THIS IS A TEST INSTANCE. ALL YOUR CHANGES WILL BE LOST!!!!
...
The following diagram illustrates the architecture:
Step 1: Setup and
...
Prerequisites
Complete the instructions in Adding a new Telemetry Data Source.
- Make sure the following variables are configured based on your environment:
- KAFKA_HOST = The host where a Kafka broker is installed.
- ZOOKEEPER_HOST = The host where a Zookeeper server is installed.
- PROBE_HOST = The host where your sensor, probes are installed. If don't have any sensors installed, pick the host where a Storm supervisor is running.
- SQUID_HOST = The host where you want to install SQUID. If you don't care, just install SQUID on the PROBE_HOST.
- NIFI_HOST = Host where you will install NIFI. You want this this to be same host on which you installed Squid.
- HOST_WITH_ENRICHMENT_TAG = The host in your inventory hosts file that you put under the group "enrichment."
- SEARCH_HOST = The host where you have Elastic or Solr running. This is the host in your inventory hosts file that you put under the group "search". Pick one of the search hosts.
- SEARCH_HOST_PORT = The port of the search host where indexing is configured. (e.g., 9300)
- METRON_UI_HOST = The host where your Metron UI web application is running. This is the host in your inventory hosts file that you put under the group "web."
- METRON_VERSION = The release of the Metron binaries you are working with. (e.g., 0.2.0BETA-RC2)
...
- Log into the Metron UI Dashboard: http://METRON_UI_HOST:5000.
- Select "Discover" Tab --> Select the "squid*" index.
- Search only for alerts in the Squid index.
- Type the following in search:
"is_alert = true" - Click the search icon
- Type the following in search:
- Now we only need to select a subset of the fields that we want to display in the detail panel. In the left hand panel under "Available Fields", add the following fields:
full_hostname
ip_src_addr
ip_dst_addr
original_string
method
type
Dashboard with the Two Panels
...