Versions Compared

...

  1. As the root user, log into $HOST_WITH_ENRICHMENT_TAG.
  2. Cut and paste the following into a file called "enrichment_config_temp.json" (make sure to set ZOOKEEPER_HOST to your specific value).
    {
         "zkQuorum" : "$ZOOKEEPER_HOST:2181"
        ,"sensorToFieldList" : {
              "squid" : {
                 "type" : "ENRICHMENT"
                ,"fieldToEnrichmentTypes" : {
                     "domain_without_subdomains" : [ "whois" ]
                  }
              }
        }
    }
  3. Because copying and pasting from this blog will include some non-ASCII invisible characters, run the following command to strip them out:

    iconv -c -f utf-8 -t ascii enrichment_config_temp.json -o enrichment_config.json

    We will use the extractor_config file in step 5.

...

  1. Now that we have the enrichment source and the enrichment config defined, we can run the loader to move the data from the enrichment source into the Metron enrichment store and to store the enrichment config in Zookeeper.

    /usr/metron/$METRON_RELEASE/bin/flatfile_loader.sh -n enrichment_config.json -i whois_ref.csv -t enrichment -c t -e extractor_config.json
  2. This command loads your enrichment data into HBase and establishes a Zookeeper mapping. The data is populated into an HBase table called enrichment. To verify that the logs were properly ingested into HBase, run the following command:
    hbase shell
    scan 'enrichment'
  3. To check if the Zookeeper enrichment tag was properly populated, run the following:

    /usr/metron/0.1BETA/bin/zk_load_configs.sh -m DUMP -z ZOOKEEPER_HOST:2181
  4. Generate some data by using the Squid client to execute HTTP requests. (Do this about 20 times.)

    squidclient http://www.cnn.com
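
The following is an added example (not Metron's own code) that ties the enrichment config from the earlier steps to what the loader and the enrichment step do with it: it strips non-ASCII characters the way the iconv step does, validates the sensorToFieldList structure, builds an in-memory stand-in for the HBase enrichment table keyed by (type, indicator), and joins a parsed squid message against it. The Zookeeper host, the whois_ref.csv column names, and the enrichments.<type>.<field>.<column> output naming are assumptions.

```python
import csv
import io
import json

# Constructed stand-ins (not Metron's code): the config mirrors the JSON the page has the
# reader paste into enrichment_config.json, with a stray zero-width space appended to stand
# in for the invisible characters copy-and-paste adds; the CSV columns are assumptions.
RAW_CONFIG = (
    '{"zkQuorum": "zk1.example.internal:2181", "sensorToFieldList": {"squid": '
    '{"type": "ENRICHMENT", "fieldToEnrichmentTypes": {"domain_without_subdomains": ["whois"]}}}}\u200b'
)
WHOIS_REF_CSV = "domain,owner,registrar\ncnn.com,Example Media Co,Example Registrar Inc\n"


def parse_enrichment_config(raw_text):
    """Drop non-ASCII characters (the page's `iconv -c ... -t ascii` step), parse the JSON
    and validate the keys the loader relies on; raises ValueError on a malformed config."""
    cfg = json.loads(raw_text.encode("ascii", "ignore").decode("ascii"))
    if "zkQuorum" not in cfg or "sensorToFieldList" not in cfg:
        raise ValueError("config needs zkQuorum and sensorToFieldList")
    for sensor, spec in cfg["sensorToFieldList"].items():
        if spec.get("type") != "ENRICHMENT" or "fieldToEnrichmentTypes" not in spec:
            raise ValueError("bad sensor entry: %s" % sensor)
    return cfg


def load_enrichment_store(csv_text, enrichment_type="whois", key_column="domain"):
    """In-memory stand-in for the HBase 'enrichment' table that flatfile_loader.sh fills:
    each CSV row is stored under (enrichment type, indicator value)."""
    store = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        store[(enrichment_type, row.pop(key_column))] = row
    return store


def enrich(message, sensor, cfg, store):
    """Apply the sensor's fieldToEnrichmentTypes mapping to one parsed message.
    Messages whose indicator has no row in the store are returned unchanged."""
    enriched = dict(message)
    mapping = cfg["sensorToFieldList"][sensor]["fieldToEnrichmentTypes"]
    for field, types in mapping.items():
        for etype in types:
            hit = store.get((etype, message.get(field)))
            for col, val in (hit or {}).items():
                enriched["enrichments.%s.%s.%s" % (etype, field, col)] = val
    return enriched


if __name__ == "__main__":
    cfg = parse_enrichment_config(RAW_CONFIG)
    store = load_enrichment_store(WHOIS_REF_CSV)
    msg = {"domain_without_subdomains": "cnn.com", "url": "http://www.cnn.com"}
    print(json.dumps(enrich(msg, "squid", cfg, store), indent=2))
```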

...