
How to correlate logs from different assets with Metron to trigger complex use cases?


New Contributor

I am a Metron newbie looking to see if it can fit my needs. Say I want to trigger an alarm from an event in the firewall and another one in the Active Directory:

if event1 and event2 then set alarm_xxx

What workflow / tools are required with Metron, please?

4 REPLIES

Re: How to correlate logs from different assets with Metron to trigger complex use cases?

Contributor

Hi @Alan B,

You can perform logic operations and profiling, and create scores and alerts based on those results. You can also use MaaS (Model-as-a-Service) to deploy models and create alerts based on their results, etc.

Basically, Metron has a wide number of options available to handle a variety of cases; in that way, it is quite open.

Visit the following documentation for more information:

https://docs.hortonworks.com/HDPDocuments/HCP1/HCP-1.5.0/bk_analytics/content/overview.html

Visit also the Stellar Language doc:

https://docs.hortonworks.com/HDPDocuments/HCP1/HCP-1.5.0/bk_stellar-quick-ref/content/intro.html

Metron lives atop the Hadoop stack; in that way, you will have the following requirements:

  • Apache Hadoop;
  • Apache Storm;
  • Apache Kafka;
  • Apache HBase;
  • Apache ZooKeeper.

Visit the following documentation for more information about requirements of HCP/Metron:

https://docs.hortonworks.com/HDPDocuments/HCP1/HCP-1.5.0/bk_installation/content/software_req.html

Hope it helps!

Gonçalo

Re: How to correlate logs from different assets with Metron to trigger complex use cases?

New Contributor

Thanks Gonçalo. To be sure, can you confirm Stellar can be used as a correlation engine in Metron, i.e. real-time alerting based on logical rules and anything Stellar can do?

Re: How to correlate logs from different assets with Metron to trigger complex use cases?

Contributor

Metron has several stages where the event is processed. For example, after you have parsed your event you can enrich it; that can be done with Stellar: using the "GEO_GET" function you can get, based on a GEO list, the origin of an IP.

You can also add your own custom functions or you can do logic, arithmetic operations, etc.

Using the Metron UI you can see your alerts in real time; check the page below for more detail about the UI:

https://docs.hortonworks.com/HDPDocuments/HCP1/HCP-1.5.0/bk_user-guide/content/using_alerts_table.ht...

I would recommend that you install Metron and try it.

Gonçalo
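As an added illustration of the asker's "event1 and event2" case (this is not code from the thread or from the Metron project), the usual way to correlate two sensors in Metron is to let the Profiler summarise one stream and then reference that summary from a Stellar threat-triage rule on the other stream. The enrichment configuration below for a hypothetical Active Directory sensor raises a triage score when a logon failure arrives from a source host that the firewall has recently denied; it assumes a profile named `fw-deny-count` has been defined in the profiler config (foreach `ip_src_addr` over the firewall sensor, counting deny events per 15-minute period), and that the AD parser emits the fields `event_id` (numeric) and `ip_src_addr`, all of which are assumptions, not names from the page.

```json
{
  "enrichment": {
    "fieldMap": {
      "geo": ["ip_src_addr"]
    }
  },
  "threatIntel": {
    "fieldMap": {},
    "triageConfig": {
      "riskLevelRules": [
        {
          "name": "ad_logon_failure_after_fw_denies",
          "comment": "Hypothetical rule: AD logon failure (event_id 4625) from a host that the assumed 'fw-deny-count' profile has seen denied by the firewall within the last 15 minutes",
          "rule": "event_id == 4625 && LENGTH(PROFILE_GET('fw-deny-count', ip_src_addr, PROFILE_FIXED(15, 'MINUTES'))) > 0",
          "score": 80
        }
      ],
      "aggregator": "MAX"
    }
  }
}
```

PROFILE_GET returns one value per profile period that has data for the entity, so an empty list means the firewall profile has nothing for that host and the rule stays quiet; the resulting score is what the Alerts UI surfaces for the AD event.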

Re: How to correlate logs from different assets with Metron to trigger complex use cases?

New Contributor

Thank you very much Gonçalo. We are actually in the setup process.