[
https://issues.apache.org/jira/browse/METRON-1283?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Nick Allen updated METRON-1283:
-------------------------------
Fix Version/s: 0.4.2
> Install Elasticsearch template as a part of the mpack startup scripts
> ---------------------------------------------------------------------
>
> Key: METRON-1283
> URL: https://issues.apache.org/jira/browse/METRON-1283
> Project: Metron
> Issue Type: Bug
> Reporter: Anand Subramanian
> Assignee: Anand Subramanian
> Fix For: 0.4.2
>
>
> For a Metron multi-node deployment using mpack, the Elasticsearch template is
> required to be installed manually post-setup. These templates are required
> for the proper working of, e.g., the Alerts UI.
> In the event that these templates are not installed, and if data is ingested,
> these would not be shown in the Alerts UI, since there would be missing
> fields without the template files (E.g. snort alert indices are not displayed
> in the Alerts UI, since it is missing the "alerts" field from the mapping).
> In such a case, one needs to install the templates, delete all indices for
> the given parser and re-ingest data again into the parser for it to appear in
> the Alerts UI.
> Further, the indices from all the parsers will have to be deleted and
> re-ingested again which could be a tedious job in the event that this step
> was missed out by chance. I have also seen other ill-effects from having
> stale indices for parsers that were created before template install.
> While documenting the template installation is a good practice, nothing would
> be more failsafe than installing the template as a part of the mpack startup
> scripts themselves.
> Note that this issue would not be seen on vagrant deployments, since the
> 'load_web_templates' role would trigger the installation automatically.