Thanks Nick.

If I delete the indices, will they only be regenerated from data stored 
elsewhere, or is the data removed after the indices are created? Sorry if the 
question sounds dumb. I’m still coming up to speed with the product.

Frank



From: Nick Allen [mailto:n...@nickallen.org]
Sent: Wednesday, September 6, 2017 5:19 PM
To: user@metron.apache.org
Subject: Re: Clearing of data to start over

Hi Frank -

(1) Here is a link on how to delete indices from Elasticsearch.  It is as 
simple as a "DELETE /bro*". 
https://www.elastic.co/guide/en/elasticsearch/reference/current/indices-delete-index.html.

(2) Check and see if YAF is running with a command-line argument 
"--idle-timeout 0".  That causes YAF to write a flow record for each packet.  
We only do that to drive test data through the system.  In a live system just 
remove that argument.

(3) For Snort, you need to reload the rule set after you make a change.  You 
can use "service snortd reload" or send a SIGHUP to the running process.
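As an added example (not part of this thread, and not Metron's or Elasticsearch's own tooling), the script below turns the "DELETE /bro*" step into a guarded routine: it matches sensor index names against a glob, refuses patterns that would wipe everything (including the Kibana index), and only issues the HTTP DELETE when explicitly told to. The Elasticsearch URL, the index names in the sample list, and the `DO_DELETE` switch are all assumptions made for the example.

```shell
#!/bin/sh
# Added example for the Metron list thread; not project code.
# Assumed Elasticsearch endpoint (override with ES_URL=...).
ES_URL="${ES_URL:-http://localhost:9200}"

# Constructed sample of what `GET _cat/indices?h=index` might list on a
# Metron node; embedded so the script runs offline.
SAMPLE_INDICES="bro_index_2017.09.06.17
yaf_index_2017.09.06.16
yaf_index_2017.09.06.17
snort_index_2017.09.06.17
squid_index_2017.09.06.17
.kibana"

# Reject patterns that would match every index (including .kibana).
is_safe_pattern() {
    case "$1" in
        ''|'*'|'_all'|'.*') return 1 ;;
        *) return 0 ;;
    esac
}

# Print the names from a newline-separated index list that match a glob.
matching_indices() {
    pattern="$1"; list="$2"
    printf '%s\n' "$list" | while IFS= read -r idx; do
        case "$idx" in
            $pattern) printf '%s\n' "$idx" ;;
        esac
    done
}

# Count the matches for a glob (handy for a dry-run sanity check).
count_matching() {
    matching_indices "$1" "$2" | wc -l | tr -d ' '
}

# Print the DELETE request for each pattern; execute it only when
# DO_DELETE=1 is set in the environment.
delete_telemetry_indices() {
    for p in "$@"; do
        if ! is_safe_pattern "$p"; then
            echo "refusing unsafe pattern: $p" >&2
            return 1
        fi
        echo "DELETE $ES_URL/$p"
        if [ "${DO_DELETE:-0}" = 1 ]; then
            curl -s -X DELETE "$ES_URL/$p"
        fi
    done
    return 0
}

# Dry run against the constructed sample: show what would go.
for sensor in 'bro*' 'yaf*' 'snort*'; do
    echo "$sensor matches $(count_matching "$sensor" "$SAMPLE_INDICES") index(es)"
done
delete_telemetry_indices 'bro*' 'yaf*' 'snort*'
```

Run it once without `DO_DELETE` to see the requests it would send, then rerun with `DO_DELETE=1` to actually clear the sensor indices; the `.kibana` index stays untouched because none of the sensor globs match it.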

On Wed, Sep 6, 2017 at 5:00 PM Frank Horsfall 
<frankhorsf...@cunet.carleton.ca> wrote:
Hello all,
I have installed a 3 node system using the bare metal Centos 7 guideline.

https://cwiki.apache.org/confluence/display/METRON/Metron+0.4.0+with+HDP+2.5+bare-metal+install+on+Centos+7+with+MariaDB+for+Metron+REST

It has taken me a while to have all components working properly, and I left the 
yaf, bro, and snort apps running, so quite a lot of data has been generated.  
Currently, I have almost 18 million events identified in Kibana. 16+ million 
are yaf based, and 2+ million are snort … 190 events are my new squid 
telemetry ☺. It looks like it still has a while to go before it catches up 
to the current day. I recently shut down the apps.


My questions are:


1. Is there a way to wipe all my data and indices clean so that I may now 
begin with a fresh dataset?

2. Is there a way to configure yaf so that its data is meaningful? It is 
currently creating what looks to be test data.

3. I have commented out the test snort rule, but it is still generating 
the odd record which once again looks like test data. Can this be stopped 
as well?

Kindest regards,
Frank


