I am not receiving data from Bro to Kafka
# @load packages/metron-bro-plugin-kafka/Apache/Kafka
redef Kafka::logs_to_send = set(SSH::LOG, RDP::LOG, KRB::LOG, SSL::LOG,
DHCP::LOG, Cluster::LOG, Syslog::LOG, SNMP::LOG, Reporter::LOG, DNP3::LOG,
RADIUS::LOG, Tunnel::LOG, Conn::LOG, HTTP::LOG,
Hi Jai,
Please see my responses below:
>>>“But for bro logs, is_alert field is blank .I verified the data in the
>>>Kibana. Though the is_alert is blank ,those logs also appearing in
>>>metron alerts ui.How this could be possible.”
This confused me in the beginning as well, but
Hi,
I am planning to use Metron as a SIEM and exploring it's features. Thanks
for the great documentation. It helped a lot to set it up quickly.
Initially configured snort ,bro,yaf logs to flow into Metron . For snort,
could see threat triage rules configured in the Metron enrichment config.
But
I do not believe that they are based on another schema, but I am a bit
foggy about where the names like ip_src_addr and ip_dst_addr originated
from.
On Wed, Dec 4, 2019 at 1:25 PM Yerex, Tom wrote:
> Thank you, Nick.
>
>
>
> Would you happen to know if those fields were drawn from a particular
Thank you, Nick.
Would you happen to know if those fields were drawn from a particular schema
similar to ECS? My reasoning is if there is a schema out there then my
organization would probably benefit by being aware of it when implementing our
data structure.
Cheers,
Tom.
From:
Hi Tom -
Unfortunately, the field names used for grouping in the Alerts UI is not
configurable at the moment. The one exception is the "source type" field,
but this does not provide the level of configurability that you are looking
for.
The following field names are used for grouping.
-
