Metron Alerts UI

Explorer

Hello,

Can you please help me resolve the following two issues with the Metron Alerts UI:

1. The UI shows all records regardless of the "is_alert" flag; for example, this record will be shown on the page:

curl -XPOST "http://10.10.110.26:9200/snort_index/snort_doc" -d '{"test": "data"}'

2. I'm not able to add a comment or change the status for a selected record, please see the attached screenshot.

Thanks.

metron-alerts-ui.png


Re: Metron Alerts UI

New Contributor
@nallen

@asubramanian

Can you please help us configure the Metron Alerts UI to make it functional?

We are able to see the events in the alerts-ui and able to filter with search strings.

But we are unable to mark events as dismiss/evaluate/resolved etc., and unable to comment on events.

Re: Metron Alerts UI

Super Collaborator
@Anil Reddy, @Maxim Dashenko

Could you give this a try from master? It seems to work fine for me. I recall that a similar issue was addressed in the recent past (I am unable to find the PR number, though).

Regarding #1 in the question, it is expected behavior. The Alerts UI is expected to fetch all indices created in Elasticsearch, so long as the event source has the nested alert field definition present in the event template. Here's an example:

$ curl -XGET 'http://node1:9200/_template/squid_index'
<snip>
        "alert": {
          "type": "nested"
        },
<snip>

So, in essence, the Alerts UI is more like an investigator UI. The name "Alerts" is a bit misleading.
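The rule stated in the reply above (the UI picks up every index whose template carries a nested "alert" field, and a document's "is_alert" value plays no part in that) can be checked offline against the output of GET /_template. The following is an added example, not Metron project code; the three templates are constructed for illustration, and the handling of both per-doc-type mappings (ES 2.x/5.x) and flat mappings is this example's own assumption about the template shapes it may meet.

```python
"""Decide which index templates the Metron Alerts UI would pick up.

Added example, not Metron code. Input is the JSON object returned by
GET /_template: {template_name: template_body}.
"""

# Constructed templates, shaped like GET /_template output (not real cluster data).
TEMPLATES = {
    # Per-doc-type mapping with the nested alert field: visible to the Alerts UI.
    "squid_index": {
        "template": "squid_index*",
        "mappings": {
            "squid_doc": {
                "properties": {
                    "timestamp": {"type": "date"},
                    "ip_src_addr": {"type": "ip"},
                    "is_alert": {"type": "string", "index": "not_analyzed"},
                    "alert": {"type": "nested"},
                }
            }
        },
    },
    # Flat mapping (no doc-type level), still with the nested alert field.
    "bro_index": {
        "template": "bro_index*",
        "mappings": {
            "properties": {
                "timestamp": {"type": "date"},
                "alert": {"type": "nested"},
            }
        },
    },
    # Has an is_alert field but no nested alert field: not picked up.
    "test_index": {
        "template": "test_index*",
        "mappings": {
            "test_doc": {
                "properties": {
                    "is_alert": {"type": "string"},
                    "alert": {"type": "object"},
                }
            }
        },
    },
}


def has_nested_alert_field(template):
    """Return True if any mapping in the template defines 'alert' with type 'nested'."""
    mappings = template.get("mappings", {})
    # Assumption of this example: mappings are either flat ({"properties": ...})
    # or keyed by document type ({"squid_doc": {"properties": ...}}).
    candidates = []
    if isinstance(mappings.get("properties"), dict):
        candidates.append(mappings)
    candidates.extend(
        m for m in mappings.values()
        if isinstance(m, dict) and isinstance(m.get("properties"), dict)
    )
    for mapping in candidates:
        alert = mapping["properties"].get("alert")
        if isinstance(alert, dict) and alert.get("type") == "nested":
            return True
    return False


def alerts_ui_indices(templates):
    """Names (sorted) of the templates the Alerts UI would fetch, per the rule above."""
    return sorted(name for name, body in templates.items() if has_nested_alert_field(body))


if __name__ == "__main__":
    print("Visible to the Alerts UI:", alerts_ui_indices(TEMPLATES))
```

Note that test_index is excluded even though it defines is_alert: the decision hinges only on the nested alert field, which is the point of the reply.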

Re: Metron Alerts UI

Explorer

We are using master. The patch command returns "Bad Request" and it's not clear what causes this issue:

curl 'http://10.10.110.244:4201/api/v1/update/patch' -X PATCH -H 'Cookie: JSESSIONID=190517BDFA8D46734D33817C091AEE95' -H 'Origin: http://10.10.110.244:4201' -H 'Accept-Encoding: gzip, deflate, sdch' -H 'Accept-Language: en-US,en;q=0.8,ru;q=0.6' -H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.89 Safari/537.36' -H 'Content-Type: application/json' -H 'Accept: application/json, text/plain, */*' -H 'Referer: http://10.10.110.244:4201/alerts-list(dialog:details/squid/a56c4cf8-0f82-4d49-9daa-78463cf429e8/squid_index_2018.04.19.10)' -H 'X-Requested-With: XMLHttpRequest' -H 'Connection: keep-alive' --data-binary $'{\n  "patch": [\n    {\n      "op": "add",\n      "path": "/alert_status",\n      "value": "RESOLVE"\n    }\n  ],\n  "guid": "a56c4cf8-0f82-4d49-9daa-78463cf429e8",\n  "sensorType": "squid"\n}' --compressed -v
*   Trying 10.10.110.244...
* Connected to 10.10.110.244 (10.10.110.244) port 4201 (#0)
> PATCH /api/v1/update/patch HTTP/1.1
> Host: 10.10.110.244:4201
> Cookie: JSESSIONID=190517BDFA8D46734D33817C091AEE95
> Origin: http://10.10.110.244:4201
> Accept-Encoding: gzip, deflate, sdch
> Accept-Language: en-US,en;q=0.8,ru;q=0.6
> User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.89 Safari/537.36
> Content-Type: application/json
> Accept: application/json, text/plain, */*
> Referer: http://10.10.110.244:4201/alerts-list(dialog:details/squid/a56c4cf8-0f82-4d49-9daa-78463cf429e8/squi...
> X-Requested-With: XMLHttpRequest
> Connection: keep-alive
> Content-Length: 182
> 
* upload completely sent off: 182 out of 182 bytes
< HTTP/1.1 400 Bad Request
< X-Powered-By: Express
< x-content-type-options: nosniff
< x-xss-protection: 1; mode=block
< cache-control: no-cache, no-store, max-age=0, must-revalidate
< pragma: no-cache
< expires: 0
< x-frame-options: DENY
< content-length: 0
< date: Thu, 19 Apr 2018 15:07:32 GMT
< connection: close
< 
* Closing connection 0
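The request body in the curl above has three top-level keys ("patch", "guid", "sensorType") and carries a JSON Patch (RFC 6902) array. The following added example, not Metron project code, builds that body, restricts a client to the two paths the Alerts UI itself edits (an allow-list that is this example's own assumption, not a Metron REST rule), and previews the effect of the patch on a local copy of the alert before anything is sent. The alert document and the 400 response on this page are not diagnosed; the example only shows what a well-formed body and its intended result look like.

```python
"""Build a Metron-style patch request and preview it locally.

Added example, not Metron code. Request shape copied from the curl in the
thread; allow-list and local preview are this example's own additions.
"""
import copy
import json

# Constructed alert document (not real data); guid and sensor type taken from the thread.
GUID = "a56c4cf8-0f82-4d49-9daa-78463cf429e8"
ALERT = {
    "guid": GUID,
    "ip_src_addr": "10.0.0.5",
    "is_alert": "true",
    "alert_status": "NEW",
}

# Assumption of this example: a client should only touch status and comments.
ALLOWED_PATHS = {"/alert_status", "/comments"}
ALLOWED_OPS = {"add", "replace", "remove"}


def build_patch_request(guid, sensor_type, ops):
    """Return the request body dict in the thread's format after validating each op."""
    for op in ops:
        if op.get("op") not in ALLOWED_OPS:
            raise ValueError("unsupported op: %r" % op.get("op"))
        if op.get("path") not in ALLOWED_PATHS:
            raise ValueError("path not allowed: %r" % op.get("path"))
        if op["op"] != "remove" and "value" not in op:
            raise ValueError("op %r needs a value" % op["op"])
    return {"patch": list(ops), "guid": guid, "sensorType": sensor_type}


def apply_json_patch(doc, patch):
    """Apply add/replace/remove ops on top-level keys to a copy of doc (RFC 6902 subset)."""
    out = copy.deepcopy(doc)
    for op in patch:
        key = op["path"].lstrip("/")
        if not key or "/" in key:
            raise ValueError("only top-level paths are supported here: %r" % op["path"])
        if op["op"] == "add":
            out[key] = op["value"]          # add on an object member creates or overwrites
        elif op["op"] == "replace":
            if key not in out:
                raise KeyError(key)         # replace requires the member to exist
            out[key] = op["value"]
        elif op["op"] == "remove":
            if key not in out:
                raise KeyError(key)
            del out[key]
        else:
            raise ValueError("unsupported op: %r" % op["op"])
    return out


def resolve_request(guid, sensor_type):
    """The exact patch the thread sends: mark the alert RESOLVE."""
    return build_patch_request(
        guid, sensor_type,
        [{"op": "add", "path": "/alert_status", "value": "RESOLVE"}],
    )


if __name__ == "__main__":
    req = resolve_request(GUID, "squid")
    print(json.dumps(req, indent=2))            # body to send with Content-Type: application/json
    print(apply_json_patch(ALERT, req["patch"]))  # what the stored alert should look like afterwards
```

The preview is useful when a PATCH comes back with an empty 400: comparing the serialized body against the shape in the thread rules out the request side before looking at the server.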