Telemetry

Edge appliances continuously collect metrics, logs, and security events from the monitored network. This data is batched and uploaded to the Ingestor service at regular intervals.

```mermaid
sequenceDiagram
    participant Edge as Edge Appliance
    participant Ingestor as Ingestor Service
    participant SQL as Azure SQL
    participant Hub as WS Hub (Cloud Backend)

    loop Every N seconds (configurable)
        Edge->>Edge: Collect metrics, logs, events
        Edge->>Edge: Build batch payload
        Edge->>Ingestor: POST /v1/ingest (X-Device-Key)
        Note right of Edge: body: [{ kind: "telemetry", ... }, ...]
        Ingestor->>Ingestor: Validate device_key → resolve tenant_id
        Ingestor->>SQL: INSERT ingest_events (batched)
        alt kind == security_alert
            Ingestor->>Hub: Broadcast to tenant WebSocket connections
        end
        Ingestor-->>Edge: 204 No Content
    end
```

The Edge agent builds a batch of events collected since the last successful upload. Events are ordered by timestamp. On upload failure (network outage), the agent retries with exponential backoff and buffers events locally until the connection is restored.
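The batching, timestamp ordering, local buffering and exponential backoff described above, as an added illustration (this is not the Edge agent's own code; the `send` callable standing in for the HTTPS `POST /v1/ingest`, the bounded buffer that drops the earliest-buffered events, and the base/maximum delay values are all assumptions for the example):

```python
import random
from dataclasses import dataclass, field
from typing import Callable, Dict, List


@dataclass
class Event:
    kind: str
    ts: float  # collection time, epoch seconds
    data: Dict[str, object] = field(default_factory=dict)


class EdgeUploader:
    """Accumulates events since the last successful upload and retries
    failed uploads with capped exponential backoff.

    `send` is an injected transport (assumption): it receives the batch
    payload list and returns True when the Ingestor answered 204.
    """

    def __init__(self, send: Callable[[List[dict]], bool],
                 base_delay: float = 1.0, max_delay: float = 300.0,
                 max_buffer: int = 10_000):
        self.send = send
        self.base_delay = base_delay
        self.max_delay = max_delay
        self.max_buffer = max_buffer  # bound on locally buffered events (assumption)
        self.buffer: List[Event] = []
        self.failures = 0  # consecutive failed uploads since last success

    def collect(self, event: Event) -> None:
        """Buffer one collected event; during a long outage the earliest-buffered
        events are discarded so the buffer cannot grow without bound."""
        self.buffer.append(event)
        overflow = len(self.buffer) - self.max_buffer
        if overflow > 0:
            del self.buffer[:overflow]

    def build_batch(self) -> List[dict]:
        """Build the POST body: events ordered by timestamp, each tagged with its kind."""
        self.buffer.sort(key=lambda e: e.ts)
        return [{"kind": e.kind, "ts": e.ts, **e.data} for e in self.buffer]

    def backoff_ceiling(self) -> float:
        """Upper bound of the wait before the next retry: base * 2^failures, capped."""
        return min(self.max_delay, self.base_delay * (2 ** self.failures))

    def next_delay(self) -> float:
        """Actual wait: full jitter in [0, ceiling] so a fleet does not retry in lockstep."""
        return random.uniform(0.0, self.backoff_ceiling())

    def upload(self) -> bool:
        """Attempt one upload. Events stay buffered until the Ingestor confirms receipt."""
        if not self.buffer:
            return True
        if self.send(self.build_batch()):
            self.buffer.clear()
            self.failures = 0
            return True
        self.failures += 1
        return False
```

Because the buffer is only cleared after a successful send, an outage never loses events already collected (up to the buffer bound), and a batch that is retried after the outage still arrives in timestamp order.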

The Ingestor runs at a separate URL from the Cloud API:

| Environment | URL |
| --- | --- |
| Production | https://ingest.cloud.monozu.io |
| Local dev | http://localhost:8081 |

The Edge appliance must have the Ingestor URL configured (typically set at provisioning time or via a command from the Cloud Backend).

When the Ingestor receives an event with `kind: "security_alert"`, it:

  1. Writes the event to the `security_alerts` table (with the tenant context resolved from the device key)
  2. Notifies the Cloud Backend WebSocket hub to broadcast the alert to all connected SPA sessions for that tenant

This is the primary path for real-time SOC alert delivery.
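The Ingestor side of the flow (validate `X-Device-Key`, resolve `tenant_id`, batched insert, broadcast of `security_alert` events to that tenant's hub) as an added example. This is not the Ingestor service's code: the in-memory `DEVICE_KEYS` registry, the hashed key storage, the `WsHub` stand-in, the `MAX_BATCH` limit and the sample keys are all constructed for the example.

```python
import hashlib
from typing import Dict, List, Optional, Tuple

MAX_BATCH = 1000  # maximum events per POST (assumed limit)


def _key_digest(device_key: str) -> str:
    return hashlib.sha256(device_key.encode("utf-8")).hexdigest()


# Constructed device registry: sha256(device key) -> tenant_id. Storing only the
# digest means a dump of the device table does not yield usable device keys.
DEVICE_KEYS: Dict[str, str] = {
    _key_digest("example-key-tenant-a"): "tenant-a",
    _key_digest("example-key-tenant-b"): "tenant-b",
}


class WsHub:
    """Stand-in for the Cloud Backend WS hub: records what was broadcast per tenant."""

    def __init__(self) -> None:
        self.sent: Dict[str, List[dict]] = {}

    def broadcast(self, tenant_id: str, event: dict) -> None:
        self.sent.setdefault(tenant_id, []).append(event)


class Ingestor:
    def __init__(self, hub: WsHub) -> None:
        self.hub = hub
        self.ingest_events: List[dict] = []    # stands in for the ingest_events table
        self.security_alerts: List[dict] = []  # stands in for the security_alerts table

    def resolve_tenant(self, device_key: Optional[str]) -> Optional[str]:
        """Map the presented device key to its tenant, or None if unknown/missing."""
        if not device_key:
            return None
        return DEVICE_KEYS.get(_key_digest(device_key))

    def handle_post(self, headers: Dict[str, str], body: object) -> Tuple[int, List[dict]]:
        """POST /v1/ingest. Returns (HTTP status, rows written)."""
        tenant_id = self.resolve_tenant(headers.get("X-Device-Key"))
        if tenant_id is None:
            return 401, []  # authenticate before touching the body or the database
        if not isinstance(body, list) or len(body) > MAX_BATCH:
            return 400, []
        rows: List[dict] = []
        for ev in body:
            if not isinstance(ev, dict) or not isinstance(ev.get("kind"), str):
                return 400, []  # reject the whole batch; nothing written yet
            # Tenant context comes only from the device key: a tenant_id field in
            # the payload is discarded so a device cannot write into another tenant.
            row = {k: v for k, v in ev.items() if k != "tenant_id"}
            row["tenant_id"] = tenant_id
            rows.append(row)
        self.ingest_events.extend(rows)  # one batched insert for the whole POST
        for row in rows:
            if row["kind"] == "security_alert":
                self.security_alerts.append(row)
                self.hub.broadcast(tenant_id, row)  # only this tenant's sessions
        return 204, rows
```

The ordering matters: the key is checked before the body is parsed, the batch is validated in full before anything is persisted, and the broadcast is scoped to the tenant resolved from the key rather than to anything the device sent.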

Ingest events in `ingest_events` are subject to tenant-level retention policies configured in Settings. The Cloud Backend’s audit log retention job also applies to ingest data.

See Payload Schema for the full event format for each kind.