ot;
>>>>>>>>> tos":"0","adapter.hostfromjsonlistadapter.begin.
>>>>>>>>> ts":"1554384503452","id":"62040","ip_src_addr":"192.168.
>>>>>>>>> 66.121&qu
t;>>> 66.121","timestamp":1484148196104,"ethdst":"0A:00:27:00:00:00","
>>>>>>>> threat.triage.rules.0.name":null,"is_alert":
>>>>>>>> "true","parallelenricher.enrich.begin.ts&quo
":null,"is_alert":
>>>>>>> "true","parallelenricher.enrich.begin.ts":"
>>>>>>> 1554384505264","ttl":"64","source.type":"snort","adapter.
>>>>>>&
rom:* Hema malini [mailto:nhemamalin...@gmail.com]
> *Sent:* Tuesday, April 09, 2019 09:42
> *To:* user@metron.apache.org
> *Subject:* Re: Snort logs flow issue
>
>
>
> Hi Michael,
>
>
>
> Sorry just noticed the error in metron rest logs - Table 'user settings&#
Hello Hema,
Unless I’m wrong, this must be setup in MySQL, the database you use for Metron
REST.
From: Hema malini [mailto:nhemamalin...@gmail.com]
Sent: Tuesday, April 09, 2019 09:42
To: user@metron.apache.org
Subject: Re: Snort logs flow issue
Hi Michael,
Sorry just noticed the error in
rue","parallelenricher.
>>>>>> enrich.begin.ts":"1554384505264","ttl":"64","
>>>>>> source.type":"snort","adapter.geoadapter.end.ts":"
>>>>>> 1554384503453","ethlen
"
>>>>> 1554384505264","ip_src_port":"8080","tcpflags":"***A","
>>>>> guid":"2f6f3f3c-7739-47fe-aa04-3c62425fbcbf","sig_id":"
>>>>> 999158","sig_generator":&qu
uot;0x42"
>>>> ,"iplen":"53248","adapter.threatinteladapter.begin.ts":"
>>>> 1554384505264","ip_src_port":"8080","tcpflags":"***A","
>>>> guid":"2f6f3f3c-7739-47fe-aa04
ot;,"tcpflags":"***A","guid":"2f6f3f3c-7739-47fe-
>>> aa04-3c62425fbcbf","sig_id":"999158","sig_generator":"1"}
>>>
>>>
>>> On Fri, Apr 5, 2019, 11:43 PM Hema malini
>>> wrote
t;sig_id":"999158","sig_generator":"1"}
>>
>>
>> On Fri, Apr 5, 2019, 11:43 PM Hema malini
>> wrote:
>>
>>> Yes I am getting messages
>>>
>>> On Fri, Apr 5, 2019, 11:17 PM Michael Miklavcic <
>>
62425fbcbf","sig_id":"
> 999158","sig_generator":"1"}
>
>
> On Fri, Apr 5, 2019, 11:43 PM Hema malini wrote:
>
>> Yes I am getting messages
>>
>> On Fri, Apr 5, 2019, 11:17 PM Michael Miklavcic <
>> michael.mikl
,"guid":"2f6f3f3c-7739-47fe-
aa04-3c62425fbcbf","sig_id":"999158","sig_generator":"1"}
On Fri, Apr 5, 2019, 11:43 PM Hema malini wrote:
> Yes I am getting messages
>
> On Fri, Apr 5, 2019, 11:17 PM Michael Miklavcic <
> micha
you validate the logs are making it to the indexing topology?
>>>
>>> On Fri, Apr 5, 2019 at 8:12 AM Hema malini
>>> wrote:
>>>
>>>>
>>>> Hi,
>>>>
>>>>
>>>>
>>>> We have installed Metron 0.7.1
gt;>>
>>> Hi,
>>>
>>>
>>>
>>> We have installed Metron 0.7.1 in centos 7 using Amabari.Using Nifi we
>>> sent the sample snort logs copied from metron git repo to snort kafka
>>> topic.We did the same for bro topic.Logs are getting
>>
>> We have installed Metron 0.7.1 in centos 7 using Amabari.Using Nifi we
>> sent the sample snort logs copied from metron git repo to snort kafka
>> topic.We did the same for bro topic.Logs are getting parsed and reached
>> indexing topology . Elastic search indi
How did you validate the logs are making it to the indexing topology?
