Hi Frank -

(1) Here is a link on how to delete indices from Elasticsearch. It is as simple as a "DELETE /bro*". https://www.elastic.co/guide/en/elasticsearch/reference/current/indices-delete-index.html

(2) Check and see if YAF is running with a command-line argument "--idle-timeout 0". That causes YAF to write a flow record for each packet. We only do that to drive test data through the system. In a live system just remove that argument.

(3) For Snort, you need to reload the rule set after you make a change. You can use "service snortd reload" or send a SIGHUP to the running process.

On Wed, Sep 6, 2017 at 5:00 PM Frank Horsfall <[email protected]> wrote:

> Hello all,
>
> I have installed a 3 node system using the bare metal Centos 7 guideline.
>
> https://cwiki.apache.org/confluence/display/METRON/Metron+0.4.0+with+HDP+2.5+bare-metal+install+on+Centos+7+with+MariaDB+for+Metron+REST
>
> It has taken me a while to have all components working properly and I left the yaf, bro, snort apps running so quite a lot of data has been generated. Currently, I have almost 18 million events identified in Kibana. 16+ million are yaf based, and 2+ million are snort .... 190 events are my new squid telemetry, J. It looks like it still has a while to go before it catches up to current day. I recently shut down the apps.
>
> My questions are:
>
> 1. Is there a way to wipe all my data and indices clean so that I may now begin with a fresh dataset?
>
> 2. Is there a way to configure yaf so that its data is meaningful? It is currently creating what looks to be test data?
>
> 3. I have commented out the test snort rule but it is still generating the odd record which once again looks like test data. Can this be stopped as well?
>
> Kindest regards,
>
> Frank
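The wildcard delete in point (1) removes every index the pattern matches, so it is worth seeing the match list before issuing it. The script below is an added example, not code from this thread or from the Metron project: it previews which indices a glob such as `bro*` would hit and only sends the DELETE when `DRY_RUN=0`. It assumes Elasticsearch is reachable at `$ES_URL` (default `http://localhost:9200`) and that `curl` is installed; the index names used for checking are constructed.

```shell
#!/bin/sh
# Added example: preview, then optionally run, a wildcard index delete.
ES_URL="${ES_URL:-http://localhost:9200}"   # assumed cluster address
DRY_RUN="${DRY_RUN:-1}"                     # 1 = preview only (default)

# match_indices PATTERN LIST: print the names in LIST (whitespace separated)
# that match the shell-style glob PATTERN, e.g. 'bro*' or '*_index_*'.
# Pure shell, so it can be checked offline against a constructed list.
match_indices() {
  pattern="$1"; list="$2"
  for idx in $list; do
    case "$idx" in
      $pattern) printf '%s\n' "$idx" ;;
    esac
  done
}

# list_indices: every index name on the cluster, one per line (_cat API).
list_indices() {
  curl -sf "$ES_URL/_cat/indices?h=index"
}

# wipe_indices PATTERN: show what the pattern matches; delete only if DRY_RUN=0.
wipe_indices() {
  pattern="$1"
  all="$(list_indices)" || { echo "cannot reach $ES_URL" >&2; return 1; }
  hits="$(match_indices "$pattern" "$all")"
  [ -n "$hits" ] || { echo "no index matches $pattern"; return 0; }
  echo "indices matching $pattern:"; echo "$hits"
  if [ "$DRY_RUN" = "1" ]; then
    echo "dry run; set DRY_RUN=0 to delete"; return 0
  fi
  curl -sf -X DELETE "$ES_URL/$pattern"
}
```

On clusters configured with `action.destructive_requires_name: true`, Elasticsearch refuses wildcard deletes outright, so the expanded names from the preview have to be passed explicitly instead of the glob.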
