The Mochi Demo

<< Click to Display Table of Contents >>

Navigation:  Analyzing Data in s-Server > Running Demo Applications >

The Mochi Demo

Previous pageReturn to chapter overviewNext page

The Mochi demonstration application simulates clusters of failed logins at a bank, either by phone or web, as well as withdrawals or debits using the same customer id number.

If you install s-Server on a Linux machine with a graphical interface, the Mochi demo is installed as a shortcut on your desktop. When you launch this shortcut by double-clicking it, the Mochi demo automatically installs a catalog into s-Server, generates test data using datagen, and launches a browser that displays data in s-Dashboard, displaying these clusters as a table, map, and chart:

inst_mochi_demo

Note: the Linux server user who runs the Mochi demo must be using the latest version of Mozilla Firefox or Google Chrome in order to work.

Running the Mochi Demo

To run the Mochi demo, do one of the following:

Double-click the Run Mochi Demo icon on your desktop.
From a terminal, run $SQLSTREAM_HOME/demo/mochi/runDemo.sh

When you run the Mochi script, it does the following:

1.Creates the Mochi schema, including streams and pumps to move data around and views to apply analytics to the data and condition this data for display in s-Dashboard.
2.Generates test data using Datagen.
3.Launches s-Dashboard. To view s-Dashboard, you need to launch a browser and point it to the address set up by your system administrator during s-Server installation. The default address is localhost:5595.

Running the Mochi demo on a Linux machine with no GUI

If your machine does not have a GUI, you can run the script in $SQLSTREAM_HOME/demo/mochi called runDemo.sh.

Note: $SQLSTREAM_HOME refers to the installation directory for s-Server, such as /opt/sqlstream/4.0.XXX/s-Server.

This is the same script that is run when you click the desktop icon. When the script detects that your system has no browser installed, it will print out a message that includes the URL on which the demo runs. You can then point to this URL from any machine that can access it (including Windows machines) in order to view the demo.

Dashboards

To launch s-Dashboard, open a browser and enter localhost:5595/dashboards

The home page for s-Dashboard appears:

dev_mochi_dashboards_home

The Dashboards home page lets you launch four different dashboards. The first three offer combinations of a map with login failure alerts by geographical locations, and either a chart of failed logins or a table of geographical locations. The fourth, Stoplight, flags login failures by yellow (

int_mochi_demo

Main Dashboard with Graph Panel

dev_mochi_dashboard_main_no_panel

Main Dashboard with No Graph Panel

dev_mochi_dashboard_map_table

Dashboard with Map and Table

dev_mochi_stoplight

Stoplight Dashboard

Stopping Mochi

To stop the Mochi demo, do one of the following:

Click the Stop Mochi Demo icon on your desktop.
From a terminal, run $SQLSTREAM_HOME/demo/mochi/stopDemo.sh

This will stop all pumps, datagens, Web Agent and s-Dashboard instances started by the Mochi demo.

Mochi Data

The Mochi demo gathers simulated data on phone login events and web login events, then analyzes this data to identify clusters of failed login attempts. It tracks data using the following columns.

Columns for Phone Login Events

Column

Explanation

recNo

A unique record id for the event.

ts

Timestamp for the event

accountNumber

Eleven digit number.

callerId

Number from which phone transaction was initiated.

directDial

Number dialed at bank.

customerId

Fifteen digit number.

Stream for Phone Login Events

SQLstream uses streams to capture dynamically changing data so that this data can be queried with SQL. The stream used to capture data for Mochi's web login events is called WebLoginEvents and is created with the following block of SQL:

CREATE OR REPLACE STREAM "PhoneLoginEvents"

   ("recNo" INTEGER,

   "ts" TIMESTAMP NOT NULL,

   "accountNumber" INTEGER,

   "loginSuccessful" BOOLEAN,

   "callerId" VARCHAR(32),

   "directDial" VARCHAR(32),

   "customerId" INTEGER)

   DESCRIPTION 'Logins from the phone system';

 

Columns for Web Login Events

Column

Explanation

recNo

A unique record id for the event.

ts

Timestamp for the event

accountNumber

Eleven digit number.

loginSuccessful

True or false

sourceIP

Originating id for login.

