Is it possible to ingest other logs, /var/log/secure for example, as new
telemetry on Metron? I’ve seen the Metron architecture on the website,
like the picture below. Host logs, email, AV, etc. can be telemetry in the event buffer
on Metron. If this is possible, could you give me some suggestions on how to do it?


On Tue, 17 Oct 2017 at 21.00 Nick Allen <n...@nickallen.org> wrote:

> If you want to look at failed login attempts for each user over time, then
> the Profiler might be a good solution.  Your profile will depend on the
> fields available in your telemetry, but it would look something like this,
> as an example.
>
> {
>   "profile": "failed-logins",
>   "foreach": "user.name",
>   "onlyif": "source.type == 'activedirectory' and event.type == 'failed_login'",
>   "init": { "count": 0 },
>   "update": { "count" : "count + 1" },
>   "result": "count"
> }
>
>
> You can find an introduction and more information on using the Profiler
> below.
> * https://github.com/apache/metron/tree/master/metron-analytics/metron-profiler
> * https://www.slideshare.net/secret/GFBf2RTXBG35PB
>
> Best of luck
>
> On Tue, Oct 17, 2017 at 4:51 AM, tkg_cangkul <yuza.ras...@gmail.com>
> wrote:
>
>> For example,
>>
>> I want to try to correlate between logs:
>> how many times user A has failed to log in and how many times user A has
>> logged in successfully, including details such as IP, timestamp, etc.
>> Is this possible to do with Metron?
>>
>>
>>
>>
>> On 17/10/17 02:56, James Sirota wrote:
>>
>>> What specifically are you looking to correlate?  Can you talk a little
>>> more about your use case?
>>>
>>> 16.10.2017, 02:23, "tkg_cangkul" <yuza.ras...@gmail.com>:
>>>
>>>> Hi,
>>>>
>>>> Could anyone explain event correlation using Apache Metron to me?
>>>> Does Metron support event correlation?
>>>>
>>>> Please advise.
>>>>
>>> -------------------
>>> Thank you,
>>>
>>> James Sirota
>>> PMC- Apache Metron
>>> jsirota AT apache DOT org
>>>
>>
>>
>
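As an added, runnable illustration (not code from this thread, and not Metron's own code) of what the profile Nick posted computes once /var/log/secure has been parsed into flat events: it reads constructed sshd lines, emits events with the field names used in the thread (source.type, user.name, event.type; ip_src_addr and a 15-minute period are further assumptions), stands the Stellar expressions in with Python callables, and then joins a failed-logins and a successful-logins profile per user and period, with the source IPs attached, which is the correlation asked for at the top of the thread. Field names, the `secure` source type and the period length are assumptions, not a schema Metron mandates.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample lines in /var/log/secure (sshd via syslog) format; not real data.
SAMPLE_SECURE_LOG = [
    "Oct 17 09:12:01 web01 sshd[2211]: Failed password for alice from 203.0.113.7 port 51234 ssh2",
    "Oct 17 09:12:05 web01 sshd[2211]: Failed password for alice from 203.0.113.7 port 51236 ssh2",
    "Oct 17 09:12:40 web01 sshd[2214]: Failed password for invalid user admin from 198.51.100.9 port 40002 ssh2",
    "Oct 17 09:13:10 web01 sshd[2220]: Accepted password for alice from 203.0.113.7 port 51240 ssh2",
    "Oct 17 09:31:00 web01 sshd[2301]: Failed password for bob from 192.0.2.55 port 60001 ssh2",
    "Oct 17 09:31:02 web01 systemd-logind[700]: New session 9 of user bob.",  # not an auth event
]

# Authentication lines written by sshd. Syslog timestamps carry no year, so one is assumed.
SSHD_RE = re.compile(
    r"^(?P<month>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) sshd\[\d+\]: (?P<status>Failed|Accepted) (?:password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+) ssh2"
)

PERIOD_MS = 15 * 60 * 1000  # assumed profile period length; tune to your deployment


def parse_secure_line(line, year=2017):
    """Turn one sshd auth line into a flat event. Field names mirror the thread
    (source.type, user.name, event.type) and are assumptions, not a required schema."""
    m = SSHD_RE.match(line)
    if m is None:
        return None  # not an sshd auth line; a real parser would send this to an error topic
    ts = datetime.strptime(f"{year} {m['month']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
    ts = ts.replace(tzinfo=timezone.utc)
    return {
        "source.type": "secure",
        "timestamp": int(ts.timestamp() * 1000),
        "hostname": m["host"],
        "user.name": m["user"],
        "ip_src_addr": m["ip"],
        "ip_src_port": int(m["port"]),
        "event.type": "failed_login" if m["status"] == "Failed" else "successful_login",
        "original_string": line,
    }


def parse_secure_log(lines, year=2017):
    return [e for e in (parse_secure_line(l, year) for l in lines) if e is not None]


# The profile from the thread, with its Stellar expressions stood in for by Python callables.
FAILED_LOGINS_PROFILE = {
    "profile": "failed-logins",
    "foreach": lambda e: e["user.name"],
    "onlyif": lambda e: e["source.type"] == "secure" and e["event.type"] == "failed_login",
    "init": lambda: {"count": 0},
    "update": lambda state, e: {"count": state["count"] + 1},
    "result": lambda state: state["count"],
}

SUCCESSFUL_LOGINS_PROFILE = dict(
    FAILED_LOGINS_PROFILE,
    profile="successful-logins",
    onlyif=lambda e: e["source.type"] == "secure" and e["event.type"] == "successful_login",
)


def period_label(ts_ms, period_ms=PERIOD_MS):
    """Start of the fixed-width period containing ts_ms, as an ISO-8601 UTC string."""
    start = (ts_ms // period_ms) * period_ms
    return datetime.fromtimestamp(start / 1000, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def run_profile(profile, events, period_ms=PERIOD_MS):
    """Apply init/update per (entity, period) to events passing onlyif; emit result per key."""
    state = {}
    for e in events:
        if not profile["onlyif"](e):
            continue
        key = (profile["foreach"](e), period_label(e["timestamp"], period_ms))
        current = state.get(key)
        if current is None:
            current = profile["init"]()
        state[key] = profile["update"](current, e)
    return {key: profile["result"](st) for key, st in state.items()}


def correlate_logins(events, period_ms=PERIOD_MS):
    """Join both profiles per (user, period) and attach the source IPs seen in that period."""
    failed = run_profile(FAILED_LOGINS_PROFILE, events, period_ms)
    succeeded = run_profile(SUCCESSFUL_LOGINS_PROFILE, events, period_ms)
    ips = defaultdict(set)
    for e in events:
        ips[(e["user.name"], period_label(e["timestamp"], period_ms))].add(e["ip_src_addr"])
    return {
        key: {"failed": failed.get(key, 0), "succeeded": succeeded.get(key, 0), "ips": sorted(ips[key])}
        for key in sorted(set(failed) | set(succeeded))
    }


if __name__ == "__main__":
    for key, row in correlate_logins(parse_secure_log(SAMPLE_SECURE_LOG)).items():
        print(key, row)
```

The point of the stand-in is the shape of the computation: `onlyif` filters, `foreach` picks the entity, and `init`/`update`/`result` run once per entity per period, so a spray against several accounts shows up as many small counts rather than one large one, and a success that follows a run of failures for the same user in the same period is visible only when the two profiles are joined, as `correlate_logins` does.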
