https://community.cloudera.com/t5/Archives-of-Support-Questions/How-to-send-Windows-event-log-to-HCP/m-p/241283#M85875 <P>Hi <A rel="user" href="https://community.cloudera.com/users/97908/hacofayik.html" nodeid="97908">@haco fayik</A></P><P>That looks great. Sounds like you got around the initial problem of ingesting data into Metron.</P><P>There could be multiple reasons, e.g. parser, enrichment and indexing topologies not running or being misconfigured.</P><P>Would you create a new question for this and provide more details, such as worker logs of those topologies?</P><P>Would you also mark the answer that helped you most solve the ingest problem as "Best Answer"?</P><P>thanks!</P> Mon, 07 Jan 2019 20:27:39 GMT StefanDunkler 2019-01-07T20:27:39Z https://community.cloudera.com/t5/Archives-of-Support-Questions/How-to-send-Windows-event-log-to-HCP/m-p/241277#M85869 <P>Hi</P><P><BR />I want to send Windows event log to HCP ( with any agent like winlogbeats or etc ) but I don't know how to do this ? can you provide solution ?</P><P>Thanks</P> Fri, 16 Sep 2022 14:01:22 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/How-to-send-Windows-event-log-to-HCP/m-p/241277#M85869 hacofayik 2022-09-16T14:01:22Z https://community.cloudera.com/t5/Archives-of-Support-Questions/How-to-send-Windows-event-log-to-HCP/m-p/241278#M85870 <P>Hi <A rel="user" href="https://community.cloudera.com/users/97908/hacofayik.html" nodeid="97908">@haco fayik</A>,</P><P>as a starting point you need to push data into a parser specific Kafka topic (you can call the topic "windows-event-log"), and configure a parser in the Metron Management UI and start it. In the parser configuration you configure Metron, from which Kafka topic the messages are picked up ("windows-event-log" in our case) and how to parse the incoming messages.</P><P>NiFi is a great tool to collect data from various sources and push it into Kafka.</P><P>Maybe my article helps you: <A href="https://datahovel.com/2018/07/18/how-to-onboard-a-new-data-source-in-apache-metron/" target="_blank">https://datahovel.com/2018/07/18/how-to-onboard-a-new-data-source-in-apache-metron/</A></P><P>If you have more specific questions, don't hesitate to ask!</P> Mon, 31 Dec 2018 16:44:03 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/How-to-send-Windows-event-log-to-HCP/m-p/241278#M85870 StefanDunkler 2018-12-31T16:44:03Z https://community.cloudera.com/t5/Archives-of-Support-Questions/How-to-send-Windows-event-log-to-HCP/m-p/241279#M85871 <P>hi <A rel="user" href="https://community.cloudera.com/users/17971/sdunkler.html" nodeid="17971">@Stefan Kupstaitis-Dunkler</A>, </P><P>Thank you so much for your answer ,</P><P>if I have 5 windows server and workstation , I should install nifi on each host or I can use one nifi server for all hosts ?</P><P> How to send data ( event log) to nifi ?</P> Mon, 31 Dec 2018 20:33:05 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/How-to-send-Windows-event-log-to-HCP/m-p/241279#M85871 hacofayik 2018-12-31T20:33:05Z https://community.cloudera.com/t5/Archives-of-Support-Questions/How-to-send-Windows-event-log-to-HCP/m-p/241280#M85872 <P><A href="https://community.hortonworks.com/questions/232177/how-to-send-windows-event-log-to-hcp.html?childToView=232193#">@haco fayik</A></P><P>There's many ways to do this. <EM>You should probably search this community in the NiFi section or get familiar with NiFi in general.</EM></P><P>However, as a a short overview, the most common cases for Metron ingestion, I'm encountering in the field are:</P><UL> <LI>your sources are pushing the message to a <STRONG><EM>syslog</EM></STRONG> server. You can configure your syslog server to push data to your NiFi instance over TCP or UDP. In this case you'd need a "ListenSyslog" processor and a "PublishKafka" processor.</LI><LI>you already have a log forwarder capable of pushing data to Kafka (<STRONG><EM>winlogbeats</EM></STRONG><span class="lia-unicode-emoji" title=":disappointed_face:">😞</span> <A href="https://www.elastic.co/guide/en/beats/winlogbeat/current/configuring-output.html" target="_blank">https://www.elastic.co/guide/en/beats/winlogbeat/current/configuring-output.html</A> . In this case you won't need NiFi, if you are comfortable using winlogbeats.</LI><LI>You install <EM><STRONG>MiNiFi</STRONG></EM> on all servers to act as a simple log forwarder over tcp. You'd send those packets to a NiFi instance/cluster (similar to the Syslog approach), receive them via "ListenTcp" processor and push your messages into Kafka using the "PublishKafka" processor. You could also send data directly into Kafka from MiNiFi.