Github user kylerichardson commented on the issue:
https://github.com/apache/incubator-metron/pull/276
**Testing**
It occurs to me I haven't outlined how to test or how I tested this code
(apologies, this is my first PR).
All my testing was performed on a single-node VM (no sensors). This should
mimic the quick-dev environment (unfortunately, I haven't had much luck with
Vagrant due to my primary OS being Windows).
Test Steps
1) Deploy single-node VM using the metron_full_install Ansible playbook (I can
provide my host and group_vars if anyone is interested)
2) Stop unused parsers
`monit stop pcap-parser`
`monit stop yaf-parser`
`monit stop bro-parser`
`monit stop snort-parser`
3) Install elasticsearch head
`/usr/share/elasticsearch/bin/plugin install mobz/elasticsearch-head`
4) Start the asa parser topology
`start_parser_topology.sh -k node1:6667 -z node1:2181 -s asa`
5) Use the console producer to load raw asa events into kafka
`/usr/hdp/current/kafka-broker/bin/kafka-console-producer.sh --broker-list node1:6667 --topic asa < asa_raw.txt`
For test data I used the sample data provided for integration testing and
raw data collected from one of my devices.
6) Verify events in elasticsearch
Using the head plugin, I could browse the asa_index_* index and see the
enriched events
Future enhancements
1) I could not add the asa* indexes to Kibana. I believe an Elasticsearch
template is required. I'll be working on that as a future PR.
2) Minor bug in one of the Ansible roles (metron_common). The logic to
verify the jars exist is done remotely and should be done locally. I'll submit
a separate JIRA and PR for this fix.
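The test procedure in the comment above pushes raw ASA syslog into the asa Kafka topic and then looks for the parsed events in the asa_index_* index. The script below is an added example for this thread, not part of the original comment and not the Metron ASA parser (which is Java). It does the pre-flight check a tester would want before step 5: it parses each raw line according to the Cisco ASA syslog header layout and the bodies of the common connection (302013/302014) and deny (106023) messages, rejects malformed lines instead of letting them into the topic, and counts events per message ID so the total can be compared with the document count Elasticsearch reports. The sample lines are constructed rather than captured from a device, the ip_src_addr/ip_src_port/ip_dst_addr/ip_dst_port naming is assumed here to match Metron's enrichment convention, and the `year` argument is needed because syslog timestamps carry none.

```python
"""Pre-flight check for raw Cisco ASA syslog before it goes into the 'asa'
Kafka topic. Added example for this thread: it is NOT the Metron ASA parser
(that one is Java); the sample lines below are constructed, not captured."""
import re
import sys
from collections import Counter
from datetime import datetime

# Syslog header as the ASA emits it: <PRI>Mon DD HH:MM:SS host %ASA-sev-id: body
HEADER_RE = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?"                               # PRI is optional
    r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "    # no year in syslog
    r"(?P<host>\S+) "
    r"%ASA-(?P<severity>[0-7])-(?P<msg_id>\d{6}): "
    r"(?P<message>.*)$"
)
# 302013 (Built) / 302014 (Teardown): Teardown carries no direction and no
# NAT'd address in parentheses, so both parts are optional.
CONN_RE = re.compile(
    r"^(?P<action>Built|Teardown) (?:(?P<direction>inbound|outbound) )?"
    r"(?P<protocol>TCP|UDP) connection (?P<conn_id>\d+) for "
    r"(?P<src_zone>[^:\s]+):(?P<ip_src_addr>[\d.]+)/(?P<ip_src_port>\d+)"
    r"(?: \([\d.]+/\d+\))? to "
    r"(?P<dst_zone>[^:\s]+):(?P<ip_dst_addr>[\d.]+)/(?P<ip_dst_port>\d+)"
)
# 106023: Deny <proto> src zone:ip/port dst zone:ip/port by access-group ...
DENY_RE = re.compile(
    r"^Deny (?P<protocol>\w+) src "
    r"(?P<src_zone>[^:\s]+):(?P<ip_src_addr>[\d.]+)/(?P<ip_src_port>\d+) dst "
    r"(?P<dst_zone>[^:\s]+):(?P<ip_dst_addr>[\d.]+)/(?P<ip_dst_port>\d+)"
)
BODY_PARSERS = {"302013": CONN_RE, "302014": CONN_RE, "106023": DENY_RE}

# Constructed sample events (not from a real device); the last one is deliberately
# not an ASA message so the rejection path gets exercised.
SAMPLE_LINES = [
    "<174>Jan  5 14:52:35 10.22.8.212 %ASA-6-302013: Built inbound TCP connection "
    "76245503 for outside:10.22.8.233/54209 (10.22.8.233/54209) "
    "to inside:198.111.72.238/443 (198.111.72.238/443)",
    "<174>Jan  5 14:52:40 10.22.8.212 %ASA-6-302014: Teardown TCP connection "
    "76245503 for outside:10.22.8.233/54209 to inside:198.111.72.238/443 "
    "duration 0:00:05 bytes 3452 TCP FINs",
    "<172>Jan  5 14:53:01 10.22.8.212 %ASA-4-106023: Deny tcp src "
    "outside:10.22.8.240/3389 dst inside:198.111.72.238/3389 "
    'by access-group "outside_access_in" [0x0, 0x0]',
    "Jan  5 14:53:02 10.22.8.212 sshd[1234]: not an ASA message at all",
]


def parse_asa_line(line, year):
    """Return a flat event dict, or raise ValueError for anything a parser
    topology would choke on. `year` is required because the syslog timestamp
    carries none (an assumption of this example)."""
    line = line.strip()
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError("no ASA syslog header: %r" % line[:60])
    h = m.groupdict()
    ts = re.sub(r"\s+", " ", h["ts"])                      # "Jan  5" -> "Jan 5"
    event = {
        "original_string": line,
        "host": h["host"],
        "severity": int(h["severity"]),
        "msg_id": h["msg_id"],
        "timestamp": datetime.strptime("%d %s" % (year, ts),
                                       "%Y %b %d %H:%M:%S").isoformat(),
        "message": h["message"],
    }
    if h["pri"] is not None:                               # PRI = facility*8 + severity
        event["syslog_facility"], event["syslog_severity"] = divmod(int(h["pri"]), 8)
    body_re = BODY_PARSERS.get(h["msg_id"])
    if body_re is not None:                                # IDs we pull a 5-tuple from
        b = body_re.match(h["message"])
        if not b:
            raise ValueError("malformed %s body: %r" % (h["msg_id"], h["message"][:60]))
        fields = {k: v for k, v in b.groupdict().items() if v is not None}
        fields["protocol"] = fields["protocol"].lower()
        for k in ("ip_src_port", "ip_dst_port"):
            fields[k] = int(fields[k])
        event.update(fields)
    return event


def parse_lines(lines, year):
    """Split raw lines into (parsed events, [(line, reason), ...] rejects)."""
    parsed, rejected = [], []
    for raw in lines:
        if not raw.strip():
            continue
        try:
            parsed.append(parse_asa_line(raw, year))
        except ValueError as exc:
            rejected.append((raw.strip(), str(exc)))
    return parsed, rejected


def count_by_msg_id(events):
    """Per-message-ID counts to compare with what lands in asa_index_*."""
    return dict(Counter(e["msg_id"] for e in events))


if __name__ == "__main__":
    # python asa_check.py asa_raw.txt > asa_clean.txt   (rejects go to stderr)
    src = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LINES
    good, bad = parse_lines(src, datetime.now().year)
    for e in good:
        print(e["original_string"])
    for raw, why in bad:
        sys.stderr.write("REJECT %s: %s\n" % (why, raw))
    sys.stderr.write("per msg_id: %s\n" % count_by_msg_id(good))
```

Feeding the cleaned output (rather than the raw file) to kafka-console-producer in step 5 means every line sent is one the topology should parse, so a shortfall in the Elasticsearch document count afterwards points at the topology or indexing rather than at bad input; the per-message-ID counts on stderr give the expected figures to compare against.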