OK Nick,
I think I've succeeded in doing this.
I'm using Logstash as you suggested below and the JSONMap parser in
Metron to parse it.
Thank you so much for your help.
Have a nice day :)
On 24/10/17 22:14, Nick Allen wrote:
> Do you have any sample configuration or something like that to set up
> an activedirectory sensor?
I am assuming you are not yet ingesting AD logs into Metron. There is not
currently something out-of-the-box for AD logs, but it should not be
too hard. Feel free to contribute as many example AD logs as you can
(after cleaning them of sensitive information) to either of these JIRAs.
https://issues.apache.org/jira/browse/METRON-1149
https://issues.apache.org/jira/browse/METRON-161
> I've tried many ways but it still doesn't succeed. That's because there
> are so many log formats there. I want to get the login status (failed,
> success, logout, etc.) with this profiler.
What have you tried? I assume you are still talking about parsing the
AD logs, which has nothing to do with the Profiler.
Just to level set, the first step is to parse the AD logs and get them
into Metron. Then we can use that data in the Profiler.
> Is it possible for me to include Logstash in Metron?
You can use Logstash to push data into Kafka. Metron would then
consume it from Kafka.
On Tue, Oct 24, 2017 at 4:59 AM, tkg_cangkul <[email protected]> wrote:
Do you have any sample configuration or something like that to
set up an activedirectory sensor?
I've tried many ways but it still doesn't succeed.
That's because there are so many log formats there. I want to get
the login status (failed, success, logout, etc.) with this profiler.
Is it possible for me to include Logstash in Metron?
On 24/10/17 15:50, Mohan Venkateshaiah wrote:
Hi,
The Profiler will consume messages from the input kafka topic
defined in the Profiler's configuration (see Configuring the
Profiler
<https://github.com/apache/metron/tree/master/metron-analytics/metron-profiler#configuring-the-profiler>).
By default, this is the indexing topic.
Thanks
Mohan DV
From: Simon Elliston Ball <[email protected]>
Reply-To: "[email protected]" <[email protected]>
Date: Tuesday, October 24, 2017 at 2:02 PM
To: "[email protected]" <[email protected]>
Subject: Re: ask about profiler rule
The profiler reads direct from the ingest stream, so sees data
before it gets to ES.
The onlyif config you are asking about is a filter condition, so
only data which matches that expression will be considered by
this particular profile.
The activedirectory example here assumes that you have a sensor
set up from something like Active Directory, that has fields
called user.name and event.type in it. It will
then count those failures per user.name.
Simon
On 24 Oct 2017, at 07:38, tkg_cangkul <[email protected]> wrote:
Hi,
Can anybody explain this profiler config rule to me, please?
{
  "profile": "failed-logins",
  "foreach": "user.name",
  "onlyif": "source.type == 'activedirectory' and event.type == 'failed_login'",
  "init": { "count": 0 },
  "update": { "count" : "count + 1" },
  "result": "count"
}
What does "source.type == 'activedirectory' and event.type ==
'failed_login'" mean?
Does it mean the profiler will read from an ES index that has the
condition source.type == 'activedirectory'? If yes, must I
index to ES first where source type = activedirectory?
I've just read Nick's article here:
https://www.slideshare.net/NickAllen4/apache-metron-profiler
In the other rule configs there are "source.type == 'yaf'" and
"source.type == 'bro'". What I know is that "source.type ==
'yaf'" & "source.type == 'bro'" are indexed by default on
Metron. How about activedirectory?
Best Regards,
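As an added worked example (not code from this thread or from the Metron project), the two steps the thread separates: first normalising raw Windows logon events into the user.name / event.type / source.type fields the "failed-logins" profile filters on, then applying that profile's onlyif / foreach / init / update / result semantics. The event.type names, the field names on the raw events, and the tiny onlyif evaluator are assumptions; Metron's real Stellar engine evaluates the full expression language.

```python
# Added example, not from the thread or Metron: a stand-in for what the
# thread describes, (1) normalising Windows logon events into the fields
# the "failed-logins" profile expects and (2) applying that profile.
import json

# Windows security event IDs for logon outcomes; the event.type names are
# assumptions chosen to match the profile quoted in the thread.
EVENT_TYPES = {4624: "success_login", 4625: "failed_login", 4634: "logout"}

# Constructed sample: the kind of JSON Logstash might push to Kafka for
# Metron's JSONMap parser (field names are assumptions).
SAMPLE_EVENTS = [
    {"event_id": 4625, "TargetUserName": "alice", "host": "dc01"},
    {"event_id": 4625, "TargetUserName": "alice", "host": "dc01"},
    {"event_id": 4624, "TargetUserName": "alice", "host": "dc01"},
    {"event_id": 4625, "TargetUserName": "bob", "host": "dc02"},
    {"event_id": 4634, "TargetUserName": "bob", "host": "dc02"},
    {"event_id": 4625, "TargetUserName": "carol", "host": "dc01"},
]

# The profile from the thread (with the comma after "onlyif" in place).
FAILED_LOGINS_PROFILE = {
    "profile": "failed-logins",
    "foreach": "user.name",
    "onlyif": "source.type == 'activedirectory' and event.type == 'failed_login'",
    "init": {"count": 0},
    "update": {"count": "count + 1"},
    "result": "count",
}

def normalize(raw):
    """Flatten one raw AD event into the dotted fields the profile filters on."""
    return {
        "source.type": "activedirectory",
        "event.type": EVENT_TYPES.get(raw["event_id"], "other"),
        "user.name": raw["TargetUserName"],
    }

def matches_onlyif(msg, onlyif):
    """Tiny stand-in for Stellar: handles only `a == 'x' and b == 'y'` clauses."""
    for clause in onlyif.split(" and "):
        field, _, literal = clause.partition(" == ")
        if msg.get(field.strip()) != literal.strip().strip("'"):
            return False
    return True

def run_profile(raw_events, profile=FAILED_LOGINS_PROFILE):
    """Group messages passing 'onlyif' by the 'foreach' field, then init/update/result."""
    state = {}
    for msg in map(normalize, raw_events):
        if not matches_onlyif(msg, profile["onlyif"]):
            continue  # filtered out before the profile ever sees it
        key = msg[profile["foreach"]]
        state.setdefault(key, dict(profile["init"]))
        state[key]["count"] += 1  # the "count + 1" update
    return {k: v[profile["result"]] for k, v in state.items()}

if __name__ == "__main__":
    print(json.dumps(run_profile(SAMPLE_EVENTS), indent=2))
```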