Re: Sizing of components proportional to EPS

2017-10-17 Thread Simon Elliston Ball
To an extent it very much depends on the use case. I have seen over a million EPS on a six node cluster for pcap and basic NetFlow. If you add a lot of complex enrichment and profiling that will obviously increase the load. Tuning the components for the workload can also make a significant

[GitHub] metron pull request #804: METRON-1260 Include Alerts UI in Ambari Service Ch...

2017-10-17 Thread nickwallen
GitHub user nickwallen opened a pull request: https://github.com/apache/metron/pull/804 METRON-1260 Include Alerts UI in Ambari Service Check As part of #799, I improved the Ambari Service Check for Metron. I failed to include any checks for the Alerts UI, that being a new

Sizing of components proportional to EPS

2017-10-17 Thread ed d
Is there a rough guide to match EPS to an architectural sizing guide? I know it's very difficult to extrapolate out, but a rough estimate would be nice. This may have already been attempted, and if yes, then please disregard. Or can anyone share what they have found to work best? For example,

[GitHub] metron pull request #803: Metron-1252: Build ui for grouping alerts into met...

2017-10-17 Thread iraghumitra
GitHub user iraghumitra opened a pull request: https://github.com/apache/metron/pull/803 Metron-1252: Build ui for grouping alerts into meta alerts ## Contributor Comments The purpose of the PR is to provide GUI for grouping multiple alerts into a meta alert, the rest api for

[GitHub] metron pull request #802: METRON-1255: MetaAlert search is not filtering on ...

2017-10-17 Thread merrimanr
GitHub user merrimanr opened a pull request: https://github.com/apache/metron/pull/802 METRON-1255: MetaAlert search is not filtering on status ## Contributor Comments This PR primarily fixes filtering on metaalert status but also includes a couple other minor fixes as well.

Re: Stellar support for switch/case style conditionals

2017-10-17 Thread Otto Fowler
OK On October 17, 2017 at 14:28:02, Casey Stella (ceste...@gmail.com) wrote: Yeah, default would be a keyword. We could also do match(variable1 as x, variable2 as y) if you want to alias your fields *or* you could do match { ... } if you don't want to alias your variables. e.g. if you had a

Re: Stellar support for switch/case style conditionals

2017-10-17 Thread Casey Stella
There's no string concat candy, so that'd probably be default: FORMAT('critical-%s%s', x, y) On Tue, Oct 17, 2017 at 2:28 PM, Otto Fowler wrote: > match(longer_variable -> x, other_variable -> y) { x < 10 : 'info', x <= > 20 : 'warn', x < y : 'oh boy', default:

Re: Stellar support for switch/case style conditionals

2017-10-17 Thread Casey Stella
Yeah, default would be a keyword. We could also do match(variable1 as x, variable2 as y) if you want to alias your fields *or* you could do match { ... } if you don't want to alias your variables. e.g. if you had a field threat.triage.level either of these would work: match(threat.triage.level

Re: Stellar support for switch/case style conditionals

2017-10-17 Thread Otto Fowler
match(longer_variable -> x) { x < 10 : 'info', x <= 20 : 'warn', default: 'critical' + TO_STRING(x) } On October 17, 2017 at 14:24:09, Otto Fowler (ottobackwa...@gmail.com) wrote: match(longer_variable -> x) { x < 10 : 'info', x <= 20 : 'warn', default: 'critical' }

Re: Stellar support for switch/case style conditionals

2017-10-17 Thread Otto Fowler
No that is it. So default would be a keyword? And a lambda that uses x can be used on the right side of the : On October 17, 2017 at 14:21:01, Casey Stella (ceste...@gmail.com) wrote: So, just to map this onto the example, you mean: match(longer_variable -> x) { x < 10 : 'info', x <= 20 :

Re: Stellar support for switch/case style conditionals

2017-10-17 Thread Casey Stella
So, just to map this onto the example, you mean: match(longer_variable -> x) { x < 10 : 'info', x <= 20 : 'warn', default: 'critical' } ? I took the liberty of adding a default keyword there the evaluation of the conditionals are considered lambda functions also. Did I catch the spirit of the
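Added example (not Stellar's grammar and not Metron code): a small Python evaluator for the `match(field -> alias, ...) { condition : result, ..., default : result }` construct as sketched in this thread, so the proposed semantics can be exercised against a message. It takes from the messages above the `->` alias arrow, the comma-separated `condition : result` clauses, the `default` keyword, the alias-free `match { ... }` form and `FORMAT(...)` as the string-concatenation stand-in. Everything else is an assumption made for the demonstration: clauses are tried top to bottom and the first true condition wins, a condition is a single comparison between two operands (field, alias, number or quoted string), and `default` must be the last clause. The comparison evaluator deliberately avoids `eval`, so values taken from an untrusted message can never be executed as code. The rule and message fields below are constructed.

```python
"""Evaluator for the proposed match(...) { ... } construct.

Added example, not Stellar's parser: the alias arrow, the `default` keyword
and the FORMAT(...) stand-in come from the thread; the operand and
comparison rules below are assumptions made for this demonstration.
"""
import operator
import re

# Two-character operators must be tried before the one-character ones.
_CMP = (
    ("<=", operator.le), (">=", operator.ge), ("==", operator.eq),
    ("!=", operator.ne), ("<", operator.lt), (">", operator.gt),
)
_HEAD = re.compile(
    r"^\s*match\s*(?:\((?P<aliases>[^)]*)\))?\s*\{(?P<body>.*)\}\s*$", re.S)
_ALIAS = re.compile(r"^\s*([\w.]+)\s*->\s*(\w+)\s*$")
_FORMAT = re.compile(r"^\s*FORMAT\s*\((.*)\)\s*$", re.S)


def _split_top(text, sep=","):
    """Split on `sep` occurrences that are outside quotes and parentheses."""
    parts, cur, depth, quote = [], [], 0, None
    for ch in text:
        if quote:
            if ch == quote:
                quote = None
        elif ch in "'\"":
            quote = ch
        elif ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
        elif ch == sep and depth == 0:
            parts.append("".join(cur))
            cur = []
            continue
        cur.append(ch)
    parts.append("".join(cur))
    return [p for p in parts if p.strip()]


def _atom(token, env):
    """Operand: quoted string, integer, float, or a field/alias looked up in env."""
    token = token.strip()
    if len(token) >= 2 and token[0] == token[-1] and token[0] in "'\"":
        return token[1:-1]
    for conv in (int, float):
        try:
            return conv(token)
        except ValueError:
            pass
    if token not in env:
        raise NameError("unbound variable %r" % token)
    return env[token]


def _condition(text, env):
    """`a OP b` with OP from _CMP; a lone operand is tested for truthiness."""
    for op, fn in _CMP:
        if op in text:
            lhs, rhs = text.split(op, 1)
            return fn(_atom(lhs, env), _atom(rhs, env))
    return bool(_atom(text, env))


def _result(text, env):
    """Right-hand side: FORMAT('template', args...) or a single operand."""
    m = _FORMAT.match(text)
    if m:
        template, *args = (_atom(p, env) for p in _split_top(m.group(1)))
        return template % tuple(args)        # %s placeholders, as in the thread
    return _atom(text, env)


def evaluate_match(expression, message):
    """Evaluate one match expression against a message (dict field -> value)."""
    head = _HEAD.match(expression)
    if not head:
        raise SyntaxError("not a match expression")
    env = dict(message)                      # fields stay visible unaliased too
    for part in _split_top(head.group("aliases") or ""):
        alias = _ALIAS.match(part)
        if not alias:
            raise SyntaxError("bad alias %r" % part)
        field, name = alias.groups()
        env[name] = _atom(field, env)        # NameError if the field is absent
    clauses = _split_top(head.group("body"))
    for index, clause in enumerate(clauses):
        parts = _split_top(clause, ":")
        if len(parts) != 2:
            raise SyntaxError("clause must be `condition : result`: %r" % clause)
        condition, result = parts
        if condition.strip() == "default":
            if index != len(clauses) - 1:    # assumption: default closes the match
                raise SyntaxError("default must be the last clause")
            return _result(result, env)
        if _condition(condition, env):       # first true clause wins
            return _result(result, env)
    raise SyntaxError("match without a default clause")


# Constructed rule combining the aliased form and the FORMAT fallback.
EXAMPLE_RULE = ("match(threat.triage.level -> x, threat.triage.score -> y) "
                "{ x < 10 : 'info', x <= 20 : 'warn', "
                "x < y : FORMAT('critical-%s%s', x, y), default : 'critical' }")

if __name__ == "__main__":
    for level, score in ((5, 1), (15, 1), (30, 50), (30, 1)):
        msg = {"threat.triage.level": level, "threat.triage.score": score}
        print(level, score, "->", evaluate_match(EXAMPLE_RULE, msg))
```

The `default` clause is resolved lazily, like the other right-hand sides, so a `FORMAT(...)` there is only evaluated when no earlier clause matched; a rule without `default` is rejected rather than silently returning nothing.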

Re: ASA ciscotag error messages

2017-10-17 Thread Simon Elliston Ball
We certainly don’t parse every type of asa message at present. The challenge is getting hold of good samples from the wild to extend the range. If you have samples that can be anonymised of the missing tags, it would be easy to extend the patterns library to pull those in. What we need to get

Re: CEF parser only finding "Found %d groups"

2017-10-17 Thread ed d
https://issues.apache.org/jira/browse/METRON-1256 From: Otto Fowler Sent: Tuesday, October 17, 2017 1:16 PM To: dev@metron.apache.org; ed d Subject: Re: CEF parser only finding "Found %d groups" Would it be possible for you to create

Re: Sourcefire logs not being parsed due to "Unable to find SID in message"

2017-10-17 Thread Otto Fowler
Please post the jira numbers to the threads On October 17, 2017 at 13:18:07, ed d (ragdel...@hotmail.com) wrote: Yep, I will JIRA all the ones I emailed today, should be four.

Re: Sourcefire logs not being parsed due to "Unable to find SID in message"

2017-10-17 Thread Otto Fowler
Thanks, That way we can write tests at the same time we fix etc. On October 17, 2017 at 13:18:07, ed d (ragdel...@hotmail.com) wrote: Yep, I will JIRA all the ones I emailed today, should be four.

[GitHub] metron pull request #800: METRON-1251: Typo and formatting fixes for metron-...

2017-10-17 Thread simonellistonball
Github user simonellistonball commented on a diff in the pull request: https://github.com/apache/metron/pull/800#discussion_r145197280 --- Diff: metron-interface/metron-rest/README.md --- @@ -112,42 +112,42 @@ The following configures the application for MySQL: 1. Install

Re: Fireeye "unable to find timestamp"

2017-10-17 Thread Otto Fowler
Would it be possible for you to create a jira, which included the ‘raw’ data ( anonymized )? If this is a problem that we need to fix, it would be good to have a test case for the code etc to prove it. On October 17, 2017 at 13:03:11, ed d (ragdel...@hotmail.com) wrote: Apache metron 0.4.1,

Re: Sourcefire logs not being parsed due to "Unable to find SID in message"

2017-10-17 Thread Otto Fowler
Would it be possible for you to create a jira, which included the ‘raw’ data ( anonymized )? If this is a problem that we need to fix, it would be good to have a test case for the code etc to prove it. On October 17, 2017 at 13:04:29, ed d (ragdel...@hotmail.com) wrote: sorry, here is the

Fireeye "unable to find timestamp"

2017-10-17 Thread ed d
Apache metron 0.4.1, git cloned. Not sure of the version of FireEye, but it's NX data. Timestamp in the log is this format: "rt=Sep 25 2017 19:53:35" Basic FireEye parser does not seem to be parsing the NX timestamp. Snippet: o.a.m.p.f.BasicFireEyeParser [WARN] Unable to find timestamp in

Sourcefire logs not being parsed due to "Unable to find SID in message"

2017-10-17 Thread ed d
Apache metron 0.4.1, git cloned. Not sure the version of Sourcefire. Some logs are not being processed by Storm and the error message is "o.a.m.p.s.BasicSourcefireParser [WARN] Unable to find SID in message:". Do all Sourcefire log messages have to have the keyword "SID" in them, or the

ASA ciscotag error messages

2017-10-17 Thread ed d
Apache metron 0.4.1, git cloned. Not sure what version the ASA would be, there are multiples. Applied the ASA parser, seems to be working for a lot of traffic, but any traffic that has a cisco tag that doesn't match what's in the parser seems to not make it through. Is the ASA parser supposed

CEF parser only finding "Found %d groups"

2017-10-17 Thread ed d
Apache metron 0.4.1, git cloned. Applied the CEF parser in the Management UI to Zscaler traffic. I do see some traffic coming through, but most of the output in the storm log is "Found %d groups" How do I verify that all the traffic is flowing through and the logs causing the "Found %d
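Added example, not Metron's CEFParser or BasicFireEyeParser and not a fix for either log message quoted in these threads: a small Python CEF reader covering the two points where lines like the FireEye NX and Zscaler messages above usually trip a parser. The header is split only on unescaped `|` (a `\|` inside a field is data), the extension is sliced at `key=` boundaries with `\=` and `\\` unescaped, and `rt=` is accepted either as epoch milliseconds or as the `Sep 25 2017 19:53:35` form quoted in the FireEye thread, which carries no zone, so the caller has to state which zone to assume. The sample lines, vendor/product strings and field values are constructed; the header layout is the seven-field CEF header (version, vendor, product, device version, signature id, name, severity).

```python
"""Minimal CEF reader with rt= timestamp handling.

Added example, not Metron's CEFParser.  Sample lines are constructed.
Header: CEF:Version|Vendor|Product|DeviceVersion|SignatureId|Name|Severity|ext
"""
import re
from datetime import datetime, timezone

_HEADER_FIELDS = ("cefVersion", "deviceVendor", "deviceProduct",
                  "deviceVersion", "signatureId", "name", "severity")
# A key is a run of word characters followed by '=', at the start of the
# extension or after whitespace.  Values may contain spaces, so a value that
# itself contains "word=" would be misread; production parsers also check
# the key against the CEF dictionary before accepting it.
_KEY = re.compile(r"(?:^|(?<=\s))(\w+)=")
_EXT_ESCAPES = {"\\\\": "\\", "\\=": "=", "\\n": "\n", "\\r": "\r"}


def _split_header(text):
    """Split the seven '|'-delimited header fields; '\\|' is a literal pipe."""
    fields, cur, i = [], [], 0
    while i < len(text) and len(fields) < len(_HEADER_FIELDS):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):
            cur.append(text[i + 1])          # escaped '|' or '\'
            i += 2
            continue
        if ch == "|":
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    return fields, text[i:]                  # remainder is the extension


def _parse_extension(ext):
    """Slice key=value pairs at key boundaries and unescape the values."""
    out = {}
    keys = list(_KEY.finditer(ext))
    for n, m in enumerate(keys):
        end = keys[n + 1].start(1) if n + 1 < len(keys) else len(ext)
        raw = ext[m.end():end].rstrip()
        out[m.group(1)] = re.sub(r"\\[\\=nr]", lambda e: _EXT_ESCAPES[e.group(0)], raw)
    return out


def parse_rt(value, assume_tz=timezone.utc):
    """rt= is epoch milliseconds or 'MMM dd yyyy HH:mm:ss' (optionally with a
    numeric offset).  The FireEye form carries no zone, so assume_tz applies."""
    if value.isdigit():
        return datetime.fromtimestamp(int(value) / 1000, tz=timezone.utc)
    for fmt in ("%b %d %Y %H:%M:%S %z", "%b %d %Y %H:%M:%S"):
        try:
            parsed = datetime.strptime(value, fmt)
        except ValueError:
            continue
        return parsed if parsed.tzinfo else parsed.replace(tzinfo=assume_tz)
    raise ValueError("unrecognised rt value: %r" % value)


def parse_cef(line, assume_tz=timezone.utc):
    """Return header fields, extension fields and an epoch-ms 'timestamp'."""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF line")
    header, ext = _split_header(line[len("CEF:"):])
    if len(header) != len(_HEADER_FIELDS):
        raise ValueError("expected %d header fields, found %d"
                         % (len(_HEADER_FIELDS), len(header)))
    event = dict(zip(_HEADER_FIELDS, header))
    event.update(_parse_extension(ext))
    if "rt" in event:
        event["timestamp"] = int(parse_rt(event["rt"], assume_tz).timestamp() * 1000)
    return event


# Constructed samples: the first mimics the rt= shape quoted in the FireEye
# thread, the second exercises an escaped pipe and an epoch-millisecond rt=.
SAMPLE_FIREEYE = ("CEF:0|FireEye|NX|0.0|MO|malware-object|7|"
                  "rt=Sep 25 2017 19:53:35 src=10.0.0.5 dst=198.51.100.7 dpt=443 "
                  "msg=Header X\\=Y flagged")
SAMPLE_ESCAPED = "CEF:0|Vendor|Prod\\|uct|1.0|100|Name|5|src=192.0.2.1 rt=1506369215000"

if __name__ == "__main__":
    for sample in (SAMPLE_FIREEYE, SAMPLE_ESCAPED):
        for key, value in parse_cef(sample).items():
            print("%-14s %r" % (key, value))
        print()
```

The zone assumption matters operationally: a device that emits `rt=` without an offset while running in local time will be indexed hours off unless the collector passes its zone into `assume_tz`, and an event that is "in the future" relative to the indexer is easy to miss in time-bounded searches.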

[GitHub] metron pull request #800: METRON-1251: Typo and formatting fixes for metron-...

2017-10-17 Thread JonZeolla
Github user JonZeolla closed the pull request at: https://github.com/apache/metron/pull/800 ---

[GitHub] metron issue #800: METRON-1251: Typo and formatting fixes for metron-rest RE...

2017-10-17 Thread cestella
Github user cestella commented on the issue: https://github.com/apache/metron/pull/800 can you kick travis, @JonZeolla ? I think it ran at a weird time and the test failure is due to that. We should look into what caused that. ---

[GitHub] metron pull request #801: METRON-1254: Conditionals as map keys do not funct...

2017-10-17 Thread cestella
GitHub user cestella opened a pull request: https://github.com/apache/metron/pull/801 METRON-1254: Conditionals as map keys do not function in Stellar ## Contributor Comments We currently cannot represent map literals in stellar where the keys are conditionals. For instance,

[GitHub] metron issue #278: Metron 451 SerDeUtils - java.lang.ClassNotFoundException:...

2017-10-17 Thread ottobackwards
Github user ottobackwards commented on the issue: https://github.com/apache/metron/pull/278 This PR will be closed soon if not updated. Is there any update for its status? ---

Re: Can we close old inactive PR’s

2017-10-17 Thread Nick Allen
I am not completely sure, but I think committers are able to. On Tue, Oct 17, 2017 at 9:54 AM, Otto Fowler wrote: > Whom can open such a jira? Do we limit it to committers, PMC members? > > > On October 17, 2017 at 09:41:00, Nick Allen (n...@nickallen.org) wrote: > >

Re: Can we close old inactive PR’s

2017-10-17 Thread Nick Allen
If we've made an honest effort to contact the contributor, I think it is completely legit to force close it. I've done that a few times before actually. You just have to open a JIRA for Apache Infra to close the PR. On Tue, Oct 17, 2017 at 9:00 AM, Otto Fowler wrote:

Re: Can we close old inactive PR’s

2017-10-17 Thread Kyle Richardson
I was wondering that too. There are quite a few that have had no response in a long time. -Kyle On Tue, Oct 17, 2017 at 9:00 AM, Otto Fowler wrote: > Can we close PR’s that are inactive for long periods of time, with no > response to queries? > > Looking at :

Can we close old inactive PR’s

2017-10-17 Thread Otto Fowler
Can we close PR’s that are inactive for long periods of time, with no response to queries? Looking at : https://github.com/apache/metron/pull/278 for example.

Re: Suricata parser

2017-10-17 Thread Simon Elliston Ball
Suricata will quite happily produce json (http://suricata.readthedocs.io/en/latest/output/eve/eve-json-output.html ) , which works nicely in the JSONMapParser. You can then use simple field transformations from that
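Added example (not the JSONMapParser and not a Metron parser configuration): the shape of the processing described above, in Python, so the resulting field names can be inspected before a Suricata feed is wired into Metron. It flattens a constructed EVE alert record into dotted keys, which is the form a nested-map-unfolding JSON parser is assumed to produce here, converts Suricata's ISO-8601 timestamp into the epoch-millisecond `timestamp` Metron expects, and renames the five-tuple fields to the Metron names `ip_src_addr`, `ip_dst_addr`, `ip_src_port`, `ip_dst_port` and `protocol`. The rename table and the sample record are assumptions for this demonstration.

```python
"""Normalise a Suricata EVE JSON alert into Metron-style fields.

Added example, not Metron's JSONMapParser: the flattening and the field
renames are assumptions about what the parser plus field transformations
would produce.  SAMPLE_EVE is a constructed record, not captured data.
"""
import json
from datetime import datetime

SAMPLE_EVE = json.dumps({
    "timestamp": "2017-09-25T19:53:35.123456+0000",
    "flow_id": 1234567890123456,
    "in_iface": "eth1",
    "event_type": "alert",
    "src_ip": "10.0.0.5",
    "src_port": 51234,
    "dest_ip": "198.51.100.7",
    "dest_port": 443,
    "proto": "TCP",
    "alert": {
        "action": "allowed",
        "gid": 1,
        "signature_id": 2019401,
        "rev": 2,
        "signature": "CONSTRUCTED TEST Outbound beacon",
        "category": "A Network Trojan was detected",
        "severity": 1,
    },
    "flow": {"pkts_toserver": 3, "bytes_toserver": 420},
})

# Suricata field -> Metron field; anything not listed keeps its (dotted) name.
FIELD_RENAMES = {
    "src_ip": "ip_src_addr",
    "dest_ip": "ip_dst_addr",
    "src_port": "ip_src_port",
    "dest_port": "ip_dst_port",
    "proto": "protocol",
}


def flatten(obj, prefix=""):
    """Unfold nested objects into dotted keys: alert.signature_id, flow.pkts_toserver, ..."""
    out = {}
    for key, value in obj.items():
        name = "%s.%s" % (prefix, key) if prefix else key
        if isinstance(value, dict):
            out.update(flatten(value, name))
        else:
            out[name] = value
    return out


def eve_timestamp_ms(value):
    """Suricata writes e.g. 2017-09-25T19:53:35.123456+0000; return epoch ms."""
    return int(datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%f%z").timestamp() * 1000)


def normalise_eve(line):
    """Parse one EVE line and return the Metron-shaped event."""
    record = json.loads(line)
    event = {FIELD_RENAMES.get(k, k): v for k, v in flatten(record).items()}
    event["timestamp"] = eve_timestamp_ms(record["timestamp"])   # replaces the string
    event["original_string"] = line      # Metron keeps the raw message alongside
    return event


if __name__ == "__main__":
    for key, value in sorted(normalise_eve(SAMPLE_EVE).items()):
        print("%-22s %r" % (key, value))
```

EVE writes every event type (`alert`, `flow`, `dns`, `http`, ...) to the same stream with the same five-tuple fields, so `event_type` is the field to route on downstream; the nested `alert` object only exists on alert records, which is why the flattening leaves the prefix in place rather than hoisting `signature_id` to the top level.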

Re: Suricata parser

2017-10-17 Thread zeo...@gmail.com
I would love to see one, and if it doesn't exist in the next few weeks I'm going to take a stab at it. Jon On Mon, Sep 25, 2017, 09:49 Carolyn Duby wrote: > > Is anyone working on a Suricata parser? > > https://suricata-ids.org/ > > > I was not able to find an