
Is Metron suitable for monitoring the cluster that it is running on



I am trying to learn about the use cases for Metron. I want to be able to monitor the security of a particular system and give an auditor a way of browsing the security audit logs. Now the system concerned is itself a Hadoop cluster. Using that Hadoop cluster to process and search through its own audit logs seems a bit circular to me. I am worried that if someone were able to get access to the system then they might be able to affect the Metron system in some way - perhaps obscuring their own unauthorised access.

Is this a valid concern? Should I only use Metron to analyse the security of other things?


Re: Is Metron suitable for monitoring the cluster that it is running on

Hi @Alex McLintock first of all... great question!

There's no one "perfect" answer to this in my opinion, however here is my take at least.

Security is one of the areas where several organisations believe that there is a true need for a separate data lake for exactly the reasons you mention.

The other counter-argument could be that as long as you are feeding your data into a protected area of the data lake that your general users can't access, that is secure enough.

It's all about how you manage that risk, and what your company policy is around that, whether collection and analysis *HAS* to be on something separate or not.

Hope that helps, at least somewhat.

Many thanks.