I configured Apache Metron full dev 0.3, but I can't push Snort, Bro, and Yaf logs to the Metron server. Can you help me?
As of version 0.3.1 we implemented sensor-stubs, which push sample Bro, Snort, and YAF data into Metron by default when you spin up full-dev. Can you try that version instead? That would be the easiest way to see data in your full-dev cluster, and you can find the relevant information about the sensor-stubs here.
If you are pinned to 0.3.0 for some reason, you should be able to put Bro logs onto the bro topic, Snort logs onto the snort topic, or YAF logs onto the yaf topic in order to get them ingested, and then properly validate by running curl against Elasticsearch (or just by looking in Kibana). To push them onto those topics there are a lot of options, but you may want to look into some of the simple Kafka producer scripts included in full-dev under /usr/hdp/current.
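As an added example of the 0.3.0 route described above (not code from this thread or from the Metron project): push one constructed Bro conn record onto the bro topic with kafka-python, then validate ingestion by querying Elasticsearch instead of eyeballing Kibana. The broker and Elasticsearch addresses, the `bro_index*` pattern, the `{"conn": {...}}` envelope and the `uid` field name are assumptions about a full-dev cluster.

```python
import json
import time
import urllib.request

# Assumed full-dev endpoints (HDP defaults); adjust for your cluster.
KAFKA_BROKERS = "node1:6667"
ES_URL = "http://node1:9200"

def bro_conn_record(uid, src, dst, dport, ts=None):
    """Build one Bro conn log line in the envelope the Metron Bro Kafka
    plugin emits, {"<log type>": {fields...}} (envelope assumed here)."""
    fields = {
        "ts": ts if ts is not None else time.time(),
        "uid": uid,
        "id.orig_h": src, "id.orig_p": 49152,
        "id.resp_h": dst, "id.resp_p": dport,
        "proto": "tcp", "conn_state": "SF",
    }
    return json.dumps({"conn": fields})

def publish(lines, topic="bro", brokers=KAFKA_BROKERS):
    """Push lines onto a Kafka topic (pip install kafka-python)."""
    from kafka import KafkaProducer  # imported here so the builders work without it
    producer = KafkaProducer(bootstrap_servers=brokers)
    for line in lines:
        producer.send(topic, line.encode("utf-8"))
    producer.flush()
    return len(lines)

def hits_from_response(resp):
    """Hit count from a _search response; ES 2.x returns an int for
    hits.total, newer versions return {"value": n, "relation": ...}."""
    total = resp.get("hits", {}).get("total", 0)
    return total["value"] if isinstance(total, dict) else int(total)

def indexed_count(uid, index_pattern="bro_index*", es_url=ES_URL):
    """Validate ingestion: how many indexed documents carry this uid."""
    query = json.dumps({"query": {"term": {"uid": uid}}}).encode("utf-8")
    req = urllib.request.Request(f"{es_url}/{index_pattern}/_search", data=query,
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as r:
        return hits_from_response(json.load(r))

if __name__ == "__main__":
    uid = f"Cexample{int(time.time())}"  # constructed, unique per run
    publish([bro_conn_record(uid, "10.0.0.5", "93.184.216.34", 443)])
    time.sleep(30)  # let the parser, enrichment and indexing topologies catch up
    print("indexed documents for", uid, "=", indexed_count(uid))
```

A count of zero after the wait usually means the record never reached the parser topology, so check the bro topic with a console consumer before looking further downstream.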
Install the Metron Bro plugin into your Bro install. This will push the Bro output into Kafka so that Metron can consume it.
You can use the Ansible deployment steps as instructions for one, simple way to pipe YAF and Snort output into Kafka. This is only suitable for small scale testing.
You're going to want to use something like `yafzcbalance` for scaling YAF to higher throughput.
You can use Bro's load balancing mechanism to scale it to higher throughput.