> Do you have any sample configuration or something like that to setup
activedirectory sensor?

I assume you are not yet ingesting AD logs into Metron.  There is currently
nothing out-of-the-box for AD logs, but it should not be too hard.  Feel free
to contribute as many example AD logs as you can (after cleaning them of
sensitive information) to either of these JIRAs.

https://issues.apache.org/jira/browse/METRON-1149
https://issues.apache.org/jira/browse/METRON-161


> I've been trying many ways but it still does not succeed.  That's because
there are so many log formats in there. I want to get the login status
(failed, success, logout, etc.) with this profiler.

What have you tried?  I assume you are still talking about parsing the AD
logs, which has nothing to do with the Profiler.

Just to level set, the first step is to parse the AD logs and get them into
Metron.  Then we can use that data in the Profiler.


> Is it possible to me include logstash into metron?

You can use Logstash to push data into Kafka.  Metron would then consume it
from Kafka.
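To make the profile semantics discussed in this thread concrete, here is an added stand-in, not Metron's own code (Metron evaluates these expressions with Stellar), that applies the failed-logins profile quoted further down to a constructed batch of already-parsed AD messages: `onlyif` filters, `foreach` picks the entity, `init`/`update` accumulate per entity, and `result` is what gets emitted per user.name. The message fields and values are assumptions chosen to match the profile.

```python
import re

# The failed-logins profile from the thread (with the comma missing after "onlyif" restored).
PROFILE = {
    "profile": "failed-logins",
    "foreach": "user.name",
    "onlyif": "source.type == 'activedirectory' and event.type == 'failed_login'",
    "init": {"count": 0},
    "update": {"count": "count + 1"},
    "result": "count",
}

# Constructed sample of parsed AD messages, as a Metron parser would emit them to Kafka.
MESSAGES = [
    {"source.type": "activedirectory", "event.type": "failed_login", "user.name": "alice"},
    {"source.type": "activedirectory", "event.type": "failed_login", "user.name": "bob"},
    {"source.type": "activedirectory", "event.type": "success_login", "user.name": "alice"},
    {"source.type": "activedirectory", "event.type": "failed_login", "user.name": "alice"},
    {"source.type": "bro", "event.type": "failed_login", "user.name": "alice"},  # wrong sensor
    {"source.type": "activedirectory", "event.type": "logout", "user.name": "carol"},
]

_EQ_CLAUSE = re.compile(r"^\s*([\w.]+)\s*==\s*'([^']*)'\s*$")
_INCREMENT = re.compile(r"^\s*(\w+)\s*\+\s*(\d+)\s*$")

def matches_onlyif(expr, msg):
    """Stand-in for Stellar: supports `field == 'literal'` clauses joined by `and`."""
    for clause in expr.split(" and "):
        m = _EQ_CLAUSE.match(clause)
        if not m:
            raise ValueError(f"unsupported onlyif clause: {clause!r}")
        field, literal = m.groups()
        if msg.get(field) != literal:
            return False  # message is dropped before it ever reaches this profile
    return True

def run_profile(profile, messages):
    """Group passing messages by `foreach`, run init/update per entity, return `result` for each."""
    states = {}
    for msg in messages:
        if not matches_onlyif(profile["onlyif"], msg):
            continue
        entity = msg.get(profile["foreach"])
        if entity is None:
            continue  # no user.name on the message: nothing to profile against
        state = states.setdefault(entity, dict(profile["init"]))
        for var, expr in profile["update"].items():
            step = _INCREMENT.match(expr)  # only `var + N` is understood by this stand-in
            state[var] += int(step.group(2))
    return {entity: state[profile["result"]] for entity, state in states.items()}
```

Running `run_profile(PROFILE, MESSAGES)` yields `{'alice': 2, 'bob': 1}`: the bro message and the non-failure events never reach the update step, and carol gets no entry because she never passed `onlyif`.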




On Tue, Oct 24, 2017 at 4:59 AM, tkg_cangkul <[email protected]> wrote:

> Do you have any sample configuration or something like that to setup
> activedirectory sensor?
> I've been trying many ways but it still does not succeed.
> That's because there are so many log formats in there. I want to get the
> login status (failed, success, logout, etc.) with this profiler.
> Is it possible for me to include Logstash in Metron?
>
>
> On 24/10/17 15:50, Mohan Venkateshaiah wrote:
>
> Hi,
>
>
>
> The Profiler will consume messages from the input kafka topic defined in
> the Profiler's configuration (see Configuring the Profiler
> <https://github.com/apache/metron/tree/master/metron-analytics/metron-profiler#configuring-the-profiler>).
> By default, this is the indexing topic.
>
>
>
> Thanks
>
> Mohan DV
>
>
>
> *From: *Simon Elliston Ball <[email protected]>
> *Reply-To: *"[email protected]" <[email protected]>
> *Date: *Tuesday, October 24, 2017 at 2:02 PM
> *To: *"[email protected]" <[email protected]>
> *Subject: *Re: ask about profiler rule
>
>
>
> The profiler reads direct from the ingest stream, so sees data before it
> gets to ES.
>
>
>
> The onlyif config you are asking about is a filter condition, so only data
> which matches that expression will be considered by this particular
> profile.
>
>
>
> The activedirectory example here assumes that you have a sensor set up from
> something like Active Directory, that has fields called user.name and
> event.type in it. It will then count those failures per user.name.
>
>
>
> Simon
>
>
>
> On 24 Oct 2017, at 07:38, tkg_cangkul <[email protected]> wrote:
>
>
>
> Hi,
>
> can anybody explain this profiler config rule to me, please?
>
> {
>   "profile": "failed-logins",
>   "foreach": "user.name",
>   "onlyif": "source.type == 'activedirectory' and event.type == 'failed_login'",
>   "init": { "count": 0 },
>   "update": { "count" : "count + 1" },
>   "result": "count"
> }
>
>
>
>
> what does "source.type == 'activedirectory' and event.type ==
> 'failed_login'" mean?
> does it mean the profiler will read from an ES index that has the condition
> source.type == 'activedirectory'? if yes, must I index to ES first
> where source type = activedirectory?
>
> I've just read Nick's article here:
>
> https://www.slideshare.net/NickAllen4/apache-metron-profiler
>
> In the other rule configs there are "source.type == 'yaf'" and "source.type
> == 'bro'". What I know is that "source.type == 'yaf'" & "source.type == 'bro'"
> are indexed by default on Metron. How about activedirectory?
>
>
> Best Regards,
>
>
>
>
>