</LI></UL><P>Note: If your Kafka cluster is secured with Kerberos, this might influence your choice.</P> Mon, 31 Dec 2018 20:59:59 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/How-to-send-Windows-event-log-to-HCP/m-p/241280#M85872 StefanDunkler 2018-12-31T20:59:59Z https://community.cloudera.com/t5/Archives-of-Support-Questions/How-to-send-Windows-event-log-to-HCP/m-p/241281#M85873 <P>thank you very much <A rel="user" href="https://community.cloudera.com/users/17971/sdunkler.html" nodeid="17971">@Stefan Kupstaitis-Dunkler</A> </P> Tue, 01 Jan 2019 19:33:58 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/How-to-send-Windows-event-log-to-HCP/m-p/241281#M85873 hacofayik 2019-01-01T19:33:58Z https://community.cloudera.com/t5/Archives-of-Support-Questions/How-to-send-Windows-event-log-to-HCP/m-p/241282#M85874 <P>Hi <A rel="user" href="https://community.cloudera.com/users/17971/sdunkler.html" nodeid="17971" target="_blank">@Stefan Kupstaitis-Dunkler</A></P><P>I Installed winlogbeats on Windows workstation with below config :</P><PRE>output.logstash: hosts: ["nifi.node.srv:5098"]</PRE><P>and I use this nifi processors to stream event to metron </P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="97533-nifi1.png" style="width: 1102px;"><img src="https://community.cloudera.com/t5/image/serverpage/image-id/13752i8ADA38FEECEEE5BB/image-size/medium?v=v2&amp;px=400" role="button" title="97533-nifi1.png" alt="97533-nifi1.png" /></span></P><P>listenbeats config :</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="97534-nifi2.png" style="width: 796px;"><img src="https://community.cloudera.com/t5/image/serverpage/image-id/13753iE0AAA5FBC2F78D04/image-size/medium?v=v2&amp;px=400" role="button" title="97534-nifi2.png" alt="97534-nifi2.png" /></span></P><P>Publishkafka cofig :</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="97535-nifi3.png" style="width: 791px;"><img src="https://community.cloudera.com/t5/image/serverpage/image-id/13754i2F7C387D8130C915/image-size/medium?v=v2&amp;px=400" role="button" title="97535-nifi3.png" alt="97535-nifi3.png" /></span></P><P>Nifi Data provenance in publishkafka processor :</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="97536-nifi4.png" style="width: 1406px;"><img src="https://community.cloudera.com/t5/image/serverpage/image-id/13755i994CF74FD32601E9/image-size/medium?v=v2&amp;px=400" role="button" title="97536-nifi4.png" alt="97536-nifi4.png" /></span></P><P>and I create sensor in Management UI with logstash parser and winlogtop topic ( kafka) . now I can't see any log data in alert UI . what's problem ?</P><P>Thanks</P> Sat, 17 Aug 2019 22:17:51 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/How-to-send-Windows-event-log-to-HCP/m-p/241282#M85874 hacofayik 2019-08-17T22:17:51Z https://community.cloudera.com/t5/Archives-of-Support-Questions/How-to-send-Windows-event-log-to-HCP/m-p/241283#M85875 <P>Hi <A rel="user" href="https://community.cloudera.com/users/97908/hacofayik.html" nodeid="97908">@haco fayik</A></P><P>That looks great. Sounds like you got around the initial problem of ingesting data into Metron.</P><P>There could be multiple reasons, e.g. parser, enrichment and indexing topologies not running or being misconfigured.</P><P>Would you create a new question for this and provide more details, such as worker logs of those topologies?</P><P>Would you also mark the answer that helped you most solve the ingest problem as "Best Answer"?</P><P>thanks!</P> Mon, 07 Jan 2019 20:27:39 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/How-to-send-Windows-event-log-to-HCP/m-p/241283#M85875 StefanDunkler 2019-01-07T20:27:39Z https://community.cloudera.com/t5/Archives-of-Support-Questions/How-to-send-Windows-event-log-to-HCP/m-p/241284#M85876 <P>Thanks <A rel="user" href="https://community.cloudera.com/users/17971/sdunkler.html" nodeid="17971">@Stefan Kupstaitis-Dunkler,<BR /></A></P><P>I marked best answer and I will create a new question for this problem . Can you provide location of these log file?</P><P>I confused that Can I use metron for Collect windows and linux hosts and network devices log for security purpose ? ( Threat detection and etc)</P><P>Please accept my thanks for your helps</P><P><BR /><A rel="user" href="https://community.cloudera.com/users/17971/sdunkler.html" nodeid="17971"></A> </P> Tue, 08 Jan 2019 16:43:49 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/How-to-send-Windows-event-log-to-HCP/m-p/241284#M85876 hacofayik 2019-01-08T16:43:49Z