 

destIP

Ip address that user attempted to log into.

customerId

Fifteen digit number.

Web Login Events and Parsing Log Files

The Mochi demo uses the Log File Adapter to tail and parse a sample log file from a web server to track web login events. See the topic Log File Adapter in the Enterprise Integration Guide for more details.

The Log File adapter uses a foreign stream to capture data. The code for a sample foreign stream is as follows:

CREATE OR REPLACE FOREIGN STREAM "WebLoginEvents"

   SERVER "WebAppServer"

   OPTIONS (

       log_path '/tmp/mochi/web_login.log',

       encoding 'UTF-8',

       sleep_interval '100',

       max_unchanged_stats '20',

       parser 'variable',

       parser_columns '"recNo" TYPE INTEGER,

               "ts" TYPE TIMESTAMP NOT NULL,

               "accountNumber" TYPE INTEGER,

               "loginSuccessful" TYPE BOOLEAN,

               "sourceIP" TYPE VARCHAR(32),

               "destIP" TYPE VARCHAR(32),

               "customerId" TYPE INTEGER',

       parser_delimiters ',')

   DESCRIPTION 'Login stream from web app';

 

Views of Events

Once the Mochi demo has created streams to gather data on the demo's events, it uses views to generate relationships between the streams' data. For example, the following code combines phone login events with the phone numbers' location.

CREATE OR REPLACE VIEW "PhoneLoginEventsWithLocation"

   DESCRIPTION 'Phone login events enriched by geo-lookup'

   AS

   SELECT STREAM

       "recNo", "ts", "accountNumber", "loginSuccessful",

       "callerId", "directDial", "customerId",

       CAST(PLE.r.countryCode AS CHAR(2)) AS "countryCode",

       CAST(PLE.r.countryName AS VARCHAR(34)) AS "countryName",

       CAST(PLE.r.city AS VARCHAR(32)) AS "city",

       CAST(PLE.r.region AS CHAR(2)) AS "region",

       CAST(PLE.r.lat AS DECIMAL(8,5)) AS "lat",

       CAST(PLE.r.lon AS DECIMAL(8,5)) AS "lon"

   FROM (

       SELECT STREAM

           *,

           -- getPhoneLocation output: 'countryCode,country,city,state/region,lat,lon'

           VARIABLE_COLUMN_LOG_PARSE("phoneLoc",

               'countryCode, countryName, city, region, lat, lon', ',') AS r

       FROM "PhoneLoginEvents2") AS PLE;

 

Other views identify suspect login events by combining data from web login streams and phone login streams, then identifying account numbers with more than three failed login attempts in a minute:

CREATE OR REPLACE VIEW "SuspectLoginFailures"

   DESCRIPTION 'Windowed stream view to detect groups of failed logins'

   AS

   SELECT STREAM

       "accountNumber",

       -- "loginFailureCount",

       "webFail", "phoneFail",

       "city", "region", "lat", "lon"

   FROM (

       SELECT STREAM

           "accountNumber",

           -- COUNT(*) OVER "lastMinute" AS "loginFailureCount",

           SUM(MOCHI_UTIL.CMI("accessType", 'WEB')) OVER "lastMinute" AS "webFail",

           SUM(MOCHI_UTIL.CMI("accessType", 'PHONE')) OVER "lastMinute" AS "phoneFail",

           "city", "region", "lat", "lon"

       FROM "LoginEvents"

       WHERE NOT "loginSuccessful"

       WINDOW "lastMinute" AS (

           PARTITION BY "accountNumber"

           ORDER BY "LoginEvents".ROWTIME

           RANGE INTERVAL '1' MINUTE PRECEDING))

   WHERE "webFail" + "phoneFail" > 3;

 

Modifying Mochi Data

To change the amount, rate, and type of data generated, modify the xml files in <%S-SERVER_HOME%>/demo/mochi/datagen

For more information on Datagen, see the topic Generating Test Data with DataGen in Developer Guide.