Hi - I have about 20 snort instances firing alerts from different parts of my network. How do I consume this in Metron? I have a full dev platform up and running on a single VM. All the snort instances are in different parts of the network that has connectivity to this VM.
The alerts need to be published to the snort kafka topic, then Metron will take it from there. That said, full dev isn't really meant for ingesting high quantities of _real_ data, it is more for testing/poc.
So do I just stream the alert logs from Snort to a TCP port in Metron? Not sure how to publish these logs to a Kafka topic that Metron understands.
Also, any guidelines around how I would go about productionizing this?
So Snort is running on different servers on the network. I still need to stream all the logs to node1 on the full-development deployment, correct?
Realistically, if you have 20 servers sending logs to the Metron VM, which is intended just for development (and not actual use), you're going to run into resource exhaustion issues (not to mention, full-dev has some insecure defaults because it is not intended for prod use).
You should probably consider spinning up a snort VM and getting it to talk to your full-dev VM to get comfortable, and then work on building Metron on some hardware that can actually handle the appropriate load.
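The advice in this thread is to get Snort alerts onto the `snort` Kafka topic that Metron's snort parser reads. The script below is an added example, not code from the Metron project or from anyone in the thread: it validates each Snort `alert_csv` line against an assumed 27-column layout (the field order I believe the Metron snort parser expects; confirm against your Snort and Metron versions), drops malformed lines so a broken sensor cannot poison the topic, and hands the raw line to a `send(topic, payload)` callable. The `make_kafka_sender` helper assumes the `kafka-python` library and a broker address such as `node1:6667` (a placeholder for the full-dev Kafka listener); everything else runs offline with the constructed sample alerts.

```python
"""Forward Snort alert_csv lines to the Kafka topic Metron's snort parser consumes.

Added example; not part of the Metron project. The column list, the
kafka-python dependency and the broker address are assumptions.
"""
import csv
import io
from typing import Callable, Iterable, List, Tuple

# Assumed column order of Snort's alert_csv output as consumed by Metron's
# snort parser (assumption for this example; verify against your versions).
SNORT_CSV_COLUMNS: List[str] = [
    "timestamp", "sig_generator", "sig_id", "sig_rev", "msg", "proto",
    "src", "srcport", "dst", "dstport", "ethsrc", "ethdst", "ethlen",
    "tcpflags", "tcpseq", "tcpack", "tcplen", "tcpwindow", "ttl", "tos",
    "id", "dgmlen", "iplen", "icmptype", "icmpcode", "icmpid", "icmpseq",
]

# Constructed sample input: two well-formed alert_csv lines and one line a
# misconfigured sensor might emit (not real traffic or real sensor output).
SAMPLE_ALERTS: List[str] = [
    '01/27/16-16:01:04.877970,1,999158,0,"\'snort test alert\'",TCP,'
    "192.168.66.1,50187,192.168.66.121,22,0A:00:27:00:00:00,08:00:27:E8:B0:7A,"
    "0x5A,***A****,0xEE4F7BB5,0xBD5CF70A,,0x800,64,,41197,76,56,,,,",
    "garbage line without the expected columns",
    '01/27/16-16:01:05.102211,1,999158,0,"\'snort test alert\'",TCP,'
    "192.168.66.1,50188,192.168.66.121,22,0A:00:27:00:00:00,08:00:27:E8:B0:7A,"
    "0x5A,***A****,0xEE4F7BB6,0xBD5CF70B,,0x800,64,,41198,76,56,,,,",
]


def parse_snort_csv(line: str) -> dict:
    """Parse one alert_csv line into a dict; raise ValueError on a bad column count."""
    fields = next(csv.reader(io.StringIO(line.strip())))
    if len(fields) != len(SNORT_CSV_COLUMNS):
        raise ValueError(
            f"expected {len(SNORT_CSV_COLUMNS)} fields, got {len(fields)}"
        )
    return dict(zip(SNORT_CSV_COLUMNS, fields))


def forward_alerts(
    lines: Iterable[str],
    send: Callable[[str, bytes], None],
    topic: str = "snort",
) -> Tuple[int, int]:
    """Validate each line and publish the raw line unchanged (Metron parses the CSV).

    Returns (forwarded, dropped) so the caller can alert on a sensor whose
    output stops parsing.
    """
    forwarded = dropped = 0
    for line in lines:
        if not line.strip():
            continue  # skip blank lines from log rotation
        try:
            parse_snort_csv(line)
        except ValueError:
            dropped += 1  # malformed line: do not forward, count it instead
            continue
        send(topic, line.strip().encode("utf-8"))
        forwarded += 1
    return forwarded, dropped


def make_kafka_sender(bootstrap_servers: str) -> Callable[[str, bytes], None]:
    """Build a send() backed by kafka-python (assumed: pip install kafka-python)."""
    from kafka import KafkaProducer  # imported lazily so the rest runs offline

    producer = KafkaProducer(bootstrap_servers=bootstrap_servers)

    def send(topic: str, payload: bytes) -> None:
        producer.send(topic, value=payload)

    return send


if __name__ == "__main__":
    # Offline demo: collect what would be published instead of touching Kafka.
    published = []
    fwd, drop = forward_alerts(SAMPLE_ALERTS, lambda t, p: published.append((t, p)))
    print(f"forwarded={fwd} dropped={drop} topic={published[0][0]}")
    # Real use (assumed broker address): forward_alerts(open(path), make_kafka_sender("node1:6667"))
```

To run it against a live sensor, feed it the lines of Snort's alert_csv file (for example from a `tail -F`-style reader) and pass `make_kafka_sender(...)` as `send`; the dropped counter is the number to watch on a dashboard, since a sensor whose lines stop parsing is otherwise silently invisible in Metron.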