Anand Subramanian created METRON-1283:
-----------------------------------------

             Summary: Install Elasticsearch template as a part of the mpack startup scripts
                 Key: METRON-1283
                 URL: https://issues.apache.org/jira/browse/METRON-1283
             Project: Metron
          Issue Type: Bug
            Reporter: Anand Subramanian
            Assignee: Anand Subramanian


For a Metron multi-node deployment using mpack, the Elasticsearch template is 
required to be installed manually post-setup. These templates are required for 
the proper working of, e.g., the Alerts UI. 

In the event that these templates are not installed, and if data is ingested, 
these would not be shown in the Alerts UI, since there would be missing fields 
without the template files (E.g. snort alert indices are not displayed in the 
Alerts UI, since it is missing the "alerts" field from the mapping). In such a 
case, one needs to install the templates, delete all indices for the given 
parser and re-ingest data again into the parser for it to appear in the Alerts 
UI.

Further, the indices from all the parsers will have to be deleted and 
re-ingested again which could be a tedious job in the event that this step was 
missed out by chance. I have also seen other ill-effects from having stale 
indices for parsers that were created before template install.

While documenting the template installation is a good practice, nothing would 
be more failsafe than installing the template as a part of the mpack startup 
scripts itself.

Note that this issue would not be seen on vagrant deployments, since the 
'load_web_templates' role would trigger the installation automatically.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
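
An added example, not part of the original issue or of Metron's code: one way to find which indices were created before the template was installed, by checking an Elasticsearch mapping response for the "alerts" field the report mentions. The index names, doc type names, field types and the `<sensor>_index_<date>` naming are constructed assumptions, as is the typed mapping layout (index, mappings, doc type, properties).

```python
import json

# Constructed sample shaped like a GET /_mapping response. Index names,
# doc type names and field types are made up for illustration.
SAMPLE_MAPPINGS = json.loads("""
{
  "snort_index_2017.11.06.10": {
    "mappings": {"snort_doc": {"properties": {
      "ip_src_addr": {"type": "text"},
      "timestamp": {"type": "long"}
    }}}
  },
  "bro_index_2017.11.06.10": {
    "mappings": {"bro_doc": {"properties": {
      "ip_src_addr": {"type": "ip"},
      "timestamp": {"type": "date"},
      "alerts": {"type": "nested"}
    }}}
  },
  "yaf_index_2017.11.06.10": {"mappings": {}}
}
""")

def indices_missing_field(mappings, field="alerts"):
    """Return sorted index names where any doc type (or the index) lacks `field`."""
    missing = []
    for index, body in mappings.items():
        doc_types = body.get("mappings") or {}
        # An index with no mappings at all also predates the template.
        if not doc_types or any(
            field not in (dt.get("properties") or {}) for dt in doc_types.values()
        ):
            missing.append(index)
    return sorted(missing)

def sensors_to_reingest(mappings, field="alerts"):
    """Group affected indices by sensor prefix (text before '_index', assumed naming)."""
    grouped = {}
    for index in indices_missing_field(mappings, field):
        sensor = index.split("_index", 1)[0]
        grouped.setdefault(sensor, []).append(index)
    return grouped

if __name__ == "__main__":
    for sensor, idx in sensors_to_reingest(SAMPLE_MAPPINGS).items():
        print(f"{sensor}: install template, then delete and re-ingest {idx}")
```

Run against the real mapping output after a deployment, any index it lists is one whose data will not appear in the Alerts UI until the template is installed and the index is deleted and re-ingested.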
