Hi Stephanie,

The issue got resolved by creating that table in HBase.

Thanks and regards,
Hema

On Tue, Apr 9, 2019, 1:31 PM <stephane.d...@orange.com> wrote:

> Hello Hema,
>
> Unless I'm wrong, this must be set up in MySQL, the database you use for
> Metron REST.
>
> *From:* Hema malini [mailto:nhemamalin...@gmail.com]
> *Sent:* Tuesday, April 09, 2019 09:42
> *To:* user@metron.apache.org
> *Subject:* Re: Snort logs flow issue
>
> Hi Michael,
>
> Sorry, I just noticed the error in the Metron REST logs: Table 'user settings'
> was not found. Do we have to create that HBase table? Where can I find the
> HBase tables that were created? I could see only two namespaces in HBase, default
> and hbase, with no tables created in them. Do I have to run Metron REST in the
> dev profile?
>
> Thanks & Regards
>
> Hema
>
> On Tue, Apr 9, 2019, 12:44 PM Hema malini <nhemamalin...@gmail.com> wrote:
>
> Hi Michael,
>
> Thanks for your reply. I couldn't find any errors in the Metron Alerts UI
> log. I clicked search and changed the date range too. Still no records. Do
> we have to run Metron REST in the dev profile?
>
> On Mon, Apr 8, 2019, 7:50 PM Michael Miklavcic <
> michael.miklav...@gmail.com> wrote:
>
> If you see them in the dashboard, you should be able to see them in the
> Alerts UI. Any errors in either the Alerts UI or REST logs? Also, the new
> default behavior is that the UI doesn't initiate a search at login; it's up
> to the user to click search.
>
> On Mon, Apr 8, 2019, 6:38 AM Hema malini <nhemamalin...@gmail.com> wrote:
>
> After recreating the index, we are now able to visualize the data in the
> Kibana Metron dashboard. How can we pass alerts to the Metron Alerts UI?
> Currently there is no data in the Alerts UI. How do we configure the logs as
> alerts?
>
> On Sat, Apr 6, 2019, 9:21 PM Hema malini <nhemamalin...@gmail.com> wrote:
>
> Sorry for the typo. Can you please help with the required configuration.
>
> On Sat, Apr 6, 2019, 5:39 PM Hema malini <nhemamalin...@gmail.com> wrote:
>
> Are we missing any configuration? Initially Elasticsearch was down. We
> figured out the issue and fixed it. Now Elasticsearch is up. We restarted
> Metron indexing, but those indices were still not created, so we created them
> manually. Do we have to change any parser configuration? How will logs flow
> into the Metron alerts dashboard and the Kibana dashboard? What is the required
> configuration?
>
> On Fri, Apr 5, 2019, 11:52 PM Hema malini <nhemamalin...@gmail.com> wrote:
>
> Sample message flowing on the indexing topic:
>
> {
>   "msg": "'snort test alert'",
>   "parallelenricher.splitter.end.ts": "1554384505264",
>   "sig_rev": "0",
>   "ip_dst_port": "50183",
>   "ethsrc": "08:00:27:E8:B0:7A",
>   "threat.triage.rules.0.comment": null,
>   "tcpseq": "0x8DF34F4B",
>   "threat.triage.score": 10.0,
>   "dgmlen": "52",
>   "adapter.hostfromjsonlistadapter.end.ts": "1554384503452",
>   "adapter.geoadapter.begin.ts": "1554384503452",
>   "tcpwindow": "0x1F5",
>   "parallelenricher.splitter.begin.ts": "1554384505264",
>   "threat.triage.rules.0.score": "10",
>   "tcpack": "0x836687BD",
>   "protocol": "TCP",
>   "ip_dst_addr": "192.168.66.1",
>   "original_string": "01\/11\/17-20:53:16.104984 ,1,999158,0,\"'snort test alert'\",TCP,192.168.66.121,8080,192.168.66.1,50183,08:00:27:E8:B0:7A,0A:00:27:00:00:00,0x42,***A****,0x8DF34F4B,0x836687BD,,0x1F5,64,0,62040,52,53248,,,,",
>   "parallelenricher.enrich.end.ts": "1554384505342",
>   "threat.triage.rules.0.reason": null,
>   "tos": "0",
>   "adapter.hostfromjsonlistadapter.begin.ts": "1554384503452",
>   "id": "62040",
>   "ip_src_addr": "192.168.66.121",
>   "timestamp": 1484148196104,
>   "ethdst": "0A:00:27:00:00:00",
>   "threat.triage.rules.0.name": null,
>   "is_alert": "true",
>   "parallelenricher.enrich.begin.ts": "1554384505264",
>   "ttl": "64",
>   "source.type": "snort",
>   "adapter.geoadapter.end.ts": "1554384503453",
>   "ethlen": "0x42",
>   "iplen": "53248",
>   "adapter.threatinteladapter.begin.ts": "1554384505264",
>   "ip_src_port": "8080",
>   "tcpflags": "***A****",
>   "guid": "2f6f3f3c-7739-47fe-aa04-3c62425fbcbf",
>   "sig_id": "999158",
>   "sig_generator": "1"
> }
>
> On Fri, Apr 5, 2019, 11:43 PM Hema malini <nhemamalin...@gmail.com> wrote:
>
> Yes I am getting messages
>
> On Fri, Apr 5, 2019, 11:17 PM Michael Miklavcic <
> michael.miklav...@gmail.com> wrote:
>
> Do you get 10 records output to the CLI when you run the following?
>
> /usr/hdp/current/kafka-broker/bin/kafka-console-consumer.sh --zookeeper
> $ZOOKEEPER --topic indexing --from-beginning --max-messages 10
>
> On Fri, Apr 5, 2019 at 11:38 AM Hema malini <nhemamalin...@gmail.com>
> wrote:
>
> We verified it in Storm ui and in Storm topology logs
>
> On Fri, Apr 5, 2019, 10:53 PM Michael Miklavcic <
> michael.miklav...@gmail.com> wrote:
>
> How did you validate the logs are making it to the indexing topology?
>
> On Fri, Apr 5, 2019 at 8:12 AM Hema malini <nhemamalin...@gmail.com>
> wrote:
>
> Hi,
>
> We have installed Metron 0.7.1 on CentOS 7 using Ambari. Using NiFi we
> sent the sample Snort logs copied from the Metron git repo to the snort Kafka
> topic. We did the same for the bro topic. Logs are getting parsed and reach the
> indexing topology. Elasticsearch indices are not getting created, though
> we ran the Elasticsearch template install from Ambari, so we manually created
> the Elasticsearch index using the template available in the Metron repo. Though
> the Elasticsearch index is present, data from the indexing topology has neither
> reached Elasticsearch nor the HDFS path. There are no errors in the Storm topology
> logs. We could see the sample log in the Metron Management UI. How can we send
> the logs to the Alerts UI and the Kibana dashboard? In Kibana we could
> see two dashboards created, Metron-Dashboard and Metron-Error-Dashboard, but
> with no data. Elasticsearch health is yellow and we are able to insert data
> via REST call. Any documentation on sending the sample Snort logs to the Metron
> Alerts UI will be helpful. Is any configuration from the Metron Management UI
> required to pass it to the Alerts UI?
>
> Thanks and Regards
>
> Hema
>
>

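The thread ends up with two separate checks done by hand: reading a message off the indexing topic with kafka-console-consumer, and clicking search in the Alerts UI with a wider date range. The script below, an added example for this thread and not Metron project code, automates the first so that it also explains the second. It re-parses the message's original_string into the same field names the sample shows and compares them with the parsed fields, and it compares the event timestamp with the enrichment timestamps in the same message. On the sample above that comparison shows the event is from January 2017 (1484148196104) while enrichment ran in April 2019 (1554384505342), which is why any search window covering only recent data comes back empty. Assumptions, labelled in the code as well: Snort's default CSV column order (it reproduces every field value in the sample), the enrichment `*.ts` fields as the pipeline's clock, a 30-day staleness threshold, and a sensor time zone of UTC+05:30, chosen only because it reproduces the sample's epoch `timestamp`; the function and constant names are mine.

```python
"""Sanity-check Snort messages as they appear on Metron's 'indexing' topic.

Added example for this thread, not Metron project code. Assumptions: Snort's
default CSV column order (it reproduces every field in the sample message),
the enrichment timestamps as the pipeline's clock, and a sensor time zone of
UTC+05:30, the offset that reproduces the sample's epoch 'timestamp' value.
"""
import csv
import io
import json
from datetime import datetime, timedelta, timezone

# Snort CSV alert columns, named as they appear in the sample message.
SNORT_FIELDS = [
    "timestamp", "sig_generator", "sig_id", "sig_rev", "msg", "protocol",
    "ip_src_addr", "ip_src_port", "ip_dst_addr", "ip_dst_port",
    "ethsrc", "ethdst", "ethlen", "tcpflags", "tcpseq", "tcpack", "tcplen",
    "tcpwindow", "ttl", "tos", "id", "dgmlen", "iplen",
    "icmptype", "icmpcode", "icmpid", "icmpseq",
]

# Fields a message needs before indexing/search can find it (assumed minimum).
REQUIRED_FIELDS = ("guid", "timestamp", "source.type", "original_string")

# The message from the thread's kafka-console-consumer output, trimmed to the
# fields used below (constructed test input, not a live capture).
SAMPLE_MESSAGE = json.dumps({
    "msg": "'snort test alert'", "sig_id": "999158", "sig_generator": "1", "sig_rev": "0",
    "protocol": "TCP", "ip_src_addr": "192.168.66.121", "ip_src_port": "8080",
    "ip_dst_addr": "192.168.66.1", "ip_dst_port": "50183",
    "ethsrc": "08:00:27:E8:B0:7A", "ethdst": "0A:00:27:00:00:00", "ethlen": "0x42",
    "tcpflags": "***A****", "tcpseq": "0x8DF34F4B", "tcpack": "0x836687BD",
    "tcpwindow": "0x1F5", "ttl": "64", "tos": "0", "id": "62040", "dgmlen": "52",
    "iplen": "53248", "timestamp": 1484148196104, "is_alert": "true",
    "source.type": "snort", "guid": "2f6f3f3c-7739-47fe-aa04-3c62425fbcbf",
    "parallelenricher.enrich.end.ts": "1554384505342",
    "original_string": "01/11/17-20:53:16.104984 ,1,999158,0,\"'snort test alert'\",TCP,"
                       "192.168.66.121,8080,192.168.66.1,50183,08:00:27:E8:B0:7A,"
                       "0A:00:27:00:00:00,0x42,***A****,0x8DF34F4B,0x836687BD,,0x1F5,"
                       "64,0,62040,52,53248,,,,",
})


def parse_snort_csv(line, tz_offset_hours=0.0):
    """One Snort CSV alert line -> Metron-style message dict.

    Empty columns are dropped (the sample has no tcplen/icmp*). Snort writes
    no zone, so the caller supplies the sensor's UTC offset; 'timestamp'
    becomes epoch milliseconds like Metron's field.
    """
    row = next(csv.reader(io.StringIO(line)))
    if len(row) != len(SNORT_FIELDS):
        raise ValueError(f"expected {len(SNORT_FIELDS)} columns, got {len(row)}")
    msg = {name: val for name, val in zip(SNORT_FIELDS, row) if val != ""}
    ts = datetime.strptime(msg["timestamp"].strip(), "%m/%d/%y-%H:%M:%S.%f")
    ts = ts.replace(tzinfo=timezone(timedelta(hours=tz_offset_hours)))
    msg["timestamp"] = int(ts.timestamp()) * 1000 + ts.microsecond // 1000
    msg["source.type"] = "snort"
    msg["is_alert"] = "true"  # the sample marks every Snort record as an alert
    return msg


def check_indexing_message(raw_json, max_age_days=30, tz_offset_hours=0.0):
    """Findings for one indexing-topic message; an empty list means clean.

    Checks required fields, a numeric timestamp that is not stale relative
    to the enrichment clock, and parser fields against original_string.
    """
    msg = json.loads(raw_json)
    findings = [f"missing required field {f}" for f in REQUIRED_FIELDS if f not in msg]
    ts = msg.get("timestamp")
    if not isinstance(ts, int):
        findings.append(f"timestamp should be epoch milliseconds, got {ts!r}")
        return findings
    clock = msg.get("parallelenricher.enrich.end.ts")
    if clock is not None:
        age_days = (int(clock) - ts) // 86_400_000
        if age_days > max_age_days:
            findings.append(f"event timestamp is {age_days} days older than the "
                            "pipeline clock; a 'recent' search window will not show it")
    if "original_string" in msg:
        try:
            reparsed = parse_snort_csv(msg["original_string"], tz_offset_hours)
        except ValueError as exc:
            findings.append(f"original_string does not parse as Snort CSV: {exc}")
            return findings
        for name in ("sig_id", "ip_src_addr", "ip_dst_addr", "protocol", "timestamp"):
            if reparsed.get(name) != msg.get(name):
                findings.append(f"{name}: message has {msg.get(name)!r}, "
                                f"original_string parses to {reparsed.get(name)!r}")
    return findings


if __name__ == "__main__":
    # Sensor wrote local time in UTC+05:30: that offset reproduces 1484148196104.
    for finding in check_indexing_message(SAMPLE_MESSAGE, tz_offset_hours=5.5):
        print("-", finding)
```

Run against a live topic by piping kafka-console-consumer output one JSON object per line into check_indexing_message. With the offset set to 5.5 the only finding on the sample is the 812-day gap between event time and enrichment time; with the offset left at 0 a second finding appears, because the re-parsed timestamp then lands 5.5 hours later than the one in the message, which is how a wrong sensor time zone shows up before it becomes a silent gap in the dashboards.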