Re: Just starting with Metron and have few queries

blason16 · ‎09-24-2018

Hi All,

I am pretty novice with Metron and just starting with this. However I am very well versed with ELK stack and have played a lot with ELK based SIEMs. Though I have few queries regarding Metron?

Are there parsers readily available for network devices like Palo Alto, CISCO, CheckPoint, Fortinet, Routers etc?
Its because I guess logstash does not work Metron [I may be wrong]
Where can I get a sizing guide for around say 500 users organization?
Is there any SOAR capability availiable with Metron as well as Opensource ML capability?

TIA

Blason R

blason16 · ‎09-25-2018

Hi team,

Any clue on parsers? Can someone please update?

rakesh_satheesa · ‎09-25-2018

@Blason R

Yes....some parsers(Palo Alto,sourcefire,Fireeye,etc) are readily available on Metron.

You can view list of readily available parsers from Metron Management UI >> Create Sensor >> Parser Type

CSV parser can use with any comma seperated logs and Grok parser can use with any log by writing custom grok patterns.

Also you can create java custom parser for better performance and customization (deploy custom parser jar file to "METRN_HOME/parser_contrib" and restart metron rest,then you can able to view that custom parser in the list on metron management ui)

Refer this link for more about this

https://github.com/apache/metron/tree/master/metron-platform/metron-parsers

blason16 · ‎09-25-2018

Awesome!! Thanks for the reply.

BTW is there any sizing guide available for Metron?