[jira] [Commented] (METRON-508) Expand Elasticsearch templates to support the standard bro logs
[ https://issues.apache.org/jira/browse/METRON-508?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16074620#comment-16074620 ]

ASF GitHub Bot commented on METRON-508:
---

Github user asfgit closed the pull request at:

    https://github.com/apache/metron/pull/586

> Expand Elasticsearch templates to support the standard bro logs
> ---
>
> Key: METRON-508
> URL: https://issues.apache.org/jira/browse/METRON-508
> Project: Metron
> Issue Type: Sub-task
> Reporter: Jon Zeolla
> Assignee: Jon Zeolla
> Priority: Minor
> Original Estimate: 2h
> Remaining Estimate: 2h
>
> The current elasticsearch templates do not support any logs other than Conn,
> HTTP, and DNS. We should provide additional templates so that an
> out-of-the-box bro install can send all of its logs into Metron and they will
> get probably indexed in elasticsearch.

--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
[ https://issues.apache.org/jira/browse/METRON-508?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16071475#comment-16071475 ]

ASF GitHub Bot commented on METRON-508:
---

Github user JonZeolla commented on the issue:

    https://github.com/apache/metron/pull/586

    I spotted a duplicate in taking a scan of the template, so I ran `grep '": {' metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/METRON/CURRENT/package/files/bro_index.template | sort | uniq -c | grep -v 1` to make sure that was the only one. I fixed it and pushed things up, along with other minor tweaks - Travis was successful so I plan to merge soon. I also put some thoughts for a follow-on PR in [METRON-1010](https://issues.apache.org/jira/browse/METRON-1010).
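The duplicate field mapping mentioned in the comment above is worth checking structurally rather than with a file-wide `grep | uniq -c`: a JSON parser (and Elasticsearch when it loads the template) silently resolves a repeated key to whichever value came last, so a second `"user"` block overrides the first without any error, and the grep pipeline only counts field names across the whole file, not within one object. The Python below is an added example, not code from the PR or from Metron; it parses a template with `object_pairs_hook` so duplicates survive long enough to be reported with their JSON path. The miniature template, including its `bro_doc` document type, is constructed for the example.

```python
import json
from collections import Counter


class _Pairs(list):
    """Marker type: one JSON object's key/value pairs, in order, duplicates kept."""


def find_duplicate_keys(template_text):
    """Return [(path, key, count)] for every key repeated inside one JSON object.

    json.loads() alone cannot see this: a repeated key is silently resolved
    to whichever value came last, so a duplicated field mapping in an index
    template is never reported by the parser (or by Elasticsearch).
    """
    tree = json.loads(template_text, object_pairs_hook=_Pairs)
    found = []

    def walk(node, path):
        if isinstance(node, _Pairs):
            for key, n in Counter(k for k, _ in node).items():
                if n > 1:
                    found.append((path, key, n))
            for key, value in node:
                walk(value, "%s.%s" % (path, key) if path else key)
        elif isinstance(node, list):
            for i, item in enumerate(node):
                walk(item, "%s[%d]" % (path, i))

    walk(tree, "")
    return found


def mapping_after_plain_load(template_text, doc_type, field):
    """What a plain json.loads() (and thus Elasticsearch) ends up using for a field."""
    doc = json.loads(template_text)
    return doc["mappings"][doc_type]["properties"].get(field)


# Constructed miniature of a bro index template in the ES 2.x style the PR
# uses; "user" is mapped twice with conflicting settings on purpose.
SAMPLE_TEMPLATE = """
{
  "template": "bro_index*",
  "mappings": {
    "bro_doc": {
      "properties": {
        "timestamp": { "type": "date", "format": "epoch_millis" },
        "ip_src_addr": { "type": "ip" },
        "user": { "type": "string", "index": "not_analyzed" },
        "command": { "type": "string", "index": "not_analyzed" },
        "user": { "type": "string", "analyzer": "simple" },
        "md5": { "type": "string", "index": "not_analyzed" }
      }
    }
  }
}
"""

if __name__ == "__main__":
    for path, key, n in find_duplicate_keys(SAMPLE_TEMPLATE):
        print("duplicate key %r (%d times) in %s" % (key, n, path))
    print("plain load keeps:", mapping_after_plain_load(SAMPLE_TEMPLATE, "bro_doc", "user"))
```

Run against the real `bro_index.template` path, `find_duplicate_keys` returns an empty list when the template is clean; the second function shows which of the conflicting mappings would actually have been applied (the last one, here the analyzed variant).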
[ https://issues.apache.org/jira/browse/METRON-508?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16068760#comment-16068760 ]

ASF GitHub Bot commented on METRON-508:
---

Github user JonZeolla commented on the issue:

    https://github.com/apache/metron/pull/586

    Last try before I merge in #624 and make it a dependency.
[ https://issues.apache.org/jira/browse/METRON-508?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16068679#comment-16068679 ]

ASF GitHub Bot commented on METRON-508:
---

GitHub user JonZeolla reopened a pull request:

    https://github.com/apache/metron/pull/586

    METRON-508 Expand Elasticsearch templates to support the standard bro logs

## Contributor Comments

This PR makes it easier for someone with an existing bro install to send some of their log files into Metron, based off of a combination of the [bro documentation](https://www.bro.org/sphinx/script-reference/log-files.html) and a fresh install of bro 2.5. There are future plans to expand on this via [METRON-518](https://issues.apache.org/jira/browse/METRON-518) and [METRON-908](https://issues.apache.org/jira/browse/METRON-908).

Specifically, this attempts to provide initial support for the default-on fields of the following logs:

- [Conn](https://www.bro.org/sphinx/scripts/base/protocols/conn/main.bro.html#type-Conn::Info)
- [DPD](https://www.bro.org/sphinx-git/scripts/base/frameworks/dpd/main.bro.html#type-DPD::Info)
- [FTP](https://www.bro.org/sphinx/scripts/base/protocols/ftp/info.bro.html#type-FTP::Info)
- [Files](https://www.bro.org/sphinx/scripts/base/frameworks/files/main.bro.html#type-Files::Info)
- [CertsInfo](https://www.bro.org/sphinx/scripts/policy/protocols/ssl/known-certs.bro.html#type-Known::CertsInfo)
- [SMTP](https://www.bro.org/sphinx/scripts/base/protocols/smtp/main.bro.html#type-SMTP::Info)
- [SSL](https://www.bro.org/sphinx/scripts/base/protocols/ssl/main.bro.html#type-SSL::Info)
- [Weird](https://www.bro.org/sphinx/scripts/base/frameworks/notice/weird.bro.html#type-Weird::Info)
- [Notice](https://www.bro.org/sphinx/scripts/base/frameworks/notice/main.bro.html#type-Notice::Info)
- [DHCP](https://www.bro.org/sphinx/scripts/base/protocols/dhcp/main.bro.html#type-DHCP::Info)
- [SSH](https://www.bro.org/sphinx/scripts/base/protocols/ssh/main.bro.html#type-SSH::Info)
- [Software](https://www.bro.org/sphinx/scripts/base/frameworks/software/main.bro.html#type-Software::Info)
- [Radius](https://www.bro.org/sphinx/scripts/base/protocols/radius/main.bro.html#type-RADIUS::Info)
- [X509](https://www.bro.org/sphinx/scripts/base/files/x509/main.bro.html#type-X509::Info)
- [DevicesInfo](https://www.bro.org/sphinx/scripts/policy/misc/known-devices.bro.html#type-Known::DevicesInfo)

## Testing

1. Create a working directory and pull in this PR
```
mkdir ~/metron-508
git clone https://github.com/apache/metron ~/metron-508/metron
cd ~/metron-508/metron
git remote add jonzeolla https://github.com/jonzeolla/metron
git pull jonzeolla METRON-508
```
1. Modify [this](https://github.com/JonZeolla/metron/blob/METRON-508/metron-deployment/vagrant/full-dev-platform/Vagrantfile#L20) to remove `sensors,` (to spin up the real sensors).
```
sed -i '' "s/ansibleSkipTags=.*/ansibleSkipTags=\'quick_dev\'/" metron-deployment/vagrant/full-dev-platform/Vagrantfile
```
1. Start up full-dev.
```
cd metron-deployment/vagrant/full-dev-platform
vagrant up
```
1. Set up the environment in full-dev.
```
vagrant ssh
sudo su -
export PATH=$PATH:/usr/local/bro/bin
service monit stop && service sensor-stubs stop bro && broctl stop
yum -y install jq wireshark
```
1. Configure kafka in local.bro.
```
sed -i 's/redef Kafka::logs_to_send = .*/redef Kafka::logs_to_send = set(HTTP::LOG, DNS::LOG, Conn::LOG, DPD::LOG, DHCP::LOG, FTP::LOG, SSH::LOG, SSL::LOG, SMTP::LOG, RADIUS::LOG, Weird::LOG, Files::LOG, Notice::LOG, Software::LOG, Known::CERTS_LOG, Known::DEVICES_LOG, X509::LOG);/' /usr/local/bro/share/bro/site/local.bro
echo "redef Kafka::debug = \"all\";" >> /usr/local/bro/share/bro/site/local.bro
echo "redef Known::cert_tracking = ALL_HOSTS;" >> /usr/local/bro/share/bro/site/local.bro
echo "redef Software::asset_tracking = ALL_HOSTS;" >> /usr/local/bro/share/bro/site/local.bro
sed -i '86 a @load policy/protocols/dhcp/known-devices-and-hostnames.bro' /usr/local/bro/share/bro/site/local.bro
```
1. Monitor the bro kafka topic
```
# Open a new terminal
cd ~/metron-508/metron/metron-deployment/vagrant/full-dev-platform
vagrant ssh
sudo su -
export PATH=$PATH:/usr/local/bro/bin:/usr/hdp/current/kafka-broker/bin
kafka-console-consumer.sh --zookeeper localhost:2181 --topic bro
```
1. Monitor the storm logs.
```
# Open a new terminal
cd ~/metron-508/metron/metron-deployment/vagrant/full-dev-platform
vagrant ssh
sudo su -
```
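The testing steps above push bro's Kafka output through Metron and watch it arrive; what the template has to guarantee is that every field the parser emits is mapped before the first document lands, because a field the template does not name gets Elasticsearch's dynamic mapping from whatever the first document happens to contain (an IP or a file hash becomes an analyzed string, so exact-match and range queries on it stop working). The Python below is an added example, not code from the PR or from Metron: it flattens a bro Kafka message the way the indexed documents look and lists the fields a template's `properties` block is silent on. It assumes the `{"<log>": {...}}` message shape of the bro Kafka plugin, the `id.orig_h`/`id.resp_h` renames Metron's bro parser performs, and the `.`-to-`:` flattening of nested record fields that the template in this PR uses (`data_channel:passive`); the template subset and both messages are constructed.

```python
import json

# Constructed subset of a bro_index.template "properties" block, written in
# the ES 2.x style the PR uses. Not the project's real template.
TEMPLATE_PROPERTIES = {
    "timestamp":   {"type": "date", "format": "epoch_millis"},
    "protocol":    {"type": "string", "index": "not_analyzed"},
    "uid":         {"type": "string", "index": "not_analyzed"},
    "ip_src_addr": {"type": "ip"},
    "ip_src_port": {"type": "integer"},
    "ip_dst_addr": {"type": "ip"},
    "ip_dst_port": {"type": "integer"},
    "user":        {"type": "string", "index": "not_analyzed"},
    "command":     {"type": "string", "index": "not_analyzed"},
    "data_channel:passive": {"type": "boolean"},
    "data_channel:orig_h":  {"type": "ip"},
    "fuid":        {"type": "string", "index": "not_analyzed"},
}

# Field renames assumed to mirror Metron's bro parser; "ts" becomes the
# millisecond "timestamp" and every other dotted name is flattened with ':'.
RENAMES = {
    "id.orig_h": "ip_src_addr", "id.orig_p": "ip_src_port",
    "id.resp_h": "ip_dst_addr", "id.resp_p": "ip_dst_port",
}


def normalize(kafka_message):
    """Flatten one {"<log>": {...}} bro Kafka message into the field names
    that reach Elasticsearch, so they can be compared with the template."""
    (log_type, record), = json.loads(kafka_message).items()
    flat = {"protocol": log_type}
    for key, value in record.items():
        if key == "ts":
            flat["timestamp"] = int(round(float(value) * 1000))
        else:
            flat[RENAMES.get(key, key.replace(".", ":"))] = value
    return flat


def unmapped_fields(kafka_message, properties=TEMPLATE_PROPERTIES):
    """Fields of the message the template does not name; Elasticsearch would
    guess a type for each of these from the first document it sees."""
    return sorted(name for name in normalize(kafka_message) if name not in properties)


# Constructed sample messages (not captured traffic).
FTP_MSG = json.dumps({"ftp": {
    "ts": 1498578000.123, "uid": "CHhAvVGS1DHFjwGM9",
    "id.orig_h": "10.0.0.5", "id.orig_p": 51234,
    "id.resp_h": "10.0.0.9", "id.resp_p": 21,
    "user": "anonymous", "password": "<hidden>",
    "command": "RETR", "arg": "ftp://10.0.0.9/pub/file.bin",
    "mime_type": "application/octet-stream", "file_size": 4096,
    "reply_code": 226, "reply_msg": "Transfer complete.",
    "data_channel.passive": True, "data_channel.orig_h": "10.0.0.5",
    "data_channel.resp_h": "10.0.0.9", "data_channel.resp_p": 50001,
    "fuid": "FpSx4m1bFLhMj24tH3",
}})
CONN_MSG = json.dumps({"conn": {
    "ts": 1498578001.0, "uid": "CXo1ZZ3qkv5hN9bY8c",
    "id.orig_h": "10.0.0.5", "id.orig_p": 51235,
    "id.resp_h": "10.0.0.9", "id.resp_p": 21,
}})

if __name__ == "__main__":
    for msg in (FTP_MSG, CONN_MSG):
        missing = unmapped_fields(msg)
        print("%s: %s" % (normalize(msg)["protocol"],
                          ", ".join(missing) if missing else "fully mapped"))
```

Pointed at the `kafka-console-consumer.sh` output from the monitoring step and the real template's `properties` block, the same check turns a manual scan of the Storm logs into a list of the field names that would still be dynamically mapped.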
[ https://issues.apache.org/jira/browse/METRON-508?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16068678#comment-16068678 ]

ASF GitHub Bot commented on METRON-508:
---

Github user JonZeolla closed the pull request at:

    https://github.com/apache/metron/pull/586
[ https://issues.apache.org/jira/browse/METRON-508?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16068568#comment-16068568 ]

ASF GitHub Bot commented on METRON-508:
---

GitHub user JonZeolla reopened a pull request:

    https://github.com/apache/metron/pull/586

    METRON-508 Expand Elasticsearch templates to support the standard bro logs
[ https://issues.apache.org/jira/browse/METRON-508?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16068567#comment-16068567 ]

ASF GitHub Bot commented on METRON-508:
---

Github user JonZeolla closed the pull request at:

    https://github.com/apache/metron/pull/586
[ https://issues.apache.org/jira/browse/METRON-508?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16068381#comment-16068381 ]

ASF GitHub Bot commented on METRON-508:
---

Github user JonZeolla closed the pull request at:

    https://github.com/apache/metron/pull/586
[ https://issues.apache.org/jira/browse/METRON-508?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16067150#comment-16067150 ]

ASF GitHub Bot commented on METRON-508:
---

Github user JonZeolla closed the pull request at:

    https://github.com/apache/metron/pull/586
[ https://issues.apache.org/jira/browse/METRON-508?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16067151#comment-16067151 ]

ASF GitHub Bot commented on METRON-508:
---

GitHub user JonZeolla reopened a pull request:

    https://github.com/apache/metron/pull/586

    METRON-508 Expand Elasticsearch templates to support the standard bro logs
[ https://issues.apache.org/jira/browse/METRON-508?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16067039#comment-16067039 ]

ASF GitHub Bot commented on METRON-508:
---

GitHub user JonZeolla reopened a pull request:

    https://github.com/apache/metron/pull/586

    METRON-508 Expand Elasticsearch templates to support the standard bro logs
[ https://issues.apache.org/jira/browse/METRON-508?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16067038#comment-16067038 ]

ASF GitHub Bot commented on METRON-508:
---

Github user JonZeolla closed the pull request at:

    https://github.com/apache/metron/pull/586
[ https://issues.apache.org/jira/browse/METRON-508?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16066955#comment-16066955 ]

ASF GitHub Bot commented on METRON-508:
---

GitHub user JonZeolla reopened a pull request:

    https://github.com/apache/metron/pull/586

    METRON-508 Expand Elasticsearch templates to support the standard bro logs
[ https://issues.apache.org/jira/browse/METRON-508?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16065303#comment-16065303 ]

ASF GitHub Bot commented on METRON-508:
---

Github user JonZeolla closed the pull request at:

    https://github.com/apache/metron/pull/586
[jira] [Commented] (METRON-508) Expand Elasticsearch templates to support the standard bro logs
[ https://issues.apache.org/jira/browse/METRON-508?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16057739#comment-16057739 ]

ASF GitHub Bot commented on METRON-508:
---
Github user JonZeolla commented on the issue:

https://github.com/apache/metron/pull/586

@nickwallen So, I'm not entirely done with the documentation, but I pushed it out for a quick, general review. In doing this, I noticed that some new default-on fields were added with the release of 2.5/2.5.1 (for example, `server_appdata` in [SSL](https://www.bro.org/sphinx/scripts/base/protocols/ssl/main.bro.html#type-SSL::Info) was added with 2.5). For now, I'm going to ignore those.
[jira] [Commented] (METRON-508) Expand Elasticsearch templates to support the standard bro logs
[ https://issues.apache.org/jira/browse/METRON-508?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16056245#comment-16056245 ]

ASF GitHub Bot commented on METRON-508:
---
Github user nickwallen commented on a diff in the pull request:

https://github.com/apache/metron/pull/586#discussion_r123058316

--- Diff: metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/METRON/CURRENT/package/files/bro_index.template ---
@@ -238,6 +238,538 @@ "qtype_name": { "type": "string", "index": "not_analyzed" +}, +"analyzer": { + "type": "string", + "index": "not_analyzed" +}, +"failure_reason": { + "type": "string", + "index": "not_analyzed" +}, +"user": { + "type": "string", + "index": "not_analyzed" +}, +"password": { + "type": "string", + "index": "not_analyzed" +}, +"command": { + "type": "string", + "index": "not_analyzed" +}, +"arg": { + "type": "string", + "analyzer": "simple" +}, +"mime_type": { + "type": "string", + "analyzer": "simple" +}, +"file_size": { + "type": "long" +}, +"reply_code": { + "type": "integer" +}, +"reply_msg": { + "type": "string", + "index": "not_analyzed" +}, +"data_channel:passive": { + "type": "boolean" +}, +"data_channel:orig_h": { + "type": "ip" +}, +"data_channel:resp_h": { + "type": "ip" +}, +"data_channel:resp_p": { + "type": "integer" +}, +"cwd": { + "type": "string", + "analyzer": "simple" +}, +"passive": { + "type": "boolean" +}, +"capture_password": { + "type": "boolean" +}, +"fuid": { + "type": "string", + "index": "not_analyzed" +}, +"conn_uids": { + "type": "string", + "analyzer": "simple" +}, +"source": { + "type": "string", + "index": "not_analyzed" +}, +"depth": { + "type": "integer" +}, +"analyzers": { + "type": "string", + "analyzer": "simple" +}, +"filename": { + "type": "string", + "index": "not_analyzed" +}, +"duration": { + "type": "float" +}, +"local_orig": { + "type": "boolean" +}, +"is_orig": { + "type": "boolean" +}, +"seen_bytes": { + "type": "long" +}, +"total_bytes": { + "type": "long" +}, +"missing_bytes": { + "type": "long" +}, +"overflow_bytes": { + "type": "long" +}, +"timedout": { + "type": "boolean" +}, +"parent_fuid": { + "type": "string", + "index": "not_analyzed" +}, +"md5": { + "type": "string", + "index": "not_analyzed" +}, +"sha1": { + "type": "string", + "index": "not_analyzed" +}, +"sha256": { + "type": "string", + "index": "not_analyzed" +}, +"port_num": { + "type": "integer" +}, +"subject": { + "type": "string", + 
"analyzer": "simple" +}, +"issuer_subject": { + "type": "string", + "analyzer": "simple" +}, +"serial": { + "type": "string", + "index": "not_analyzed" +}, +"helo": { + "type": "string", + "analyzer": "simple" +}, +"mailfrom": { + "type": "string", + "analyzer": "simple" +}, +"rcptto": { + "type": "string", + "analyzer": "simple" +}, +"date": { + "type": "string", + "index": "not_analyzed" +}, +"from": { + "type": "string", + "analyzer": "simple" +
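Review bot: the `password` mapping added in this hunk (next to `capture_password`, both from the FTP log) makes FTP passwords an exact-match `not_analyzed` string in the one index every bro log shares, so on a sensor where password capture is turned on, cleartext credentials become searchable alongside all other bro data; a comment in the template or the PR docs saying so, and suggesting `"index": "no"` for `password` where operators do not need it, would help. Also, `data_channel:passive`, `data_channel:orig_h`, `data_channel:resp_h` and `data_channel:resp_p` use a colon to flatten the nested FTP record while every other field in the hunk is a plain name; the PR should state which component emits that colon form so a reader can confirm the mapping matches the JSON the bro kafka plugin actually produces.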
[jira] [Commented] (METRON-508) Expand Elasticsearch templates to support the standard bro logs
[ https://issues.apache.org/jira/browse/METRON-508?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16056241#comment-16056241 ]

ASF GitHub Bot commented on METRON-508:
---
GitHub user JonZeolla reopened a pull request:

https://github.com/apache/metron/pull/586

METRON-508 Expand Elasticsearch templates to support the standard bro logs

## Contributor Comments

This PR makes it easier for someone with an existing bro install to send some of their log files into Metron, based off of a combination of the [bro documentation](https://www.bro.org/sphinx/script-reference/log-files.html) and a fresh install of bro 2.5. There are future plans to expand on this via [METRON-518](https://issues.apache.org/jira/browse/METRON-518) and [METRON-908](https://issues.apache.org/jira/browse/METRON-908).

Specifically, this attempts to provide initial support for the default-on fields of the following logs:

- [Conn](https://www.bro.org/sphinx/scripts/base/protocols/conn/main.bro.html#type-Conn::Info)
- [DPD](https://www.bro.org/sphinx-git/scripts/base/frameworks/dpd/main.bro.html#type-DPD::Info)
- [FTP](https://www.bro.org/sphinx/scripts/base/protocols/ftp/info.bro.html#type-FTP::Info)
- [Files](https://www.bro.org/sphinx/scripts/base/frameworks/files/main.bro.html#type-Files::Info)
- [CertsInfo](https://www.bro.org/sphinx/scripts/policy/protocols/ssl/known-certs.bro.html#type-Known::CertsInfo)
- [SMTP](https://www.bro.org/sphinx/scripts/base/protocols/smtp/main.bro.html#type-SMTP::Info)
- [SSL](https://www.bro.org/sphinx/scripts/base/protocols/ssl/main.bro.html#type-SSL::Info)
- [Weird](https://www.bro.org/sphinx/scripts/base/frameworks/notice/weird.bro.html#type-Weird::Info)
- [Notice](https://www.bro.org/sphinx/scripts/base/frameworks/notice/main.bro.html#type-Notice::Info)
- [DHCP](https://www.bro.org/sphinx/scripts/base/protocols/dhcp/main.bro.html#type-DHCP::Info)
- [SSH](https://www.bro.org/sphinx/scripts/base/protocols/ssh/main.bro.html#type-SSH::Info)
- [Software](https://www.bro.org/sphinx/scripts/base/frameworks/software/main.bro.html#type-Software::Info)
- [Radius](https://www.bro.org/sphinx/scripts/base/protocols/radius/main.bro.html#type-RADIUS::Info)
- [X509](https://www.bro.org/sphinx/scripts/base/files/x509/main.bro.html#type-X509::Info)
- [DevicesInfo](https://www.bro.org/sphinx/scripts/policy/misc/known-devices.bro.html#type-Known::DevicesInfo)

## Testing

1. Create a working directory and pull in this PR.
```
mkdir ~/metron-508
git clone https://github.com/apache/metron ~/metron-508/metron
cd ~/metron-508/metron
git remote add jonzeolla https://github.com/jonzeolla/metron
git pull jonzeolla METRON-508
```
1. Modify [this](https://github.com/JonZeolla/metron/blob/METRON-508/metron-deployment/vagrant/full-dev-platform/Vagrantfile#L20) to remove `sensors,` (to spin up the real sensors).
```
sed -i '' "s/ansibleSkipTags=.*/ansibleSkipTags=\'quick_dev\'/" metron-deployment/vagrant/full-dev-platform/Vagrantfile
```
1. Start up full-dev.
```
cd metron-deployment/vagrant/full-dev-platform
vagrant up
```
1. Set up the environment in full-dev.
```
vagrant ssh
sudo su -
export PATH=$PATH:/usr/local/bro/bin
service monit stop && service sensor-stubs stop bro && broctl stop
yum -y install jq wireshark
```
1. Configure kafka in local.bro.
```
sed -i 's/redef Kafka::logs_to_send = .*/redef Kafka::logs_to_send = set(HTTP::LOG, DNS::LOG, Conn::LOG, DPD::LOG, DHCP::LOG, FTP::LOG, SSH::LOG, SSL::LOG, SMTP::LOG, RADIUS::LOG, Weird::LOG, Files::LOG, Notice::LOG, Software::LOG, Known::CERTS_LOG, Known::DEVICES_LOG, X509::LOG);/' /usr/local/bro/share/bro/site/local.bro
echo "redef Kafka::debug = \"all\";" >> /usr/local/bro/share/bro/site/local.bro
echo "redef Known::cert_tracking = ALL_HOSTS;" >> /usr/local/bro/share/bro/site/local.bro
echo "redef Software::asset_tracking = ALL_HOSTS;" >> /usr/local/bro/share/bro/site/local.bro
sed -i '86 a @load policy/protocols/dhcp/known-devices-and-hostnames.bro' /usr/local/bro/share/bro/site/local.bro
```
1. Monitor the bro kafka topic.
```
# Open a new terminal
cd ~/metron-508/metron/metron-deployment/vagrant/full-dev-platform
vagrant ssh
sudo su -
export PATH=$PATH:/usr/local/bro/bin:/usr/hdp/current/kafka-broker/bin
kafka-console-consumer.sh --zookeeper localhost:2181 --topic bro
```
1. Monitor the storm logs.
```
# Open a new terminal
cd ~/metron-508/metron/metron-deployment/vagrant/full-dev-platform
vagrant ssh
sudo su -
```
[jira] [Commented] (METRON-508) Expand Elasticsearch templates to support the standard bro logs
[ https://issues.apache.org/jira/browse/METRON-508?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16056240#comment-16056240 ]

ASF GitHub Bot commented on METRON-508:
---
Github user JonZeolla closed the pull request at:

https://github.com/apache/metron/pull/586
[jira] [Commented] (METRON-508) Expand Elasticsearch templates to support the standard bro logs
[ https://issues.apache.org/jira/browse/METRON-508?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16056224#comment-16056224 ]

ASF GitHub Bot commented on METRON-508:
---
Github user ottobackwards commented on a diff in the pull request:

https://github.com/apache/metron/pull/586#discussion_r123055525

--- Diff: metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/METRON/CURRENT/package/files/bro_index.template ---
@@ -238,6 +238,538 @@ "qtype_name": { "type": "string", "index": "not_analyzed" +}, +"analyzer": { + "type": "string", + "index": "not_analyzed" +}, +"failure_reason": { --- End diff --

I'm sorry if this is left field, but what if we provide more than one 'example' template in the bro parser extension, and not try to come up with the perfect configuration? Also, if and when 777 hits and we move on to 'create an instance of a parser - clone and edit configurations', they can use those samples to do so.
[jira] [Commented] (METRON-508) Expand Elasticsearch templates to support the standard bro logs
[ https://issues.apache.org/jira/browse/METRON-508?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16056124#comment-16056124 ]

ASF GitHub Bot commented on METRON-508:
---
GitHub user JonZeolla reopened a pull request:

https://github.com/apache/metron/pull/586

METRON-508 Expand Elasticsearch templates to support the standard bro logs
[jira] [Commented] (METRON-508) Expand Elasticsearch templates to support the standard bro logs
[ https://issues.apache.org/jira/browse/METRON-508?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16056122#comment-16056122 ]

ASF GitHub Bot commented on METRON-508:
---
Github user JonZeolla commented on a diff in the pull request:

https://github.com/apache/metron/pull/586#discussion_r123040458

--- Diff: metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/METRON/CURRENT/package/files/bro_index.template ---
@@ -238,6 +238,538 @@ "qtype_name": { "type": "string", "index": "not_analyzed" +}, +"analyzer": { + "type": "string", + "index": "not_analyzed" +}, +"failure_reason": { --- End diff --

Right, I considered both options, and implemented option 2 at one point, but I removed the comments because of the field name collisions (i.e. two separate bro logs with an overlapping field name). While reading through the template, it was confusing that a given section wouldn't contain all of the fields for a specific log, because they were addressed earlier in the template under another log's section.

I would prefer to merge this in as-is, and address the collision problem separately (at least, that was my intent). The first true solution that comes to mind is to put the individual bro logs into distinct indexes, but then we would need to change anywhere in Metron that touches bro data. I would prefer to do that after METRON-939 (#619), if it gets merged.
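As an added example, not code from the PR or the Metron project, the two failure modes discussed in this comment, a key repeated inside one template object and a field name that two bro logs map differently, can both be caught before a template is loaded into Elasticsearch. The template text and per-log field sets below are constructed samples, and the conflicting `duration` mapping under `ftp` is hypothetical.

```python
"""Added example (not from the PR or Metron): check a single shared bro index
template for (1) keys repeated inside one JSON object, which json.load would
silently collapse to the last value, and (2) a field name that two bro logs map
differently, where the log that happens to come last wins in one shared index."""
import json
from collections import defaultdict

# Constructed sample in the style of bro_index.template (not the project's
# file). "md5" is deliberately declared twice inside "properties".
SAMPLE_TEMPLATE_TEXT = """{
  "template": "bro_index*",
  "mappings": {
    "bro_doc": {
      "properties": {
        "uid":      {"type": "string", "index": "not_analyzed"},
        "duration": {"type": "float"},
        "md5":      {"type": "string", "index": "not_analyzed"},
        "md5":      {"type": "string", "analyzer": "simple"}
      }
    }
  }
}"""

# Constructed per-log field sets, a few default-on fields each. "duration" is
# shared by conn and files with identical mappings; the "long" mapping under
# ftp is a hypothetical conflict added to show the collision case.
PER_LOG_FIELDS = {
    "conn": {
        "uid": {"type": "string", "index": "not_analyzed"},
        "duration": {"type": "float"},
        "orig_bytes": {"type": "long"},
    },
    "files": {
        "fuid": {"type": "string", "index": "not_analyzed"},
        "duration": {"type": "float"},
        "md5": {"type": "string", "index": "not_analyzed"},
    },
    "ftp": {
        "user": {"type": "string", "index": "not_analyzed"},
        "duration": {"type": "long"},  # hypothetical conflict for the example
    },
}


def find_duplicate_keys(template_text):
    """Return every key that appears more than once within a single JSON object.

    object_pairs_hook receives each object's (key, value) pairs before the dict
    is built, which is the only point at which a repeated key is still visible.
    """
    duplicates = []

    def check_pairs(pairs):
        seen = set()
        for key, _ in pairs:
            if key in seen:
                duplicates.append(key)
            seen.add(key)
        return dict(pairs)

    json.loads(template_text, object_pairs_hook=check_pairs)
    return duplicates


def find_collisions(per_log_fields):
    """Return {field: {log: mapping}} for names that several logs map differently.

    A name shared by several logs with an identical mapping merges cleanly and
    is not reported.
    """
    by_field = defaultdict(dict)
    for log, fields in per_log_fields.items():
        for name, mapping in fields.items():
            by_field[name][log] = mapping
    return {
        name: per_log
        for name, per_log in by_field.items()
        if len({json.dumps(m, sort_keys=True) for m in per_log.values()}) > 1
    }


def merge_mappings(per_log_fields):
    """Merge all logs into one "properties" block (the single-index layout this
    PR uses), refusing to proceed while any collision would be resolved by
    whichever log happens to be merged last."""
    collisions = find_collisions(per_log_fields)
    if collisions:
        raise ValueError("conflicting mappings for: " + ", ".join(sorted(collisions)))
    merged = {}
    for fields in per_log_fields.values():
        merged.update(fields)
    return merged


if __name__ == "__main__":
    print("duplicate keys:", find_duplicate_keys(SAMPLE_TEMPLATE_TEXT))
    for name, per_log in find_collisions(PER_LOG_FIELDS).items():
        print("collision on %r: %s" % (name, per_log))
    safe = {log: f for log, f in PER_LOG_FIELDS.items() if log != "ftp"}
    print("merged field count:", len(merge_mappings(safe)))
```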
[jira] [Commented] (METRON-508) Expand Elasticsearch templates to support the standard bro logs
[ https://issues.apache.org/jira/browse/METRON-508?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16056123#comment-16056123 ]

ASF GitHub Bot commented on METRON-508:
---
Github user JonZeolla closed the pull request at:

https://github.com/apache/metron/pull/586
[jira] [Commented] (METRON-508) Expand Elasticsearch templates to support the standard bro logs
[ https://issues.apache.org/jira/browse/METRON-508?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16056102#comment-16056102 ]

ASF GitHub Bot commented on METRON-508:
---
Github user JonZeolla commented on a diff in the pull request:

https://github.com/apache/metron/pull/586#discussion_r123037274

--- Diff: metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/METRON/CURRENT/package/files/bro_index.template ---
@@ -238,6 +238,538 @@ "qtype_name": { "type": "string", "index": "not_analyzed" +}, +"analyzer": { + "type": "string", + "index": "not_analyzed" +}, +"failure_reason": { + "type": "string", + "index": "not_analyzed" +}, +"user": { + "type": "string", + "index": "not_analyzed" +}, +"password": { + "type": "string", + "index": "not_analyzed" +}, +"command": { + "type": "string", + "index": "not_analyzed" +}, +"arg": { + "type": "string", + "analyzer": "simple" +}, +"mime_type": { + "type": "string", + "analyzer": "simple" +}, +"file_size": { + "type": "long" +}, +"reply_code": { + "type": "integer" +}, +"reply_msg": { + "type": "string", + "index": "not_analyzed" +}, +"data_channel:passive": { + "type": "boolean" +}, +"data_channel:orig_h": { + "type": "ip" +}, +"data_channel:resp_h": { + "type": "ip" +}, +"data_channel:resp_p": { + "type": "integer" +}, +"cwd": { + "type": "string", + "analyzer": "simple" +}, +"passive": { + "type": "boolean" +}, +"capture_password": { + "type": "boolean" +}, +"fuid": { + "type": "string", + "index": "not_analyzed" +}, +"conn_uids": { + "type": "string", + "analyzer": "simple" +}, +"source": { + "type": "string", + "index": "not_analyzed" +}, +"depth": { + "type": "integer" +}, +"analyzers": { + "type": "string", + "analyzer": "simple" +}, +"filename": { + "type": "string", + "index": "not_analyzed" +}, +"duration": { + "type": "float" +}, +"local_orig": { + "type": "boolean" +}, +"is_orig": { + "type": "boolean" +}, +"seen_bytes": { + "type": "long" +}, +"total_bytes": { + "type": "long" +}, +"missing_bytes": { + "type": "long" +}, +"overflow_bytes": { + "type": "long" +}, +"timedout": { + "type": "boolean" +}, +"parent_fuid": { + "type": "string", + "index": "not_analyzed" +}, +"md5": { + "type": "string", + "index": "not_analyzed" +}, +"sha1": { + "type": "string", + "index": "not_analyzed" +}, +"sha256": { + "type": "string", + "index": "not_analyzed" +}, +"port_num": { + "type": "integer" +}, +"subject": { + "type": "string", + 
"analyzer": "simple" +}, +"issuer_subject": { + "type": "string", + "analyzer": "simple" +}, +"serial": { + "type": "string", + "index": "not_analyzed" +}, +"helo": { + "type": "string", + "analyzer": "simple" +}, +"mailfrom": { + "type": "string", + "analyzer": "simple" +}, +"rcptto": { + "type": "string", + "analyzer": "simple" +}, +"date": { + "type": "string", + "index": "not_analyzed" +}, +"from": { + "type": "string", + "analyzer": "simple" +
[jira] [Commented] (METRON-508) Expand Elasticsearch templates to support the standard bro logs
[ https://issues.apache.org/jira/browse/METRON-508?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16055973#comment-16055973 ]

ASF GitHub Bot commented on METRON-508:
---
Github user nickwallen commented on a diff in the pull request:

https://github.com/apache/metron/pull/586#discussion_r123014881

--- Diff: metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/METRON/CURRENT/package/files/bro_index.template ---
@@ -238,6 +238,538 @@ "qtype_name": { "type": "string", "index": "not_analyzed" +}, +"analyzer": { + "type": "string", + "index": "not_analyzed" +}, +"failure_reason": { --- End diff --

It would be handy to know which fields in the template belong to which Bro log source (DPD vs Conn). This might make it easier for users (and us) to maintain or customize the template going forward. I can think of two possible ways to do this, but maybe there are better ways.

**Option 1:** We can use multiple templates that get [merged into a single final template](https://www.elastic.co/guide/en/elasticsearch/reference/current/indices-templates.html#multiple-templates). This would provide a nice, clean separation between the different log sources. But it might take more effort than it is worth.

**Option 2:** We can embed `/* c-style block comments */` in the template itself. We could throw a comment above each set of fields that pertain to a given source. We could also maintain the handy links that you embedded in the PR description.

```
/*
 * DPD
 * https://www.bro.org/sphinx-git/scripts/base/frameworks/dpd/main.bro.html#type-DPD::Info
 */
"failure_reason": {
..
```
[jira] [Commented] (METRON-508) Expand Elasticsearch templates to support the standard bro logs
[ https://issues.apache.org/jira/browse/METRON-508?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16055974#comment-16055974 ]

ASF GitHub Bot commented on METRON-508:
---
Github user nickwallen commented on a diff in the pull request:

https://github.com/apache/metron/pull/586#discussion_r123012618

--- Diff: metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/METRON/CURRENT/package/files/bro_index.template ---
@@ -238,6 +238,538 @@ "qtype_name": { "type": "string", "index": "not_analyzed" +}, +"analyzer": { + "type": "string", + "index": "not_analyzed" +}, +"failure_reason": { + "type": "string", + "index": "not_analyzed" +}, +"user": { + "type": "string", + "index": "not_analyzed" +}, +"password": { + "type": "string", + "index": "not_analyzed" +}, +"command": { + "type": "string", + "index": "not_analyzed" +}, +"arg": { + "type": "string", + "analyzer": "simple" +}, +"mime_type": { + "type": "string", + "analyzer": "simple" +}, +"file_size": { + "type": "long" +}, +"reply_code": { + "type": "integer" +}, +"reply_msg": { + "type": "string", + "index": "not_analyzed" +}, +"data_channel:passive": { + "type": "boolean" +}, +"data_channel:orig_h": { + "type": "ip" +}, +"data_channel:resp_h": { + "type": "ip" +}, +"data_channel:resp_p": { + "type": "integer" +}, +"cwd": { + "type": "string", + "analyzer": "simple" +}, +"passive": { + "type": "boolean" +}, +"capture_password": { + "type": "boolean" +}, +"fuid": { + "type": "string", + "index": "not_analyzed" +}, +"conn_uids": { + "type": "string", + "analyzer": "simple" +}, +"source": { + "type": "string", + "index": "not_analyzed" +}, +"depth": { + "type": "integer" +}, +"analyzers": { + "type": "string", + "analyzer": "simple" +}, +"filename": { + "type": "string", + "index": "not_analyzed" +}, +"duration": { + "type": "float" +}, +"local_orig": { + "type": "boolean" +}, +"is_orig": { + "type": "boolean" +}, +"seen_bytes": { + "type": "long" +}, +"total_bytes": { + "type": "long" +}, +"missing_bytes": { + "type": "long" +}, +"overflow_bytes": { + "type": "long" +}, +"timedout": { + "type": "boolean" +}, +"parent_fuid": { + "type": "string", + "index": "not_analyzed" +}, +"md5": { + "type": "string", + "index": "not_analyzed" +}, +"sha1": { + "type": "string", + "index": "not_analyzed" +}, +"sha256": { + "type": "string", + "index": "not_analyzed" +}, +"port_num": { + "type": "integer" +}, +"subject": { + "type": "string", + 
"analyzer": "simple" +}, +"issuer_subject": { + "type": "string", + "analyzer": "simple" +}, +"serial": { + "type": "string", + "index": "not_analyzed" +}, +"helo": { + "type": "string", + "analyzer": "simple" +}, +"mailfrom": { + "type": "string", + "analyzer": "simple" +}, +"rcptto": { + "type": "string", + "analyzer": "simple" +}, +"date": { + "type": "string", + "index": "not_analyzed" +}, +"from": { + "type": "string", + "analyzer": "simple" +
[jira] [Commented] (METRON-508) Expand Elasticsearch templates to support the standard bro logs
[ https://issues.apache.org/jira/browse/METRON-508?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16055013#comment-16055013 ]

ASF GitHub Bot commented on METRON-508:
---
GitHub user JonZeolla reopened a pull request:

https://github.com/apache/metron/pull/586

METRON-508 Expand Elasticsearch templates to support the standard bro logs
[jira] [Commented] (METRON-508) Expand Elasticsearch templates to support the standard bro logs
[ https://issues.apache.org/jira/browse/METRON-508?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16054411#comment-16054411 ] ASF GitHub Bot commented on METRON-508: --- Github user JonZeolla closed the pull request at: https://github.com/apache/metron/pull/586
[jira] [Commented] (METRON-508) Expand Elasticsearch templates to support the standard bro logs
[ https://issues.apache.org/jira/browse/METRON-508?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16054412#comment-16054412 ] ASF GitHub Bot commented on METRON-508: --- GitHub user JonZeolla reopened a pull request: https://github.com/apache/metron/pull/586 METRON-508 Expand Elasticsearch templates to support the standard bro logs

## Contributor Comments

This PR makes it easier for someone with an existing bro install to send some of their log files into Metron, based off of a combination of the [bro documentation](https://www.bro.org/sphinx/script-reference/log-files.html) and a fresh install of bro 2.5. There are future plans to expand on this via [METRON-518](https://issues.apache.org/jira/browse/METRON-518) and [METRON-908](https://issues.apache.org/jira/browse/METRON-908). Specifically, this attempts to provide initial support for the default-on fields of the following logs:

- [Conn](https://www.bro.org/sphinx/scripts/base/protocols/conn/main.bro.html#type-Conn::Info)
- [DPD](https://www.bro.org/sphinx-git/scripts/base/frameworks/dpd/main.bro.html#type-DPD::Info)
- [FTP](https://www.bro.org/sphinx/scripts/base/protocols/ftp/info.bro.html#type-FTP::Info)
- [Files](https://www.bro.org/sphinx/scripts/base/frameworks/files/main.bro.html#type-Files::Info)
- [CertsInfo](https://www.bro.org/sphinx/scripts/policy/protocols/ssl/known-certs.bro.html#type-Known::CertsInfo)
- [SMTP](https://www.bro.org/sphinx/scripts/base/protocols/smtp/main.bro.html#type-SMTP::Info)
- [SSL](https://www.bro.org/sphinx/scripts/base/protocols/ssl/main.bro.html#type-SSL::Info)
- [Weird](https://www.bro.org/sphinx/scripts/base/frameworks/notice/weird.bro.html#type-Weird::Info)
- [Notice](https://www.bro.org/sphinx/scripts/base/frameworks/notice/main.bro.html#type-Notice::Info)
- [DHCP](https://www.bro.org/sphinx/scripts/base/protocols/dhcp/main.bro.html#type-DHCP::Info)
- [SSH](https://www.bro.org/sphinx/scripts/base/protocols/ssh/main.bro.html#type-SSH::Info)
- [Software](https://www.bro.org/sphinx/scripts/base/frameworks/software/main.bro.html#type-Software::Info)
- [Radius](https://www.bro.org/sphinx/scripts/base/protocols/radius/main.bro.html#type-RADIUS::Info)
- [X509](https://www.bro.org/sphinx/scripts/base/files/x509/main.bro.html#type-X509::Info)
- [DevicesInfo](https://www.bro.org/sphinx/scripts/policy/misc/known-devices.bro.html#type-Known::DevicesInfo)

## Testing

1. Create a working directory and pull in this PR
   ```
   mkdir ~/metron-508
   git clone https://github.com/apache/metron ~/metron-508/metron
   cd ~/metron-508/metron
   git remote add jonzeolla https://github.com/jonzeolla/metron
   git pull jonzeolla METRON-508
   ```
1. Modify [this](https://github.com/JonZeolla/metron/blob/METRON-508/metron-deployment/vagrant/full-dev-platform/Vagrantfile#L20) to remove `sensors,` (to spin up the real sensors).
   ```
   sed -i '' "s/ansibleSkipTags=.*/ansibleSkipTags=\'quick_dev\'/" metron-deployment/vagrant/full-dev-platform/Vagrantfile
   ```
1. Start up full-dev.
   ```
   cd metron-deployment/vagrant/full-dev-platform
   vagrant up
   ```
1. Set up the environment in full-dev.
   ```
   vagrant ssh
   sudo su -
   export PATH=$PATH:/usr/local/bro/bin
   service monit stop && service sensor-stubs stop bro && broctl stop
   yum -y install jq wireshark
   ```
1. Configure kafka in local.bro.
   ```
   sed -i 's/redef Kafka::logs_to_send = .*/redef Kafka::logs_to_send = set(HTTP::LOG, DNS::LOG, Conn::LOG, DPD::LOG, DHCP::LOG, FTP::LOG, SSH::LOG, SSL::LOG, SMTP::LOG, RADIUS::LOG, Weird::LOG, Files::LOG, Notice::LOG, Software::LOG, Known::CERTS_LOG, Known::DEVICES_LOG, X509::LOG);/' /usr/local/bro/share/bro/site/local.bro
   echo "redef Kafka::debug = \"all\";" >> /usr/local/bro/share/bro/site/local.bro
   echo "redef Known::cert_tracking = ALL_HOSTS;" >> /usr/local/bro/share/bro/site/local.bro
   echo "redef Software::asset_tracking = ALL_HOSTS;" >> /usr/local/bro/share/bro/site/local.bro
   sed -i '86 a @load policy/protocols/dhcp/known-devices-and-hostnames.bro' /usr/local/bro/share/bro/site/local.bro
   ```
1. Monitor the bro kafka topic
   ```
   # Open a new terminal
   cd ~/metron-508/metron/metron-deployment/vagrant/full-dev-platform
   vagrant ssh
   sudo su -
   export PATH=$PATH:/usr/local/bro/bin:/usr/hdp/current/kafka-broker/bin
   kafka-console-consumer.sh --zookeeper localhost:2181 --topic bro
   ```
1. Monitor the storm logs.
   ```
   # Open a new terminal
   cd ~/metron-508/metron/metron-deployment/vagrant/full-dev-platform
   vagrant ssh
   sudo su -
   ```
[jira] [Commented] (METRON-508) Expand Elasticsearch templates to support the standard bro logs
[ https://issues.apache.org/jira/browse/METRON-508?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16030436#comment-16030436 ] ASF GitHub Bot commented on METRON-508: --- Github user JonZeolla commented on the issue: https://github.com/apache/metron/pull/586 Thanks. I haven't used org.adrianwalker.multilinestring.Multiline before, took a quick shot with two of them, I'll do the rest when I have more time.
[jira] [Commented] (METRON-508) Expand Elasticsearch templates to support the standard bro logs
[ https://issues.apache.org/jira/browse/METRON-508?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16030389#comment-16030389 ] ASF GitHub Bot commented on METRON-508: --- Github user justinleet commented on the issue: https://github.com/apache/metron/pull/586 I did leave one comment about refactoring tests a bit, but I'm +1 regardless of if that change happens or not. Spun it up in full dev and was able to get all the types to show up in the histogram and things looked good all around. Thanks for the great contribution!
[jira] [Commented] (METRON-508) Expand Elasticsearch templates to support the standard bro logs
[ https://issues.apache.org/jira/browse/METRON-508?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16030384#comment-16030384 ] ASF GitHub Bot commented on METRON-508: --- Github user justinleet commented on a diff in the pull request: https://github.com/apache/metron/pull/586#discussion_r119243250 --- Diff: metron-platform/metron-parsers/src/test/java/org/apache/metron/parsers/bro/BasicBroParserTest.java --- 
@@ -68,27 +68,29 @@ public void testDecimalFormatAssumptions() { } public void testUnwrappedBroMessage() throws ParseException { -String rawMessage = "{\"timestamp\":1449511228.474,\"uid\":\"CFgSLp4HgsGqXnNjZi\",\"source_ip\":\"104.130.172.191\",\"source_port\":33893,\"dest_ip\":\"69.20.0.164\",\"dest_port\":53,\"proto\":\"udp\",\"trans_id\":3514,\"rcode\":3,\"rcode_name\":\"NXDOMAIN\",\"AA\":false,\"TC\":false,\"RD\":false,\"RA\":false,\"Z\":0,\"rejected\":false,\"sensor\":\"cloudbro\",\"type\":\"dns\"}"; +String rawMessage = "{\"ts\":1449511228.474,\"uid\":\"CFgSLp4HgsGqXnNjZi\",\"id.orig_h\":\"104.130.172.191\",\"id.orig_p\":33893,\"id.resp_h\":\"69.20.0.164\",\"id.resp_p\":53,\"proto\":\"udp\",\"trans_id\":3514,\"rcode\":3,\"rcode_name\":\"NXDOMAIN\",\"AA\":false,\"TC\":false,\"RD\":false,\"RA\":false,\"Z\":0,\"rejected\":false,\"sensor\":\"cloudbro\",\"type\":\"dns\"}"; --- End diff -- I'd like to see these pulled out and using `@Multiline` for readability. Given that it's not currently in this format, I'm not opposed to just leaving it, but it does make it easier to understand at a glance. Given that these all get touched anyway right now, it seems like the perfect time to refactor it. 
Example:
```
/**
 * {
 *   "ts":1449511228.474,
 *   "uid":"CFgSLp4HgsGqXnNjZi",
 *   "id.orig_h":"104.130.172.191",
 *   "id.orig_p":33893,
 *   "id.resp_h":"69.20.0.164",
 *   "id.resp_p":53,
 *   "proto":"udp",
 *   "trans_id":3514,
 *   "rcode":3,
 *   "rcode_name":"NXDOMAIN",
 *   "AA":false,
 *   "TC":false,
 *   "RD":false,
 *   "RA":false,
 *   "Z":0,
 *   "rejected":false,
 *   "sensor":"cloudbro",
 *   "type":"dns"
 * }
 */
@Multiline
public static String unwrappedBroMessage;

public void testUnwrappedBroMessage() throws ParseException {
  JSONObject rawJson = (JSONObject)jsonParser.parse(unwrappedBroMessage);
  JSONObject broJson = broParser.parse(unwrappedBroMessage.getBytes()).get(0);
  String expectedBroTimestamp = "1449511228.474";
  Assert.assertEquals(broJson.get("bro_timestamp"), expectedBroTimestamp);
  String expectedTimestamp = "1449511228474";
  Assert.assertEquals(broJson.get("timestamp").toString(), expectedTimestamp);
  Assert.assertEquals(broJson.get("ip_src_addr").toString(), rawJson.get("id.orig_h").toString());
  Assert.assertEquals(broJson.get("ip_dst_addr").toString(), rawJson.get("id.resp_h").toString());
  Assert.assertEquals(broJson.get("ip_src_port"), rawJson.get("id.orig_p"));
  Assert.assertEquals(broJson.get("ip_dst_port"), rawJson.get("id.resp_p"));
  Assert.assertEquals(broJson.get("uid").toString(), rawJson.get("uid").toString());
  Assert.assertEquals(broJson.get("trans_id").toString(), rawJson.get("trans_id").toString());
  Assert.assertEquals(broJson.get("sensor").toString(), rawJson.get("sensor").toString());
  Assert.assertEquals(broJson.get("type").toString(), rawJson.get("type").toString());
  Assert.assertEquals(broJson.get("rcode").toString(), rawJson.get("rcode").toString());
  Assert.assertEquals(broJson.get("rcode_name").toString(), rawJson.get("rcode_name").toString());
  Assert.assertTrue(broJson.get("original_string").toString().startsWith("DNS"));
}
```
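Review bot: the replacement message in the hunk now carries raw bro keys (`ts`, `id.orig_h`, `id.orig_p`, `id.resp_h`, `id.resp_p`) where the removed one already used Metron's normalized names (`timestamp`, `source_ip`, `dest_ip`, ...), so this test only starts exercising the parser's renaming if every assertion in `testUnwrappedBroMessage` looks up the raw key in `rawJson` and the normalized key in `broJson`, as the `@Multiline` version above does; any assertion still reading `rawJson.get("timestamp")` or `rawJson.get("source_ip")` would now compare against null. It is also worth asserting that the raw keys are absent from `broJson`, so the test verifies a rename rather than a pass-through.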
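The field renaming and timestamp handling that the assertions above check, as an added Python example; this is not Metron's BasicBroParser, and the layout of `original_string` beyond its leading log type is an assumption (the test only checks the prefix).

```python
"""Bro-to-Metron field normalization modelled on the test assertions above.

Added example, not Metron's BasicBroParser. Assumption: original_string is
the upper-cased log type followed by the raw record text."""
import json
from decimal import Decimal, ROUND_HALF_UP

# Raw bro keys that Metron renames (the pairs the assertions compare).
FIELD_MAP = {
    "id.orig_h": "ip_src_addr",
    "id.orig_p": "ip_src_port",
    "id.resp_h": "ip_dst_addr",
    "id.resp_p": "ip_dst_port",
}


def bro_ts_to_millis(raw_ts):
    """Turn bro's fractional-second "ts" into an epoch-millisecond string.

    Decimal arithmetic avoids the float artefact that makes
    1449511228.474 * 1000 evaluate to 1449511228473.9998 and would
    truncate to ...473 instead of the expected ...474.
    """
    millis = Decimal(str(raw_ts)) * 1000
    return str(millis.quantize(Decimal("1"), rounding=ROUND_HALF_UP))


def normalize_bro_record(raw_message):
    """Normalize one unwrapped bro JSON record.

    Raises ValueError when "ts" or "type" is missing, since the indexing
    time and the template selection downstream depend on those two.
    """
    # parse_float=Decimal keeps "ts" exactly as bro printed it, so
    # bro_timestamp reproduces the original text.
    raw = json.loads(raw_message, parse_float=Decimal)
    if "ts" not in raw or "type" not in raw:
        raise ValueError("bro record lacks 'ts' or 'type'")
    out = {}
    for key, value in raw.items():
        if key == "ts":
            out["bro_timestamp"] = str(value)
            out["timestamp"] = bro_ts_to_millis(value)
        else:
            out[FIELD_MAP.get(key, key)] = value
    # Assumed layout: "<TYPE> <raw record>"; the test checks only the prefix.
    out["original_string"] = "%s %s" % (raw["type"].upper(), raw_message)
    return out


# The unwrapped DNS message from the test in this thread.
DNS_MESSAGE = (
    '{"ts":1449511228.474,"uid":"CFgSLp4HgsGqXnNjZi",'
    '"id.orig_h":"104.130.172.191","id.orig_p":33893,'
    '"id.resp_h":"69.20.0.164","id.resp_p":53,"proto":"udp",'
    '"trans_id":3514,"rcode":3,"rcode_name":"NXDOMAIN",'
    '"AA":false,"TC":false,"RD":false,"RA":false,"Z":0,'
    '"rejected":false,"sensor":"cloudbro","type":"dns"}'
)

if __name__ == "__main__":
    record = normalize_bro_record(DNS_MESSAGE)
    for key in ("bro_timestamp", "timestamp", "ip_src_addr", "ip_src_port",
                "ip_dst_addr", "ip_dst_port", "original_string"):
        print("%s = %s" % (key, record[key]))
```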
[jira] [Commented] (METRON-508) Expand Elasticsearch templates to support the standard bro logs
[ https://issues.apache.org/jira/browse/METRON-508?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16025427#comment-16025427 ] ASF GitHub Bot commented on METRON-508: --- Github user JonZeolla commented on the issue: https://github.com/apache/metron/pull/586 Bump
[jira] [Commented] (METRON-508) Expand Elasticsearch templates to support the standard bro logs
[ https://issues.apache.org/jira/browse/METRON-508?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16010523#comment-16010523 ] ASF GitHub Bot commented on METRON-508: --- Github user JonZeolla commented on the issue: https://github.com/apache/metron/pull/586 I updated the instructions to reflect the repo name change; hopefully it should work but I won't have a chance to test it out for a couple of days.
[jira] [Commented] (METRON-508) Expand Elasticsearch templates to support the standard bro logs
[ https://issues.apache.org/jira/browse/METRON-508?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16009329#comment-16009329 ] ASF GitHub Bot commented on METRON-508: --- Github user JonZeolla commented on the issue: https://github.com/apache/metron/pull/586 Didn't I do that?
[jira] [Commented] (METRON-508) Expand Elasticsearch templates to support the standard bro logs
[ https://issues.apache.org/jira/browse/METRON-508?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16009322#comment-16009322 ] ASF GitHub Bot commented on METRON-508: --- Github user nickwallen commented on the issue: https://github.com/apache/metron/pull/586 Still need to review, but this is a great addition Jon. What pairs nicely with this is to expand the unit tests for the Bro parser to test the other log types that you include in this PR. Right now only HTTP and DNS are tested there. We can tackle separately if you like.
[jira] [Commented] (METRON-508) Expand Elasticsearch templates to support the standard bro logs
[ https://issues.apache.org/jira/browse/METRON-508?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16009015#comment-16009015 ] ASF GitHub Bot commented on METRON-508: --- GitHub user JonZeolla opened a pull request: https://github.com/apache/metron/pull/586 METRON-508 Expand Elasticsearch templates to support the standard bro logs

## Contributor Comments

This PR makes it easier for someone with an existing bro install to send some of their log files into Metron, based off of a combination of the [bro documentation](https://www.bro.org/sphinx/script-reference/log-files.html) and a fresh install of bro 2.5. There are future plans to expand on this via [METRON-518](https://issues.apache.org/jira/browse/METRON-518) and [METRON-908](https://issues.apache.org/jira/browse/METRON-908). Specifically, this attempts to provide initial support for the default-on fields of the following logs:

- [Conn](https://www.bro.org/sphinx/scripts/base/protocols/conn/main.bro.html#type-Conn::Info)
- [DPD](https://www.bro.org/sphinx-git/scripts/base/frameworks/dpd/main.bro.html#type-DPD::Info)
- [FTP](https://www.bro.org/sphinx/scripts/base/protocols/ftp/info.bro.html#type-FTP::Info)
- [Files](https://www.bro.org/sphinx/scripts/base/frameworks/files/main.bro.html#type-Files::Info)
- [Known::CertsInfo](https://www.bro.org/sphinx/scripts/policy/protocols/ssl/known-certs.bro.html#type-Known::CertsInfo)
- [SMTP](https://www.bro.org/sphinx/scripts/base/protocols/smtp/main.bro.html#type-SMTP::Info)
- [SSL](https://www.bro.org/sphinx/scripts/base/protocols/ssl/main.bro.html#type-SSL::Info)
- [Weird](https://www.bro.org/sphinx/scripts/base/frameworks/notice/weird.bro.html#type-Weird::Info)
- [Notice](https://www.bro.org/sphinx/scripts/base/frameworks/notice/main.bro.html#type-Notice::Info)
- [DHCP](https://www.bro.org/sphinx/scripts/base/protocols/dhcp/main.bro.html#type-DHCP::Info)
- [SSH](https://www.bro.org/sphinx/scripts/base/protocols/ssh/main.bro.html#type-SSH::Info)
- [Software](https://www.bro.org/sphinx/scripts/base/frameworks/software/main.bro.html#type-Software::Info)
- [Radius](https://www.bro.org/sphinx/scripts/base/protocols/radius/main.bro.html#type-RADIUS::Info)
- [X509](https://www.bro.org/sphinx/scripts/base/files/x509/main.bro.html#type-X509::Info)

## Testing

1. Create a working directory and pull in this PR
   ```
   mkdir ~/metron-508
   git clone https://github.com/apache/incubator-metron ~/metron-508/incubator-metron
   cd ~/metron-508/incubator-metron
   git remote add jonzeolla https://github.com/jonzeolla/incubator-metron
   git pull jonzeolla METRON-508
   ```
1. Modify [this](https://github.com/JonZeolla/incubator-metron/blob/METRON-508/metron-deployment/vagrant/full-dev-platform/Vagrantfile#L20) to remove `sensors,` (to spin up the real sensors).
   ```
   sed -i '' "s/ansibleSkipTags=.*/ansibleSkipTags=\'quick_dev\'/" metron-deployment/vagrant/full-dev-platform/Vagrantfile
   ```
1. Start up full-dev.
   ```
   cd metron-deployment/vagrant/full-dev-platform
   vagrant up
   ```
1. Set up the environment in full-dev.
   ```
   vagrant ssh
   sudo su -
   export PATH=$PATH:/usr/local/bro/bin
   service monit stop && service sensor-stubs stop bro && broctl stop
   yum -y install jq wireshark
   ```
1. Configure kafka in local.bro.
   ```
   sed -i 's/redef Kafka::logs_to_send = .*/redef Kafka::logs_to_send = set(HTTP::LOG, DNS::LOG, Conn::LOG, DPD::LOG, DHCP::LOG, FTP::LOG, SSH::LOG, SSL::LOG, SMTP::LOG, RADIUS::LOG, Weird::LOG, Files::LOG, Notice::LOG, Software::LOG, Known::CERTS_LOG, X509::LOG);/' /usr/local/bro/share/bro/site/local.bro
   echo "redef Kafka::debug = \"all\";" >> /usr/local/bro/share/bro/site/local.bro
   echo "redef Known::cert_tracking = ALL_HOSTS;" >> /usr/local/bro/share/bro/site/local.bro
   echo "redef Software::asset_tracking = ALL_HOSTS;" >> /usr/local/bro/share/bro/site/local.bro
   ```
1. Monitor the bro kafka topic
   ```
   # Open a new terminal
   cd ~/metron-508/incubator-metron/metron-deployment/vagrant/full-dev-platform
   vagrant ssh
   sudo su -
   export PATH=$PATH:/usr/local/bro/bin:/usr/hdp/current/kafka-broker/bin
   kafka-console-consumer.sh --zookeeper localhost:2181 --topic bro
   ```
1. Monitor the storm logs.
   ```
   # Open a new terminal
   cd ~/metron-508/incubator-metron/metron-deployment/vagrant/full-dev-platform
   vagrant ssh
   sudo su -
   export PATH=$PATH:/usr/local/bro/bin:/usr/hdp/current/kafka-broker/bin
   # Look at the storm logs (The "failed to parse" errors for ip_src_addr and ip_dst_addr are expected, and
   ```
[jira] [Commented] (METRON-508) Expand Elasticsearch templates to support the standard bro logs
[ https://issues.apache.org/jira/browse/METRON-508?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15992876#comment-15992876 ] Jon Zeolla commented on METRON-508: --- I'm in the process of writing all of that up and testing my changes. I don't expect to update, for instance, the sensor-stubs to push new data in, but I will take a look at testing the different logs against the parser. Hopefully I will get this out today.
[jira] [Commented] (METRON-508) Expand Elasticsearch templates to support the standard bro logs
[ https://issues.apache.org/jira/browse/METRON-508?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15989024#comment-15989024 ] Jon Zeolla commented on METRON-508: --- We should also improve the tokenization to be more sane. For instance, the addition of things like https://www.elastic.co/guide/en/elasticsearch/reference/current/analysis-pathhierarchy-tokenizer.html (forward or reverse, depending on the field) would be very helpful.
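What the path hierarchy tokenizer mentioned above would emit for two typical bro field values, as an added Python example that is not part of the Metron templates or of Elasticsearch. The analyzer names `uri_path` and `reverse_domain` are assumed; the tokenizer type and its `delimiter` and `reverse` parameters are Elasticsearch's own, and the function is an emulation of the documented behaviour, not Elasticsearch code.

```python
"""Emulation of Elasticsearch's path_hierarchy tokenizer on bro field values
(added example; not Metron or Elasticsearch code)."""

# Analysis settings of the shape an index template would carry. The analyzer
# and tokenizer names are assumed; "path_hierarchy", "delimiter" and
# "reverse" are the tokenizer's real parameters.
ANALYSIS_SETTINGS = {
    "analysis": {
        "tokenizer": {
            # Forward suits http.log "uri": "/a/b/c" -> "/a", "/a/b", "/a/b/c".
            "uri_path": {"type": "path_hierarchy", "delimiter": "/"},
            # Reverse suits dns.log "query": "www.example.com" ->
            # "www.example.com", "example.com", "com".
            "reverse_domain": {"type": "path_hierarchy", "delimiter": ".",
                               "reverse": True},
        },
        "analyzer": {
            "uri_path": {"tokenizer": "uri_path"},
            "reverse_domain": {"tokenizer": "reverse_domain"},
        },
    }
}


def path_hierarchy(value, delimiter="/", reverse=False):
    """Return the tokens path_hierarchy emits for value: every prefix of the
    delimiter-split value, or every suffix when reverse is set. An empty
    token from a leading delimiter is dropped, as the tokenizer does."""
    if not value:
        return []
    parts = value.split(delimiter)
    if reverse:
        tokens = [delimiter.join(parts[i:]) for i in range(len(parts))]
    else:
        tokens = [delimiter.join(parts[:i + 1]) for i in range(len(parts))]
    return [t for t in tokens if t]


def term_hits(indexed_value, term, delimiter, reverse):
    """A term query on the analyzed field hits when the query term equals one
    of the emitted tokens; this is what lets "example.com" match every
    subdomain, or "/admin" match every path beneath it, without wildcards."""
    return term in path_hierarchy(indexed_value, delimiter, reverse)


# Constructed sample values of the kind bro's dns.log "query" and http.log
# "uri" fields carry.
SAMPLE_QUERY = "www.example.com"
SAMPLE_URI = "/admin/settings/export"

if __name__ == "__main__":
    print(path_hierarchy(SAMPLE_QUERY, ".", reverse=True))
    print(path_hierarchy(SAMPLE_URI, "/"))
    print(term_hits(SAMPLE_QUERY, "example.com", ".", True))   # True
    print(term_hits(SAMPLE_QUERY, "example.com", ".", False))  # False
```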