snort alerts

New Contributor

Hi - I have about 20 snort instances firing alerts from different parts of my network. How do I consume this in Metron? I have a full dev platform up and running on a single VM. All the snort instances are in different parts of the network that has connectivity to this VM.

Re: snort alerts

New Contributor

The alerts need to be published to the snort kafka topic, then Metron will take it from there. That said, full dev isn't really meant for ingesting high quantities of _real_ data, it is more for testing/poc.

Re: snort alerts

New Contributor

So do I just stream the alert logs from Snort to a TCP port in Metron? I'm not sure how to publish these logs to a Kafka topic that Metron understands.

Also, any guidelines around how I would go about productionizing this?

Re: snort alerts

New Contributor

There is some documentation for how to run this in a production capacity here. To get the logs to the right Kafka topic, I would suggest using NiFi or something similar. HDP also comes with a `kafka-console-producer.sh` script which you can use for testing (an example of its use is here).
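As an added illustration of the "get the lines onto the snort topic" step (example code, not from this poster or from Metron): a small forwarder that tails the Snort alert file, publishes only complete lines, and advances its file offset only after every line was handed to the producer, so a half-written alert is never sent and a failed send is retried rather than lost. The alert path, the broker address `node1:6667` and the use of kafka-python are assumptions.

```python
"""Forward Snort alert lines (one alert per line) to Metron's "snort" topic.

Added example, not Metron's own code. ALERT_FILE and BOOTSTRAP are assumed
values; the real Kafka producer (kafka-python) is created only in main(), so
the forwarding logic is a pure function that can be tested offline.
"""
import time

ALERT_FILE = "/var/log/snort/alert"   # assumed Snort output path
BOOTSTRAP = "node1:6667"              # assumed HDP Kafka broker on node1
TOPIC = "snort"                       # topic Metron's snort parser reads


def read_new_lines(path, offset):
    """Return (complete_lines, new_offset) for bytes past `offset`.

    A partial trailing line (Snort still mid-write) is left in place for the
    next call, so a half-written alert is never published.
    """
    with open(path, "rb") as fh:
        fh.seek(offset)
        data = fh.read()
    end = data.rfind(b"\n")
    if end < 0:
        return [], offset
    chunk = data[:end + 1]
    lines = [l.decode("utf-8", "replace") for l in chunk.split(b"\n") if l.strip()]
    return lines, offset + len(chunk)


def forward(path, offset, send):
    """Hand each new alert to send(line); return (new_offset, count).

    If send() raises, the offset is not advanced, so the batch is re-read on
    the next call (at-least-once delivery; Metron tolerates duplicates).
    """
    lines, new_offset = read_new_lines(path, offset)
    for line in lines:
        send(line)
    return new_offset, len(lines)


def main():
    from kafka import KafkaProducer  # kafka-python, needed only for real use
    producer = KafkaProducer(bootstrap_servers=BOOTSTRAP)
    send = lambda line: producer.send(TOPIC, line.encode("utf-8")).get(timeout=10)
    offset = 0
    while True:
        offset, sent = forward(ALERT_FILE, offset, send)
        if sent:
            producer.flush()
        time.sleep(1)


if __name__ == "__main__":
    main()
```

Running one such forwarder per Snort host is the lightweight alternative to NiFi; the CLI producer in the answer above does the same job for a quick test.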

Re: snort alerts

New Contributor

So Snort is running on different servers on the network. I still need to stream all the logs to node1 on the full-development deployment, correct?

Re: snort alerts

New Contributor

Realistically, if you have 20 servers sending logs to the Metron VM, which is intended just for development (and not actual use), you're going to run into resource exhaustion issues (not to mention, full-dev has some insecure defaults because it is not intended for prod use).

You should probably consider spinning up a snort VM and getting it to talk to your full-dev VM to get comfortable, and then work on building Metron on some hardware that can actually handle the appropriate load.
