Versions Compared


...

In order to apply this triage configuration, we must modify the configuration for the squid sensor in the enrichment topology.  To do this, we should modify /usr/metron/0.1BETA/config/zookeeper/sensors/squid.json on node1.  However, since the configuration in zookeeper may be out of sync with the configuration on disk, we must first make sure they are in sync by executing the following command:

/usr/metron/$METRON_RELEASE/bin/zk_load_configs.sh -m PULL -z $ZOOKEEPER_HOST:2181 -f -o /usr/metron/$METRON_RELEASE/config/zookeeper

We should ensure that the configuration for squid exists by inspecting it with

...

TODO: the directory sensors is wrong. It should be changed to enrichments. Also change field url to domain_without_subdomains

cat /usr/metron/$METRON_RELEASE/config/zookeeper/sensors/squid.json

Now we can edit the configuration.  In /usr/metron/$METRON_RELEASE/config/zookeeper/sensors/squid.json edit the section titled riskLevelRules and add the two rules above to the map:

...

After modifying the configuration, we can push the configuration back to zookeeper and have the enrichment topology pick it up with live data via

/usr/metron/$METRON_RELEASE/bin/zk_load_configs.sh -m PUSH -z $ZOOKEEPER_HOST:2181 -i /usr/metron/$METRON_RELEASE/config/zookeeper

Next, reload the data from part 4 via

tail /var/log/squid/access.log | /usr/hdp/current/kafka-broker/bin/kafka-console-producer.sh --broker-list $KAFKA_HOST:6667 --topic squid

If we now check the squid index using the elasticsearch head plugin, we can see the threat triage results as we would expect:
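The edit step above is a hand edit of squid.json between the PULL and the PUSH. As an added example (not code from the Metron project or this page), the helper below merges new riskLevelRules entries into a parsed copy of that file and refuses to silently overwrite a rule that already carries a different score, so the subsequent PUSH cannot drop a score someone else set. The nesting threatIntel -> triageConfig -> riskLevelRules, the sample config and the two rules are assumptions constructed for the example.

```python
import copy
import json

# Constructed sample of the relevant part of a squid.json enrichment config.
# The threatIntel -> triageConfig -> riskLevelRules nesting is an assumption
# about the config layout, not copied from this page.
SAMPLE_SQUID_JSON = """
{
  "index": "squid",
  "batchSize": 1,
  "threatIntel": {
    "triageConfig": {
      "riskLevelRules": {
        "exists(is_alert) && is_alert == true": 5
      },
      "aggregator": "MAX"
    }
  }
}
"""


def load_config(text):
    """Parse the JSON text of an enrichment config into a dict."""
    return json.loads(text)


def add_risk_level_rules(config, new_rules):
    """Return a copy of config with new_rules merged into riskLevelRules.

    Keys are Stellar expressions, values are numeric scores. A rule already
    present with a different score raises instead of being overwritten; a
    non-numeric score raises so a broken map is never pushed to zookeeper.
    """
    updated = copy.deepcopy(config)
    triage = updated.setdefault("threatIntel", {}).setdefault("triageConfig", {})
    rules = triage.setdefault("riskLevelRules", {})
    triage.setdefault("aggregator", "MAX")  # assumed default aggregator
    for expr, score in new_rules.items():
        # bool is a subclass of int, so exclude it explicitly
        if isinstance(score, bool) or not isinstance(score, (int, float)):
            raise ValueError("score for %r must be numeric, got %r" % (expr, score))
        if expr in rules and rules[expr] != score:
            raise ValueError("rule %r already has score %r" % (expr, rules[expr]))
        rules[expr] = score
    return updated


def merge_rules_file(text, new_rules):
    """Parse squid.json text, merge rules, and return the JSON to write back."""
    return json.dumps(add_risk_level_rules(load_config(text), new_rules), indent=2)
```

Write the returned JSON back to squid.json before running the PUSH command, leaving the original file untouched if the function raises.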

...