
metron alerts UI is empty


New Contributor

I have ingested squid telemetry into metron and can see alerts in the kibana dashboard (I have ingested threat intel and set up risk scoring). However the metron alerts UI is empty. Do I need additional configuration for these alerts to show up in the alerts UI?


Re: metron alerts UI is empty

Rising Star

Only 'alerts' will appear in the Alerts UI. So what is an alert then, you ask?

Well, not all telemetry in Metron is treated as an alert. Only telemetry that is specifically marked with a field { "is_alert": "true" } is treated as an alert. This gives the user the flexibility to define which telemetry will go through additional threat triage processing.

In your case, the Squid telemetry does not have this field and so is not treated as an alert. For testing purposes, you can add this field to your Squid telemetry by creating a simple enrichment that adds the field "is_alert" and sets it to "true".

Hope this makes sense.

Re: metron alerts UI is empty

New Contributor

The squid telemetry does have is_alert true. That is the first thing I checked. I have done threat intel enrichment and is_alert is set to true based on the threat intel.

Re: metron alerts UI is empty

Rising Star

Do you see anything in the Alerts UI? Or is just this specific Squid data that is missing? What version of Metron are you running? How did you deploy Metron?

Re: metron alerts UI is empty

New Contributor

Nothing at all in the alerts UI. I see 5 alerts in Kibana and 12 non-alert events. But the alerts UI is empty. I am running 1.3.1.0-37, installed through the Ambari mpack.

Re: metron alerts UI is empty

New Contributor

hcp 1.3.1.0-37

Re: metron alerts UI is empty

New Contributor

I've been facing the same issue: metron-alarms-ui wasn't receiving any alarms. After applying changes to the template and adding the field "alert", type nested, metron-alarms-ui started receiving some messages (a little bit messed up, which is the next thing to understand). But looking at your template, I notice that the field is_alert is type string, while in my schema it is boolean; maybe this causes some problems.

Re: metron alerts UI is empty

New Contributor

I am running 1.3.1.0-37. Deployed it through the Ambari mpack.

Re: metron alerts UI is empty

Super Collaborator
@jnarayanan

You might be running into METRON-1283, which is fixed in more recent versions of HCP. You can confirm as follows: go to http://<es-master-node>:9200/squid*/_mappings and look for an "alerts" field. If this field is missing from the mapping, then it is likely the reason the Alerts UI is empty.

In order to fix the issue, follow these steps:

* Clear all existing Elasticsearch indices

* Go to Ambari UI -> Services -> Metron -> 'Service Actions' dropdown -> Elasticsearch Template Install

* Re-ingest data into 'squid' telemetry.

And you should now be able to see entries in the Alerts UI.
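The mapping check described in the reply above, scripted so it can be run against every index matching the pattern at once. This is an added example, not code from the thread or from the Metron project; it assumes the Elasticsearch endpoint and `squid*/_mappings` path named in the reply, and the sample mapping response embedded below is constructed for illustration (it mimics the pre-7.x Elasticsearch layout, where fields sit under a mapping type such as `squid_doc`). It reports whether each index carries the `alerts` field and what type `is_alert` has, since both points came up in this thread.

```python
"""Inspect Elasticsearch mappings for the fields the Metron Alerts UI depends on.

Added example (not from the thread or the Metron project). Assumes the
Elasticsearch URL and the <pattern>/_mappings endpoint mentioned in the reply
above; the SAMPLE response below is constructed, not captured from a cluster.
"""
import json
import urllib.request


def fetch_mappings(es_url, index_pattern="squid*"):
    """GET <es_url>/<index_pattern>/_mappings and return the parsed JSON.

    Network call; not exercised by the offline demo at the bottom.
    """
    url = f"{es_url.rstrip('/')}/{index_pattern}/_mappings"
    with urllib.request.urlopen(url, timeout=10) as resp:
        return json.load(resp)


def _properties(mapping_body):
    """Collect the field definitions of one index.

    Pre-7.x Elasticsearch (HCP 1.3 era) nests fields under a mapping type
    ("squid_doc" -> "properties"); 7.x+ puts "properties" directly under
    "mappings". Handle both so the check works on either layout.
    """
    props = mapping_body.get("properties")
    if props is not None:
        return props
    merged = {}
    for type_body in mapping_body.values():
        if isinstance(type_body, dict):
            merged.update(type_body.get("properties", {}))
    return merged


def inspect_mappings(mappings):
    """Return {index_name: {"alerts_type": ..., "is_alert_type": ...}}.

    A value of None means the field is absent from that index's mapping.
    """
    report = {}
    for index_name, body in mappings.items():
        props = _properties(body.get("mappings", {}))
        report[index_name] = {
            "alerts_type": props.get("alerts", {}).get("type"),
            "is_alert_type": props.get("is_alert", {}).get("type"),
        }
    return report


def problems(report):
    """Turn the report into findings a user can act on.

    A missing "alerts" field is the METRON-1283 symptom from the reply above
    (fix: clear indices, reinstall the template, re-ingest). A missing
    "is_alert" means the telemetry will never be treated as an alert at all.
    """
    findings = []
    for index_name, info in sorted(report.items()):
        if info["alerts_type"] is None:
            findings.append(f"{index_name}: no 'alerts' field in mapping (METRON-1283 symptom)")
        if info["is_alert_type"] is None:
            findings.append(f"{index_name}: no 'is_alert' field in mapping")
    return findings


# Constructed sample: one index with a healthy template, one without "alerts".
SAMPLE = {
    "squid_index_2018.01.01.00": {"mappings": {"squid_doc": {"properties": {
        "alerts": {"type": "nested"},
        "is_alert": {"type": "boolean"},
        "ip_src_addr": {"type": "ip"},
    }}}},
    "squid_index_2018.01.02.00": {"mappings": {"squid_doc": {"properties": {
        "is_alert": {"type": "string"},
        "ip_src_addr": {"type": "ip"},
    }}}},
}

if __name__ == "__main__":
    # To run against a live cluster instead:
    #   report = inspect_mappings(fetch_mappings("http://<es-master-node>:9200"))
    report = inspect_mappings(SAMPLE)
    for index_name, info in sorted(report.items()):
        print(f"{index_name}: alerts={info['alerts_type']} is_alert={info['is_alert_type']}")
    for line in problems(report):
        print("PROBLEM:", line)
```

Indices created before the template was (re)installed keep their old mapping, which is why the reply's procedure clears the indices first; running this check after re-ingesting confirms the new indices picked up the corrected template.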

Re: metron alerts UI is empty

New Contributor

I tried re-installing the elastic template. Still no luck
