Fix back-to-back SecGemini investigations (#3597)

gpavlidi · Yanis Pavlidis · jkppr · web-flow · commit 219ca8fa59a2 · 2025-11-18T10:26:41.000+01:00
* Fix back to back investigations by forcing termination
* Address review comments
* fix linters
* Adding docker host infos for local LLM dev.

---------

Co-authored-by: Yanis Pavlidis &lt;ypavlidis@google.com&gt;
Co-authored-by: Janosch &lt;99879757+jkppr@users.noreply.github.com&gt;
diff --git a/data/timesketch.conf b/data/timesketch.conf
@@ -424,7 +424,18 @@ LLM_PROVIDER_CONFIGS = {
         'secgemini_log_analyzer_agent': {
             'logs_processor_api_url': '',
             'api_key': '',
-            'model': 'logs_analysis_agent-1.1'
+            'model': 'logs_analysis_agent-1.1',
+            'base_url': '',
+            'wss_url': '',
+            # Configuration for individual agents. This is a dictionary where the
+            # key is the agent name and the value is another dictionary with
+            # agent-specific configuration parameters.
+            # Example:
+            # 'agents_config': {
+            #     'logs_analysis_loop_agent': {
+            #         'max_iterations': 10,
+            # }
+            'agents_config': {},
         }
     },
     'default': {
diff --git a/docs/developers/getting-started.md b/docs/developers/getting-started.md
@@ -146,6 +146,32 @@ Point your browser to `http://localhost:5001/` to access the new frontend UI.
 All changes to the `timesketch/frontend-ng/` path will be automatically build
 and loaded in the new frontend.
 
+### Accessing services on your host machine
+
+In some development scenarios, you might need the Timesketch container to
+communicate with a service running directly on your host machine (the "docker
+host"). A common use case is when you are running local LLM (Large Language
+Model) services (e.g., Ollama) that need access to hardware like GPUs which may
+not be available to the container.
+
+To enable this, you need to make the docker host accessible from within the
+Timesketch container. You can achieve this by adding an `extra_hosts` entry to
+the `timesketch` service in your `docker/dev/docker-compose.yml` file:
+
+```yaml
+services:
+  timesketch:
+    ...
+    # Make docker host accessible for local development.
+    extra_hosts:
+      - host.docker.internal:host-gateway
+```
+
+After adding this and restarting your container, you can configure Timesketch to
+connect to services on your host using `http://host.docker.internal:<PORT>`. For
+example, you could configure an LLM provider in `timesketch.conf` to use a base
+URL of `http://host.docker.internal:8000`.
+
 ## API development
 
 Exposing new functionality via the API starts at `/timesketch/api/v1/routes.py`.
diff --git a/timesketch/lib/llms/providers/secgemini_log_analyzer_agent.py b/timesketch/lib/llms/providers/secgemini_log_analyzer_agent.py
@@ -68,8 +68,19 @@ def __init__(self, config: dict, **kwargs: Any):
         if self.server_url:
             os.environ["SEC_GEMINI_LOGS_PROCESSOR_API_URL"] = self.server_url
 
+        self.base_url = self.config.get("base_url")
+        self.wss_url = self.config.get("wss_url")
+        self.agents_config = self.config.get("agents_config", {})
+
         try:
-            self.sg_client = SecGemini(api_key=self.api_key)
+            if self.base_url and self.wss_url:
+                self.sg_client = SecGemini(
+                    base_url=self.base_url,
+                    base_websockets_url=self.wss_url,
+                    api_key=self.api_key,
+                )
+            else:
+                self.sg_client = SecGemini(api_key=self.api_key)
         except Exception as e:
             raise ValueError(f"Failed to initialize SecGemini client: {e}") from e
 
@@ -102,7 +113,9 @@ async def _run_async_stream(self, log_path, prompt):
             str: The content chunks of the streamed response from the agent.
         """
         self._session = self.sg_client.create_session(
-            model=self.model, enable_logging=self.enable_logging
+            model=self.model,
+            enable_logging=self.enable_logging,
+            agents_config=self.agents_config,
         )
         self.session_id = self._session.id
         # TODO: Could we check if the API key has logging enabled and if not ERR
@@ -181,6 +194,8 @@ async def _run_async_stream(self, log_path, prompt):
 
                     if json_str:
                         yield json_str
+                        # force termination to avoid back2back runs
+                        break
         finally:
             if debug_log_file:
                 debug_log_file.close()
