Querying Elasticsearch might be very meomory intensive

[regulartim]

Following up on #624 the new way of extraction hits from Elasticsearch might be too memory intensive.

https://github.com/intelowlproject/GreedyBear/blob/d5a9906da5cd3ebf293ffedc77f466400cf0b1be/greedybear/cronjobs/repositories/elastic.py#L74-L79

In line 74, the list constructor is called on search.scan(). The scan method returns an iterator containing all hits from the requested time span. But because we want to cache it, we have to create a list from the iterator, which means that all hits will be stored in system memory. This might be an issue when
a) the time span is very long (e.g. 3 days on the initial extraction run) and
b) the T-Pot instance records a high number of attacks

Since I am currently only using a T-Pot instance with very few active honeypots which is running on a residential internet connection, I only see ~25.000 honeypot hits a day, which is not a problem. So it would be nice if someone could test this on a GreedyBear instance that gets attacked more frequently.

Currently this code is only in develop and before it gets merged we should make sure that it is not too bad.

[mlodic]

hey Tim, can you please remember me why the cache is necessary here? Cause I checked the code and I didn't get the reason, I think I am maybe forgetting something.

[regulartim]

I introduced the caching to make sure the query is only executed once if the search() function is called multiple times during a singe extraction run. But looking at it again, I think that it's just better to make search() return an iterator and remove the caching. The ElasticRepository is only instantiated in the ExtractionPipeline so calling the function a second time by accident is basically impossible.

[shivraj1182]

Hi @regulartim,
I’d like to help with this. I can run GreedyBear from the 'develop' branch using Docker on my local machine and am planning to :
-First, test the current 'search()' implementation (with 'list(search.scan())' and caching) against a larger synthetic dataset in Elasticsearch to see how memory usage behaves during an extraction run.
-Then, implement the change you suggested: make 'search()' return an iterator instead of a list and remove the caching, updating the callers accordingly.
-Finally, rerun the same synthetic high-volume test and report the memory usage and any behavioural differences.

I do not have a heavily attacked production T-POT instance, but I’ll approximate a high-load scenario by inserting a large number of test documents into ES and will document the approximate volume and results. If that sounds good, I’ll start working on this and open a PR referencing this issue. :)

[regulartim]

Hey @shivraj1182 ! Your approach seems solid and seeing this comparison using synthetic data will provide valuable insight. However opening a PR might be unnecessary if the current implementation is fine. I would prefer if you could perform the tests and write the results to this issue. Then we can decide together whether we want to change the current implementation or not.

One thing that is also important in this context: In greedybear/cronjobs/extraction/pipeline.py we group all extracted hits by the honeypot that recorded them. This means that all hits have to be loaded to memory anyways. So my expectation is that we won't see any difference, but I am happy to be proven wrong. :)

        # 2. Group by honeypot
        self.log.info("Grouping hits by honeypot type")
        for hit in search_result:
            # skip hits with non-existing or empty sources
            if "src_ip" not in hit or not hit["src_ip"].strip():
                continue
            # skip hits with non-existing or empty types (=honeypots)
            if "type" not in hit or not hit["type"].strip():
                continue
            # extract sensor
            if "t-pot_ip_ext" in hit:
                self.sensor_repo.add_sensor(hit["t-pot_ip_ext"])
            hits_by_honeypot[hit["type"]].append(hit.to_dict())

[shivraj1182]

Hey @regulartim! Quick update:

Local testing attempts - COMPLETED ✓

I successfully ran the GreedyBear stack locally with Docker (Windows, develop branch) and performed memory tests:

Test environment:

• Docker on Windows with Elasticsearch 9.2.3
• Loaded synthetic documents into logstash-2026.01.21 index
• Documents have required fields: @timestamp, src_ip, type (honeypot), t-pot_ip_ext
• Time range: last 3 days

Memory measurements using tracemalloc:

Test	Documents	Peak Memory (search)	Peak Memory (after grouping)	Memory/Doc
1	~10k (9,986)	11.21 MB	11.21 MB	~1.13 KB
2	~60k (59,985)	66.04 MB	66.04 MB	~1.13 KB
3	~640k (639,437)	702.92 MB	702.92 MB	~1.13 KB

Key findings:

1. Linear scaling: Memory usage scales linearly at ~1.13 KB per document (perfect)
2. Grouping has no additional cost: Peak memory remained identical before and after grouping by honeypot type, confirming that both the list(search.scan()) and hits_by_honeypot grouping keep the same data in memory
3. Predictable for typical deployments:
   • 25k hits/day over 3 days = ~75k hits = ~85 MB
   • 100k hits over 3 days = ~113 MB
   • 500k hits over 3 days = ~565 MB
   • Extrapolated: 1M hits = ~1.13 GB
4. Because the pipeline already builds the hits_by_honeypot structure (which holds all hits in memory grouped by type), the overall memory footprint is fundamentally determined by "total size of all matching hits in the time window" regardless of whether search() returns a list or an iterator.
   The list(search.scan()) approach does create an additional copy temporarily, but the dominating factor is still the grouped hits_by_honeypot structure. Changing search() to return an iterator would avoid the intermediate list, but as long as the pipeline semantics remain "load all hits → group by honeypot in memory", peak memory usage still scales linearly with the number of hits.

Memory behavior:

The 640k document test confirms that memory usage becomes significant (700+ MB) for very high-volume deployments, validating the original concern raised in this issue. However, the behavior is completely predictable and linear, making capacity planning straightforward.
For typical deployments with moderate volumes (tens of thousands of hits over a few days), the current pattern (load all → sort → group by honeypot) is acceptable and memory usage remains under 100 MB. The main memory cost is inherent to the pipeline design (loading all hits for the time window into memory for grouping), not specifically the search() implementation.
For very high-volume deployments:
If deployments regularly see 500k+ hits over multi-day windows (resulting in 500+ MB memory usage), a more fundamental refactor would be beneficial:
Process events in smaller time-based chunks (e.g. 1 hour at a time) and aggregate incrementally
Push aggregation logic to Elasticsearch using aggregations instead of loading all raw hits into Python
Stream and process hits in batches without holding everything in memory at once.

Conclusion:

For typical deployments with moderate traffic, the current implementation's memory usage is acceptable and predictable. The main memory cost comes from the pipeline design (loading all hits for the time window into memory for grouping), not specifically from the list() vs iterator choice in search().

Switching to an iterator and removing the cache would be a small optimization that avoids one intermediate copy, but wouldn't fundamentally change peak memory given the grouping step.

For very high-volume deployments (500k+ hits), a more substantial refactor (chunked processing or ES aggregations) would be needed regardless of the search() implementation details.

[regulartim]

Thank you very much for your investigation. The option to push aggregation logic to Elasticsearch seems quite appealing. So do you think it is possible to do let ES do the "group by honeypot" part? If so, would you like to implement it?

[shivraj1182]

Happy to hear that from your side, Tim! :>
Yes, Elasticsearch aggregations should be able to handle the “group by honeypot” step directly on the ES side. I’m thinking of using a terms aggregation on the honeypot field (and possibly sub‑aggregations if needed) so that Python only consumes the already grouped data.
I’d be happy to work on implementing this and propose the changes through a PR. I can start by drafting an ES query with the appropriate aggregations, measure memory and CPU impact compared to the current approach, and then integrate it into the existing pipeline. Does that approach align with what you had in mind?

[regulartim]

Yes, sounds good! :)

[regulartim]

Yes, sounds good! :)