Performance Optimierung da System mit 450k Daten nach 12 Stunden zu langsam!

deploy/mariadb/init/001-schema.sql

@@ -1809,4 +1809,108 @@ CREATE TABLE IF NOT EXISTS user_source_ip_seen (
     last_seen DATETIME(6) NOT NULL,
     seen_count BIGINT NOT NULL DEFAULT 1,
     PRIMARY KEY (username, src_ip, hostname)
-);
+);
+
+###
+
+ALTER TABLE detections
+  ADD INDEX idx_detections_created_at (created_at),
+  ADD INDEX idx_detections_status_created (status, created_at),
+  ADD INDEX idx_detections_severity_created (severity, created_at),
+  ADD INDEX idx_detections_host_created (hostname, created_at),
+  ADD INDEX idx_detections_rule_created (rule_name, created_at),
+  ADD INDEX idx_detections_host_rule_created (hostname, rule_name, created_at),
+  ADD INDEX idx_detections_host_status_created (hostname, status, created_at),
+  ADD INDEX idx_detections_risk_window (created_at, status, hostname, severity),
+  ADD INDEX idx_detections_window_lookup (hostname, window_start, window_end);
+
+ALTER TABLE ueba_user_baseline
+  ADD UNIQUE KEY uq_ueba_user_context (username, hostname, src_ip, workstation),
+  ADD INDEX idx_ueba_user_last_seen (username, last_seen),
+  ADD INDEX idx_ueba_host_last_seen (hostname, last_seen);
+
+ALTER TABLE user_source_ip_seen
+  ADD UNIQUE KEY uq_user_source_ip_host (username, src_ip, hostname),
+  ADD INDEX idx_user_source_ip_last_seen (username, src_ip, last_seen);
+
+ALTER TABLE user_privilege_baseline
+  ADD UNIQUE KEY uq_user_privilege_username (username);
+
+ALTER TABLE baseline_event_stats
+  ADD UNIQUE KEY uq_baseline_bucket (
+    hostname,
+    channel_name,
+    event_id,
+    hour_of_day,
+    day_of_week
+  );
+
+ALTER TABLE detection_suppressions
+  ADD INDEX idx_detection_suppressions_lookup (
+    enabled,
+    rule_name,
+    hostname,
+    channel_name,
+    event_id,
+    expires_at
+  );
+
+ALTER TABLE baseline_exclusions
+  ADD INDEX idx_baseline_exclusions_lookup (
+    enabled,
+    hostname,
+    channel_name,
+    event_id,
+    expires_at
+  );
+
+ALTER TABLE detections
+  ADD INDEX idx_detections_status_created2 (status, created_at),
+  ADD INDEX idx_detections_severity_created2 (severity, created_at);
+
+###
+
+  CREATE TABLE IF NOT EXISTS event_log_raw (
+    event_log_id BIGINT UNSIGNED NOT NULL,
+    msg MEDIUMTEXT NOT NULL,
+    msg_sha256 CHAR(64) NOT NULL,
+    created_at DATETIME(6) NOT NULL DEFAULT (UTC_TIMESTAMP(6)),
+    PRIMARY KEY (event_log_id),
+    INDEX idx_event_log_raw_sha256 (msg_sha256),
+    INDEX idx_event_log_raw_created_at (created_at)
+);
+
+ALTER TABLE event_log_raw
+  ADD CONSTRAINT fk_event_log_raw_event
+  FOREIGN KEY (event_log_id)
+  REFERENCES event_logs(id)
+  ON DELETE CASCADE;
+
+######################## MIGRATION ############################
+INSERT INTO event_log_raw (event_log_id, msg, msg_sha256, created_at)
+SELECT id, msg, msg_sha256, COALESCE(received_at, UTC_TIMESTAMP(6))
+FROM event_logs
+WHERE msg IS NOT NULL
+  AND msg <> ''
+ON DUPLICATE KEY UPDATE
+    msg = VALUES(msg),
+    msg_sha256 = VALUES(msg_sha256);
+######################## MIGRATION ############################
+
+
+######################## TEST #################################
+SELECT COUNT(*) AS raw_rows FROM event_log_raw;
+SELECT COUNT(*) AS event_rows_with_msg FROM event_logs WHERE msg IS NOT NULL AND msg <> '';
+######################## TEST #################################
+
+######################## MIGRATION ############################
+UPDATE event_logs
+SET msg = ''
+WHERE msg IS NOT NULL
+  AND msg <> ''
+LIMIT 10000;
+######################## MIGRATION ############################
+
+######################## TEST #################################
+SELECT COUNT(*) FROM event_logs WHERE msg IS NOT NULL AND msg <> '';
+######################## TEST #################################