Support Questions

anilcseiitm2006 · ‎03-15-2018

I am trying implement POC with usecase as below

I have windows log data being loaded to Indexing topic. I want to define a profiler which checks for failed logons in 15 minutes time frame and generate alerts in metron UI when failed logons count goes beyond threshold level.

For that I just started trying to define logon failed count profiler as below

{
	"profiles": [
	{
		"profile": "demo_iplogon_failed",
		"foreach": "ip_address",
		"onlyif": "source.type == 'demo_windowsnxlog' and event_id == 4625",
		"init": {
			"count": "0"
		},
		"update": {
			"count": "count + 1"
		},
		"result": {
			"triage": {
				"logon_failed_count": "count"
			}
		}
	}
	]
}

But when I try to run the profiler, it is giving me an exception as below

[!] Assignment expression failed
java.lang.IllegalArgumentException: Assignment expression failed
        at org.apache.metron.stellar.common.shell.StellarResult.error(StellarResult.java:115)
        at org.apache.metron.stellar.common.shell.specials.AssignmentCommand.execute(AssignmentCommand.java:82)
        at org.apache.metron.stellar.common.shell.DefaultStellarShellExecutor.execute(DefaultStellarShellExecutor.java:252)
        at org.apache.metron.stellar.common.shell.cli.StellarShell.execute(StellarShell.java:357)
        at org.jboss.aesh.console.AeshProcess.run(AeshProcess.java:53)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
        at java.lang.Thread.run(Thread.java:748)

Can someone help me to figure out what is the problem in above profiler configuration?

Also, is there any other better way to implement my usecase with metron?

nallen · ‎03-16-2018

Hi Anil -

One problem here is that a failed assignment expression in the REPL does not provide a helpful error message. I submitted a fix for this here https://github.com/apache/metron/pull/966. To work around that in the REPL, you can just do something like the following to test your Profiler definition; basically don't use assignment.

[Stellar]>>> conf := SHELL_EDIT(conf)
{
   "profiles":[
      {
         "profile":"demo_iplogon_failed",
         "foreach":"ip_address",
         "onlyif":"source.type == 'demo_windowsnxlog' and event_id == 4625",
         "init":{
            "count":"0"
         },
         "update":{
            "count":"count + 1"
         },
         "result":{
            "profile":"count",
            "triage":{
               "logon_failed_count":"count"
            }
         }
      }
   ]
}
[Stellar]>>>
[Stellar]>>> PROFILER_INIT(conf)

The issue with the profile definition, is that you don't have a 'result/profile' expression. The 'result/profile' expression which persists the data in HBase is required. Just add one like so below.

[Stellar]>>> conf
{
   "profiles":[
      {
         "profile":"demo_iplogon_failed",
         "foreach":"ip_address",
         "onlyif":"source.type == 'demo_windowsnxlog' and event_id == 4625",
         "init":{
            "count":"0"
         },
         "update":{
            "count":"count + 1"
         },
         "result":{
            "profile":"count",
            "triage":{
               "logon_failed_count":"count"
            }
         }
      }
   ]
}
[Stellar]>>> PROFILER_INIT(conf)
Profiler{1 profile(s), 0 messages(s), 0 route(s)}

View solution in original post

anilcseiitm2006 · ‎03-16-2018

Hi @asubramanian @nallen

do you guys please look the issue I am facing and help me!

nallen · ‎03-21-2018

Did my answer help? If so, please mark it so.

nallen · ‎03-16-2018

Hi Anil -

One problem here is that a failed assignment expression in the REPL does not provide a helpful error message. I submitted a fix for this here https://github.com/apache/metron/pull/966. To work around that in the REPL, you can just do something like the following to test your Profiler definition; basically don't use assignment.

[Stellar]>>> conf := SHELL_EDIT(conf)
{
   "profiles":[
      {
         "profile":"demo_iplogon_failed",
         "foreach":"ip_address",
         "onlyif":"source.type == 'demo_windowsnxlog' and event_id == 4625",
         "init":{
            "count":"0"
         },
         "update":{
            "count":"count + 1"
         },
         "result":{
            "profile":"count",
            "triage":{
               "logon_failed_count":"count"
            }
         }
      }
   ]
}
[Stellar]>>>
[Stellar]>>> PROFILER_INIT(conf)

The issue with the profile definition, is that you don't have a 'result/profile' expression. The 'result/profile' expression which persists the data in HBase is required. Just add one like so below.

[Stellar]>>> conf
{
   "profiles":[
      {
         "profile":"demo_iplogon_failed",
         "foreach":"ip_address",
         "onlyif":"source.type == 'demo_windowsnxlog' and event_id == 4625",
         "init":{
            "count":"0"
         },
         "update":{
            "count":"count + 1"
         },
         "result":{
            "profile":"count",
            "triage":{
               "logon_failed_count":"count"
            }
         }
      }
   ]
}
[Stellar]>>> PROFILER_INIT(conf)
Profiler{1 profile(s), 0 messages(s), 0 route(s)}

anilcseiitm2006 · ‎03-22-2018

@nallen thank you very much for the quick response. I was able to figure out the issue of adding profile to result and implemented!

Cloudera Community

Support Questions

Metron Profiler: java.lang.IllegalArgumentException: Assignment expression failed