Introduction

If you are new to Metron or the Metron Tech Preview 1, the following links should provide some good information to review before walking through the installation:

• Intro to Apache Metron
• What is in Apache Metron Tech Preview 1

Build Instructions

The following steps provide instructions on how to install a full working Metron application on a single node VM with Vagrant. This deployment option is ideal for experimenting and playing with the Metron application. While these instructions should work on most development environments, these instructions were tested on Mac OS X El Capitan.

Prerequisites

On your Macintosh:

1. Install the latest version of Virtual Box.
2. Install the latest version of Vagrant.
3. Install Maven if you don't have it, and define associated environmental variables. For example, add the following to your ~/.bash_profile file:

   export MAVEN_HOME=/Users/rmckissick/Documents/Files/apache-maven-3.3.9
   export PATH=$MAVEN_HOME/bin:$PATH

4. Install JAVA 1.8 if you don't have it, and define associated environment variables. For example, add the following your ~/.bash_profile file.

   export JAVA_HOME=/Library/Java/JavaVirtualMachines/jdk1.8.0_91.jdk/Contents/Home
   export PATH=$JAVA_HOME/bin:$PATH

5. If you installed Maven and Java and edited your profile file in steps 2 and 3, reload .bash_profile:

   source~/.bash_profile

6. Check your Maven installation:

   mvn–version

   You should see information about Maven, Java, and OS X.

7. Install Ansible, version 2.0 or greater. For example:

   sudo su -
   easy_install pip
   export CFLAGS=-Qunused-arguments
   export CPPFLAGS=-Qunused-arguments
   pip install ansible
   exit
   

   (exit logs off from root and returns to your user account)

Build Apache Metron

1. Download the 0.1 Metron binaries from here (download the .tar.gz file).
2. Untar the binaries to a location that will be easy to find later:

   tar -zxvf apache-metron-0.1BETA-RC7-incubating.tar.gz

3. Build the Metron application:

   cd incubator-metron-Metron_0.1BETA_rc7
   mvn apache-rat:check && cd metron-streaming && mvn clean integration-test && cd ..   
   

   The mvn command downloads and builds Metron components. It should take about 15 minutes, depending on your hardware configuration. When it finishes, you should see a message similar to the following:

   [INFO] ------------------------------------------------------------------------
   [INFO] Reactor Summary:
   [INFO]
   [INFO] Metron-Streaming ................................... SUCCESS [ 31.437 s]
   [INFO] Metron-Common ...................................... SUCCESS [04:58 min]
   [INFO] Metron-EnrichmentAdapters .......................... SUCCESS [ 14.185 s]
   [INFO] Metron-MessageParsers .............................. SUCCESS [ 2.704 s]
   [INFO] Metron-Indexing .................................... SUCCESS [ 26.989 s]
   [INFO] Metron-Alerts ...................................... SUCCESS [ 4.651 s]
   [INFO] Metron-Testing ..................................... SUCCESS [ 9.167 s]
   [INFO] Metron-DataLoads ................................... SUCCESS [04:26 min]
   [INFO] Metron-Topologies .................................. SUCCESS [03:05 min]
   [INFO] Metron-Pcap_Service ................................ SUCCESS [ 43.666 s]
   [INFO] ------------------------------------------------------------------------
   [INFO] BUILD SUCCESS
   [INFO] ------------------------------------------------------------------------
   [INFO] Total time: 14:43 min
   [INFO] Finished at: 2016-04-26T13:11:09-07:00
   [INFO] Final Memory: 122M/1649M

4. Deploy Metron as a single VM via Vagrant and Ansible:

   cd deployment/vagrant/singlenode-vagrant
   vagrant plugin install vagrant-hostmanager
   vagrant up

5. The vagrant up process will run through a series of Ansible scripts, installing Ambari, HDP, and Metron on the single-node VM. The process should take about 45 - 60 minutes depending on your hardware configuration.

Verify That Apache Metron is Deployed Successfully

1. Check Ambari to make sure all the services are up by going to Ambari. Sign on with the default login and password "admin". The Ambari dashboard should look like the following:
   1. 
2. Verify that four Storm topologies have been deployed: bro, enrichment, snort, and yaf.

   From Ambari, navigate to Storm -> Quick Links -> Storm UI. You should see the four storm topologies deployed. The Metron Storm UI should look something like the following:

   

3. Check that the enrichment topology has emitted some data (this could take a few minutes to show up in the Storm UI). The storm enrichment topology UI should look something like the following:
   1. 
4. Go to the Metron UI (at http://node1:5000). Check indexes to make sure indexing is done correctly and data is visualized. The Metron UI should look something like the following:
   1. 
5. Check that some data is written into HDFS for at least one of the data sources

   vagrant ssh node1
   sudo su hdfs
   hadoop fs -ls /apps/metron/enrichment/indexed

Questions/Issues

If you have any questions or install issues, post your question to the CyberSecurity HCC Track.