Glad to hear that.
On Tue, Oct 24, 2017 at 3:04 PM, tkg_cangkul <[email protected]> wrote:
> OK Nick,
>
> I think I've succeeded in doing this.
> I'm using Logstash like you suggested below and the JSONMap parser in
> Metron to parse it.
>
> Thank you so much for your help.
> Have a nice day :)
>
>
> On 24/10/17 22:14, Nick Allen wrote:
>
> > Do you have any sample configuration or something like that to set up
> > an activedirectory sensor?
>
> I assume you are not yet ingesting AD logs into Metron. There is not
> currently something out-of-the-box for AD logs, but it should not be too
> hard. Feel free to contribute as many example AD logs as you can (after
> cleaning them of sensitive information) to either of these JIRAs.
>
> https://issues.apache.org/jira/browse/METRON-1149
> https://issues.apache.org/jira/browse/METRON-161
>
> > I've been trying many ways but it still does not succeed. That's because
> > there are so many log formats in there. I want to get the login status
> > (failed, success, logout, etc.) with this profiler.
>
> What have you tried? I assume you are still talking about parsing the AD
> logs, which has nothing to do with the Profiler.
>
> Just to level set, the first step is to parse the AD logs and get them into
> Metron. Then we can use that data in the Profiler.
>
> > Is it possible for me to include Logstash in Metron?
>
> You can use Logstash to push data into Kafka. Metron would then consume
> it from Kafka.
>
>
> On Tue, Oct 24, 2017 at 4:59 AM, tkg_cangkul <[email protected]> wrote:
>
>> Do you have any sample configuration or something like that to set up
>> an activedirectory sensor?
>> I've been trying many ways but it still does not succeed.
>> That's because there are so many log formats in there. I want to get the
>> login status (failed, success, logout, etc.) with this profiler.
>> Is it possible for me to include Logstash in Metron?
>>
>>
>> On 24/10/17 15:50, Mohan Venkateshaiah wrote:
>>
>> Hi,
>>
>> The Profiler will consume messages from the input Kafka topic defined in
>> the Profiler's configuration (see Configuring the Profiler
>> <https://github.com/apache/metron/tree/master/metron-analytics/metron-profiler#configuring-the-profiler>).
>> By default, this is the indexing topic.
>>
>> Thanks
>> Mohan DV
>>
>> *From: *Simon Elliston Ball <[email protected]>
>> *Reply-To: *"[email protected]" <[email protected]>
>> *Date: *Tuesday, October 24, 2017 at 2:02 PM
>> *To: *"[email protected]" <[email protected]>
>> *Subject: *Re: ask about profiler rule
>>
>> The profiler reads directly from the ingest stream, so it sees data before
>> it gets to ES.
>>
>> The onlyif config you are asking about is a filter condition, so only
>> data which matches that expression will be considered by this particular
>> profile.
>>
>> The activedirectory example here assumes that you have a sensor set up
>> from something like Active Directory, that has fields called user.name
>> and event.type in it. It will then count those failures per user.name.
>>
>> Simon
>>
>> On 24 Oct 2017, at 07:38, tkg_cangkul <[email protected]> wrote:
>>
>> Hi,
>>
>> Can anybody explain this rule of the profiler config to me, please?
>>
>> {
>>   "profile": "failed-logins",
>>   "foreach": "user.name",
>>   "onlyif": "source.type == 'activedirectory' and event.type == 'failed_login'",
>>   "init": { "count": 0 },
>>   "update": { "count": "count + 1" },
>>   "result": "count"
>> }
>>
>> What does "source.type == 'activedirectory' and event.type == 'failed_login'"
>> mean? Does it mean the profiler will read from an ES index that matches the
>> condition source.type == 'activedirectory'? If yes, must I index to ES first
>> where source type = activedirectory?
>>
>> I've just read Nick's article here:
>>
>> https://www.slideshare.net/NickAllen4/apache-metron-profiler
>>
>> In the other rules' config there are "source.type == 'yaf'" and
>> "source.type == 'bro'". What I know is that "source.type == 'yaf'" and
>> "source.type == 'bro'" are indexed by default on Metron. How about
>> activedirectory?
>>
>>
>> Best Regards,
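To make the foreach / onlyif / init / update / result semantics of the "failed-logins" profile discussed in this thread concrete, here is an added toy model of what the Profiler does with parsed messages. It is not Metron's code and not from anyone in the thread; the Stellar expressions are replaced by Python callables (an assumption of this example), and the JSON messages are constructed to look like what Logstash would push into Kafka for the JSONMap parser.

```python
"""Toy model of the Metron Profiler applied to the "failed-logins" profile.

Assumptions: Stellar expressions are modelled as Python callables over a
flat message dict, and messages lacking the 'foreach' field are skipped.
"""
import json

# The profile from the thread, with each Stellar string replaced by a
# Python callable (assumption of this example, not how Metron evaluates it).
FAILED_LOGINS_PROFILE = {
    "profile": "failed-logins",
    "foreach": "user.name",
    "onlyif": lambda m: m.get("source.type") == "activedirectory"
    and m.get("event.type") == "failed_login",
    "init": lambda: {"count": 0},
    "update": lambda state, m: {"count": state["count"] + 1},
    "result": lambda state: state["count"],
}

# Constructed sample messages, as they might look after Logstash ships JSON
# into Kafka and Metron's JSONMap parser flattens them into fields.
SAMPLE_MESSAGES = [
    '{"source.type": "activedirectory", "event.type": "failed_login", "user.name": "alice"}',
    '{"source.type": "activedirectory", "event.type": "success_login", "user.name": "alice"}',
    '{"source.type": "activedirectory", "event.type": "failed_login", "user.name": "alice"}',
    '{"source.type": "bro", "event.type": "failed_login", "user.name": "alice"}',
    '{"source.type": "activedirectory", "event.type": "failed_login", "user.name": "bob"}',
    '{"source.type": "activedirectory", "event.type": "failed_login"}',
]


def run_profile(profile, raw_messages):
    """Apply one profile to a stream of JSON messages; return {entity: result}."""
    states = {}
    for raw in raw_messages:
        msg = json.loads(raw)
        entity = msg.get(profile["foreach"])
        # 'onlyif' is the filter: messages from other sensors or with other
        # event types never touch this profile's state. No entity, no bucket.
        if entity is None or not profile["onlyif"](msg):
            continue
        if entity not in states:
            states[entity] = profile["init"]()
        states[entity] = profile["update"](states[entity], msg)
    return {entity: profile["result"](state) for entity, state in states.items()}


if __name__ == "__main__":
    print(run_profile(FAILED_LOGINS_PROFILE, SAMPLE_MESSAGES))  # {'alice': 2, 'bob': 1}
```

Note that the bro message and the success_login message are dropped by onlyif even though they carry a user.name, which is the point Simon makes above: the profile filters the ingest stream, it does not query ES.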
