Support Questions
Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Advanced Search

Metron 0.7.1 bro_parser topology not processing

nnat25191
Contributor

Created on ‎06-03-2019 07:37 PM - edited ‎08-17-2019 03:10 PM

Hi,

I've been struggling with this issue and hoping someone can shed some light here.

I'm running Metron 0.7.1 with Bro 2.5.5; Sensors yaf and snort are working and I can see the data in dashboard.

Bro is running; sending logs to Kafka topic "bro"; I can see lots of logs when I run the kafka-console-consumer.sh; however, when I check bro parser topology I got nothing.


I checked the storm worker log for bro and there were no error and it seems to be idle;

2019-06-03 14:27:56.199 o.a.k.c.p.ProducerConfig Thread-5-parserBolt-executor[8 8] [WARN] The configuration request.required.acks = 1 was supplied but isn't a known config.

2019-06-03 14:27:56.199 o.a.k.c.u.AppInfoParser Thread-5-parserBolt-executor[8 8] [INFO] Kafka version : 0.10.0.2.5.0.0-1245

2019-06-03 14:27:56.199 o.a.k.c.u.AppInfoParser Thread-5-parserBolt-executor[8 8] [INFO] Kafka commitId : dae559f56f07e2cd

2019-06-03 14:27:56.204 o.a.s.d.executor Thread-5-parserBolt-executor[8 8] [INFO] Prepared bolt parserBolt:(8)


I used the metron/bin/load_tool.sh to check the throughput of bro and I see numbers; why my bro parser in the storm is not picking up any?

Monitoring bro every 10000 ms

Summarizing over the last 5 monitoring periods (50000ms)

2019/06/03 15:31:33 - 10 eps throughput measured for bro (Mean: 10, Std Dev: 0)

2019/06/03 15:31:43 - 11 eps throughput measured for bro (Mean: 10, Std Dev: 0)

2019/06/03 15:31:53 - 6 eps throughput measured for bro (Mean: 9, Std Dev: 2)

2019/06/03 15:32:03 - 18 eps throughput measured for bro (Mean: 11, Std Dev: 4)

2019/06/03 15:32:13 - 3 eps throughput measured for bro (Mean: 9, Std Dev: 5)

2019/06/03 15:32:23 - 3 eps throughput measured for bro (Mean: 8, Std Dev: 6)

2019/06/03 15:32:33 - 4 eps throughput measured for bro (Mean: 6, Std Dev: 6)




109094-screen-shot-2019-06-03-at-32901-pm.png


Reply
592 Views
0 Kudos
1 REPLY 1

nnat25191
Contributor

Created ‎06-11-2019 04:27 PM

After more troubleshooting and by adding debug level to the storm topology, I'm seeing a continual of this message

2019-06-11 11:55:01.562 o.a.m.p.b.WriterHandler Thread-12-parserBolt-executor[5 5] [DEBUG] Flushing message queues older than their batchTimeouts

by default the topology.message.timeout.sec is 30

It looks like all my messages have been flushed. Does this mean my message is older than 30s? I thought it's reasonable to have messages that are older than 30s.

Please shine a light and thank you.

Reply
562 Views
0 Kudos
Don't have an account?
Register
Announcements
Community Announcements
Taking action on community member feedback - content discovery
What's New @ Cloudera
Cloudera DataFlow for the Public Cloud is now generally available on Microsoft Azure and supports Apache NiFi 1.15
What's New @ Cloudera
CDP Operational Database supports ephemeral storage on Azure
What's New @ Cloudera
CDP Operational Database (COD) is available on Google Cloud Platform (GCP) as Technical Preview
What's New @ Cloudera
CDP Operational Database provides HDFS as a storage option
View More Announcements