Member since
07-14-2016
05-24-2017
02:15 PM
I only took a quick look into this - it seems that as of Jun 3, 2014 AWS doesn't seem to support VT-x.
05-22-2017
06:33 PM
Not 100% sure, but seems like a resource constraints issue. Have you tried running this again, getting the same result? Also, what kind of resources (CPU, RAM, etc.) are you allocating to this?
03-10-2017
08:17 PM
I worked on this some more today. Given all of the recent build changes to Metron master and the fact that ansible 2.0.0.2 is broken in numerous ways (pip install is broken, brew install is broken, etc.) I gave up and I'm focusing on the upgrade to ansible 2.2. The centos7 branch of my script does not work and will be abandoned.
03-10-2017
11:09 AM
It builds whichever vagrant setup you choose, so the default quick dev, full, etc. Also note that I think some changes will be hitting Metron master today which aren't entirely tested with my script yet, and that also soft requires centos7 (it really requires docker which isn't officially supported on centos6 but you can get it to work if you want. YMMV). If you want to alpha test my centos7 script, check out the centos7 branch.
03-01-2017
06:19 PM
What version of CentOS? If you just have a CentOS VM and want to install quick-dev or full-dev, you can run my script here, but it only works on 6.8.
02-24-2017
06:44 PM
What cstella is suggesting should work, but you can also filter upstream in bro using a predicate. I can give more help later if necessary but I first suggest you read and understand the below post and look at my bro script. My script filters IPv6 traffic for Conn, HTTP, and dns, and also filters all non-internet traffic (you can simply remove that part of the logic for your situation) if you are using the Kafka plugin.

http://blog.bro.org/2012/02/filtering-logs-with-bro.html

https://github.com/JonZeolla/Development/blob/master/bro/logs-to-kafka.bro

Hope that helps.
01-04-2017
12:54 PM
Edit your Vagrantfile and add this to the bottom, under "[ssh_connection]":

`scp_if_ssh = True`

I have a ticket open to fix this issue for the next release.
12-26-2016
06:31 PM
Sorry for formatting, I'm mobile. What is the error, and what's your host OS? Try running the following where you run `vagrant up`:

`sed -i '/\[ssh_connection\]/a scp_if_ssh = True' ./ansible.cfg`
09-29-2016
07:12 PM
@Neha Sinha's solution worked, however that way it still goes through the enrichment tier, it just goes kafkaSpout -> Split -> Join -> Split -> Join -> Output. There is another way to do this that completely skips the enrichment tier and writes from the parser's topic (bro) directly to indexing via:

```
"parserConfig": {
  "kafka.topic" : "indexing"
}
```

This exists in `/usr/metron/0.2.0BETA/config/zookeeper/parsers/bro.json` and can be pushed via `/usr/metron/0.2.0BETA/bin/zk_load_configs.sh -z $zk -m PUSH -i /usr/metron/0.2.0BETA/config/zookeeper/`
09-12-2016
11:23 AM
I did this and it worked - I just wanted to clarify for others that when you make the backup of your .json file, it needs to be in a different directory than under /usr/metron/0.2.0BETA/config/zookeeper/. I made a backup by simply copying bro.json to bro.json.bkp and when I ran the PUSH command, I ended up with both a "bro" and a "bro.json" znode. I assume this is because the script gets all files in those dirs and removes the last extension ("bro.json" becomes "bro", and "bro.json.bkp" becomes "bro.json"), then uses that as the name on create.