How would I do that without Kibana? Having a SIEM without the ability to
see raw processed events (whether they are alerts or not), would be a
big issue I think.
Or would Kibana always be required, just not installed by Metron?
On 2017-11-01 11:34, Michael Miklavcic wrote:
You could absolutely still do it, I'm simply saying it would not be
managed
by us.
On Nov 1, 2017 12:20 PM, "Laurens Vets" <laur...@daemon.be> wrote:
If there's a viable way of looking at raw processed events (not
necessarily alerts), then I'm all for removeing Kibana. I use Discover
a
lot to filter and look at events and create new policies from that.
Is there currently a simple way to do this without Kibana?
On 2017-11-01 09:13, Michael Miklavcic wrote:
As part of the ES upgrade, I got to thinking that it makes sense to
remove
Kibana and the dashboards we're currently bundling in the MPack. To
be
clear, this would not remove the ability to independently install and
use
Kibana if the user so chooses, it would only remove the dashboards,
and
potentially, the Ambari/MPack management support that we ship.
*pros*
Removes need to support tooling outside our wheelhouse
Smaller testing effort for ongoing support and future upgrades
Simplifies our base Metron install via Ambari. Also simplifies full
dev
setup.
*cons*
User would need to install and setup their own Kibana instance and
dashboards.
If any existing users are using this, they'd need to backup and
manage
their own Kibana dashboards going forward. They would also need to
handle
any upgrade issues with Kibana post-Metron ES 5.x upgrade.
Any concerns?
Mike