On Fri, Apr 5, 2019 at 8:12 AM Hema malini wrote:
>
> Hi,
>
>
>
> We have installed Metron 0.7.1 in centos 7 using Amabari.Using Nifi we
> sent the sample snort logs copied from metron git repo to snort
Hi,
We have installed Metron 0.7.1 in centos 7 using Amabari.Using Nifi we sent
the sample snort logs copied from metron git repo to snort kafka topic.We
did the same for bro topic.Logs are getting parsed and reached indexing
topology . Elastic search indices are not getting created though we
gt;>>
>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>&
;>>>>>>>>>>>>>> errors, what's the full stacktrace (that starts with
>>>>>>>>>>>>>>>>>>>>>>>>> the suggestion you
>>>>>>>>>>>>>>>&
gt;>>>>>>>>>>>>>>>>>>>>>>>> errors, what's the full stacktrace (that starts with
>>>>>>>>>>>>>>>>>>>>>>>>> the suggestion you
>>
gt;>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> If this is the case, then you will need to modify the
>>>>>>>>>>>>>>>>> default log timestamp format for snort in the short term
;>>>>>>>>>>>>>> Can you post what the value of the ‘timestamp’ field/column
>>>>>>>>>>>>>>>> is for a piece of data that is failing
>>>>>>>>>>>>>
47, Syed Hammad Tahir (
>>>>>>>>>>>>>>> mscs16...@itu.edu.pk) wrote:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Now I am pretty sure that the issue is the format of the
>>>>>&
g to push
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> [image: Inline image 1]
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Can someone tell me the location of snort s
me the location of snort stub canned data
>>>>>>>>>>>>> file? Maybe I could see its formatting and try following the same
>>>>>>>>>>>>> thing.
>>>>>>>>>>>>>
>>>>>>>>>>
Fri, Nov 3, 2017 at 12:19 PM Syed Hammad Tahir
> wrote:
>
>>
>> -- Forwarded message --
>> From: Syed Hammad Tahir
>> Date: Fri, Nov 3, 2017 at 5:07 PM
>> Subject: Re: Snort Logs
>> To: Otto Fowler
>>
>>
>> NVM, I hav
i, Nov 3, 2017 at 5:07 PM
> Subject: Re: Snort Logs
> To: Otto Fowler
>
>
> NVM, I have installed the elastic search head. Now where do I go in this
> to find out why I cant see the snort logs in kibana dashboard, pushed to
> snort topic via kafka producer?
>
> [image: Inl
-- Forwarded message --
From: Syed Hammad Tahir
Date: Fri, Nov 3, 2017 at 5:07 PM
Subject: Re: Snort Logs
To: Otto Fowler
NVM, I have installed the elastic search head. Now where do I go in this to
find out why I cant see the snort logs in kibana dashboard, pushed to snort
You can install it into the chrome web browser from the play store.
On November 3, 2017 at 07:47:47, Syed Hammad Tahir (mscs16...@itu.edu.pk)
wrote:
And how do I install elasticsearch head on the vagrant VM?
And how do I install elasticsearch head on the vagrant VM?
I sent a random message to that kafka topic and got this
[image: Inline image 1]
I guess this is because I am not following the format of message I should
send? Like those snort logs you showed.
On Mon, Oct 30, 2017 at 5:24 PM, zeo...@gmail.com wrote:
> They need to meet the format of
.@gmail.com
>>> wrote:
>>>
>>>> On the 25th I said:
>>>>
>>>> It should be in /usr/hdp/current/kafka-broker/bin/ or similar
>>>> (from memory) on node1, assuming you are running full dev.
>>>>
>>>>
ail.com
>> wrote:
>>
>>> On the 25th I said:
>>>
>>> It should be in /usr/hdp/current/kafka-broker/bin/ or similar
>>> (from memory) on node1, assuming you are running full dev.
>>>
>>> Jon
>>>
>>>
>&
d:
>>
>> It should be in /usr/hdp/current/kafka-broker/bin/ or similar (from
>> memory) on node1, assuming you are running full dev.
>>
>> Jon
>>
>>
>> Jon
>>
>> On Fri, Oct 27, 2017 at 6:25 AM Syed Hammad Tahir
>> wrote:
>
h I said:
>
> It should be in /usr/hdp/current/kafka-broker/bin/ or similar (from
> memory) on node1, assuming you are running full dev.
>
> Jon
>
>
> Jon
>
> On Fri, Oct 27, 2017 at 6:25 AM Syed Hammad Tahir
> wrote:
>
>> snort logs are in tcp dump
On the 25th I said:
It should be in /usr/hdp/current/kafka-broker/bin/ or similar (from
memory) on node1, assuming you are running full dev.
Jon
Jon
On Fri, Oct 27, 2017 at 6:25 AM Syed Hammad Tahir
wrote:
> snort logs are in tcp dump format. I may have to convert them.
>
snort logs are in tcp dump format. I may have to convert them.
bin/kafka-console-producer.sh --broker-list localhost:9092 --topic test
How to give file name or path in this command?
On Fri, Oct 27, 2017 at 2:53 PM, zeo...@gmail.com wrote:
> If you have text snort logs you can use Apache n
If you have text snort logs you can use Apache nifi or the Kafka producer
script as described in step 4 here[1] to push them to Metron's snort
topic. You may also want to look at this [2].
1: https://kafka.apache.org/quickstart
2:
https://stackoverflow.com/questions/38701179/kafka-co
Hello everyone,
I have run snort independently on vagrant ssh and dumped the logs in
tcpdump format. Now I want to bring them to metron to play with them a bit.
Some of you already replied me with some solutions but thats lost in the
inbox somewhere and engulfed by the elasticsearhc issue that I h
39 matches
Mail list logo
