Github user nickwallen commented on the issue:

    https://github.com/apache/incubator-metron/pull/158
  
    +1, FWIW.
    
    It is solid on vagrant.  It seems to work mostly on AWS, but not all the time.  I have added additional checks where possible. I'm going to recommend that we merge this, get more people using it, and then learn from their experience and patch if needed.
    
    When it does not work, it is because the index templates do not exist when ES is restarted by Monit. If it does not work, here is the work-around.
    
    (1) Define which Elasticsearch master to work with.
    
    ```
    export ES_HOST="http://ec2-52-25-237-20.us-west-2.compute.amazonaws.com:9200";
    ```
    
    (2) Confirm the index templates are missing.  
    
    ```
    # listing the installed templates is a read, so use GET (POST would not list anything)
    curl -s -XGET $ES_HOST/_template/
    ```
    
    (3) Manually load the index templates.
    
    ```
    cd metron-deployment
    export ES_HOST="http://ec2-52-25-237-20.us-west-2.compute.amazonaws.com:9200";
    curl -s -XPOST $ES_HOST/_template/bro_index -d @roles/metron_elasticsearch_templates/files/es_templates/bro_index.template
    curl -s -XPOST $ES_HOST/_template/snort_index -d @roles/metron_elasticsearch_templates/files/es_templates/snort_index.template
    curl -s -XPOST $ES_HOST/_template/yaf_index -d @roles/metron_elasticsearch_templates/files/es_templates/yaf_index.template
    ```
    
    (4) Delete the existing indexes.  Only a new index will use the template.
    
    ```
    # delete the data indexes, not the templates just loaded in step 3
    # (the index names are assumed to start with the template name)
    curl -s -XDELETE "$ES_HOST/yaf_index*"
    curl -s -XDELETE "$ES_HOST/bro_index*"
    curl -s -XDELETE "$ES_HOST/snort_index*"
    ```
    
    (5) Open up Kibana and wait for the new indexes to be created.  The dashboard should now work.
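The work-around above is a one-off; a restart by Monit can leave the cluster without templates again. The script below, added here as an example and not part of the PR or of Metron itself, turns steps (2) and (3) into an idempotent check: it lists the installed templates with GET, computes which of the expected names are missing, and only loads those, using PUT (ES accepts PUT or POST on `/_template/<name>`; PUT makes re-runs harmless). It assumes `ES_HOST` points at the Elasticsearch HTTP port, that `TEMPLATE_DIR` holds the Metron template files named `<name>.template`, and that the three template names are the ones used in the comment; the template listing used to test `missing_templates` is constructed.

```shell
#!/bin/sh
# Added example (not from the PR or the Metron project): idempotent template loader.
# Assumptions: ES_HOST is the Elasticsearch HTTP endpoint, TEMPLATE_DIR holds
# <name>.template files, TEMPLATES are the names the dashboard expects.
set -eu

ES_HOST="${ES_HOST:-http://localhost:9200}"
TEMPLATE_DIR="${TEMPLATE_DIR:-roles/metron_elasticsearch_templates/files/es_templates}"
TEMPLATES="bro_index snort_index yaf_index"

# Print, one per line, the names in $2.. that are not top-level keys of the JSON
# listing in $1 (the body returned by GET /_template/). ES emits the listing with
# no whitespace, so a top-level key looks exactly like "name":{ and a fixed-string
# grep is enough here.
missing_templates() {
  listing="$1"; shift
  for name in "$@"; do
    if ! printf '%s' "$listing" | grep -qF "\"$name\":{"; then
      printf '%s\n' "$name"
    fi
  done
}

# Fetch the current template listing. -f makes curl exit non-zero on an HTTP error
# or a down cluster, which is the state the comment describes after a Monit restart.
fetch_listing() {
  curl -sf -XGET "$ES_HOST/_template/"
}

# PUT each named template from its file. PUT is idempotent, so re-running is safe,
# and the explicit content type keeps newer ES versions from rejecting the body.
load_missing() {
  for name in "$@"; do
    file="$TEMPLATE_DIR/$name.template"
    [ -r "$file" ] || { echo "template file not found: $file" >&2; return 1; }
    curl -sf -XPUT "$ES_HOST/_template/$name" \
      -H 'Content-Type: application/json' -d "@$file" >/dev/null
    echo "loaded template $name"
  done
}

main() {
  listing="$(fetch_listing)"
  # word-splitting on $TEMPLATES and $missing is intended: they are space/newline
  # separated name lists, never paths with spaces
  missing="$(missing_templates "$listing" $TEMPLATES)"
  if [ -z "$missing" ]; then
    echo "all templates present on $ES_HOST"
  else
    load_missing $missing
  fi
}

# Only talk to a cluster when invoked with "run"; sourcing the file just defines functions.
case "${1:-}" in run) main ;; esac
```

Run it as `ES_HOST=http://<es-master>:9200 sh ensure_templates.sh run` from `metron-deployment` (or point `TEMPLATE_DIR` at the templates directory). Because it loads nothing that is already present, it can be scheduled, or hooked into whatever restarts Elasticsearch, without touching the existing indexes; step (4) of the work-around is still needed once for indexes that were created while the templates were absent.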

