Hi Laurens, thanks for your reply. Yeah, your suggestion is absolutely right. I was able to ingest the logs to Kafka. But how can Metron enrich and index all of it? I think there are only bro, snort, yaf, pcap and websphere topology Storm parsers on Metron. So, how can Metron read the log telemetry and process it so I can use it for event correlation?
On Tue, 17 Oct 2017 at 23.11 Laurens Vets <[email protected]> wrote:

> Hi Youzha,
>
> Either check how the snort logs on the full dev installation are ingested
> (I believe it's with a script) or check the Apache NiFi project which makes
> it very easy to read logs from almost any format and ingest them to Metron
> via Kafka.
>
> On 2017-10-17 08:53, Youzha wrote:
>
>> Is it possible to ingest other logs, like /var/log/secure for example, as
>> new telemetry on Metron? I've seen the Metron architecture on the website,
>> like the picture below. Host logs, email, AV, etc. can be telemetry in the event buffer
>> on Metron. If this is possible, could you give me some suggestions on how to do it?
>>
>> On Tue, 17 Oct 2017 at 21.00 Nick Allen <[email protected]> wrote:
>>
>>> If you want to look at failed login attempts for each user over time,
>>> then the Profiler might be a good solution. Your profile will depend on
>>> the fields available in your telemetry, but it would look something like
>>> this, as an example.
>>>
>>> {
>>>   "profile": "failed-logins",
>>>   "foreach": "user.name",
>>>   "onlyif": "source.type == 'activedirectory' and event.type == 'failed_login'",
>>>   "init": { "count": 0 },
>>>   "update": { "count": "count + 1" },
>>>   "result": "count"
>>> }
>>>
>>> You can find an introduction and more information on using the Profiler
>>> below.
>>> * https://github.com/apache/metron/tree/master/metron-analytics/metron-profiler
>>> * https://www.slideshare.net/secret/GFBf2RTXBG35PB
>>>
>>> Best of luck
>>>
>>> On Tue, Oct 17, 2017 at 4:51 AM, tkg_cangkul <[email protected]> wrote:
>>>
>>>> For example,
>>>>
>>>> I wanna try to correlate between logs:
>>>> how many times user A has failed to log in and how many times user A has
>>>> logged in successfully, including details such as IP, timestamp, etc.
>>>> Is this possible to do with Metron?
>>>>
>>>> On 17/10/17 02:56, James Sirota wrote:
>>>>
>>>>> What specifically are you looking to correlate? Can you talk a little
>>>>> more about your use case?
>>>>>
>>>>> 16.10.2017, 02:23, "tkg_cangkul" <[email protected]>:
>>>>>
>>>>>> hi,
>>>>>>
>>>>>> Could anyone explain to me about event correlation using Apache Metron?
>>>>>> Does Metron support event correlation?
>>>>>>
>>>>>> Pls advise
>>>>>
>>>>> -------------------
>>>>> Thank you,
>>>>>
>>>>> James Sirota
>>>>> PMC- Apache Metron
>>>>> jsirota AT apache DOT org
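To tie the two questions in this thread together (turning /var/log/secure lines into telemetry records, then counting failed logins per user the way the Profiler definition quoted above does), here is an added Python example that is not part of the original thread or of Apache Metron itself. The sshd log lines are constructed, the field names (`source.type`, `event.type`, `user.name`, `ip_src_addr`) are assumptions, and the Stellar `onlyif`/`update`/`result` expressions are stood in for by Python callables because this runs outside the Metron Profiler.

```python
import re
from collections import defaultdict

# Constructed /var/log/secure (sshd) lines; not real data.
SAMPLE_SECURE_LOG = """\
Oct 17 08:53:01 host1 sshd[1201]: Failed password for alice from 10.0.0.5 port 51422 ssh2
Oct 17 08:53:09 host1 sshd[1201]: Failed password for alice from 10.0.0.5 port 51423 ssh2
Oct 17 08:53:20 host1 sshd[1203]: Accepted password for alice from 10.0.0.5 port 51424 ssh2
Oct 17 08:54:02 host1 sshd[1210]: Failed password for invalid user bob from 10.0.0.9 port 40001 ssh2
Oct 17 08:55:00 host1 cron[1300]: (root) CMD (run-parts /etc/cron.hourly)
"""

LINE_RE = re.compile(
    r"^(?P<timestamp>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port (?P<port>\d+)"
)

def parse_secure(text):
    """Turn raw sshd lines into flat telemetry records, as a Metron parser would."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrecognised lines (cron etc.) are dropped, not guessed at
        events.append({"source.type": "secure", "user.name": m["user"],
                       "ip_src_addr": m["ip"], "timestamp": m["timestamp"],
                       "event.type": "failed_login" if m["outcome"] == "Failed" else "successful_login"})
    return events

# Same shape as the profile in the thread; the Stellar expressions are replaced by
# Python callables because this runs outside the Metron Profiler (assumed stand-in).
PROFILE = {
    "profile": "failed-logins",
    "foreach": "user.name",
    "onlyif": lambda e: e["source.type"] == "secure" and e["event.type"] == "failed_login",
    "init": lambda: {"count": 0},
    "update": lambda state, e: {"count": state["count"] + 1},
    "result": lambda state: state["count"],
}

def run_profile(profile, events):
    """One state per 'foreach' value, updated only by events that pass 'onlyif'."""
    states = defaultdict(profile["init"])
    for e in events:
        if profile["onlyif"](e):
            key = e[profile["foreach"]]
            states[key] = profile["update"](states[key], e)
    return {key: profile["result"](state) for key, state in states.items()}
```

Running `run_profile(PROFILE, parse_secure(SAMPLE_SECURE_LOG))` yields one failed-login count per user, with the successful login and the cron line ignored by the filter and the parser respectively.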
