Hi Youzha,
Either check how the snort logs on the full dev installation are
ingested (I believe it's with a script) or check the Apache NiFi project
which makes it very easy to read logs from almost any format and ingest
them to Metron via Kafka.
On 2017-10-17 08:53, Youzha wrote:
> is it possible to ingest other logs like /var/log/secure for example to be
> new telemetry on metron? i've seen the metron architecture on the website
> like picture below. host logs, email, av, etc can be telemetry event buffer
> on metron. if this possible, could you give me some suggestion how to do it ?
>
> On Tue, 17 Oct 2017 at 21.00 Nick Allen <n...@nickallen.org> wrote:
>
> If you want to look at failed login attempts for each user over time, then
> the Profiler might be a good solution. Your profile will depend on the
> fields available in your telemetry, but it would look something like this, as
> an example.
>
> {
>
> "profile": "failed-logins",
>
> "foreach": "user.name [1]",
>
> "onlyif": "source.type == 'activedirectory' and event.type == 'failed_login'"
>
> "init": { "count": 0 },
>
> "update": { "count" : "count + 1" },
>
> "result": "count"
>
> }
>
> You can find an introduction and more information on using the Profiler
> below.
> *
> https://github.com/apache/metron/tree/master/metron-analytics/metron-profiler
> * https://www.slideshare.net/secret/GFBf2RTXBG35PB
>
> Best of luck
>
> On Tue, Oct 17, 2017 at 4:51 AM, tkg_cangkul <yuza.ras...@gmail.com> wrote:
> for example,
>
> i wanna try to correlate between logs.
> how many times user A have login failed and how many times user A have login
> succeed. include detail IP, timestamp etc.
> is this possible to do with metron?
>
> On 17/10/17 02:56, James Sirota wrote:
> What specifically are you looking to correlate? Can you talk a little more
> about your use case?
>
> 16.10.2017, 02:23, "tkg_cangkul" <yuza.ras...@gmail.com>:
> hi,
>
> anyone could explain me about event correlation using apache metron?
> does metron support event correlation?
>
> Pls Advice -------------------
> Thank you,
>
> James Sirota
> PMC- Apache Metron
> jsirota AT apache DOT org
Links:
------
[1] http://user.name
