How to deploy Metron on CentOS VM of VMware?

Explorer

I created a CentOS VM on VMware. I want to deploy Metron on it. Can you help me? Many thanks.

1 ACCEPTED SOLUTION

Super Collaborator

Hello @Lee Adrian,

The following article should help with deploying a Metron cluster using Ambari:

https://community.hortonworks.com/articles/60805/deploying-a-fresh-metron-cluster-using-ambari-serv....

If you are looking to deploy a vagrant-based quick-dev environment, then the instructions are here:

https://github.com/apache/incubator-metron/tree/master/metron-deployment/vagrant/quick-dev-platform

Explorer

Hello @asubramanian

I tried your guide, but I don't understand how to add services for master & slave nodes. Can you help me?

Many thanks.

Super Collaborator

Hi @Lee Adrian, are you referring to the HCC article or the quick-dev GitHub page? If it's the former, can you tell me which step you are having trouble with?

Explorer

Hi @asubramanian

Thank you for answering my questions. I'm trying to configure it following your guide.

Super Collaborator

Hi @Lee Adrian, were you able to resolve the issue?

Explorer

Hi @asubramanian, thank you. I finished configuring following your guide, but I don't see a pattern for the Bro log on Kibana. Can you help me?

Explorer

I looked in the /usr/metron/0.3.0/patterns path, but it has asa, common, fireeye, sourcefire, squid, websphere, and yaf files.

Super Collaborator

Hi @Lee Adrian,

Metron uses a BasicBroParser and hence you don't see a pattern for bro. As you can see from the output below for bro and squid:

[root@node1 ~]# cat /usr/metron/0.3.1/config/zookeeper/parsers/bro.json
{
  "parserClassName":"org.apache.metron.parsers.bro.BasicBroParser",
  "sensorTopic":"bro",
  "parserConfig": {}
}

[root@node1 ~]# cat /usr/metron/0.3.1/config/zookeeper/parsers/squid.json
{
  "parserClassName": "org.apache.metron.parsers.GrokParser",
  "sensorTopic": "squid",
  "parserConfig": {
    "grokPath": "/patterns/squid",
    "patternLabel": "SQUID_DELIMITED",
    "timestampField": "timestamp"
  },
  "fieldTransformations" : [
    {
      "transformation" : "STELLAR"
    ,"output" : [ "full_hostname", "domain_without_subdomains" ]
    ,"config" : {
      "full_hostname" : "URL_TO_HOST(url)"
      ,"domain_without_subdomains" : "DOMAIN_REMOVE_SUBDOMAINS(full_hostname)"
                }
    }
                           ]
}
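
An added example (not part of the original thread and not Metron's own code): a small Python check over parser configs like the two quoted above, reporting which sensors depend on a grok pattern file and whether that file is present. The sample configs and pattern list are constructed from values quoted in the thread; the function names and status labels are hypothetical.

```python
import json
import posixpath

GROK_PARSER = "org.apache.metron.parsers.GrokParser"

# Constructed sample inputs, built from the two configs quoted in the thread
# (the squid fieldTransformations block is omitted; it does not affect the check).
SAMPLE_CONFIGS = [
    '{"parserClassName":"org.apache.metron.parsers.bro.BasicBroParser",'
    ' "sensorTopic":"bro", "parserConfig":{}}',
    '{"parserClassName":"org.apache.metron.parsers.GrokParser",'
    ' "sensorTopic":"squid", "parserConfig":{"grokPath":"/patterns/squid",'
    ' "patternLabel":"SQUID_DELIMITED", "timestampField":"timestamp"}}',
]
# Pattern file names as listed in the thread for the patterns directory.
SAMPLE_PATTERNS = {"asa", "common", "fireeye", "sourcefire", "squid", "websphere", "yaf"}


def classify_parser(raw_json, available_patterns):
    """Return (sensor, status, detail) for one parser config document."""
    cfg = json.loads(raw_json)
    sensor = cfg.get("sensorTopic", "<unknown>")
    parser_class = cfg.get("parserClassName", "")
    if parser_class != GROK_PARSER:
        # Dedicated parser class such as BasicBroParser: no grok pattern file.
        return sensor, "no-pattern-needed", parser_class.rsplit(".", 1)[-1]
    grok_path = (cfg.get("parserConfig") or {}).get("grokPath")
    if not grok_path:
        return sensor, "misconfigured", "GrokParser without grokPath"
    # Assumption: the pattern file is named after the last grokPath component.
    found = posixpath.basename(grok_path) in available_patterns
    return sensor, "pattern-found" if found else "pattern-missing", grok_path


def audit(configs, available_patterns):
    """Map each sensor topic to its (status, detail) pair."""
    results = {}
    for raw in configs:
        sensor, status, detail = classify_parser(raw, available_patterns)
        results[sensor] = (status, detail)
    return results


if __name__ == "__main__":
    for sensor, (status, detail) in sorted(audit(SAMPLE_CONFIGS, SAMPLE_PATTERNS).items()):
        print(f"{sensor:8} {status:18} {detail}")
```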

Super Collaborator

If you think that my answer helped you, can you please mark it as accepted? Thank you!

Explorer

Hi @asubramanian. Thank you for your reply. I finished configuring. The index pattern is bro_index_*

Super Collaborator

That's great, @Lee Adrian! You're welcome!

Explorer

What version of CentOS? If you just have a CentOS VM and want to install quick-dev or full-dev, you can run my script here, but it only works on 6.8.

Explorer

Hello @Jon Zeolla.

I use CentOS 7. I will try your script on CentOS 6.8. How many nodes does your script build?

Explorer

It builds whichever vagrant setup you choose, so the default quick dev, full, etc. Also note that I think some changes will be hitting Metron master today which aren't entirely tested with my script yet, and that also soft requires centos7 (it really requires docker, which isn't officially supported on centos6, but you can get it to work if you want. YMMV). If you want to alpha test my centos7 script, check out the centos7 branch.

Explorer

I worked on this some more today. Given all of the recent build changes to Metron master and the fact that ansible 2.0.0.2 is broken in numerous ways (pip install is broken, brew install is broken, etc.) I gave up and I'm focusing on the upgrade to ansible 2.2. The centos7 branch of my script does not work and will be abandoned.

Explorer

Hi @asubramanian

I ran the command below on the YAF server, but Kibana does not show the index pattern yaf_index*. Can you help me?

nohup /usr/local/bin/yaf --silk --ipfix=tcp --live=pcap --out=node1 --ipfix-port=6667 --in=eth0 --applabel --max-payload=384 &

Explorer

Hi @asubramanian,

Is it recommended to run Metron on Docker?