No Alerts on Metron UI
New Contributor

Installed HDP 3.1.4 on Ambari 2.7.3 with HCP 2.0.0.0-4 for the Typosquatting use case on a single node of 8 cores and 30 GB RAM. Also installed Apache NiFi for publishing squid logs to Kafka.

 

As I am new, I have followed the GitHub guide from: https://github.com/apache/metron/tree/master/use-cases/typosquat_detection

All my processes have started and are running green in the Ambari UI.

Logs via NiFi Kafka Publish are working fine. The sensor is able to detect traffic.

Data flows via Squid Sensor

Storm UI has an active supervisor for topology execution.

Storm UI
Storm UI details for Squid Topology

 

Sample header extract for creation of squid_index

Sample header for Index template

 

I am not able to add the squid_index* pattern in Kibana!

Not able to add squid_index*

 

What I feel is that, because of this, there is no index creation in Elasticsearch and thus no alert in the Alert UI of Metron UI.

GET /_cat/indices?v:

No new index created.
No Logs alert in UI

 

I had cleared /var/logs/metron/metron-rest.log earlier and there was never any error reported in this log.

 

Am I missing something?


Re: No Alerts on Metron UI

Master Collaborator

@saqie have you created the indexes in Elasticsearch? What was the output of the index template creation? Ok, or other? In the indices screenshot I can see there are no squid* indexes there. So you would need to investigate why it's not getting created.

 

During execution you can also monitor the Storm, Kibana, and Elasticsearch logs. You may find additional details there.

If this answer resolves your issue or allows you to move forward, please choose to ACCEPT this solution and close this topic. If you have further dialogue on this topic please comment here or feel free to private message me. If you have new questions related to your Use Case please create a separate topic and feel free to tag me in your post.

Thanks,

Steven

Re: No Alerts on Metron UI

New Contributor

Output after running the command for creation of the index gives me:

 

{
    "acknowledged": true
}

 

Also, if I run:

 

GET _template/

 

I can see squid_index in the list, where others like yaf_index, metaalert_index, error_index, .kibana, snort_index and bro_index are present!

 

However, adding an index pattern is not possible, as per the earlier screenshot in the question description.

Since I am new to this, can you help me with the locations of the various logs I need to check?
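The check Steven asks for above (is the squid_index template really there, and has any squid_index* index been written?) as an added example, not code from this thread or from the Metron project: it reads saved `GET _template` and `GET /_cat/indices?v` output so it runs offline. The sample output is constructed, and the template layout (one `index_patterns` list or older `template` string per sensor) is an assumption.

```python
import json
import re

# Constructed sample of `GET _template` output (assumption: Metron-style per-sensor
# templates, with either an ES 6+ `index_patterns` list or the older `template` string).
SAMPLE_TEMPLATES = json.loads("""{
  "squid_index": {"index_patterns": ["squid_index*"], "mappings": {}},
  "bro_index":   {"index_patterns": ["bro_index*"],   "mappings": {}},
  "snort_index": {"template": "snort_index*", "mappings": {}}
}""")

# Constructed sample of `GET /_cat/indices?v` output: bro events have been
# indexed, squid events have not (the symptom described in the thread).
SAMPLE_CAT_INDICES = """\
health status index                   uuid                   pri rep docs.count docs.deleted store.size pri.store.size
yellow open   bro_index_2019.10.10.12 AbCdEfGhIjKlMnOpQrStUv   1   1        812            0    640.2kb        640.2kb
"""

def parse_cat_indices(text):
    """Turn the whitespace-aligned `_cat/indices?v` table into row dicts."""
    lines = [line for line in text.splitlines() if line.strip()]
    header = lines[0].split()
    return [dict(zip(header, line.split())) for line in lines[1:]]

def template_patterns(templates, name):
    """Index patterns declared by template `name`, or [] if it does not exist."""
    tpl = templates.get(name, {})
    if "index_patterns" in tpl:
        return list(tpl["index_patterns"])
    return [tpl["template"]] if "template" in tpl else []

def wildcard_to_regex(pattern):
    """Index patterns only use `*` as a wildcard; escape everything else."""
    return re.compile("^" + re.escape(pattern).replace(r"\*", ".*") + "$")

def diagnose(templates, cat_indices_text, name):
    """Does the template exist, and has any index matching it been written?"""
    patterns = template_patterns(templates, name)
    regexes = [wildcard_to_regex(p) for p in patterns]
    names = [row["index"] for row in parse_cat_indices(cat_indices_text)]
    matching = [n for n in names if any(r.match(n) for r in regexes)]
    if not patterns:
        verdict = "template missing: re-run the template creation and check its response"
    elif not matching:
        verdict = ("template present but no index yet: no events for this sensor reached "
                   "Elasticsearch, check the Storm indexing topology and Elasticsearch logs")
    else:
        verdict = "ok"
    return {"template": bool(patterns), "patterns": patterns,
            "matching_indices": matching, "verdict": verdict}
```

Paste real `GET _template` JSON and `_cat/indices?v` text into the two constants to run it against your own cluster's output.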


Re: No Alerts on Metron UI

Explorer

Were you able to get this resolved? I am having the same issue now.
