https://community.cloudera.com/t5/Archives-of-Support-Questions/Can-Apache-Metron-fullfill-my-use-case/m-p/231671#M82709 <P>Hi <A href="https://community.hortonworks.com/questions/214896/can-apache-metro-fullfill-my-use-case.html#">@Sarvesh Kumar</A></P><P>Apache Metron gives you all the tools you need to</P><UL> <LI>extract and <STRONG>parse</STRONG> the information from your event. So if the event's message contains the information about if the device has shutdown, you'll be able to create a rule around it.</LI><LI>aggregate data and create <STRONG>profiles</STRONG> of devices in certain time windows. So you could create a small function that evaluates the status of a device in a certain time frame and check if the device is up.</LI><LI>Disk memory full: If the event source contains the current disk space (and ideally also sends the maximum amount of disk space available) it's just a simple rule to add to create an alert.</LI></UL><P>Regarding your unsupervised learning question:</P><UL> <LI>Your examples don't require machine learning, because they are rule based.</LI><LI>You'd want to use machine learning to train a model that generates alerts based on data rather than on rules. (in most cases this is "supervised" learning based on "is alert" or "is not alert").</LI><LI>However, Metron provides a "Model as a Service" capabilty, which allows you to deploy models to evaluate events and enrich them.</LI><LI>That being said, Metron does not provide models for you. Creating features and models is the data scientists job and depending how thoroughly this is done, this will determine how many accurate alerts (ideally all of them) and how many false positives you have (ideally none).</LI></UL><P>Hope that helped!</P> Mon, 27 Aug 2018 18:29:55 GMT StefanDunkler 2018-08-27T18:29:55Z https://community.cloudera.com/t5/Archives-of-Support-Questions/Can-Apache-Metron-fullfill-my-use-case/m-p/231670#M82708 <P>I have some devices(network switch, router etc), they publish activity logs through syslog. I need to find actionable items from the logs as alerts. An Actionable item could be, a device has been shut down and not restarted, or device disk memory is full etc.</P><P>I have following fields in syslogs</P><P>timestamp source application_name facility full_message gl2_remote_ip gl2_remote_port gl2_source_input gl2_source_node level message process_id streams</P><P>I don't have labelled examples of actionable messages. Can Apache metron do something here with unsupervised learning.</P> Mon, 27 Aug 2018 17:56:03 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/Can-Apache-Metron-fullfill-my-use-case/m-p/231670#M82708 sarvesh_kumar1 2018-08-27T17:56:03Z https://community.cloudera.com/t5/Archives-of-Support-Questions/Can-Apache-Metron-fullfill-my-use-case/m-p/231671#M82709 <P>Hi <A href="https://community.hortonworks.com/questions/214896/can-apache-metro-fullfill-my-use-case.html#">@Sarvesh Kumar</A></P><P>Apache Metron gives you all the tools you need to</P><UL> <LI>extract and <STRONG>parse</STRONG> the information from your event. So if the event's message contains the information about if the device has shutdown, you'll be able to create a rule around it.</LI><LI>aggregate data and create <STRONG>profiles</STRONG> of devices in certain time windows. So you could create a small function that evaluates the status of a device in a certain time frame and check if the device is up.</LI><LI>Disk memory full: If the event source contains the current disk space (and ideally also sends the maximum amount of disk space available) it's just a simple rule to add to create an alert.</LI></UL><P>Regarding your unsupervised learning question:</P><UL> <LI>Your examples don't require machine learning, because they are rule based.</LI><LI>You'd want to use machine learning to train a model that generates alerts based on data rather than on rules. (in most cases this is "supervised" learning based on "is alert" or "is not alert").</LI><LI>However, Metron provides a "Model as a Service" capabilty, which allows you to deploy models to evaluate events and enrich them.</LI><LI>That being said, Metron does not provide models for you. Creating features and models is the data scientists job and depending how thoroughly this is done, this will determine how many accurate alerts (ideally all of them) and how many false positives you have (ideally none).</LI></UL><P>Hope that helped!</P> Mon, 27 Aug 2018 18:29:55 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/Can-Apache-Metron-fullfill-my-use-case/m-p/231671#M82709 StefanDunkler 2018-08-27T18:29:55Z