About nallen

nallen · ‎07-09-2018

You have only configured the plugin to push HTTP logs to Kafka; not Conn logs. If you expect to push the Conn logs, then configure those to be sent like Example 3 in the README. Or just start with a simpler configuration like this, which will send only the Conn logs. @load packages/metron-bro-plugin-kafka/Apache/Kafka redef Kafka::logs_to_send = set(Conn::LOG); redef Kafka::topic_name = "bro"; redef Kafka::kafka_conf = table( ["metadata.broker.list"] = "kafkaip:6667") );

nallen · ‎06-29-2018

Since my original comment (from Sept 2017), we have split-out the Metron Mpack from the Elasticsearch MPack. They are now separate packs that each need installed into Ambari. Once you install the Elasticsearch MPack, you will be given the option to install and manage Elasticsearch and Kibana from Ambari.

nallen · ‎04-17-2018

That is probably a transient issue that you can work through by simply retrying. On the command line, simply run `vagrant provision`. See the README for more information. I believe this is documented in the README. I would also suggest trying a more recent version of Metron.

nallen · ‎03-23-2018

Please open a separate question if you have issues with Threat Triage.

nallen · ‎03-22-2018

> I would like to figure out the reason for alerts not turning up in the metron-alerts UI ? I believe it is because the Alerts UI has not been configured to look at the `profiler_index_*` indices that have been created. Right now, the Alerts UI only looks at the indices that have been created for each sensor. > I am seeing is_alerts=”true” for all the records under profiler_index_*. The `is_alerts` value is set to true when those messages are generated by the Profiler. The purpose of sending messages back into Kafka from the Profiler, is to enable use of the Threat Triage mechanism. That is why they are always set to true. > How can I configure to set is_alert=”true” only when the count exceeds the threshold value ? You would do this by defining a rule in Threat Triage that increase the threat score based on that count exceeding a threshold.

nallen · ‎03-21-2018

Did my answer help? If so, please mark it so.

nallen · ‎03-16-2018

Hi Anil - One problem here is that a failed assignment expression in the REPL does not provide a helpful error message. I submitted a fix for this here https://github.com/apache/metron/pull/966. To work around that in the REPL, you can just do something like the following to test your Profiler definition; basically don't use assignment. [Stellar]>>> conf := SHELL_EDIT(conf) { "profiles":[ { "profile":"demo_iplogon_failed", "foreach":"ip_address", "onlyif":"source.type == 'demo_windowsnxlog' and event_id == 4625", "init":{ "count":"0" }, "update":{ "count":"count + 1" }, "result":{ "profile":"count", "triage":{ "logon_failed_count":"count" } } } ] } [Stellar]>>> [Stellar]>>> PROFILER_INIT(conf) The issue with the profile definition, is that you don't have a 'result/profile' expression. The 'result/profile' expression which persists the data in HBase is required. Just add one like so below. [Stellar]>>> conf { "profiles":[ { "profile":"demo_iplogon_failed", "foreach":"ip_address", "onlyif":"source.type == 'demo_windowsnxlog' and event_id == 4625", "init":{ "count":"0" }, "update":{ "count":"count + 1" }, "result":{ "profile":"count", "triage":{ "logon_failed_count":"count" } } } ] } [Stellar]>>> PROFILER_INIT(conf) Profiler{1 profile(s), 0 messages(s), 0 route(s)}

nallen · ‎12-14-2017

Do you see anything in the Alerts UI? Or is just this specific Squid data that is missing? What version of Metron are you running? How did you deploy Metron?

nallen · ‎12-13-2017

Only 'alerts' will appear in the Alerts UI. So what is an alert then, you ask? Well, not all telemetry in Metron is treated as an alert. Only telemetry that is specifically marked with a field { "is_alert": "true" } is treated as an alert. This gives the user the flexibility to define which telemetry will go through additional threat triage processing. In your case, the Squid telemetry does not have this field and so is not treated as an alert. For testing purposes, you can add this field to your Squid telemetry by creating a simple enrichment that adds the field "is_alert" and sets it to "true". Hope this makes sense.

nallen · ‎12-12-2017

I would guess that you have not installed the Hostmanager Vagrant Plugin. Make sure that you have all of these prerequisites installed. In that same README there are simple instructions for getting the prerequisites installed on a Mac. If that does not work, then please provide more information. What platform are you running on? What version of Metron are you running? What directory are you running the 'vagrant up' command in? Providing the output of running 'metron-deployment/scripts/platform-info.sh' would also be very helpful.

Online	Offline
Last Visited	‎02-17-2021 10:33 AM

Date Registered	‎03-23-2016 02:24 PM
Last Visited	‎02-17-2021 10:33 AM
Total Messages Posted	56
Total Kudos Received	20

Re: Metron Profiler: java.lang.IllegalArgumentExce...

Re: why is stellar returning empty profile values?

Re: Pcap data index to ElasticSearch

Re: Metron: ingest PCAP files

Re: Fastcapa Test Environment not work in Metron 0...

Re: metron-bro-kafka not producing logs

Re: How to start Elasticsearch in HCP-Ambari-Mpack...

Re: Metron 0.3.1 Install on Ubuntu/Debian single-n...

Re: Metron Alert UI: Alerts not appearing in merto...

Re: Metron Alert UI: Alerts not appearing in merto...

Re: Metron Profiler: java.lang.IllegalArgumentExce...

Re: Metron Profiler: java.lang.IllegalArgumentExce...

Re: metron alerts UI is empty

Re: metron alerts UI is empty

Re: Taking an error "* Unknown configuration secti...