Hi Michael, Thanks for your reply. I couldn't find any errors in metron alerts UI log . I clicked the search and changed the date range too. Still no records. Do we have to run metron rest in dev profile?
On Mon, Apr 8, 2019, 7:50 PM Michael Miklavcic <[email protected]> wrote: > If you see them in the dashboard you should be able to see them in the > alerts UI. Any errors in either the alerts UI or REST logs? Also, the new > default behavior is that the UI doesn't initiate a search at login, it's up > to the user to click search. > > On Mon, Apr 8, 2019, 6:38 AM Hema malini <[email protected]> wrote: > >> After recreating the index, now we are able to visualize the data in >> kibana metron dashboard. How we can pass alerts to metron alerts UI. >> Currently there is no data in alerts UI. How.to configure the logs as alerts >> >> On Sat, Apr 6, 2019, 9:21 PM Hema malini <[email protected]> wrote: >> >>> Sorry for the typo. Can you please help with the required configuration. >>> >>> On Sat, Apr 6, 2019, 5:39 PM Hema malini <[email protected]> >>> wrote: >>> >>>> Are we missing any configuration? Initially elastic search was down. We >>>> figured out the issue and fixed it .Now elastic search is up . We restarted >>>> metron indexing but still those indices not created. So we created it >>>> manually.Do we have to change any parser configuration . How logs will flow >>>> into metron alerts dashboard and kibana dashboard..what is the required >>>> congratulation >>>> >>>> On Fri, Apr 5, 2019, 11:52 PM Hema malini <[email protected]> >>>> wrote: >>>> >>>>> Sample messages flown in indexing topic >>>>> {"msg":"'snort test alert'","parallelenricher.splitter.end.ts":" >>>>> 1554384505264","sig_rev":"0","ip_dst_port":"50183","ethsrc": >>>>> "08:00:27:E8:B0:7A","threat.triage.rules.0.comment":null," >>>>> tcpseq":"0x8DF34F4B","threat.triage.score":10.0,"dgmlen":" >>>>> 52","adapter.hostfromjsonlistadapter.end.ts":"1554384503452","adapter. >>>>> geoadapter.begin.ts":"1554384503452","tcpwindow":" >>>>> 0x1F5","parallelenricher.splitter.begin.ts":" >>>>> 1554384505264","threat.triage.rules.0.score":"10","tcpack":" >>>>> 0x836687BD","protocol":"TCP","ip_dst_addr":"192.168.66.1"," >>>>> original_string":"01\/11\/17-20:53:16.104984 ,1,999158,0,\"'snort >>>>> test alert'\",TCP,192.168.66.121,8080,192.168.66.1,50183,08:00: >>>>> 27:E8:B0:7A,0A:00:27:00:00:00,0x42,***A****,0x8DF34F4B, >>>>> 0x836687BD,,0x1F5,64,0,62040,52,53248,,,,"," >>>>> parallelenricher.enrich.end.ts":"1554384505342","threat. >>>>> triage.rules.0.reason":null,"tos":"0","adapter. >>>>> hostfromjsonlistadapter.begin.ts":"1554384503452","id":" >>>>> 62040","ip_src_addr":"192.168.66.121","timestamp": >>>>> 1484148196104,"ethdst":"0A:00:27:00:00:00","threat.triage.rules.0.name >>>>> ":null,"is_alert":"true","parallelenricher.enrich.begin.ts":" >>>>> 1554384505264","ttl":"64","source.type":"snort","adapter. >>>>> geoadapter.end.ts":"1554384503453","ethlen":"0x42" >>>>> ,"iplen":"53248","adapter.threatinteladapter.begin.ts":" >>>>> 1554384505264","ip_src_port":"8080","tcpflags":"***A****"," >>>>> guid":"2f6f3f3c-7739-47fe-aa04-3c62425fbcbf","sig_id":" >>>>> 999158","sig_generator":"1"} >>>>> >>>>> >>>>> On Fri, Apr 5, 2019, 11:43 PM Hema malini <[email protected]> >>>>> wrote: >>>>> >>>>>> Yes I am getting messages >>>>>> >>>>>> On Fri, Apr 5, 2019, 11:17 PM Michael Miklavcic < >>>>>> [email protected]> wrote: >>>>>> >>>>>>> Do you get 10 records output to the CLI when you run the following? >>>>>>> >>>>>>> /usr/hdp/current/kafka-broker/bin/kafka-console-consumer.sh >>>>>>> --zookeeper $ZOOKEEPER --topic indexing --from-beginning --max-messages >>>>>>> 10 >>>>>>> >>>>>>> >>>>>>> On Fri, Apr 5, 2019 at 11:38 AM Hema malini <[email protected]> >>>>>>> wrote: >>>>>>> >>>>>>>> We verified it in Storm ui and in Storm topology logs >>>>>>>> >>>>>>>> On Fri, Apr 5, 2019, 10:53 PM Michael Miklavcic < >>>>>>>> [email protected]> wrote: >>>>>>>> >>>>>>>>> How did you validate the logs are making it to the indexing >>>>>>>>> topology? >>>>>>>>> >>>>>>>>> On Fri, Apr 5, 2019 at 8:12 AM Hema malini < >>>>>>>>> [email protected]> wrote: >>>>>>>>> >>>>>>>>>> >>>>>>>>>> Hi, >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> We have installed Metron 0.7.1 in centos 7 using Amabari.Using >>>>>>>>>> Nifi we sent the sample snort logs copied from metron git repo to >>>>>>>>>> snort >>>>>>>>>> kafka topic.We did the same for bro topic.Logs are getting parsed and >>>>>>>>>> reached indexing topology . Elastic search indices are not getting >>>>>>>>>> created >>>>>>>>>> though we gave elastic search template install from ambari. So >>>>>>>>>> manually >>>>>>>>>> created the elastic search index using template available in >>>>>>>>>> metron repo. Though elastic search index is present , data from >>>>>>>>>> indexing >>>>>>>>>> toplogy neither reached elastic search nor hdfs path .There are no >>>>>>>>>> errors >>>>>>>>>> in storm toplogy logs.We could see the sample log in Metron >>>>>>>>>> management ui. >>>>>>>>>> How we can send the logs to alerts ui and kibana dashboard. In kibana >>>>>>>>>> dashboard we could see two dashboards - >>>>>>>>>> Metron-Dashboard,Metron-Error-Dashboard created but with no data. >>>>>>>>>> Elasticsearch health is yellow and we are able to insert data via >>>>>>>>>> rest >>>>>>>>>> call. Any documentation on sending the smaple snort logs to metron >>>>>>>>>> alerts >>>>>>>>>> ui will be helpful . Any configuration from metron management ui is >>>>>>>>>> required to pass it to alerts –ui >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> Thanks and Regards >>>>>>>>>> >>>>>>>>>> Hema >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>
