...
/usr/metron/0.1BETA/config/topologies/, and each parsing topology has its own set of configs. Each topology directory contains a remote.yaml, designed to be run on AWS, and a test.yaml, designed to run locally on a single-node VM. At the time of publishing this blog entry the following configs are available:
/usr/metron/0.1BETA/config/topologies/yaf/test.yaml
/usr/metron/0.1BETA/config/topologies/yaf/remote.yaml
/usr/metron/0.1BETA/config/topologies/sourcefire/test.yaml
/usr/metron/0.1BETA/config/topologies/sourcefire/remote.yaml
/usr/metron/0.1BETA/config/topologies/asa/test.yaml
/usr/metron/0.1BETA/config/topologies/asa/remote.yaml
/usr/metron/0.1BETA/config/topologies/fireeye/test.yaml
/usr/metron/0.1BETA/config/topologies/fireeye/remote.yaml
/usr/metron/0.1BETA/config/topologies/bro/test.yaml
/usr/metron/0.1BETA/config/topologies/bro/remote.yaml
/usr/metron/0.1BETA/config/topologies/ise/test.yaml
/usr/metron/0.1BETA/config/topologies/ise/remote.yaml
/usr/metron/0.1BETA/config/topologies/paloalto/test.yaml
/usr/metron/0.1BETA/config/topologies/paloalto/remote.yaml
/usr/metron/0.1BETA/config/topologies/lancope/test.yaml
/usr/metron/0.1BETA/config/topologies/lancope/remote.yaml
/usr/metron/0.1BETA/config/topologies/pcap/test.yaml
/usr/metron/0.1BETA/config/topologies/pcap/remote.yaml
/usr/metron/0.1BETA/config/topologies/enrichment/test.yaml
/usr/metron/0.1BETA/config/topologies/enrichment/remote.yaml
/usr/metron/0.1BETA/config/topologies/snort/test.yaml
/usr/metron/0.1BETA/config/topologies/snort/remote.yaml
Since we are going to be running locally on a VM, we need to define a test.yaml for Squid. The easiest way to do this is to copy one of the existing Grok-based configs (the Snort one) and tailor it for Squid.
mkdir /usr/metron/0.1BETA/config/topologies/squid
cp /usr/metron/0.1BETA/config/topologies/snort/test.yaml /usr/metron/0.1BETA/config/topologies/squid/test.yaml
vi /usr/metron/0.1BETA/config/topologies/squid/test.yaml
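The three commands above are all that is needed, but when deriving a new sensor config from an existing one it pays to check that the source config actually exists, that you are not clobbering a config someone already tailored, and that after the copy you know exactly which lines still refer to the old sensor. The POSIX sh functions below are an added example, not part of the original post or of Metron itself, that generalise the Snort-to-Squid copy to any source/destination sensor pair. The METRON_HOME default, the function names and the assumption that the Snort test.yaml identifies its sensor only through the literals "snort" and "Snort" are my own; any other sensor-specific setting (Grok pattern, parser class, Kafka topic) is left for you to edit by hand and is listed by leftover_refs.

```shell
#!/bin/sh
# Added example (not from the original post): derive a new parser topology
# config from an existing Grok-based one, then report what still needs a
# manual edit. Assumption: the source test.yaml names its sensor only with
# the lowercase ("snort") or capitalised ("Snort") literal.
set -eu

# Directory holding one sub-directory per parsing topology. METRON_HOME may be
# overridden in the environment; the default matches the post's install path.
topologies_dir() {
    printf '%s/config/topologies' "${METRON_HOME:-/usr/metron/0.1BETA}"
}

# capitalise WORD: "squid" -> "Squid" (plain sh, no bash-isms)
capitalise() {
    printf '%s%s' "$(printf '%s' "$1" | cut -c1 | tr '[:lower:]' '[:upper:]')" \
                  "$(printf '%s' "$1" | cut -c2-)"
}

# derive_config SRC DST: copy SRC/test.yaml to DST/test.yaml, rewriting the
# sensor name in both casings. Fails if the source is missing (2) or the
# destination already exists (3), so a hand-tailored config is never clobbered.
derive_config() {
    src=$1 dst=$2
    srcfile="$(topologies_dir)/$src/test.yaml"
    dstdir="$(topologies_dir)/$dst"
    if [ ! -f "$srcfile" ]; then
        echo "derive_config: no source config at $srcfile" >&2
        return 2
    fi
    if [ -e "$dstdir/test.yaml" ]; then
        echo "derive_config: $dstdir/test.yaml already exists, not overwriting" >&2
        return 3
    fi
    mkdir -p "$dstdir"
    sed -e "s/$src/$dst/g" \
        -e "s/$(capitalise "$src")/$(capitalise "$dst")/g" \
        "$srcfile" > "$dstdir/test.yaml"
}

# leftover_refs DST SRC: print every line of DST/test.yaml that still mentions
# SRC in any case (with line numbers, for the vi session that follows).
# Returns 0 when nothing is left, 1 when manual edits remain.
leftover_refs() {
    dst=$1 src=$2
    f="$(topologies_dir)/$dst/test.yaml"
    if grep -in "$src" "$f"; then
        return 1
    fi
    return 0
}

# Usage for the post's case:
#   derive_config snort squid && leftover_refs squid snort
```

Run `derive_config snort squid` followed by `leftover_refs squid snort`; whatever the second call prints is the list of lines to visit in vi before the topology is truly Squid-specific. The rename is deliberately only a first pass: a Grok config carries sensor-specific patterns and field names that no text substitution can produce for you.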