Support Questions

Hello @asubramanian

I tried your guide. But I don't understand add services for master & slave nodes. Can you help me?

Many thanks.

Hi @Lee Adrian, are you referring to the HCC article or the quick-dev github page? If its the former, can you tell me which step are you having trouble with?

HI @Lee Adrian, were you able to resolve the issue?

Hi @asubramanian, Thanks you. I done configured follow your guide, but I don't pattern Bro log on Kibana. Can you help me?

I find on /usr/metron/0.3.0/patterns path but It's have asa, common, fireeye, sourcefire, squid, websphere, yaf files.

Hi @Lee Adrian,

Metron uses a BasicBroParser and hence you dont see a pattern for bro. As you can see from the output below for bro and squid:

[root@node1 ~]# cat /usr/metron/0.3.1/config/zookeeper/parsers/bro.json
{
  "parserClassName":"org.apache.metron.parsers.bro.BasicBroParser",
  "sensorTopic":"bro",
  "parserConfig": {}
}

[root@node1 ~]# cat /usr/metron/0.3.1/config/zookeeper/parsers/squid.json
{
  "parserClassName": "org.apache.metron.parsers.GrokParser",
  "sensorTopic": "squid",
  "parserConfig": {
    "grokPath": "/patterns/squid",
    "patternLabel": "SQUID_DELIMITED",
    "timestampField": "timestamp"
  },
  "fieldTransformations" : [
    {
      "transformation" : "STELLAR"
    ,"output" : [ "full_hostname", "domain_without_subdomains" ]
    ,"config" : {
      "full_hostname" : "URL_TO_HOST(url)"
      ,"domain_without_subdomains" : "DOMAIN_REMOVE_SUBDOMAINS(full_hostname)"
                }
    }
                           ]
}

If you think that my answer helped you, can you please mark it as accepted? Thank you!

Hi @asubramanian. Thank you for your reply. I done configured. Index pattern is bro_index_*

That's great, @Lee Adrian! You're welcome!

Hello @Jon Zeolla.

I use CentOS 7. I will try your script on CentOS 6.8. How many node do build on your script?

It builds whichever vagrant setup you choose, so the default quick dev, full, etc. Also note that I think some changes will be hitting Metron master today which aren't entirely tested with my script yet, and that also soft requires centos7 (it really requires docker which isn't officially supported on centos6 but you can get it to work if you want. YMMV). If you want to alpha test my centos7 script, checkout the centos7 branch.

I worked on this some more today. Given all of the recent build changes to Metron master and the fact that ansible 2.0.0.2 is broken in numerous ways (pip install is broken, brew install is broken, etc.) I gave up and I'm focusing on the upgrade to ansible 2.2. The centos7 branch of my script does not work and will be abandoned.