Support Questions
Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search
Announcements
Check out our newest addition to the community, the Cloudera Innovation Accelerator group hub.

Metron/Elasticsearch not indexing new datasource

Labels:
ollie1
Explorer

Created on ‎07-12-2017 02:18 PM - edited ‎08-18-2019 02:28 AM

I have deployed the 10 node automated amazon AWS, using the ansible playbook.

Everything looks to be working OK, but a new data source I've added isn't showing up in elasticsearch. I'm a bit stumped at how to start debugging this.

The incoming flow looks like:

AuditD -> SYSLOG -> NiFi -> Kafka

It's then picked up in Kafka by the

20390-screen-shot-2017-07-12-at-150816.jpg

20391-screen-shot-2017-07-12-at-150822.png

20392-screen-shot-2017-07-12-at-150904.png

20393-screen-shot-2017-07-12-at-150924.png

Appreciate any tips to help figure out where my data is disappearing to!

Cheers

1,535 Views
0 Kudos
5 REPLIES 5

laurens
Explorer

Created ‎07-13-2017 09:35 PM

@Oliver Fletcher Shouldn't the index be called "auditd*" instead of "auditd-*"?

Also, if you go to your Storm UI (http://<STORM HOST>:8744/index.html), do you see a auditd topology?

1,048 Views
0 Kudos

ollie1
Explorer

Created ‎07-14-2017 10:21 AM

@Laurens Vets - unfortunately auditd* didn't work, elasticsearch is not listing any new indexes.

I can confirm that adding the new data type creates a new auditd topology, and it looks to be running without errors, acknowledging messages. The enrichment topology is also running without issues (which I believe is responsbile for indexing?)

1,048 Views
0 Kudos

akhil_kundhavar
New Contributor

Created ‎08-23-2017 09:29 PM

@Oliver Fletcher Were you able to solve this issue? I'm currently facing a very similar issue.

DataSource 1 parsed/indexed just fine with the same workflow CEF(logger) -> SYSLOG -> NiFi -> Kafka.

When I added the second source DataSource 2 - CEF(logger) -> SYSLOG -> NiFi -> Kafka. Seems to parse just fine but I'm not able to see any indexes on ES. I checked the ES logs, storm logs, Strom UI and ES UI - don't see any errors either.

The weird part is, the HDFS index writer has records avaible hdfs dfs -ls /apps/metron/indexing/indexed/ for datasource 2. I did double check the ES writer and it's enabled. Except when I look at the shards, there are no indexes fro Datasource2.

1,048 Views
0 Kudos

laurens
Explorer

Created ‎08-28-2017 04:10 PM

@Oliver Fletcher Did you start the new sensor in the Metron UI?

1,048 Views
0 Kudos

ollie1
Explorer

Created ‎08-29-2017 09:45 PM

Yes - going back to basics fixed the issue:

1. I updated ambari parsers configuration to include only the auditd parser
2. Ensured timestampField: timestamp was included in parserConfig
3. Restarted parser's service in ambari's metron service

I then started to see data being added to the enrichments kafka topic.

1,048 Views
0 Kudos
Don't have an account?
Register
Announcements
Product Announcements
CDP Public Cloud Release Summary: April 2022
What's New @ Cloudera
Unifying Analytics in Cloudera Data Warehouse
What's New @ Cloudera
Cloudera Logging is now available in CDP Private Cloud Base 7.1.7 SP1
Product Announcements
[ANNOUNCE] New Cloudera JDBC Connector 2.6.27 for Impala Released
Product Announcements
[ANNOUNCE] Cloudera JDBC Driver 2.6.19 for Apache Hive Released
View More Announcements