Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search

How to push Snort, Bro, YAF log to Metron

Labels:
adroot16
Explorer

Created ‎05-24-2017 09:07 AM

Hi everyone.

I configured Apache Metron full dev 0.3 but I don't push Snort, Bro, Yaf log to Metron Server. Can you help me?

2,852 Views
0 Kudos
5 REPLIES 5

zeolla
Explorer

Created ‎05-24-2017 06:58 PM

As of version 0.3.1 we implemented sensor-stubs, which pushes sample bro, snort, and yaf data into metron by default when you spin up full-dev. Can you try that version instead? That would be the easiest way to see data in your full-dev cluster, and you can find the relevant information about the sensor-stubs here.

If you are pinned to 0.3.0 for some reason, you should be able to put bro logs onto the bro topic, snort logs onto the snort topic, or yaf logs onto the yaf topic in order to get them ingested, and then properly validate by running curl against elasticsearch (or just by looking in kibana). To push them onto those topics there are a lot of options, but you may want to look into some of the simple kafka producer scripts included in full-dev under /usr/hdp/current.

1,427 Views
0 Kudos

adroot16
Explorer

Created ‎05-25-2017 08:14 AM

Hi @Jon Zeolla. Thank you for your answer.

I set up separate servers Snort, YAF, Bro. How to I ingest log from that servers into metron?

1,427 Views
0 Kudos

nallen
Rising Star

Created ‎05-30-2017 02:21 PM

Install the Metron Bro plugin into your Bro install. This will push the Bro output into Kafka so that Metron can consume it.

You can use the Ansible deployment steps as instructions for one, simple way to pipe YAF and Snort output into Kafka. This is only suitable for small scale testing.

You're going to want to use something `yafzcbalance` for scaling YAF to higher throughput.

You can use Bro's load balancing mechanism to scale it to higher throughput.

1,427 Views

adroot16
Explorer

Created ‎05-31-2017 04:30 AM

Hi @nallen

Thank you. I install YAF, Snort on other nodes. How to push log data to Metron.

Can you help me?

1,427 Views
0 Kudos

adroot16
Explorer

Created ‎06-05-2017 11:10 AM

I build YAF on node1 and Metron on node2. How to push YAF event to Metron? Can you suggest for me?

1,427 Views
0 Kudos
Take a Tour of the Community
Don't have an account?
Register
Your experience may be limited. Sign in to explore more.
Announcements
Community Announcements
March 2023 Community Highlights
What's New @ Cloudera
Cloudera DataFlow Designer for self-service data flow development is now generally available to all CDP Public Cloud customers
What's New @ Cloudera
Cloudera Operational Database (COD) UI provides the JWT configuration details to connect to your HBase client
What's New @ Cloudera
Cloudera Operational Database (COD) UI allows storage type selection when creating an operational database
What's New @ Cloudera
Release of Cloudera Streaming Analytics (CSA) 1.9.0 for CDP 7.1.7 SP2 & CDP 7.1.8
View More Announcements