check all your sensor configs....the top few lines are below. Remove the invalidwriterclassname and see if that solves the problem "parserClassName": "org.apache.metron.parsers.bro.BasicBroParser", "filterClassName": null, "sensorTopic": "bro", "writerClassName": null, "errorWriterClassName": null, "invalidWriterClassName": null, ... View more

how exactly are you starting bro? I was doing bro -i eth0 & . and nothing got posted to kafka. I changed it to bro -i eth0 /usr/local/bro/share/bro/site/local.bro & . and the messages started appearing in kafka ... View more

I tried changing the is_alert field in the template to boolean and deleted and recreated the index. But no luck. I already have alert as a nested field in my template ... View more

{"squid_index_2017.12.14.09":{"mappings":{"squid_doc":{"_timestamp":{"enabled":true},"properties":{"action":{"type":"string","index":"not_analyzed"},"adapter:simplehbaseadapter:begin:ts":{"type":"string"},"adapter:simplehbaseadapter:end:ts":{"type":"string"},"adapter:threatinteladapter:begin:ts":{"type":"string"},"adapter:threatinteladapter:end:ts":{"type":"string"},"alert":{"type":"nested"},"bytes":{"type":"integer"},"code":{"type":"string","index":"not_analyzed"},"domain_without_subdomains":{"type":"string","index":"not_analyzed"},"elapsed":{"type":"integer"},"enrichmentjoinbolt:joiner:ts":{"type":"string"},"enrichments:hbaseEnrichment:domain_without_subdomains:whois:domain":{"type":"string"},"enrichments:hbaseEnrichment:domain_without_subdomains:whois:domain_created_timestamp":{"type":"string"},"enrichments:hbaseEnrichment:domain_without_subdomains:whois:home_country":{"type":"string"},"enrichments:hbaseEnrichment:domain_without_subdomains:whois:owner":{"type":"string"},"enrichments:hbaseEnrichment:domain_without_subdomains:whois:registrar":{"type":"string"},"enrichmentsplitterbolt:splitter:begin:ts":{"type":"string"},"enrichmentsplitterbolt:splitter:end:ts":{"type":"string"},"full_hostname":{"type":"string","index":"not_analyzed"},"guid":{"type":"string"},"ip_dst_addr":{"type":"string","index":"not_analyzed"},"ip_src_addr":{"type":"string"},"is_alert":{"type":"string"},"method":{"type":"string","index":"not_analyzed"},"original_string":{"type":"string"},"source:type":{"type":"string","index":"not_analyzed"},"threat:triage:rules:0:comment":{"type":"string"},"threat:triage:rules:0:name":{"type":"string"},"threat:triage:rules:0:reason":{"type":"string"},"threat:triage:rules:0:score":{"type":"long"},"threat:triage:rules:1:comment":{"type":"string"},"threat:triage:rules:1:name":{"type":"string"},"threat:triage:rules:1:reason":{"type":"string"},"threat:triage:rules:1:score":{"type":"long"},"threat:triage:score":{"type":"double"},"threatinteljoinbolt:joiner:ts":{"type":"string"},"threatintels:hbaseThreatIntel:domain_without_subdomains:zeusList":{"type":"string"},"threatintelsplitterbolt:splitter:begin:ts":{"type":"string"},"threatintelsplitterbolt:splitter:end:ts":{"type":"string"},"timestamp":{"type":"date","format":"epoch_millis"},"url":{"type":"string"}}}}}} ... View more

properties action type "string" index "not_analyzed" adapter:geoadapter:begin:ts type "string" adapter:geoadapter:end:ts type "string" adapter:stellaradapter:begin:ts type "string" adapter:stellaradapter:end:ts type "string" bytes type "integer" code type "string" index "not_analyzed" domain_without_subdomains type "string" index "not_analyzed" elapsed type "integer" enrichmentjoinbolt:joiner:ts type "string" enrichments:geo:ip_dst_addr:city type "string" enrichments:geo:ip_dst_addr:country type "string" enrichments:geo:ip_dst_addr:dmaCode type "string" enrichments:geo:ip_dst_addr:latitude type "string" enrichments:geo:ip_dst_addr:locID type "string" enrichments:geo:ip_dst_addr:location_point type "string" enrichments:geo:ip_dst_addr:longitude type "string" enrichments:geo:ip_dst_addr:postalCode type "string" enrichmentsplitterbolt:splitter:begin:ts type "string" enrichmentsplitterbolt:splitter:end:ts type "string" extra type "string" full_hostname type "string" index "not_analyzed" guid type "string" ip_dst_addr type "ip" ip_dst_port type "integer" ip_src_addr type "ip" ip_src_port type "integer" is_malicious type "string" method type "string" index "not_analyzed" original_string type "string" source:type type "string" index "not_analyzed" threatinteljoinbolt:joiner:ts type "string" threatintelsplitterbolt:splitter:begin:ts type "string" threatintelsplitterbolt:splitter:end:ts type "string" timestamp type "date" format "epoch_millis" url type "string" ... View more

I tried re-installing the elastic template. Still no luck ... View more

hcp 1.3.1.0-37 ... View more

Nothing at all in the alerts UI. I see 5 alerts in kibanan and 12 non alert events. But alerts UI is empty. I am running 1.3.1.0-37 installed through the ambari mpack ... View more

I am running 1.3.1.0-37. Deployed it through the ambari mpack ... View more

The squid telemetry does have is_alert true.that is the first thing I checked. I have done threat intel enrichment and is_alert is set to true based on the threat intel ... View more

to get around this error go to /etc/yum.repos.d and mv the file sandbox.repo out of this folder into some other folder and then do the yum install ... View more