Hey Anil,

Do you use any kind of policies to prevent access by the metron user? Do
you use Ranger to manage access policies?

The user running the Metron REST service (normally "metron") needs to have
access to all collections.

Check the (Ranger) audit log to see if access to the collections is
denied/allowed.

If you use Ranger + Solr with Metron you might run into a current Solr
plugin bug. I ran into that a few weeks ago and provided a workaround
here:

https://community.hortonworks.com/articles/203326/searching-in-multiple-collections-in-one-query-wit.html

Best,
Stefan


On Wed, Aug 22, 2018, 18:40 Anil Donthireddy <[email protected]>
wrote:

> Yes, the two necessary fields are set properly, as below
>
>
>
> "source.type.field" : "source.type",
>
>   "threat.triage.score.field" : "threat.triage.score"
>
>
>
>
>
> *From:* Anand Subramanian [mailto:[email protected]]
> *Sent:* Wednesday, August 22, 2018 10:07 PM
> *To:* [email protected]
> *Subject:* Re: Unable to see alerts in metron alert UI with solr
>
>
>
> Hey Anil,
>
>
>
> You might also want to check if the “source.type.field” is set to
> “source.type” (and NOT source:type) in global config.
>
>
>
> See:
>
>
> https://github.com/apache/metron/blob/master/metron-interface/metron-alerts/README.md#global-configuration-properties
>
>
>
> HTH,
>
> Anand
>
>
>
> *From: *Anil Donthireddy <[email protected]>
> *Reply-To: *"[email protected]" <[email protected]>
> *Date: *Wednesday, August 22, 2018 at 10:04 PM
> *To: *"[email protected]" <[email protected]>
> *Subject: *RE: Unable to see alerts in metron alert UI with solr
>
>
>
> Hi Stefan,
>
>
>
> I can see the events being written to the Solr collection. There are no issues
> up to storing data to Solr. There are events which have is_alert=true. But
> in the metron alerts UI I didn't see any events.
>
>
>
> Thanks,
>
> Anil.
>
>
>
> *From:* Stefan Kupstaitis-Dunkler [mailto:[email protected]
> <[email protected]>]
> *Sent:* Wednesday, August 22, 2018 9:52 PM
> *To:* [email protected]
> *Subject:* Re: Unable to see alerts in metron alert UI with solr
>
>
>
> Hi Anil,
>
>
>
> The alerts UI just queries your Solr collections and displays them.
>
>
>
> Things you could do:
>
> * You could check the collection the event is supposed to be directly
> * If it’s not there you could check the Solr “error” collection.
> * Use the Kafka console consumer and
>   - check the parser topic (you define the name in the management ui) if
>     events are being written to it
>   - check the “enrichments” topic if events are being written to it
>   - check the “indexing” topic if events are being written to it.
>
>
>
> Hope that helps as a start.
>
>
>
> Best,
>
> Stefan
>
> *From: *Anil Donthireddy <[email protected]>
> *Reply-To: *"[email protected]" <[email protected]>
> *Date: *Wednesday, 22. August 2018 at 18:07
> *To: *"[email protected]" <[email protected]>
> *Subject: *Unable to see alerts in metron alert UI with solr
>
>
>
> Hi,
>
>
>
> I have created a collection in Solr for my source as documented in the
> metron-solr README in git to enable Solr and writing data to Solr. I see
> the data is being loaded to Solr for my new source and is_alert is set to
> true. But still I am not seeing any data in metron alerts UI.
>
>
>
> I checked the metron alerts UI logs, but could not find any error logs. I
> am blocked to proceed further to display alerts in the metron alerts ui.
> May I get any suggestions to debug the issue?
>
>
>
> Thanks,
>
> Anil.
>
-- 
Stefan Kupstaitis-Dunkler
https://datahovel.com/
https://www.meetup.com/Hadoop-User-Group-Vienna/
https://twitter.com/StefanDunkler
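
The two global-config settings discussed in this thread, checked together with the documents that actually landed in Solr, as an added example that is not part of the original emails or of the Metron code base. The function names, the sample configs and the sample documents are constructed for illustration; only the two config keys, their values and the `is_alert` field come from the thread.

```python
# Field settings the thread says the global config needs when Solr is used.
EXPECTED = {
    "source.type.field": "source.type",
    "threat.triage.score.field": "threat.triage.score",
}


def check_global_config(config):
    """Return one finding per setting that is missing or has another value."""
    findings = []
    for key, want in EXPECTED.items():
        got = config.get(key)
        if got is None:
            findings.append(f"{key} is not set (expected {want!r})")
        elif got != want:
            hint = " (colon-separated name)" if ":" in got else ""
            findings.append(f"{key} is {got!r}{hint}, expected {want!r}")
    return findings


def check_documents(config, docs):
    """Count alert documents and how many lack the configured source-type field."""
    field = config.get("source.type.field", "")
    # is_alert may arrive as a boolean or as the string "true".
    alerts = [d for d in docs if str(d.get("is_alert", "")).lower() == "true"]
    missing = [d for d in alerts if field not in d]
    return {"alerts": len(alerts), "missing_source_type": len(missing)}


# Constructed sample data (not taken from a real cluster).
GOOD_CONFIG = dict(EXPECTED)
BAD_CONFIG = {"source.type.field": "source:type"}
SAMPLE_DOCS = [
    {"source.type": "mysource", "is_alert": "true"},
    {"source:type": "mysource", "is_alert": True},   # field name does not match
    {"source.type": "mysource"},                      # not an alert
]

if __name__ == "__main__":
    for finding in check_global_config(BAD_CONFIG):
        print("config:", finding)
    print("documents:", check_documents(GOOD_CONFIG, SAMPLE_DOCS))
```

Feed it the global config and a handful of documents exported from the collection; a clean result here points the investigation toward access policies and the audit log rather than field naming.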
