I am trying to learn about the use cases for Metron. I want to be able to monitor the security of a particular system and give an auditor a way of browsing the security audit logs. Now the system concerned is itself a Hadoop cluster. Using that Hadoop cluster to process and search through its own audit logs seems a bit circular to me. I am worried that if someone were able to get access to the system then they might be able to affect the Metron system in some way - perhaps obscuring their own unauthorised access.
Is this a valid concern? Should I only use Metron to analyse the security of other things?