...

If you don't want to set up a full Metron environment, you can deploy individual Metron modules. To do so, you need to define the Metron inventory. A sample inventory is provided with Metron to make custom inventories easier to define. To get to the inventory, run the following command:

...

[metron_kafka_topics]
node9

The next thing to do is to go into our inventory file and match up the 

Set up the node for your PCAP server/replay capability (if using the canned PCAP probe provided with Metron):

[pcap_server]
node9

Then define the node which will contain the Storm jars and deployment scripts for Metron's parser and enrichment topologies:

#3rd ambari_slave
[enrichment]
node1

Then define the nodes which will contain the Elasticsearch master and slave nodes:

#1 or more
[search]
node10
node11
node12

Then define the node which will contain the canned Metron sensors YAF, Bro, Snort and PCAP (if using the canned Metron sensors):

#1 only
[sensors]
node1

Then define the node where Kibana will be installed:

#same as mysql in 12 node topology
[web]
node12

Finally, define the node where MySQL will be installed (if using the Geo enrichment):

[mysql]
node12

Then, based on your cluster definition, edit the group_vars/all file and run:

ansible-playbook -i ../inventory/project_name metron_install.yml --skip-tags="solr"

This will automatically install Metron on an Ambari-managed cluster.  For more detailed instructions please refer to: 

https://github.com/dlyle65535/incubator-metron/blob/METRON-260/metron-deployment/README.md
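Before running the playbook it is worth checking that the inventory actually satisfies the constraints the comments above state: exactly one [sensors] node, at least one [search] node, every group present, and Kibana ([web]) co-located with MySQL in the 12-node topology. The following POSIX shell snippet is an added example and is not part of the Metron deployment tooling; the inventory it writes is a constructed sample that reuses the node names from this page, and the function names write_sample_inventory, group_hosts and check_metron_inventory are assumptions made for the example.

```shell
#!/bin/sh
# Added example: write a constructed sample Metron inventory (node names taken
# from the page above; this is not a real cluster) to the file given as $1.
write_sample_inventory() {
  cat > "$1" <<'EOF'
[metron_kafka_topics]
node9

[pcap_server]
node9

#3rd ambari_slave
[enrichment]
node1

#1 or more
[search]
node10
node11
node12

#1 only
[sensors]
node1

#same as mysql in 12 node topology
[web]
node12

[mysql]
node12
EOF
}

# Print the hosts listed under one INI inventory group.
# Comments and blank lines are skipped; "node1 ansible_host=..." yields "node1".
group_hosts() {  # $1 = inventory file, $2 = group name
  awk -v g="$2" '
    /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
    /^\[.*\]$/ { in_group = ($0 == ("[" g "]")); next }
    in_group { print $1 }
  ' "$1"
}

# Sanity-check the inventory before running metron_install.yml.
# Returns 0 when every group is present and sized as the page requires.
check_metron_inventory() {  # $1 = inventory file
  inv="$1"
  rc=0
  for g in metron_kafka_topics pcap_server enrichment search sensors web mysql; do
    n=$(group_hosts "$inv" "$g" | wc -l | tr -d ' ')
    case "$g" in
      sensors)
        # The canned sensors are installed on a single node only.
        [ "$n" -eq 1 ] || { echo "[$g] must list exactly one node (has $n)"; rc=1; } ;;
      *)
        [ "$n" -ge 1 ] || { echo "[$g] must list at least one node"; rc=1; } ;;
    esac
  done
  # Kibana and MySQL share a node in the 12-node topology; flag a mismatch.
  if [ "$(group_hosts "$inv" web)" != "$(group_hosts "$inv" mysql)" ]; then
    echo "note: [web] and [mysql] differ; the 12 node topology puts both on one node"
  fi
  return $rc
}
```

Run check_metron_inventory against ../inventory/project_name/hosts (or wherever your inventory lives) and only invoke ansible-playbook when it returns 0; a second host accidentally left in [sensors] is the kind of mistake it catches before the playbook has already half-installed things.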



Step 3 : Installing a sample sensor

Log into the sensors node and install the Squid sensor. If you are on the QuickDev platform your VM will be called node1. If you are on the AWS environment your sensor node will be tagged with the [sensors] tag; you can look through the AWS console to find which node in your cluster has this tag. Once you log into this node, leave the enrichment topology running and kill the other parser topologies (bro, snort, or yaf) with either the "storm kill" command or the Storm UI at http://node1:8744/index.html. Now let's install the Squid sensor.

sudo yum install squid

sudo service squid start 

...