[ 
https://issues.apache.org/jira/browse/METRON-363?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15529435#comment-15529435
 ] 

ASF GitHub Bot commented on METRON-363:
---------------------------------------

Github user kylerichardson commented on the issue:

    https://github.com/apache/incubator-metron/pull/276
  
    **Testing**
    
    It occurs to me I haven't outlined how to test or how I tested this code (apologies, this is my first PR).
    
    All my testing was performed on a single node vm (no sensors). This should mimic the quick-dev environment (unfortunately, I haven't had much luck with vagrant due to my primary OS being Windows).
    
    Test Steps
    
    1) Deploy single node vm using metron_full_install ansible playbook (I can provide my host and group_vars if anyone is interested)
    
    2) Stop unused parsers
    `monit stop pcap-parser`
    `monit stop yaf-parser`
    `monit stop bro-parser`
    `monit stop snort-parser`
    
    3) Install elasticsearch head
    `/usr/share/elasticsearch/bin/plugin install mobz/elasticsearch-head`
    
    4) Start the asa parser topology
    `start_parser_topology.sh -k node1:6667 -z node1:2181 -s asa`
    
    5) Use the console producer to load raw asa events into kafka
    `/usr/hdp/current/kafka-broker/bin/kafka-console-producer.sh --broker-list node1:6667 --topic asa < asa_raw.txt`
    For test data I used the sample data provided for integration testing and raw data collected from one of my devices.
    
    6) Verify events in elasticsearch
    Using the head plugin, I could browse the asa_index_* index and see the enriched events.
    
    Future enhancements
    
    1) I could not add the asa* indexes to kibana. I believe an elasticsearch template is required. I'll be working on that as a future PR.
    
    2) Minor bug in one of the ansible roles (metron_common). The logic to verify the jars exist is done remotely and should be done locally. I'll submit a separate JIRA and PR for this fix.
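Step 5 of the procedure above pipes a raw file straight into the Kafka topic, so any non-ASA lines mixed into a capture end up in the parser's error path rather than in the asa_index_* index. The following pre-flight check is an added example, not code from the PR or from Metron: it separates lines carrying a well-formed Cisco ASA syslog tag (`%ASA-<severity>-<message id>:`) from everything else and reports the counts, so a raw file can be cleaned before loading. The helper names, the regex and the sample lines are constructed assumptions here, not device output or project code.

```shell
#!/bin/sh
# Added example (not part of the PR or of Metron): pre-flight check on a raw
# ASA syslog file before piping it into kafka-console-producer.
# Assumption: every event the asa parser should see carries the Cisco ASA
# syslog tag "%ASA-<severity 0-7>-<six-digit message id>:".

ASA_TAG='%ASA-[0-7]-[0-9]{6}:'

# Print only the lines carrying a well-formed ASA tag (safe to load).
asa_valid_lines() {
    grep -E "$ASA_TAG" "$1"
}

# Print the lines lacking the tag (inspect these before loading).
asa_invalid_lines() {
    grep -Ev "$ASA_TAG" "$1"
}

# Number of well-formed events in the file (trailing spaces from wc stripped).
asa_valid_count() {
    asa_valid_lines "$1" | wc -l | tr -d ' '
}

# Number of lines that would not parse as ASA events.
asa_invalid_count() {
    asa_invalid_lines "$1" | wc -l | tr -d ' '
}

# Constructed sample file: three ASA-tagged lines and one stray line.
# Addresses are documentation ranges; the message ids are standard ASA ids.
SAMPLE_FILE=$(mktemp)
cat > "$SAMPLE_FILE" <<'EOF'
<166>Sep 27 10:00:01 asa-fw-1 %ASA-6-302013: Built inbound TCP connection 12345 for outside:203.0.113.10/51000 (203.0.113.10/51000) to inside:192.0.2.20/443 (192.0.2.20/443)
<164>Sep 27 10:00:02 asa-fw-1 %ASA-4-106023: Deny tcp src outside:203.0.113.11/52000 dst inside:192.0.2.21/22 by access-group "outside_in" [0x0, 0x0]
stray line that is not an ASA event
<166>Sep 27 10:00:03 asa-fw-1 %ASA-6-302014: Teardown TCP connection 12345 for outside:203.0.113.10/51000 to inside:192.0.2.20/443 duration 0:00:02 bytes 1500 TCP FINs
EOF

echo "well-formed ASA events: $(asa_valid_count "$SAMPLE_FILE")"
echo "lines needing review:   $(asa_invalid_count "$SAMPLE_FILE")"
asa_invalid_lines "$SAMPLE_FILE"
```

In practice you would write `asa_valid_lines asa_raw.txt > asa_clean.txt` and feed asa_clean.txt to the console producer in step 5, keeping the rejected lines aside so a parsing failure in Elasticsearch can be traced to a genuinely malformed ASA message rather than to noise in the capture.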



> Fix Cisco ASA Parser
> --------------------
>
>                 Key: METRON-363
>                 URL: https://issues.apache.org/jira/browse/METRON-363
>             Project: Metron
>          Issue Type: Improvement
>            Reporter: Kyle Richardson
>            Priority: Minor
>
> The current ASA parser is broken. This effort is to rework the current parser 
> to support the variety of syslog messages produced by Cisco ASA devices as 
> well as provide the necessary support files/configs for easier deployment of 
> the Storm topology.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)