Github user anandsubbu commented on a diff in the pull request:

    https://github.com/apache/metron/pull/817#discussion_r147708307
  
    --- Diff: metron-platform/metron-elasticsearch/README.md ---
    @@ -81,3 +81,13 @@ curl -XPUT 
"http://${ELASTICSEARCH}:9200/${SENSOR}_index*/_mapping/${SENSOR}_doc
     '
     rm ${SENSOR}.template
     ```
    +
    +## Installing Elasticsearch Templates
    +
    +The stock set of Elasticsearch templates for bro, snort, yaf, error index 
and meta index are installed automatically during the first time install and 
startup of Metron Indexing service.
    +
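Review bot: the new paragraph documents only the happy path; per the discussion on this thread it should also state what happens when the Elasticsearch service is down while Metron Indexing starts (only a warning is logged in the Ambari install logs, the Indexing service starts anyway, and the templates are not installed) and how the admin installs them afterwards. Suggest appending a sentence such as: "If the Elasticsearch service is not running when Indexing starts, the templates are not installed; install them later from the Ambari UI via Services -> Metron -> Service Actions -> Elasticsearch Template Install."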
    --- End diff --
    
    Okay, let me try to explain more using examples:
    
    **Scenario 1 - Happy Path**
    * Fresh install
    * ES service up and running
    * When the Indexing service comes up, it also installs the ES templates
    * Admin can start ingesting into sensors, launch alerts UI and everything works
    
    **Scenario 2 - ES service down**
    * Fresh install
    * For some reason, the ES service is down when the Indexing service is coming up
    * We log a warning message in the Ambari install logs, and the Indexing service starts up fine.
    * Once the ES service issue is resolved, the Admin needs to install the ES templates manually before s/he can start ingesting into sensors. This can be done in two ways:
      1) Using the Ambari UI -> Services -> Metron -> Service Actions -> Elasticsearch Template Install
      2) By stopping the Metron Indexing service from Ambari UI, and starting it again so that it can trigger the piece of code to install the template.
    
    Now, from a documentation perspective, point 2 above is counterintuitive IMHO, since it would not make sense to ask the Admin to stop/start the Indexing service in order to have the ES template installed. I have hence documented only the first option--which is also the same way it is done presently.
    
    Let me know if this helps clarify.
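The ES-down scenario above leaves the cluster without templates until an admin runs the Ambari service action. The following is an added example (not Metron's own code) of the check an operator would run before ingesting: it fetches the installed templates from Elasticsearch and reports which stock ones are missing, or that ES is still unreachable. The template names (`${SENSOR}_index`, with `metaalert_index` for the meta index) and the ES URL are assumptions.

```python
"""Report which stock Metron Elasticsearch templates are missing (added example)."""
import json
import sys
import urllib.error
import urllib.request

# Assumed names, following the ${SENSOR}_index pattern used in the README.
STOCK_TEMPLATES = ("bro_index", "snort_index", "yaf_index",
                   "error_index", "metaalert_index")

# Constructed sample of what GET /_template returns when only three are installed.
SAMPLE_RESPONSE = {"bro_index": {"template": "bro_index*"},
                   "snort_index": {"template": "snort_index*"},
                   "yaf_index": {"template": "yaf_index*"}}


def missing_templates(installed, required=STOCK_TEMPLATES):
    """Return required template names absent from a parsed /_template response."""
    return [name for name in required if name not in installed]


def fetch_templates(es_url, timeout=5):
    """GET /_template; return the parsed JSON, or None if ES is unreachable."""
    try:
        with urllib.request.urlopen(f"{es_url}/_template", timeout=timeout) as resp:
            return json.load(resp)
    except (urllib.error.URLError, OSError, ValueError):
        return None


def check(es_url):
    """Return (status, missing): status is 'unreachable', 'missing' or 'ok'."""
    installed = fetch_templates(es_url)
    if installed is None:
        return "unreachable", list(STOCK_TEMPLATES)
    missing = missing_templates(installed)
    return ("missing" if missing else "ok"), missing


if __name__ == "__main__":
    url = sys.argv[1] if len(sys.argv) > 1 else "http://localhost:9200"
    status, missing = check(url)
    if status == "unreachable":
        print(f"{url} unreachable: templates cannot be verified, do not start ingesting yet")
    elif status == "missing":
        print("Missing templates (run Ambari 'Elasticsearch Template Install'):",
              ", ".join(missing))
    else:
        print("All stock templates are installed")
    sys.exit(0 if status == "ok" else 1)
```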
