Do you have any sample configuration or something like that to set up an activedirectory sensor?
I've tried many ways but it still doesn't succeed.
That's because there are so many log formats in there. I want to get the login status (failed, success, logout, etc.) with this profiler.
Is it possible for me to include logstash in metron?

On 24/10/17 15:50, Mohan Venkateshaiah wrote:

Hi,

The Profiler will consume messages from the input kafka topic defined in the Profiler's configuration (see Configuring the Profiler <https://github.com/apache/metron/tree/master/metron-analytics/metron-profiler#configuring-the-profiler>). By default, this is the indexing topic.

Thanks

Mohan DV

*From: *Simon Elliston Ball <[email protected]>
*Reply-To: *"[email protected]" <[email protected]>
*Date: *Tuesday, October 24, 2017 at 2:02 PM
*To: *"[email protected]" <[email protected]>
*Subject: *Re: ask about profiler rule

The profiler reads directly from the ingest stream, so it sees data before it gets to ES.

The onlyif config you are asking about is a filter condition, so only data which matches that expression will be considered by this particular profile.

The activedirectory example here assumes that you have a sensor set up from something like active directory, that has fields called user.name and event.type in it. It will then count those failures per user.name.

Simon

    On 24 Oct 2017, at 07:38, tkg_cangkul <[email protected]> wrote:

    Hi,

    Can anybody explain this profiler config rule to me, please?

        {
          "profile": "failed-logins",
          "foreach": "user.name",
          "onlyif": "source.type == 'activedirectory' and event.type == 'failed_login'",
          "init": { "count": 0 },
          "update": { "count": "count + 1" },
          "result": "count"
        }


    What does "source.type == 'activedirectory' and event.type ==
    'failed_login'" mean?
    Does it mean the profiler will read from an ES index that has the
    condition source.type == 'activedirectory'? If yes, must I
    index to ES first where source type = activedirectory?

    I've just read Nick's article here:

    https://www.slideshare.net/NickAllen4/apache-metron-profiler

    In the other rule configs there are "source.type == 'yaf'" and
    "source.type == 'bro'". What I know is that "source.type == 'yaf'" and
    "source.type == 'bro'" are indexed by default on metron. How
    about activedirectory?


    Best Regards,


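As an added illustration of what the quoted "failed-logins" profile does (this is not code from the thread or from Metron itself), here is a small Python model of a profile period: `onlyif` filters the stream, `foreach` picks the entity to group by, `init`/`update` maintain per-entity state, and `result` is emitted per entity at the end of the period. Metron evaluates those fields as Stellar expressions on messages it reads from the Kafka topic; this model replaces the Stellar with equivalent Python callables, and the sample messages are constructed. The field names source.type, event.type and user.name are the ones from the quoted profile.

```python
"""Simplified model of a Metron profile (constructed example, not Metron code).

A profile definition has:
  foreach  - expression yielding the entity to group by
  onlyif   - filter; only messages for which it is true are processed
  init     - initial state variables
  update   - how the state changes for each matching message
  result   - value emitted per entity at the end of each period

Metron evaluates these as Stellar over messages from a Kafka topic.
Here each one is a Python callable so the semantics can be run offline.
"""

# The "failed-logins" profile from the thread, with its Stellar
# expressions translated into Python callables.
FAILED_LOGINS_PROFILE = {
    "profile": "failed-logins",
    "foreach": lambda m: m.get("user.name"),
    "onlyif": lambda m: (m.get("source.type") == "activedirectory"
                         and m.get("event.type") == "failed_login"),
    "init": lambda: {"count": 0},
    "update": lambda state, m: {"count": state["count"] + 1},
    "result": lambda state: state["count"],
}


def run_profile(profile, messages):
    """Apply one profile definition to one period's worth of messages.

    Returns {entity: result} for every entity that had at least one
    matching message, i.e. one row per profile/entity/period, which is
    the shape of what the profiler persists for the period.
    """
    state = {}
    for msg in messages:
        if not profile["onlyif"](msg):
            continue  # filtered out: wrong sensor, or not a failed login
        entity = profile["foreach"](msg)
        if entity is None:
            continue  # no user.name field, so nothing to group by
        if entity not in state:
            state[entity] = profile["init"]()
        state[entity] = profile["update"](state[entity], msg)
    return {entity: profile["result"](s) for entity, s in state.items()}


# Constructed sample messages, shaped like parsed activedirectory sensor
# output on the indexing topic (field names from the thread, values made up).
SAMPLE_MESSAGES = [
    {"source.type": "activedirectory", "event.type": "failed_login", "user.name": "alice"},
    {"source.type": "activedirectory", "event.type": "failed_login", "user.name": "alice"},
    {"source.type": "activedirectory", "event.type": "success_login", "user.name": "alice"},
    {"source.type": "activedirectory", "event.type": "failed_login", "user.name": "bob"},
    {"source.type": "bro", "event.type": "failed_login", "user.name": "alice"},  # wrong sensor
    {"source.type": "activedirectory", "event.type": "failed_login"},  # no user.name
]


def failed_logins_per_user(messages=SAMPLE_MESSAGES):
    """Run the failed-logins profile over the sample period."""
    return run_profile(FAILED_LOGINS_PROFILE, messages)


if __name__ == "__main__":
    for user, count in sorted(failed_logins_per_user().items()):
        print(f"{user}: {count} failed logins in this period")
```

Note that nothing in the model touches an index: the messages are consumed from the stream, and the `onlyif` expression is a per-message predicate, not an Elasticsearch query. Counting a different login status (success, logout) is just another profile whose `onlyif` tests for that event.type, provided the sensor's parser emits those field names.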