Re: who is having problems installing?

2017-10-04 Thread James Sirota
Extending this to the user list as well.  Whoever needs help can you quickly 
let me know:

- What environment are you installing on (a single VM, multiple VMs, bare 
metal, AWS, etc)
- What OS are you using 
- How many sensors are you going to be consuming 

I'll throw a meeting together once I get a feel for what people are doing with 
the platform.

Thanks,
James 

03.10.2017, 18:22, "Ronirose Caryll De Castro" :
> Yes, like me I am planning to install Metron and would like to join the
> meeting to know what would be the possible issues that I will face and how
> to solve them
>
> *Thank you!*
> *Caryll*
>
> On Wed, Oct 4, 2017 at 9:02 AM, Otto Fowler  wrote:
>
>>  Did you mean to send this to users too?
>>
>>  On October 3, 2017 at 19:12:10, James Sirota (jsir...@apache.org) wrote:
>>
>>  Hi Guys,
>>
>>  How many people do we have with questions about installing Metron? I can
>>  take some time later in the week to schedule a meeting and get everyone
>>  unstuck
>>
>>  ---
>>  Thank you,
>>
>>  James Sirota
>>  PMC- Apache Metron
>>  jsirota AT apache DOT org
>

--- 
Thank you,

James Sirota
PPMC- Apache Metron (Incubating)
jsirota AT apache DOT org


Re: [DISCUSS] Dropping support for elastic 2.x

2017-10-04 Thread Otto Fowler
If we support indexing through extensions down the road we can add in
support for older versions or other back ends as well.


On October 4, 2017 at 15:47:35, James Sirota (jsir...@apache.org) wrote:

I am in favor of moving to 5.x and dropping support for 2.x. As Justin
mentioned, Elastic have very good docs around cluster migrations and the
procedure itself to upgrade from 2.x to 5.x is very simple.
https://www.elastic.co/guide/en/elasticsearch/reference/current/restart-upgrade.html

I don't agree that we should provide documentation for ES upgrade. I think
pointing to elastic docs should be good enough. I do agree that we should
provide documentation for the ES mpack upgrade, which we will.

With us supporting 5.x I see little reason to be backwards compatible to 2.x


04.10.2017, 11:59, "Farrukh Naveed Anjum" :

It's better to move to Elastic Search 5 or 6. As Elasticsearch 2.x is really
pretty old.

On Wed, Oct 4, 2017 at 9:45 PM, Simon Elliston Ball <
si...@simonellistonball.com> wrote:

A number of people are currently working on upgrading the ES support in
Metron to 5.x (including the clients, and the mpack managed install).

Would anyone have any objections to dropping formal support for 2.x as a
result of this work? In theory the clients should be backward compatible
against older data stores, so metron could be upgraded without needing an
elastic upgrade.

In practice, we would need to do pretty extensive testing and I wouldn’t
want us to have to code around long term support on older clients if no-one
in the community cares enough about the older ES. Do we think there is a
case to be made for maintaining long term support for older clients?

Simon




--
With Regards
Farrukh Naveed Anjum



---
Thank you,

James Sirota
PPMC- Apache Metron (Incubating)
jsirota AT apache DOT org


Re: Initial Testing

2017-10-04 Thread James Sirota
1 - It is up to you to install and configure snort however you want. Metron simply consumes the Snort telemetry, but is not opinionated about how you set up your sensors. I would recommend starting with the community rule set: https://www.snort.org/faq/what-are-community-rules

2 - Again, this is outside of scope of Metron. You can view this video to get you started: https://www.youtube.com/watch?v=RUmYojxy3Xw

3 - Metron is not a network mapping tool (although support for graph databases is not too far in the future). Today, the best way to generate a network map (graph) is by using kibana. I would refer you to the following article: https://www.elastic.co/products/x-pack/graph

4 - The snort generated data would be indexed in Elasticsearch and/or stored on HDFS, depending on how you configured the system

Thanks,
James

04.10.2017, 03:23, "Syed Hammad Tahir" :

Hi all,

Now that I have installed metron (single node installation on ubuntu machine), I want to do some initial testing on snort data. I have a few questions regarding this:

1- In how many configurations can I use snort with metron (for ex packet capture in sniffing mode etc)?
2- How can I change the rules in snort
3- Can I map the network using metron?
4- Is snort generated data stored somewhere?

Kindly also give me some tutorial to follow for better understanding.

Regards.

---
Thank you,

James Sirota
PPMC- Apache Metron (Incubating)
jsirota AT apache DOT org

Re: [DISCUSS] Dropping support for elastic 2.x

2017-10-04 Thread James Sirota
I am in favor of moving to 5.x and dropping support for 2.x. As Justin mentioned, Elastic have very good docs around cluster migrations and the procedure itself to upgrade from 2.x to 5.x is very simple.
https://www.elastic.co/guide/en/elasticsearch/reference/current/restart-upgrade.html

I don't agree that we should provide documentation for ES upgrade. I think pointing to elastic docs should be good enough. I do agree that we should provide documentation for the ES mpack upgrade, which we will.

With us supporting 5.x I see little reason to be backwards compatible to 2.x

04.10.2017, 11:59, "Farrukh Naveed Anjum" :

It's better to move to Elastic Search 5 or 6. As Elasticsearch 2.x is really pretty old.

On Wed, Oct 4, 2017 at 9:45 PM, Simon Elliston Ball  wrote:

A number of people are currently working on upgrading the ES support in Metron to 5.x (including the clients, and the mpack managed install).

Would anyone have any objections to dropping formal support for 2.x as a result of this work? In theory the clients should be backward compatible against older data stores, so metron could be upgraded without needing an elastic upgrade.

In practice, we would need to do pretty extensive testing and I wouldn't want us to have to code around long term support on older clients if no-one in the community cares enough about the older ES. Do we think there is a case to be made for maintaining long term support for older clients?

Simon

--
With Regards
Farrukh Naveed Anjum

---
Thank you,

James Sirota
PPMC- Apache Metron (Incubating)
jsirota AT apache DOT org