrl/web-playground and vector-vrl/tests. I am not sure if this exact issue should be treated as a breaking change, but then again, I am not sure in which ways the protobuf modules are used, so I can't tell if it is okay.

Would it make more sense to have the protobuf workflow only track vector proto files? Or is it important to track these third-party ones too?

[esensar]

I have ignored the dnstap.proto file in the checker. Let me know if this makes sense to you.

Also, https://github.com/vectordotdev/vector/blob/master/.github/workflows/protobuf.yml#L5-L7 is missing two paths.

I think it is just missing the new one, since it has both proto/vector and proto/third-party covered with proto/**, but if ignoring the new one is okay, then we don't need to add it there.

[pront]

I am thinking that ignoring third-party protos is the wrong thing to do but also this is not a breaking change for Vector users. It is just a file move, contents are identical. We could remove the ignore and merge this despite the buf check failing.

Note: Starting today, I will be traveling for a couple of weeks. So apologies for delays in reviewing.

[esensar]

I am thinking that ignoring third-party protos is the wrong thing to do but also this is not a breaking change for Vector users. It is just a file move, contents are identical. We could remove the ignore and merge this despite the buf check failing.

Note: Starting today, I will be traveling for a couple of weeks. So apologies for delays in reviewing.

Alright, thanks for the heads up. Do you want me to revert the last change then?

[pront]

Alright, thanks for the heads up. Do you want me to revert the last change then?

Yes, we can just revert the changes to buf.yaml.

[johnhtodd]

For historical purposes I'll put a bit more discussion here: This function allows larger-scale ingestion of dnstap messages, because the "sample" and "throttle" functions can now be used before the dnstap parsing happens. This is important because the dnstap parsing is actually quite heavy, and with hundreds of thousands of events per second, a single Vector node can be easily overwhelmed before the event even passes into a place where functions can be applied. By ingesting the message as protobuf (and not as "dnstap") it is possible to apply sample and throttle functions to the raw, unprocessed data and then selectively expanding the messages into full dnstap events after a smaller set has been filtered. This permits higher-throughput downsampling of events, though of course there is no method to examine what events are chosen and what are discarded until after the sampling is done. If there are critical events that need to be processed at 100%, our suggested model would be to send those from the origin system with a different port number and ingest them as dnstap (as a source) instead of as protobuf, and treat that flow of data entirely differently than others which may be downsampled or throttled.

[jszwedko]

It looks like the protobuf compatibility tests are still failing here:

Failure: input contained 4 images, whereas against contained 3 images

[pront]

It looks like the protobuf compatibility tests are still failing here:

Failure: input contained 4 images, whereas against contained 3 images

Yes, due to the move as explained here: #21985 (comment).

Based on the discussions here, I think we can force merge this if all other checks are OK.

[jszwedko]

It looks like the protobuf compatibility tests are still failing here:

Failure: input contained 4 images, whereas against contained 3 images

Yes, due to the move as explained here: #21985 (comment).

Based on the discussions here, I think we can force merge this if all other checks are OK.

Aha, I missed that discussion. 👍