Hi Stéphane,

Yes, you are correct. After changing it to 1, as it is a single node
installation, it worked.

I am seeing my records in the management GUI.

I haven't loaded any threat intel data into my DB, so how do I make it so that
it is classified as an alert?

Regards,

Meenakshi

 

From: stephane.d...@orange.com [mailto:stephane.d...@orange.com] 
Sent: 04 April 2019 18:18
To: user@metron.apache.org; meenakshi.subraman...@inspirisys.com
Subject: RE: Not seeing feeds in metron -alerts ui

 

Hello,

 

How many ES data nodes do you have? Given the following setting:

gateway:
  recover_after_data_nodes: 3

you must have at least 3 living data nodes to have a working ES cluster. I
faced this issue last week after my install.

 

 

Stéphane

 

 

From: Meenakshi.S [mailto:meenakshi.subraman...@inspirisys.com]
Sent: Thursday, April 04, 2019 14:44
To: user@metron.apache.org
Subject: RE: Not seeing feeds in metron -alerts ui

 

Hi,

Elasticsearch health is red in Kibana and we are getting a cluster block
exception from Elasticsearch.

The Kibana dashboard is not up.

These are my config details. It is a single node installation.

Regards,

Meenakshi

elasticsearch.yml

 

cluster:
  name:   metron
  routing:
    allocation.node_concurrent_recoveries: 4
    allocation.disk.watermark.low: .97
    allocation.disk.threshold_enabled: true
    allocation.disk.watermark.high: 0.99

discovery:
  zen:
    ping:
      unicast:
        hosts: ["10.3.1.67"]

node:
  data: true
  master: true
  name: node1
path:
  data: "/opt/lmm/es_data"

http:
  port: 9200-9300
  cors.enabled: "false"

transport:
  tcp:
    port: 9300-9400

gateway:
  recover_after_data_nodes: 3
  recover_after_time: 15m
  expected_data_nodes: 0

# https://www.elastic.co/guide/en/elasticsearch/guide/current/indexing-performance.html
indices:
  store.throttle.type: none
  memory:
   index_buffer_size: 10%
  fielddata:
   cache.size: 25%

bootstrap:
  memory_lock: true
  system_call_filter: false

thread_pool:
  bulk:
    queue_size: 3000
  index:
    queue_size: 1000

discovery.zen.ping_timeout: 5s
discovery.zen.fd.ping_interval: 15s
discovery.zen.fd.ping_timeout: 60s
discovery.zen.fd.ping_retries: 5
discovery.zen.minimum_master_nodes: 1

network.host: [ _local_, _site_ ]
network.publish_host: []

 

 

Error

{
  "error": {
    "root_cause": [
      {
        "type": "cluster_block_exception",
        "reason": "blocked by: [SERVICE_UNAVAILABLE/1/state not recovered / initialized];"
      }
    ],
    "type": "cluster_block_exception",
    "reason": "blocked by: [SERVICE_UNAVAILABLE/1/state not recovered / initialized];"
  },
  "status": 503
}
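The config above and Stéphane's diagnosis (recover_after_data_nodes: 3 on a one-node cluster) suggest a check worth running before the cluster is ever started. The script below is an added example for this thread, not Metron or Elasticsearch project code: it parses the scalar-only YAML subset used in elasticsearch.yml, compares the gateway and discovery thresholds with the number of data and master-eligible nodes, and decodes the 503 body to the cluster block id it carries. The SAMPLE_YAML is a trimmed copy of the posted config, the SAMPLE_NODES shape is an assumed reduction of a GET /_nodes response to name and roles, and the SAMPLE_ERROR is the quoted 503 body without its root_cause array; BLOCK_HINTS lists only the two block ids the script knows (1 = state not recovered, 2 = no master). It also flags bootstrap.system_call_filter: false, which switches off the seccomp filter that ES normally installs.

```python
"""Check elasticsearch.yml recovery thresholds against the live node count and
decode the cluster_block_exception body. Added example for this thread; it is
not Metron or Elasticsearch project code."""
import re

# Constructed sample: a trimmed copy of the single-node config posted above.
SAMPLE_YAML = """\
cluster:
  name:   metron
node:
  data: true
  master: true
  name: node1
gateway:
  recover_after_data_nodes: 3
  recover_after_time: 15m
  expected_data_nodes: 0
bootstrap:
  memory_lock: true
  system_call_filter: false
discovery.zen.minimum_master_nodes: 1
network.host: [ _local_, _site_ ]
"""

# Constructed sample: GET /_nodes reduced to name and roles (assumed shape for
# this example; a real response carries far more fields).
SAMPLE_NODES = {"nodes": {"abc123": {"name": "node1", "roles": ["master", "data"]}}}

# Constructed sample: the 503 body quoted in the thread, without root_cause.
SAMPLE_ERROR = {
    "error": {
        "type": "cluster_block_exception",
        "reason": "blocked by: [SERVICE_UNAVAILABLE/1/state not recovered / initialized];",
    },
    "status": 503,
}

# Cluster block ids as defined in the ES source: 1 = STATE_NOT_RECOVERED
# (GatewayService), 2 = NO_MASTER (DiscoverySettings). Others are not mapped.
BLOCK_HINTS = {
    1: "gateway recovery not finished: compare gateway.recover_after_* / expected_* with the real node count",
    2: "no master elected: check discovery.zen.minimum_master_nodes and unicast hosts",
}


def parse_block_yaml(text):
    """Minimal parser for the indentation-based, scalar-only subset used in
    elasticsearch.yml. Returns a flat dict with dotted keys. Not general YAML:
    no lists of maps, no multi-line scalars (enough for the config above)."""
    flat = {}
    stack = []  # (indent, key) pairs for the current nesting path
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while stack and stack[-1][0] >= indent:
            stack.pop()
        stack.append((indent, key.strip()))
        if value.strip():
            flat[".".join(k for _, k in stack)] = value.strip()
    return flat


def count_roles(nodes_json):
    """Return (data_nodes, master_eligible_nodes) from a _nodes response."""
    nodes = list(nodes_json["nodes"].values())
    return (sum("data" in n["roles"] for n in nodes),
            sum("master" in n["roles"] for n in nodes))


def check_recovery_settings(flat, data_nodes, master_eligible):
    """Return (setting, value, finding) tuples: recovery thresholds the live
    cluster can never satisfy, plus hardening issues. Empty list = nothing found."""
    findings = []
    recover_after = int(flat.get("gateway.recover_after_data_nodes", 0))
    if recover_after > data_nodes:
        findings.append(("gateway.recover_after_data_nodes", recover_after,
                         f"needs {recover_after} data nodes, only {data_nodes} exist; "
                         "state recovery never starts and every request gets block 1"))
    expected = int(flat.get("gateway.expected_data_nodes", 0))
    if expected > data_nodes:
        findings.append(("gateway.expected_data_nodes", expected,
                         f"waits for {expected} data nodes, only {data_nodes} exist"))
    min_master = int(flat.get("discovery.zen.minimum_master_nodes", 1))
    quorum = master_eligible // 2 + 1
    if min_master > master_eligible:
        findings.append(("discovery.zen.minimum_master_nodes", min_master,
                         f"exceeds the {master_eligible} master-eligible node(s); no master can be elected"))
    elif min_master < quorum:
        findings.append(("discovery.zen.minimum_master_nodes", min_master,
                         f"below majority quorum {quorum}; split-brain possible"))
    if flat.get("bootstrap.system_call_filter") == "false":
        findings.append(("bootstrap.system_call_filter", "false",
                         "seccomp system call filter disabled; the JVM loses its syscall sandbox"))
    return findings


def classify_cluster_block(error_body):
    """Extract block id and text from a cluster_block_exception body and attach
    the hint for known ids; None when the body is some other error."""
    err = error_body.get("error", {})
    if err.get("type") != "cluster_block_exception":
        return None
    m = re.search(r"SERVICE_UNAVAILABLE/(\d+)/([^\]]+)", err.get("reason", ""))
    if not m:
        return None
    block_id = int(m.group(1))
    return {"block_id": block_id, "description": m.group(2).strip(),
            "hint": BLOCK_HINTS.get(block_id, "unknown block id")}


if __name__ == "__main__":
    flat = parse_block_yaml(SAMPLE_YAML)
    data, master = count_roles(SAMPLE_NODES)
    print(f"cluster {flat['cluster.name']}: {data} data node(s), {master} master-eligible")
    for setting, value, why in check_recovery_settings(flat, data, master):
        print(f"  {setting}={value}: {why}")
    print(classify_cluster_block(SAMPLE_ERROR))
```

On the posted config the script reports recover_after_data_nodes=3 against one data node (the block-1 cause Stéphane identified) and the disabled system call filter; after the change to 1 only the hardening note remains. Feed it a real elasticsearch.yml and the JSON from GET /_nodes to run the same comparison against a live cluster.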

 

 

 

From: Michael Miklavcic [mailto:michael.miklav...@gmail.com]
Sent: 03 April 2019 20:15
To: user@metron.apache.org; meenakshi.subraman...@inspirisys.com
Subject: Re: Not seeing feeds in metron -alerts ui

 

I think I need a bit more context. Are you saying it makes it to indexing and 
then never makes it to ES or Solr? Are you running fulldev or another type of 
manual installation? Which index tool are you using, es or solr?

 

On Wed, Apr 3, 2019, 5:26 AM Meenakshi.S <meenakshi.subraman...@inspirisys.com> wrote:

Hi Team,

I am able to insert Snort related feeds into Metron.

I am able to see the feed up to the indexing Kafka topic. After that I am not
able to trace it. Any help is highly appreciated.

Regards,

Meenakshi

_________________________________________________________________________________________________________________________
 
This message and its attachments may contain confidential or privileged 
information that may be protected by law;
they should not be distributed, used or copied without authorisation.
If you have received this email in error, please notify the sender and delete 
this message and its attachments.
As emails may be altered, Orange is not liable for messages that have been 
modified, changed or falsified.
Thank you.
