Posted to commits@metron.apache.org by le...@apache.org on 2016/09/26 14:05:09 UTC

[6/7] incubator-metron git commit: METRON-427 Create Ambari Management Pack for Metron Installation closes apache/incubator-metron#266

http://git-wip-us.apache.org/repos/asf/incubator-metron/blob/125dbef1/metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/KIBANA/4.5.1/configuration/kibana-site.xml
----------------------------------------------------------------------
diff --git a/metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/KIBANA/4.5.1/configuration/kibana-site.xml b/metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/KIBANA/4.5.1/configuration/kibana-site.xml
new file mode 100755
index 0000000..c546e2c
--- /dev/null
+++ b/metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/KIBANA/4.5.1/configuration/kibana-site.xml
@@ -0,0 +1,112 @@
+<?xml version="1.0"?>
+<?xml-stylesheet type="text/xsl" href="configuration.xsl"?>
+<!--
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+-->
+<configuration>
+    <!-- kibana.yml -->
+    <property>
+        <name>content</name>
+        <display-name>kibana.yml template</display-name>
+        <description>This is the jinja template for kibana.yml file</description>
+        <value>
+# Kibana is served by a back end server. This controls which port to use.
+server.port: {{ kibana_port }}
+
+# The host to bind the server to.
+# server.host: "0.0.0.0"
+
+# If you are running kibana behind a proxy, and want to mount it at a path,
+# specify that path here. The basePath can't end in a slash.
+# server.basePath: ""
+
+# The maximum payload size in bytes on incoming server requests.
+# server.maxPayloadBytes: 1048576
+
+# The Elasticsearch instance to use for all your queries.
+elasticsearch.url: {{ es_url }}
+
+# preserve_elasticsearch_host true will send the hostname specified in `elasticsearch`. If you set it to false,
+# then the host you use to connect to *this* Kibana instance will be sent.
+# elasticsearch.preserveHost: true
+
+# Kibana uses an index in Elasticsearch to store saved searches, visualizations
+# and dashboards. It will create a new index if it doesn't already exist.
+# kibana.index: ".kibana"
+
+# The default application to load.
+# kibana.defaultAppId: "discover"
+
+# If your Elasticsearch is protected with basic auth, these are the user credentials
+# used by the Kibana server to perform maintenance on the kibana_index at startup. Your Kibana
+# users will still need to authenticate with Elasticsearch (which is proxied through
+# the Kibana server)
+# elasticsearch.username: "user"
+# elasticsearch.password: "pass"
+
+# SSL for outgoing requests from the Kibana Server to the browser (PEM formatted)
+# server.ssl.cert: /path/to/your/server.crt
+# server.ssl.key: /path/to/your/server.key
+
+# Optional setting to validate that your Elasticsearch backend uses the same key files (PEM formatted)
+# elasticsearch.ssl.cert: /path/to/your/client.crt
+# elasticsearch.ssl.key: /path/to/your/client.key
+
+# If you need to provide a CA certificate for your Elasticsearch instance, put
+# the path of the pem file here.
+# elasticsearch.ssl.ca: /path/to/your/CA.pem
+
+# Set to false to have a complete disregard for the validity of the SSL
+# certificate.
+# elasticsearch.ssl.verify: true
+
+# Time in milliseconds to wait for elasticsearch to respond to pings, defaults to
+# request_timeout setting
+# elasticsearch.pingTimeout: 1500
+
+# Time in milliseconds to wait for responses from the back end or elasticsearch.
+# This must be > 0
+# elasticsearch.requestTimeout: 30000
+
+# Time in milliseconds for Elasticsearch to wait for responses from shards.
+# Set to 0 to disable.
+# elasticsearch.shardTimeout: 0
+
+# Time in milliseconds to wait for Elasticsearch at Kibana startup before retrying
+# elasticsearch.startupTimeout: 5000
+
+# Set the path to where you would like the process id file to be created.
+# pid.file: /var/run/kibana.pid
+
+# If you would like to send the log output to a file you can set the path below.
+logging.dest: {{ log_dir }}/kibana.log
+
+# Set this to true to suppress all logging output.
+# logging.silent: false
+
+# Set this to true to suppress all logging output except for error messages.
+# logging.quiet: false
+
+# Set this to true to log all events, including system usage information and all requests.
+# logging.verbose: false
+        </value>
+        <value-attributes>
+            <type>content</type>
+        </value-attributes>
+    </property>
+</configuration>
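Review bot: The template parameterizes only `server.port`, `elasticsearch.url` and `logging.dest`; every TLS-related key (`server.ssl.cert`/`server.ssl.key`, `elasticsearch.ssl.ca`, `elasticsearch.ssl.verify`) remains a hard-coded comment inside the `<value>` body, so an operator cannot enable HTTPS on Kibana or certificate verification toward Elasticsearch through Ambari without editing the mpack itself. Consider surfacing those as additional `<property>` entries rendered into the template, keeping `elasticsearch.ssl.verify` at its `true` default, and stating in the `<description>` which keys are templated. If `elasticsearch.username`/`elasticsearch.password` are later templated the same way, the rendered content would carry the credential in clear text inside this config block, so they belong in a separate password-typed property rather than here. Minor: the declaration `<?xml version="1.0"?>` omits the encoding; `<?xml version="1.0" encoding="UTF-8"?>` makes the file self-describing and matches the best-practice form.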

http://git-wip-us.apache.org/repos/asf/incubator-metron/blob/125dbef1/metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/KIBANA/4.5.1/metainfo.xml
----------------------------------------------------------------------
diff --git a/metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/KIBANA/4.5.1/metainfo.xml b/metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/KIBANA/4.5.1/metainfo.xml
new file mode 100755
index 0000000..f59109c
--- /dev/null
+++ b/metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/KIBANA/4.5.1/metainfo.xml
@@ -0,0 +1,75 @@
+<?xml version="1.0"?>
+<!--
+   Licensed to the Apache Software Foundation (ASF) under one or more
+   contributor license agreements.  See the NOTICE file distributed with
+   this work for additional information regarding copyright ownership.
+   The ASF licenses this file to You under the Apache License, Version 2.0
+   (the "License"); you may not use this file except in compliance with
+   the License.  You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+-->
+<metainfo>
+    <schemaVersion>2.0</schemaVersion>
+    <services>
+        <service>
+            <name>KIBANA</name>
+            <displayName>Kibana</displayName>
+            <comment>Kibana Dashboard</comment>
+            <version>4.5.1</version>
+            <components>
+                <component>
+                    <name>KIBANA_MASTER</name>
+                    <displayName>Kibana Server</displayName>
+                    <category>MASTER</category>
+                    <cardinality>1</cardinality>
+                    <commandScript>
+                        <script>scripts/kibana_master.py</script>
+                        <scriptType>PYTHON</scriptType>
+                        <timeout>600</timeout>
+                    </commandScript>
+                    <customCommands>
+                        <customCommand>
+                            <name>LOAD_TEMPLATE</name>
+                            <background>false</background>
+                            <commandScript>
+                                <script>scripts/kibana_master.py</script>
+                                <scriptType>PYTHON</scriptType>
+                            </commandScript>
+                        </customCommand>
+                    </customCommands>
+                </component>
+            </components>
+            <osSpecifics>
+                <osSpecific>
+                    <osFamily>any</osFamily>
+                    <packages>
+                        <package>
+                            <name>python-elasticsearch</name>
+                        </package>
+                        <package>
+                            <name>kibana-4.5.1</name>
+                        </package>
+                    </packages>
+                </osSpecific>
+            </osSpecifics>
+            <configuration-dependencies>
+                <config-type>kibana-env</config-type>
+                <config-type>kibana-site</config-type>
+            </configuration-dependencies>
+            <restartRequiredAfterChange>true</restartRequiredAfterChange>
+            <quickLinksConfigurations>
+                <quickLinksConfiguration>
+                    <fileName>quicklinks.json</fileName>
+                    <default>true</default>
+                </quickLinksConfiguration>
+            </quickLinksConfigurations>
+        </service>
+    </services>
+</metainfo>
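Review bot: The `LOAD_TEMPLATE` custom command's `<commandScript>` omits the `<timeout>` that the component's main `<commandScript>` sets to `600`, so two invocations of the same `scripts/kibana_master.py` run under different limits; presumably the custom command falls back to an agent-wide default, which should be confirmed. Adding `<timeout>600</timeout>` beneath its `<scriptType>PYTHON</scriptType>` keeps the two consistent. The `<package>` entry `kibana-4.5.1` pins the version under `<osFamily>any</osFamily>` while the service `<version>` element says `4.5.1` separately; a comment such as `<!-- keep in step with the service <version> and the 4.5.1 directory name -->` above the package would make that coupling explicit for the next version bump.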

http://git-wip-us.apache.org/repos/asf/incubator-metron/blob/125dbef1/metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/KIBANA/4.5.1/package/scripts/dashboard/__init__.py
----------------------------------------------------------------------
diff --git a/metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/KIBANA/4.5.1/package/scripts/dashboard/__init__.py b/metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/KIBANA/4.5.1/package/scripts/dashboard/__init__.py
new file mode 100755
index 0000000..8d2bad8
--- /dev/null
+++ b/metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/KIBANA/4.5.1/package/scripts/dashboard/__init__.py
@@ -0,0 +1,16 @@
+#
+#  Licensed to the Apache Software Foundation (ASF) under one or more
+#  contributor license agreements.  See the NOTICE file distributed with
+#  this work for additional information regarding copyright ownership.
+#  The ASF licenses this file to You under the Apache License, Version 2.0
+#  (the "License"); you may not use this file except in compliance with
+#  the License.  You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+#  Unless required by applicable law or agreed to in writing, software
+#  distributed under the License is distributed on an "AS IS" BASIS,
+#  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#  See the License for the specific language governing permissions and
+#  limitations under the License.
+#
\ No newline at end of file

http://git-wip-us.apache.org/repos/asf/incubator-metron/blob/125dbef1/metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/KIBANA/4.5.1/package/scripts/dashboard/dashboard.p
----------------------------------------------------------------------
diff --git a/metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/KIBANA/4.5.1/package/scripts/dashboard/dashboard.p b/metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/KIBANA/4.5.1/package/scripts/dashboard/dashboard.p
new file mode 100755
index 0000000..8327eb8
--- /dev/null
+++ b/metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/KIBANA/4.5.1/package/scripts/dashboard/dashboard.p
@@ -0,0 +1,1539 @@
+(lp1
+(dp2
+V_score
+p3
+F1
+sV_type
+p4
+Vvisualization
+p5
+sV_id
+p6
+VWeb-Request-Type
+p7
+sV_source
+p8
+(dp9
+VvisState
+p10
+V{"title":"Web Request Type","type":"pie","params":{"shareYAxis":true,"addTooltip":true,"addLegend":true,"isDonut":false},"aggs":[{"id":"1","type":"count","schema":"metric","params":{}},{"id":"2","type":"terms","schema":"segment","params":{"field":"method","size":5,"order":"desc","orderBy":"1"}}],"listeners":{}}
+p11
+sVdescription
+p12
+V
+sVtitle
+p13
+VWeb Request Type
+p14
+sVuiStateJSON
+p15
+V{}
+p16
+sVversion
+p17
+I1
+sVsavedSearchId
+p18
+Vweb-search
+p19
+sVkibanaSavedObjectMeta
+p20
+(dp21
+VsearchSourceJSON
+p22
+V{"filter":[]}
+p23
+sssV_index
+p24
+V.kibana
+p25
+sa(dp26
+V_score
+p27
+F1
+sV_type
+p28
+Vvisualization
+p29
+sV_id
+p30
+VTop-Snort-Alerts-by-Source
+p31
+sV_source
+p32
+(dp33
+VvisState
+p34
+V{"title":"Top Snort Alerts by Source","type":"table","params":{"perPage":10,"showPartialRows":false,"showMeticsAtAllLevels":false},"aggs":[{"id":"1","type":"count","schema":"metric","params":{}},{"id":"2","type":"terms","schema":"bucket","params":{"field":"ip_src_addr","size":10,"order":"desc","orderBy":"1","customLabel":"Source IP"}}],"listeners":{}}
+p35
+sVdescription
+p36
+V
+sVtitle
+p37
+VTop Snort Alerts by Source
+p38
+sVuiStateJSON
+p39
+V{}
+p40
+sVversion
+p41
+I1
+sVkibanaSavedObjectMeta
+p42
+(dp43
+VsearchSourceJSON
+p44
+V{"index":"snort*","query":{"query_string":{"query":"*","analyze_wildcard":true}},"filter":[]}
+p45
+sssV_index
+p46
+V.kibana
+p47
+sa(dp48
+V_score
+p49
+F1
+sV_type
+p50
+Vvisualization
+p51
+sV_id
+p52
+VWelcome
+p53
+sV_source
+p54
+(dp55
+VvisState
+p56
+V{"title":"Welcome to Apache Metron","type":"markdown","params":{"markdown":"This dashboard enables the validation of Apache Metron and the end-to-end functioning of its default sensor suite.  The default sensor suite includes [Snort](https://www.snort.org/), [Bro](https://www.bro.org/), and [YAF](https://tools.netsa.cert.org/yaf/).  One of Apache Metron's primary goals is to simplify the onboarding of additional sources of telemetry.  In a production deployment these default sensors should be replaced with ones applicable to the target environment.\u005cn\u005cnApache Metron enables disparate sources of telemetry to all be viewed under a 'single pane of glass.'  Telemetry from each of the default sensors can be searched, aggregated, summarized, and viewed within this dashboard. This dashboard should be used as a springboard upon which to create your own customized dashboards.\u005cn\u005cnThe panels below highlight the volume and variety of events that are currently being consumed 
 by Apache Metron."},"aggs":[],"listeners":{}}
+p57
+sVdescription
+p58
+V
+sVtitle
+p59
+VWelcome to Apache Metron
+p60
+sVuiStateJSON
+p61
+V{}
+p62
+sVversion
+p63
+I1
+sVkibanaSavedObjectMeta
+p64
+(dp65
+VsearchSourceJSON
+p66
+V{"query":{"query_string":{"analyze_wildcard":true,"query":"*"}},"filter":[]}
+p67
+sssV_index
+p68
+V.kibana
+p69
+sa(dp70
+V_score
+p71
+F1
+sV_type
+p72
+Vsearch
+p73
+sV_id
+p74
+Vsnort-search
+p75
+sV_source
+p76
+(dp77
+Vsort
+p78
+(lp79
+Vtimestamp
+p80
+aVdesc
+p81
+asVhits
+p82
+I0
+sVdescription
+p83
+V
+sVtitle
+p84
+VSnort Alerts
+p85
+sVversion
+p86
+I1
+sVkibanaSavedObjectMeta
+p87
+(dp88
+VsearchSourceJSON
+p89
+V{"index":"snort*","query":{"query_string":{"analyze_wildcard":true,"query":"*"}},"filter":[],"highlight":{"pre_tags":["@kibana-highlighted-field@"],"post_tags":["@/kibana-highlighted-field@"],"fields":{"*":{}},"require_field_match":false,"fragment_size":2147483647}}
+p90
+ssVcolumns
+p91
+(lp92
+Vmsg
+p93
+aVsig_id
+p94
+aVip_src_addr
+p95
+aVip_src_port
+p96
+aVip_dst_addr
+p97
+aVip_dst_port
+p98
+assV_index
+p99
+V.kibana
+p100
+sa(dp101
+V_score
+p102
+F1
+sV_type
+p103
+Vsearch
+p104
+sV_id
+p105
+Vyaf-search
+p106
+sV_source
+p107
+(dp108
+Vsort
+p109
+(lp110
+Vtimestamp
+p111
+aVdesc
+p112
+asVhits
+p113
+I0
+sVdescription
+p114
+V
+sVtitle
+p115
+VYAF
+p116
+sVversion
+p117
+I1
+sVkibanaSavedObjectMeta
+p118
+(dp119
+VsearchSourceJSON
+p120
+V{"index":"yaf*","filter":[],"highlight":{"pre_tags":["@kibana-highlighted-field@"],"post_tags":["@/kibana-highlighted-field@"],"fields":{"*":{}},"require_field_match":false,"fragment_size":2147483647},"query":{"query_string":{"query":"*","analyze_wildcard":true}}}
+p121
+ssVcolumns
+p122
+(lp123
+Vip_src_addr
+p124
+aVip_src_port
+p125
+aVip_dst_addr
+p126
+aVip_dst_port
+p127
+aVprotocol
+p128
+aVduration
+p129
+aVpkt
+p130
+assV_index
+p131
+V.kibana
+p132
+sa(dp133
+V_score
+p134
+F1
+sV_type
+p135
+Vconfig
+p136
+sV_id
+p137
+V4.5.1
+p138
+sV_source
+p139
+(dp140
+VbuildNum
+p141
+I9892
+sVdefaultIndex
+p142
+Vbro*
+p143
+ssV_index
+p144
+V.kibana
+p145
+sa(dp146
+V_score
+p147
+F1
+sV_type
+p148
+Vindex-pattern
+p149
+sV_id
+p150
+Vbro*
+p151
+sV_source
+p152
+(dp153
+Vfields
+p154
+V[{"name":"TTLs","type":"number","count":0,"scripted":false,"indexed":true,"analyzed":false,"doc_values":true},{"name":"qclass_name","type":"string","count":0,"scripted":false,"indexed":true,"analyzed":false,"doc_values":true},{"name":"bro_timestamp","type":"string","count":0,"scripted":false,"indexed":true,"analyzed":true,"doc_values":false},{"name":"enrichments:geo:ip_dst_addr:location_point","type":"geo_point","count":0,"scripted":false,"indexed":true,"analyzed":false,"doc_values":true},{"name":"answers","type":"ip","count":0,"scripted":false,"indexed":true,"analyzed":false,"doc_values":true},{"name":"enrichmentjoinbolt:joiner:ts","type":"date","count":0,"scripted":false,"indexed":true,"analyzed":false,"doc_values":true},{"name":"adapter:geoadapter:begin:ts","type":"date","count":1,"scripted":false,"indexed":true,"analyzed":false,"doc_values":true},{"name":"resp_mime_types","type":"string","count":0,"scripted":false,"indexed":true,"analyzed":true,"doc_values":false},{"name":"prot
 ocol","type":"string","count":0,"scripted":false,"indexed":true,"analyzed":false,"doc_values":true},{"name":"original_string","type":"string","count":0,"scripted":false,"indexed":true,"analyzed":true,"doc_values":false},{"name":"adapter:threatinteladapter:end:ts","type":"date","count":0,"scripted":false,"indexed":true,"analyzed":false,"doc_values":true},{"name":"host","type":"string","count":0,"scripted":false,"indexed":true,"analyzed":false,"doc_values":true},{"name":"adapter:geoadapter:end:ts","type":"date","count":1,"scripted":false,"indexed":true,"analyzed":false,"doc_values":true},{"name":"AA","type":"boolean","count":0,"scripted":false,"indexed":true,"analyzed":false,"doc_values":true},{"name":"method","type":"string","count":0,"scripted":false,"indexed":true,"analyzed":false,"doc_values":true},{"name":"enrichmentsplitterbolt:splitter:end:ts","type":"date","count":0,"scripted":false,"indexed":true,"analyzed":false,"doc_values":true},{"name":"query","type":"string","count":0,"s
 cripted":false,"indexed":true,"analyzed":false,"doc_values":true},{"name":"enrichments:geo:ip_dst_addr:city","type":"string","count":0,"scripted":false,"indexed":true,"analyzed":false,"doc_values":true},{"name":"rcode","type":"number","count":0,"scripted":false,"indexed":true,"analyzed":false,"doc_values":true},{"name":"adapter:hostfromjsonlistadapter:begin:ts","type":"date","count":0,"scripted":false,"indexed":true,"analyzed":false,"doc_values":true},{"name":"orig_mime_types","type":"string","count":0,"scripted":false,"indexed":true,"analyzed":true,"doc_values":false},{"name":"RA","type":"boolean","count":0,"scripted":false,"indexed":true,"analyzed":false,"doc_values":true},{"name":"RD","type":"boolean","count":0,"scripted":false,"indexed":true,"analyzed":false,"doc_values":true},{"name":"orig_fuids","type":"string","count":0,"scripted":false,"indexed":true,"analyzed":true,"doc_values":false},{"name":"proto","type":"string","count":0,"scripted":false,"indexed":true,"analyzed":false
 ,"doc_values":true},{"name":"adapter:threatinteladapter:begin:ts","type":"date","count":0,"scripted":false,"indexed":true,"analyzed":false,"doc_values":true},{"name":"_source","type":"_source","count":0,"scripted":false,"indexed":false,"analyzed":false,"doc_values":false},{"name":"enrichments:geo:ip_dst_addr:country","type":"string","count":0,"scripted":false,"indexed":true,"analyzed":false,"doc_values":true},{"name":"response_body_len","type":"number","count":0,"scripted":false,"indexed":true,"analyzed":false,"doc_values":true},{"name":"enrichments:geo:ip_dst_addr:locID","type":"string","count":0,"scripted":false,"indexed":true,"analyzed":false,"doc_values":true},{"name":"qtype_name","type":"string","count":0,"scripted":false,"indexed":true,"analyzed":false,"doc_values":true},{"name":"status_code","type":"number","count":0,"scripted":false,"indexed":true,"analyzed":false,"doc_values":true},{"name":"_index","type":"string","count":0,"scripted":false,"indexed":false,"analyzed":false,
 "doc_values":false},{"name":"ip_dst_port","type":"number","count":0,"scripted":false,"indexed":true,"analyzed":false,"doc_values":true},{"name":"enrichments:geo:ip_dst_addr:dmaCode","type":"string","count":0,"scripted":false,"indexed":true,"analyzed":false,"doc_values":true},{"name":"threatinteljoinbolt:joiner:ts","type":"date","count":0,"scripted":false,"indexed":true,"analyzed":false,"doc_values":true},{"name":"rejected","type":"boolean","count":0,"scripted":false,"indexed":true,"analyzed":false,"doc_values":true},{"name":"qtype","type":"number","count":0,"scripted":false,"indexed":true,"analyzed":false,"doc_values":true},{"name":"enrichmentsplitterbolt:splitter:begin:ts","type":"date","count":0,"scripted":false,"indexed":true,"analyzed":false,"doc_values":true},{"name":"trans_id","type":"number","count":0,"scripted":false,"indexed":true,"analyzed":false,"doc_values":true},{"name":"enrichments:geo:ip_dst_addr:latitude","type":"number","count":0,"scripted":false,"indexed":true,"ana
 lyzed":false,"doc_values":true},{"name":"uid","type":"string","count":0,"scripted":false,"indexed":true,"analyzed":false,"doc_values":true},{"name":"source:type","type":"string","count":0,"scripted":false,"indexed":true,"analyzed":false,"doc_values":true},{"name":"trans_depth","type":"number","count":0,"scripted":false,"indexed":true,"analyzed":false,"doc_values":true},{"name":"ip_dst_addr","type":"ip","count":0,"scripted":false,"indexed":true,"analyzed":false,"doc_values":true},{"name":"adapter:hostfromjsonlistadapter:end:ts","type":"date","count":0,"scripted":false,"indexed":true,"analyzed":false,"doc_values":true},{"name":"Z","type":"number","count":0,"scripted":false,"indexed":true,"analyzed":false,"doc_values":true},{"name":"ip_src_addr","type":"ip","count":0,"scripted":false,"indexed":true,"analyzed":false,"doc_values":true},{"name":"threatintelsplitterbolt:splitter:end:ts","type":"date","count":0,"scripted":false,"indexed":true,"analyzed":false,"doc_values":true},{"name":"enr
 ichments:geo:ip_dst_addr:longitude","type":"number","count":0,"scripted":false,"indexed":true,"analyzed":false,"doc_values":true},{"name":"user_agent","type":"string","count":0,"scripted":false,"indexed":true,"analyzed":true,"doc_values":false},{"name":"qclass","type":"number","count":0,"scripted":false,"indexed":true,"analyzed":false,"doc_values":true},{"name":"timestamp","type":"date","count":0,"scripted":false,"indexed":true,"analyzed":false,"doc_values":true},{"name":"resp_fuids","type":"string","count":0,"scripted":false,"indexed":true,"analyzed":true,"doc_values":false},{"name":"request_body_len","type":"number","count":0,"scripted":false,"indexed":true,"analyzed":false,"doc_values":true},{"name":"enrichments:geo:ip_dst_addr:postalCode","type":"string","count":0,"scripted":false,"indexed":true,"analyzed":false,"doc_values":true},{"name":"uri","type":"string","count":0,"scripted":false,"indexed":true,"analyzed":false,"doc_values":true},{"name":"rcode_name","type":"string","coun
 t":0,"scripted":false,"indexed":true,"analyzed":false,"doc_values":true},{"name":"TC","type":"boolean","count":0,"scripted":false,"indexed":true,"analyzed":false,"doc_values":true},{"name":"referrer","type":"string","count":0,"scripted":false,"indexed":true,"analyzed":false,"doc_values":true},{"name":"ip_src_port","type":"number","count":0,"scripted":false,"indexed":true,"analyzed":false,"doc_values":true},{"name":"status_msg","type":"string","count":0,"scripted":false,"indexed":true,"analyzed":false,"doc_values":true},{"name":"threatintelsplitterbolt:splitter:begin:ts","type":"date","count":0,"scripted":false,"indexed":true,"analyzed":false,"doc_values":true},{"name":"_id","type":"string","count":0,"scripted":false,"indexed":false,"analyzed":false,"doc_values":false},{"name":"_type","type":"string","count":1,"scripted":false,"indexed":false,"analyzed":false,"doc_values":false},{"name":"_score","type":"number","count":2,"scripted":false,"indexed":false,"analyzed":false,"doc_values":
 false}]
+p155
+sVtimeFieldName
+p156
+Vtimestamp
+p157
+sVtitle
+p158
+Vbro*
+p159
+ssV_index
+p160
+V.kibana
+p161
+sa(dp162
+V_score
+p163
+F1
+sV_type
+p164
+Vvisualization
+p165
+sV_id
+p166
+VFlow-Duration
+p167
+sV_source
+p168
+(dp169
+VvisState
+p170
+V{"title":"Flow Duration","type":"area","params":{"shareYAxis":true,"addTooltip":true,"addLegend":true,"smoothLines":false,"scale":"linear","interpolate":"linear","mode":"stacked","times":[],"addTimeMarker":false,"defaultYExtents":false,"setYExtents":false,"yAxis":{}},"aggs":[{"id":"1","type":"count","schema":"metric","params":{}},{"id":"2","type":"histogram","schema":"segment","params":{"field":"duration","interval":10,"extended_bounds":{},"customLabel":"Flow Duration (seconds)"}}],"listeners":{}}
+p171
+sVdescription
+p172
+V
+sVtitle
+p173
+VFlow Duration
+p174
+sVuiStateJSON
+p175
+V{"vis":{"legendOpen":false}}
+p176
+sVversion
+p177
+I1
+sVkibanaSavedObjectMeta
+p178
+(dp179
+VsearchSourceJSON
+p180
+V{"index":"yaf*","query":{"query_string":{"query":"*","analyze_wildcard":true}},"filter":[]}
+p181
+sssV_index
+p182
+V.kibana
+p183
+sa(dp184
+V_score
+p185
+F1
+sV_type
+p186
+Vvisualization
+p187
+sV_id
+p188
+VEvents
+p189
+sV_source
+p190
+(dp191
+VvisState
+p192
+V{"title":"Events","type":"histogram","params":{"shareYAxis":true,"addTooltip":true,"addLegend":true,"scale":"linear","mode":"stacked","times":[],"addTimeMarker":false,"defaultYExtents":false,"setYExtents":false,"yAxis":{}},"aggs":[{"id":"1","type":"count","schema":"metric","params":{}},{"id":"2","type":"date_histogram","schema":"segment","params":{"field":"timestamp","interval":"auto","customInterval":"2h","min_doc_count":1,"extended_bounds":{}}},{"id":"3","type":"terms","schema":"group","params":{"field":"source:type","size":5,"order":"desc","orderBy":"1"}}],"listeners":{}}
+p193
+sVdescription
+p194
+V
+sVtitle
+p195
+VEvents
+p196
+sVuiStateJSON
+p197
+V{"vis":{"legendOpen":false}}
+p198
+sVversion
+p199
+I1
+sVkibanaSavedObjectMeta
+p200
+(dp201
+VsearchSourceJSON
+p202
+V{"index":["yaf*", "bro*", "snort*"],"query":{"query_string":{"query":"*","analyze_wildcard":true}},"filter":[]}
+p203
+sssV_index
+p204
+V.kibana
+p205
+sa(dp206
+V_score
+p207
+F1
+sV_type
+p208
+Vvisualization
+p209
+sV_id
+p210
+VWeb-Request-Header
+p211
+sV_source
+p212
+(dp213
+VvisState
+p214
+V{"title":"Web Request Header","type":"markdown","params":{"markdown":"The [Bro Network Security Monitor](https://www.bro.org/) is extracting application-level information from raw network packets.  In this example, Bro is extracting HTTP(S) requests being made over the network. "},"aggs":[],"listeners":{}}
+p215
+sVdescription
+p216
+V
+sVtitle
+p217
+VWeb Request Header
+p218
+sVuiStateJSON
+p219
+V{}
+p220
+sVversion
+p221
+I1
+sVkibanaSavedObjectMeta
+p222
+(dp223
+VsearchSourceJSON
+p224
+V{"query":{"query_string":{"query":"*","analyze_wildcard":true}},"filter":[]}
+p225
+sssV_index
+p226
+V.kibana
+p227
+sa(dp228
+V_score
+p229
+F1
+sV_type
+p230
+Vvisualization
+p231
+sV_id
+p232
+VTop-Alerts-By-Host
+p233
+sV_source
+p234
+(dp235
+VvisState
+p236
+V{"title":"New Visualization","type":"table","params":{"perPage":10,"showPartialRows":false,"showMeticsAtAllLevels":false},"aggs":[{"id":"1","type":"count","schema":"metric","params":{}},{"id":"2","type":"terms","schema":"bucket","params":{"field":"ip_src_addr","size":5,"order":"desc","orderBy":"1","customLabel":"Source"}},{"id":"3","type":"terms","schema":"bucket","params":{"field":"ip_dst_addr","size":5,"order":"desc","orderBy":"1","customLabel":"Destination"}}],"listeners":{}}
+p237
+sVdescription
+p238
+V
+sVtitle
+p239
+VTop Alerts By Host
+p240
+sVuiStateJSON
+p241
+V{}
+p242
+sVversion
+p243
+I1
+sVsavedSearchId
+p244
+Vsnort-search
+p245
+sVkibanaSavedObjectMeta
+p246
+(dp247
+VsearchSourceJSON
+p248
+V{"filter":[]}
+p249
+sssV_index
+p250
+V.kibana
+p251
+sa(dp252
+V_score
+p253
+F1
+sV_type
+p254
+Vvisualization
+p255
+sV_id
+p256
+VYAF-Flow(s)
+p257
+sV_source
+p258
+(dp259
+VvisState
+p260
+V{"title":"YAF Flows","type":"metric","params":{"handleNoResults":true,"fontSize":60},"aggs":[{"id":"1","type":"count","schema":"metric","params":{}}],"listeners":{}}
+p261
+sVdescription
+p262
+V
+sVtitle
+p263
+VYAF Flows
+p264
+sVuiStateJSON
+p265
+V{}
+p266
+sVversion
+p267
+I1
+sVkibanaSavedObjectMeta
+p268
+(dp269
+VsearchSourceJSON
+p270
+V{"index":"yaf*","query":{"query_string":{"query":"*","analyze_wildcard":true}},"filter":[]}
+p271
+sssV_index
+p272
+V.kibana
+p273
+sa(dp274
+V_score
+p275
+F1
+sV_type
+p276
+Vvisualization
+p277
+sV_id
+p278
+VTop-DNS-Query
+p279
+sV_source
+p280
+(dp281
+VvisState
+p282
+V{"title":"Top DNS Query","type":"table","params":{"perPage":10,"showPartialRows":false,"showMeticsAtAllLevels":false},"aggs":[{"id":"1","type":"count","schema":"metric","params":{}},{"id":"2","type":"terms","schema":"bucket","params":{"field":"query","size":10,"order":"desc","orderBy":"1"}}],"listeners":{}}
+p283
+sVdescription
+p284
+V
+sVtitle
+p285
+VTop DNS Query
+p286
+sVuiStateJSON
+p287
+V{}
+p288
+sVversion
+p289
+I1
+sVkibanaSavedObjectMeta
+p290
+(dp291
+VsearchSourceJSON
+p292
+V{"index":"bro*","query":{"query_string":{"query":"*","analyze_wildcard":true}},"filter":[]}
+p293
+sssV_index
+p294
+V.kibana
+p295
+sa(dp296
+V_score
+p297
+F1
+sV_type
+p298
+Vvisualization
+p299
+sV_id
+p300
+VTotal-Events
+p301
+sV_source
+p302
+(dp303
+VvisState
+p304
+V{"title":"Event Count","type":"metric","params":{"handleNoResults":true,"fontSize":60},"aggs":[{"id":"1","type":"count","schema":"metric","params":{"customLabel":"Events"}}],"listeners":{}}
+p305
+sVdescription
+p306
+V
+sVtitle
+p307
+VEvent Count
+p308
+sVuiStateJSON
+p309
+V{}
+p310
+sVversion
+p311
+I1
+sVkibanaSavedObjectMeta
+p312
+(dp313
+VsearchSourceJSON
+p314
+V{"index":["yaf*", "bro*", "snort*"],"query":{"query_string":{"query":"*","analyze_wildcard":true}},"filter":[]}
+p315
+sssV_index
+p316
+V.kibana
+p317
+sa(dp318
+V_score
+p319
+F1
+sV_type
+p320
+Vvisualization
+p321
+sV_id
+p322
+VEvent-Types
+p323
+sV_source
+p324
+(dp325
+VvisState
+p326
+V{"title":"Event Sources","type":"pie","params":{"shareYAxis":true,"addTooltip":true,"addLegend":true,"isDonut":false},"aggs":[{"id":"1","type":"count","schema":"metric","params":{}},{"id":"2","type":"terms","schema":"segment","params":{"field":"source:type","size":10,"order":"desc","orderBy":"1"}}],"listeners":{}}
+p327
+sVdescription
+p328
+V
+sVtitle
+p329
+VEvent Sources
+p330
+sVuiStateJSON
+p331
+V{}
+p332
+sVversion
+p333
+I1
+sVkibanaSavedObjectMeta
+p334
+(dp335
+VsearchSourceJSON
+p336
+V{"index":["yaf*", "bro*", "snort*"],"query":{"query_string":{"query":"*","analyze_wildcard":true}},"filter":[]}
+p337
+sssV_index
+p338
+V.kibana
+p339
+sa(dp340
+V_score
+p341
+F1
+sV_type
+p342
+Vvisualization
+p343
+sV_id
+p344
+VUnique-Location(s)
+p345
+sV_source
+p346
+(dp347
+VvisState
+p348
+V{"title":"Geo-IP Locations","type":"metric","params":{"handleNoResults":true,"fontSize":60},"aggs":[{"id":"1","type":"cardinality","schema":"metric","params":{"field":"enrichments:geo:ip_src_addr:locID","customLabel":"Unique Location(s)"}}],"listeners":{}}
+p349
+sVdescription
+p350
+V
+sVtitle
+p351
+VGeo-IP Locations
+p352
+sVuiStateJSON
+p353
+V{}
+p354
+sVversion
+p355
+I1
+sVkibanaSavedObjectMeta
+p356
+(dp357
+VsearchSourceJSON
+p358
+V{"index":["yaf*", "bro*", "snort*"],"query":{"query_string":{"query":"*","analyze_wildcard":true}},"filter":[]}
+p359
+sssV_index
+p360
+V.kibana
+p361
+sa(dp362
+V_score
+p363
+F1
+sV_type
+p364
+Vvisualization
+p365
+sV_id
+p366
+VSnort-Header
+p367
+sV_source
+p368
+(dp369
+VvisState
+p370
+V{"title":"Snort","type":"markdown","params":{"markdown":"[Snort](https://www.snort.org/) is a Network Intrusion Detection System (NIDS) that is being used to generate alerts identifying known bad events.  Snort relies on a fixed set of rules that act as signatures for identifying abnormal events."},"aggs":[],"listeners":{}}
+p371
+sVdescription
+p372
+V
+sVtitle
+p373
+VSnort
+p374
+sVuiStateJSON
+p375
+V{}
+p376
+sVversion
+p377
+I1
+sVkibanaSavedObjectMeta
+p378
+(dp379
+VsearchSourceJSON
+p380
+V{"query":{"query_string":{"query":"*","analyze_wildcard":true}},"filter":[]}
+p381
+sssV_index
+p382
+V.kibana
+p383
+sa(dp384
+V_score
+p385
+F1
+sV_type
+p386
+Vdashboard
+p387
+sV_id
+p388
+VMetron-Dashboard
+p389
+sV_source
+p390
+(dp391
+Vhits
+p392
+I0
+sVtimeRestore
+p393
+I00
+sVdescription
+p394
+V
+sVtitle
+p395
+VMetron Dashboard
+p396
+sVuiStateJSON
+p397
+V{"P-23":{"spy":{"mode":{"name":null,"fill":false}}},"P-34":{"vis":{"legendOpen":false}}}
+p398
+sVpanelsJSON
+p399
+V[{"col":1,"id":"Welcome","panelIndex":30,"row":1,"size_x":11,"size_y":2,"type":"visualization"},{"col":1,"id":"Total-Events","panelIndex":6,"row":3,"size_x":3,"size_y":2,"type":"visualization"},{"col":4,"id":"Events","panelIndex":16,"row":3,"size_x":8,"size_y":4,"type":"visualization"},{"col":1,"id":"Event-Types","panelIndex":15,"row":5,"size_x":3,"size_y":2,"type":"visualization"},{"col":1,"id":"Location-Header","panelIndex":24,"row":7,"size_x":3,"size_y":2,"type":"visualization"},{"col":1,"id":"Unique-Location(s)","panelIndex":23,"row":9,"size_x":3,"size_y":2,"type":"visualization"},{"col":4,"id":"Flow-Locations","panelIndex":32,"row":7,"size_x":8,"size_y":6,"type":"visualization"},{"col":1,"id":"Country","panelIndex":8,"row":11,"size_x":3,"size_y":2,"type":"visualization"},{"col":1,"id":"YAF-Flows-Header","panelIndex":27,"row":13,"size_x":3,"size_y":2,"type":"visualization"},{"col":1,"id":"YAF-Flow(s)","panelIndex":21,"row":15,"size_x":3,"size_y":2,"type":"visualization"},{"col"
 :4,"columns":["ip_src_addr","ip_src_port","ip_dst_addr","ip_dst_port","protocol","duration","pkt"],"id":"yaf-search","panelIndex":20,"row":13,"size_x":8,"size_y":6,"sort":["duration","desc"],"type":"search"},{"col":1,"id":"Flow-Duration","panelIndex":31,"row":17,"size_x":3,"size_y":2,"type":"visualization"},{"col":1,"id":"Snort-Header","panelIndex":25,"row":19,"size_x":3,"size_y":2,"type":"visualization"},{"col":4,"columns":["msg","sig_id","ip_src_addr","ip_src_port","ip_dst_addr","ip_dst_port"],"id":"snort-search","panelIndex":3,"row":19,"size_x":8,"size_y":6,"sort":["timestamp","desc"],"type":"search"},{"col":1,"id":"Snort-Alert-Types","panelIndex":10,"row":21,"size_x":3,"size_y":2,"type":"visualization"},{"col":1,"id":"Top-Alerts-By-Host","panelIndex":19,"row":23,"size_x":3,"size_y":2,"type":"visualization"},{"col":1,"id":"Web-Request-Header","panelIndex":26,"row":25,"size_x":3,"size_y":2,"type":"visualization"},{"col":4,"columns":["method","host","uri","referrer","user_agent","i
 p_src_addr","ip_dst_addr"],"id":"web-search","panelIndex":4,"row":25,"size_x":8,"size_y":6,"sort":["timestamp","desc"],"type":"search"},{"col":1,"id":"HTTP(S)-Requests","panelIndex":17,"row":27,"size_x":3,"size_y":2,"type":"visualization"},{"col":1,"id":"DNS-Requests-Header","panelIndex":29,"row":31,"size_x":3,"size_y":2,"type":"visualization"},{"col":4,"columns":["query","qtype_name","answers","ip_src_addr","ip_dst_addr"],"id":"dns-search","panelIndex":5,"row":31,"size_x":8,"size_y":6,"sort":["timestamp","desc"],"type":"search"},{"col":1,"id":"DNS-Request(s)","panelIndex":14,"row":33,"size_x":3,"size_y":2,"type":"visualization"},{"col":1,"id":"Web-Request-Type","panelIndex":33,"row":29,"size_x":3,"size_y":2,"type":"visualization"}]
+p400
+sVoptionsJSON
+p401
+V{"darkTheme":false}
+p402
+sVversion
+p403
+I1
+sVkibanaSavedObjectMeta
+p404
+(dp405
+VsearchSourceJSON
+p406
+V{"filter":[{"query":{"query_string":{"analyze_wildcard":true,"query":"*"}}}]}
+p407
+sssV_index
+p408
+V.kibana
+p409
+sa(dp410
+V_score
+p411
+F1
+sV_type
+p412
+Vvisualization
+p413
+sV_id
+p414
+VSnort-Alert-Types
+p415
+sV_source
+p416
+(dp417
+VvisState
+p418
+V{"title":"Snort Alert Types","type":"metric","params":{"handleNoResults":true,"fontSize":60},"aggs":[{"id":"1","type":"cardinality","schema":"metric","params":{"field":"sig_id","customLabel":"Alert Type(s)"}}],"listeners":{}}
+p419
+sVdescription
+p420
+V
+sVtitle
+p421
+VSnort Alert Types
+p422
+sVuiStateJSON
+p423
+V{}
+p424
+sVversion
+p425
+I1
+sVkibanaSavedObjectMeta
+p426
+(dp427
+VsearchSourceJSON
+p428
+V{"index":"snort*","query":{"query_string":{"query":"*","analyze_wildcard":true}},"filter":[]}
+p429
+sssV_index
+p430
+V.kibana
+p431
+sa(dp432
+V_score
+p433
+F1
+sV_type
+p434
+Vvisualization
+p435
+sV_id
+p436
+VFrequent-DNS-Queries
+p437
+sV_source
+p438
+(dp439
+VvisState
+p440
+V{"title":"Frequent DNS Requests","type":"table","params":{"perPage":10,"showPartialRows":false,"showMeticsAtAllLevels":false},"aggs":[{"id":"1","type":"count","schema":"metric","params":{}},{"id":"2","type":"terms","schema":"bucket","params":{"field":"query","size":5,"order":"desc","orderBy":"1"}}],"listeners":{}}
+p441
+sVdescription
+p442
+V
+sVtitle
+p443
+VFrequent DNS Requests
+p444
+sVuiStateJSON
+p445
+V{}
+p446
+sVversion
+p447
+I1
+sVkibanaSavedObjectMeta
+p448
+(dp449
+VsearchSourceJSON
+p450
+V{"index":"bro*","query":{"query_string":{"query":"*","analyze_wildcard":true}},"filter":[]}
+p451
+sssV_index
+p452
+V.kibana
+p453
+sa(dp454
+V_score
+p455
+F1
+sV_type
+p456
+Vvisualization
+p457
+sV_id
+p458
+VLocation-Header
+p459
+sV_source
+p460
+(dp461
+VvisState
+p462
+V{"title":"Enrichment","type":"markdown","params":{"markdown":"Apache Metron can perform real-time enrichment of telemetry data as it is consumed. To highlight this feature, all of the IP address fields collected from the default sensor suite were used to perform geo-ip lookups.  This data was then used to pinpoint each location on the map."},"aggs":[],"listeners":{}}
+p463
+sVdescription
+p464
+V
+sVtitle
+p465
+VEnrichment
+p466
+sVuiStateJSON
+p467
+V{}
+p468
+sVversion
+p469
+I1
+sVkibanaSavedObjectMeta
+p470
+(dp471
+VsearchSourceJSON
+p472
+V{"query":{"query_string":{"query":"*","analyze_wildcard":true}},"filter":[]}
+p473
+sssV_index
+p474
+V.kibana
+p475
+sa(dp476
+V_score
+p477
+F1
+sV_type
+p478
+Vsearch
+p479
+sV_id
+p480
+Vweb-search
+p481
+sV_source
+p482
+(dp483
+Vsort
+p484
+(lp485
+Vtimestamp
+p486
+aVdesc
+p487
+asVhits
+p488
+I0
+sVdescription
+p489
+V
+sVtitle
+p490
+VWeb Requests
+p491
+sVversion
+p492
+I1
+sVkibanaSavedObjectMeta
+p493
+(dp494
+VsearchSourceJSON
+p495
+V{"index":"bro*","query":{"query_string":{"query":"protocol: http OR protocol: https","analyze_wildcard":true}},"filter":[],"highlight":{"pre_tags":["@kibana-highlighted-field@"],"post_tags":["@/kibana-highlighted-field@"],"fields":{"*":{}},"require_field_match":false,"fragment_size":2147483647}}
+p496
+ssVcolumns
+p497
+(lp498
+Vmethod
+p499
+aVhost
+p500
+aVuri
+p501
+aVreferrer
+p502
+aVip_src_addr
+p503
+aVip_dst_addr
+p504
+assV_index
+p505
+V.kibana
+p506
+sa(dp507
+V_score
+p508
+F1
+sV_type
+p509
+Vindex-pattern
+p510
+sV_id
+p511
+Vsnort*
+p512
+sV_source
+p513
+(dp514
+Vfields
+p515
+V[{"name":"msg","type":"string","count":0,"scripted":false,"indexed":true,"analyzed":true,"doc_values":false},{"name":"enrichments:geo:ip_dst_addr:location_point","type":"geo_point","count":0,"scripted":false,"indexed":true,"analyzed":false,"doc_values":true},{"name":"dgmlen","type":"number","count":0,"scripted":false,"indexed":true,"analyzed":false,"doc_values":true},{"name":"enrichments:geo:ip_src_addr:longitude","type":"number","count":0,"scripted":false,"indexed":true,"analyzed":false,"doc_values":true},{"name":"enrichmentjoinbolt:joiner:ts","type":"date","count":0,"scripted":false,"indexed":true,"analyzed":false,"doc_values":true},{"name":"enrichments:geo:ip_src_addr:dmaCode","type":"string","count":0,"scripted":false,"indexed":true,"analyzed":false,"doc_values":true},{"name":"adapter:geoadapter:begin:ts","type":"date","count":0,"scripted":false,"indexed":true,"analyzed":false,"doc_values":true},{"name":"tcpack","type":"string","count":0,"scripted":false,"indexed":true,"analyze
 d":true,"doc_values":false},{"name":"protocol","type":"string","count":0,"scripted":false,"indexed":true,"analyzed":false,"doc_values":true},{"name":"adapter:threatinteladapter:end:ts","type":"date","count":0,"scripted":false,"indexed":true,"analyzed":false,"doc_values":true},{"name":"enrichments:geo:ip_src_addr:locID","type":"string","count":0,"scripted":false,"indexed":true,"analyzed":false,"doc_values":true},{"name":"original_string","type":"string","count":0,"scripted":false,"indexed":true,"analyzed":true,"doc_values":false},{"name":"adapter:geoadapter:end:ts","type":"date","count":0,"scripted":false,"indexed":true,"analyzed":false,"doc_values":true},{"name":"id","type":"number","count":0,"scripted":false,"indexed":true,"analyzed":false,"doc_values":true},{"name":"enrichments:geo:ip_src_addr:location_point","type":"geo_point","count":0,"scripted":false,"indexed":true,"analyzed":false,"doc_values":true},{"name":"enrichmentsplitterbolt:splitter:end:ts","type":"date","count":0,"scr
 ipted":false,"indexed":true,"analyzed":false,"doc_values":true},{"name":"enrichments:geo:ip_dst_addr:city","type":"string","count":0,"scripted":false,"indexed":true,"analyzed":false,"doc_values":true},{"name":"adapter:hostfromjsonlistadapter:begin:ts","type":"date","count":0,"scripted":false,"indexed":true,"analyzed":false,"doc_values":true},{"name":"enrichments:geo:ip_src_addr:postalCode","type":"string","count":0,"scripted":false,"indexed":true,"analyzed":false,"doc_values":true},{"name":"ethlen","type":"string","count":0,"scripted":false,"indexed":true,"analyzed":false,"doc_values":true},{"name":"threat:triage:level","type":"number","count":0,"scripted":false,"indexed":true,"analyzed":false,"doc_values":true},{"name":"tcpflags","type":"string","count":0,"scripted":false,"indexed":true,"analyzed":true,"doc_values":false},{"name":"adapter:threatinteladapter:begin:ts","type":"date","count":0,"scripted":false,"indexed":true,"analyzed":false,"doc_values":true},{"name":"_source","type"
 :"_source","count":0,"scripted":false,"indexed":false,"analyzed":false,"doc_values":false},{"name":"enrichments:geo:ip_dst_addr:country","type":"string","count":0,"scripted":false,"indexed":true,"analyzed":false,"doc_values":true},{"name":"enrichments:geo:ip_dst_addr:locID","type":"string","count":0,"scripted":false,"indexed":true,"analyzed":false,"doc_values":true},{"name":"_index","type":"string","count":0,"scripted":false,"indexed":false,"analyzed":false,"doc_values":false},{"name":"ip_dst_port","type":"number","count":0,"scripted":false,"indexed":true,"analyzed":false,"doc_values":true},{"name":"threatinteljoinbolt:joiner:ts","type":"date","count":0,"scripted":false,"indexed":true,"analyzed":false,"doc_values":true},{"name":"enrichments:geo:ip_dst_addr:dmaCode","type":"string","count":0,"scripted":false,"indexed":true,"analyzed":false,"doc_values":true},{"name":"sig_rev","type":"string","count":0,"scripted":false,"indexed":true,"analyzed":true,"doc_values":false},{"name":"ethsrc
 ","type":"string","count":0,"scripted":false,"indexed":true,"analyzed":false,"doc_values":true},{"name":"tcpseq","type":"string","count":0,"scripted":false,"indexed":true,"analyzed":true,"doc_values":false},{"name":"enrichmentsplitterbolt:splitter:begin:ts","type":"date","count":0,"scripted":false,"indexed":true,"analyzed":false,"doc_values":true},{"name":"tcpwindow","type":"string","count":0,"scripted":false,"indexed":true,"analyzed":true,"doc_values":false},{"name":"enrichments:geo:ip_dst_addr:latitude","type":"number","count":0,"scripted":false,"indexed":true,"analyzed":false,"doc_values":true},{"name":"source:type","type":"string","count":0,"scripted":false,"indexed":true,"analyzed":false,"doc_values":true},{"name":"ip_dst_addr","type":"ip","count":0,"scripted":false,"indexed":true,"analyzed":false,"doc_values":true},{"name":"adapter:hostfromjsonlistadapter:end:ts","type":"date","count":0,"scripted":false,"indexed":true,"analyzed":false,"doc_values":true},{"name":"tos","type":"n
 umber","count":0,"scripted":false,"indexed":true,"analyzed":false,"doc_values":true},{"name":"ip_src_addr","type":"ip","count":0,"scripted":false,"indexed":true,"analyzed":false,"doc_values":true},{"name":"threatintelsplitterbolt:splitter:end:ts","type":"date","count":0,"scripted":false,"indexed":true,"analyzed":false,"doc_values":true},{"name":"enrichments:geo:ip_src_addr:latitude","type":"number","count":0,"scripted":false,"indexed":true,"analyzed":false,"doc_values":true},{"name":"enrichments:geo:ip_dst_addr:longitude","type":"number","count":0,"scripted":false,"indexed":true,"analyzed":false,"doc_values":true},{"name":"timestamp","type":"date","count":0,"scripted":false,"indexed":true,"analyzed":false,"doc_values":true},{"name":"ethdst","type":"string","count":0,"scripted":false,"indexed":true,"analyzed":false,"doc_values":true},{"name":"enrichments:geo:ip_dst_addr:postalCode","type":"string","count":0,"scripted":false,"indexed":true,"analyzed":false,"doc_values":true},{"name":"
 is_alert","type":"boolean","count":0,"scripted":false,"indexed":true,"analyzed":false,"doc_values":true},{"name":"enrichments:geo:ip_src_addr:country","type":"string","count":0,"scripted":false,"indexed":true,"analyzed":false,"doc_values":true},{"name":"ttl","type":"number","count":0,"scripted":false,"indexed":true,"analyzed":false,"doc_values":true},{"name":"iplen","type":"number","count":0,"scripted":false,"indexed":true,"analyzed":false,"doc_values":true},{"name":"ip_src_port","type":"number","count":0,"scripted":false,"indexed":true,"analyzed":false,"doc_values":true},{"name":"threatintelsplitterbolt:splitter:begin:ts","type":"date","count":0,"scripted":false,"indexed":true,"analyzed":false,"doc_values":true},{"name":"sig_id","type":"number","count":0,"scripted":false,"indexed":true,"analyzed":false,"doc_values":true},{"name":"sig_generator","type":"string","count":0,"scripted":false,"indexed":true,"analyzed":false,"doc_values":true},{"name":"enrichments:geo:ip_src_addr:city","t
 ype":"string","count":0,"scripted":false,"indexed":true,"analyzed":false,"doc_values":true},{"name":"_id","type":"string","count":0,"scripted":false,"indexed":false,"analyzed":false,"doc_values":false},{"name":"_type","type":"string","count":0,"scripted":false,"indexed":false,"analyzed":false,"doc_values":false},{"name":"_score","type":"number","count":0,"scripted":false,"indexed":false,"analyzed":false,"doc_values":false}]
+p516
+sVtimeFieldName
+p517
+Vtimestamp
+p518
+sVtitle
+p519
+Vsnort*
+p520
+ssV_index
+p521
+V.kibana
+p522
+sa(dp523
+V_score
+p524
+F1
+sV_type
+p525
+Vindex-pattern
+p526
+sV_id
+p527
+Vyaf*
+p528
+sV_source
+p529
+(dp530
+Vfields
+p531
+V[{"name":"enrichments:geo:ip_dst_addr:location_point","type":"geo_point","count":0,"scripted":false,"indexed":true,"analyzed":false,"doc_values":true},{"name":"isn","type":"string","count":0,"scripted":false,"indexed":true,"analyzed":false,"doc_values":true},{"name":"enrichmentjoinbolt:joiner:ts","type":"date","count":0,"scripted":false,"indexed":true,"analyzed":false,"doc_values":true},{"name":"dip","type":"string","count":0,"scripted":false,"indexed":true,"analyzed":false,"doc_values":true},{"name":"adapter:geoadapter:begin:ts","type":"date","count":0,"scripted":false,"indexed":true,"analyzed":false,"doc_values":true},{"name":"dp","type":"string","count":0,"scripted":false,"indexed":true,"analyzed":false,"doc_values":true},{"name":"protocol","type":"string","count":0,"scripted":false,"indexed":true,"analyzed":true,"doc_values":false},{"name":"rpkt","type":"number","count":0,"scripted":false,"indexed":true,"analyzed":false,"doc_values":true},{"name":"original_string","type":"strin
 g","count":0,"scripted":false,"indexed":true,"analyzed":true,"doc_values":false},{"name":"adapter:threatinteladapter:end:ts","type":"date","count":0,"scripted":false,"indexed":true,"analyzed":false,"doc_values":true},{"name":"adapter:geoadapter:end:ts","type":"date","count":0,"scripted":false,"indexed":true,"analyzed":false,"doc_values":true},{"name":"tag","type":"string","count":0,"scripted":false,"indexed":true,"analyzed":false,"doc_values":true},{"name":"app","type":"string","count":0,"scripted":false,"indexed":true,"analyzed":false,"doc_values":true},{"name":"oct","type":"number","count":0,"scripted":false,"indexed":true,"analyzed":false,"doc_values":true},{"name":"end_reason","type":"string","count":0,"scripted":false,"indexed":true,"analyzed":true,"doc_values":false},{"name":"enrichmentsplitterbolt:splitter:end:ts","type":"date","count":0,"scripted":false,"indexed":true,"analyzed":false,"doc_values":true},{"name":"enrichments:geo:ip_dst_addr:city","type":"string","count":0,"sc
 ripted":false,"indexed":true,"analyzed":false,"doc_values":true},{"name":"adapter:hostfromjsonlistadapter:begin:ts","type":"date","count":0,"scripted":false,"indexed":true,"analyzed":false,"doc_values":true},{"name":"start_time","type":"date","count":0,"scripted":false,"indexed":true,"analyzed":false,"doc_values":true},{"name":"riflags","type":"string","count":0,"scripted":false,"indexed":true,"analyzed":true,"doc_values":false},{"name":"proto","type":"string","count":0,"scripted":false,"indexed":true,"analyzed":false,"doc_values":true},{"name":"adapter:threatinteladapter:begin:ts","type":"date","count":0,"scripted":false,"indexed":true,"analyzed":false,"doc_values":true},{"name":"_source","type":"_source","count":0,"scripted":false,"indexed":false,"analyzed":false,"doc_values":false},{"name":"enrichments:geo:ip_dst_addr:country","type":"string","count":0,"scripted":false,"indexed":true,"analyzed":false,"doc_values":true},{"name":"enrichments:geo:ip_dst_addr:locID","type":"string","
 count":0,"scripted":false,"indexed":true,"analyzed":false,"doc_values":true},{"name":"iflags","type":"string","count":0,"scripted":false,"indexed":true,"analyzed":false,"doc_values":true},{"name":"_index","type":"string","count":0,"scripted":false,"indexed":false,"analyzed":false,"doc_values":false},{"name":"ip_dst_port","type":"number","count":0,"scripted":false,"indexed":true,"analyzed":false,"doc_values":true},{"name":"enrichments:geo:ip_dst_addr:dmaCode","type":"string","count":0,"scripted":false,"indexed":true,"analyzed":false,"doc_values":true},{"name":"threatinteljoinbolt:joiner:ts","type":"date","count":0,"scripted":false,"indexed":true,"analyzed":false,"doc_values":true},{"name":"uflags","type":"string","count":0,"scripted":false,"indexed":true,"analyzed":false,"doc_values":true},{"name":"enrichmentsplitterbolt:splitter:begin:ts","type":"date","count":0,"scripted":false,"indexed":true,"analyzed":false,"doc_values":true},{"name":"enrichments:geo:ip_dst_addr:latitude","type":
 "number","count":0,"scripted":false,"indexed":true,"analyzed":false,"doc_values":true},{"name":"duration","type":"number","count":0,"scripted":false,"indexed":true,"analyzed":false,"doc_values":true},{"name":"source:type","type":"string","count":0,"scripted":false,"indexed":true,"analyzed":false,"doc_values":true},{"name":"ip_dst_addr","type":"ip","count":0,"scripted":false,"indexed":true,"analyzed":false,"doc_values":true},{"name":"pkt","type":"number","count":0,"scripted":false,"indexed":true,"analyzed":false,"doc_values":true},{"name":"adapter:hostfromjsonlistadapter:end:ts","type":"date","count":0,"scripted":false,"indexed":true,"analyzed":false,"doc_values":true},{"name":"ruflags","type":"string","count":0,"scripted":false,"indexed":true,"analyzed":false,"doc_values":true},{"name":"roct","type":"number","count":0,"scripted":false,"indexed":true,"analyzed":false,"doc_values":true},{"name":"sip","type":"string","count":0,"scripted":false,"indexed":true,"analyzed":false,"doc_value
 s":true},{"name":"sp","type":"string","count":0,"scripted":false,"indexed":true,"analyzed":false,"doc_values":true},{"name":"ip_src_addr","type":"ip","count":0,"scripted":false,"indexed":true,"analyzed":false,"doc_values":true},{"name":"rtag","type":"string","count":0,"scripted":false,"indexed":true,"analyzed":false,"doc_values":true},{"name":"threatintelsplitterbolt:splitter:end:ts","type":"date","count":0,"scripted":false,"indexed":true,"analyzed":false,"doc_values":true},{"name":"enrichments:geo:ip_dst_addr:longitude","type":"number","count":0,"scripted":false,"indexed":true,"analyzed":false,"doc_values":true},{"name":"timestamp","type":"date","count":0,"scripted":false,"indexed":true,"analyzed":false,"doc_values":true},{"name":"end-reason","type":"string","count":0,"scripted":false,"indexed":true,"analyzed":true,"doc_values":false},{"name":"risn","type":"string","count":0,"scripted":false,"indexed":true,"analyzed":false,"doc_values":true},{"name":"end_time","type":"date","count"
 :0,"scripted":false,"indexed":true,"analyzed":false,"doc_values":true},{"name":"enrichments:geo:ip_dst_addr:postalCode","type":"string","count":0,"scripted":false,"indexed":true,"analyzed":false,"doc_values":true},{"name":"rtt","type":"number","count":0,"scripted":false,"indexed":true,"analyzed":false,"doc_values":true},{"name":"ip_src_port","type":"number","count":0,"scripted":false,"indexed":true,"analyzed":false,"doc_values":true},{"name":"threatintelsplitterbolt:splitter:begin:ts","type":"date","count":0,"scripted":false,"indexed":true,"analyzed":false,"doc_values":true},{"name":"_id","type":"string","count":0,"scripted":false,"indexed":false,"analyzed":false,"doc_values":false},{"name":"_type","type":"string","count":0,"scripted":false,"indexed":false,"analyzed":false,"doc_values":false},{"name":"_score","type":"number","count":0,"scripted":false,"indexed":false,"analyzed":false,"doc_values":false}]
+p532
+sVtimeFieldName
+p533
+Vtimestamp
+p534
+sVtitle
+p535
+Vyaf*
+p536
+ssV_index
+p537
+V.kibana
+p538
+sa(dp539
+V_score
+p540
+F1
+sV_type
+p541
+Vvisualization
+p542
+sV_id
+p543
+VDNS-Request(s)
+p544
+sV_source
+p545
+(dp546
+VvisState
+p547
+V{"title":"DNS Requests","type":"metric","params":{"handleNoResults":true,"fontSize":60},"aggs":[{"id":"1","type":"count","schema":"metric","params":{}}],"listeners":{}}
+p548
+sVdescription
+p549
+V
+sVtitle
+p550
+VDNS Requests
+p551
+sVuiStateJSON
+p552
+V{}
+p553
+sVversion
+p554
+I1
+sVsavedSearchId
+p555
+Vdns-search
+p556
+sVkibanaSavedObjectMeta
+p557
+(dp558
+VsearchSourceJSON
+p559
+V{"filter":[]}
+p560
+sssV_index
+p561
+V.kibana
+p562
+sa(dp563
+V_score
+p564
+F1
+sV_type
+p565
+Vvisualization
+p566
+sV_id
+p567
+VHTTP(S)-Requests
+p568
+sV_source
+p569
+(dp570
+VvisState
+p571
+V{"title":"Web Requests","type":"metric","params":{"handleNoResults":true,"fontSize":60},"aggs":[{"id":"1","type":"count","schema":"metric","params":{}}],"listeners":{}}
+p572
+sVdescription
+p573
+V
+sVtitle
+p574
+VWeb Requests
+p575
+sVuiStateJSON
+p576
+V{}
+p577
+sVversion
+p578
+I1
+sVsavedSearchId
+p579
+Vweb-search
+p580
+sVkibanaSavedObjectMeta
+p581
+(dp582
+VsearchSourceJSON
+p583
+V{"filter":[]}
+p584
+sssV_index
+p585
+V.kibana
+p586
+sa(dp587
+V_score
+p588
+F1
+sV_type
+p589
+Vsearch
+p590
+sV_id
+p591
+Vdns-search
+p592
+sV_source
+p593
+(dp594
+Vsort
+p595
+(lp596
+Vtimestamp
+p597
+aVdesc
+p598
+asVhits
+p599
+I0
+sVdescription
+p600
+V
+sVtitle
+p601
+VDNS Requests
+p602
+sVversion
+p603
+I1
+sVkibanaSavedObjectMeta
+p604
+(dp605
+VsearchSourceJSON
+p606
+V{"index":"bro*","query":{"query_string":{"query":"protocol: dns","analyze_wildcard":true}},"filter":[],"highlight":{"pre_tags":["@kibana-highlighted-field@"],"post_tags":["@/kibana-highlighted-field@"],"fields":{"*":{}},"require_field_match":false,"fragment_size":2147483647}}
+p607
+ssVcolumns
+p608
+(lp609
+Vquery
+p610
+aVqtype_name
+p611
+aVanswers
+p612
+aVip_src_addr
+p613
+aVip_dst_addr
+p614
+assV_index
+p615
+V.kibana
+p616
+sa(dp617
+V_score
+p618
+F1
+sV_type
+p619
+Vvisualization
+p620
+sV_id
+p621
+VFlow-Locations
+p622
+sV_source
+p623
+(dp624
+VvisState
+p625
+V{"title":"New Visualization","type":"tile_map","params":{"mapType":"Scaled Circle Markers","isDesaturated":true,"addTooltip":true,"heatMaxZoom":16,"heatMinOpacity":0.1,"heatRadius":25,"heatBlur":15,"heatNormalizeData":true,"wms":{"enabled":false,"url":"https://basemap.nationalmap.gov/arcgis/services/USGSTopo/MapServer/WMSServer","options":{"version":"1.3.0","layers":"0","format":"image/png","transparent":true,"attribution":"Maps provided by USGS","styles":""}}},"aggs":[{"id":"1","type":"count","schema":"metric","params":{}},{"id":"2","type":"geohash_grid","schema":"segment","params":{"field":"enrichments:geo:ip_dst_addr:location_point","autoPrecision":true,"precision":2}}],"listeners":{}}
+p626
+sVdescription
+p627
+V
+sVtitle
+p628
+VFlow Locations
+p629
+sVuiStateJSON
+p630
+V{}
+p631
+sVversion
+p632
+I1
+sVkibanaSavedObjectMeta
+p633
+(dp634
+VsearchSourceJSON
+p635
+V{"index":["yaf*", "bro*", "snort*"],"query":{"query_string":{"query":"*","analyze_wildcard":true}},"filter":[]}
+p636
+sssV_index
+p637
+V.kibana
+p638
+sa(dp639
+V_score
+p640
+F1
+sV_type
+p641
+Vvisualization
+p642
+sV_id
+p643
+VUnusual-Referrers
+p644
+sV_source
+p645
+(dp646
+VvisState
+p647
+V{"title":"Unusual Referrers","type":"table","params":{"perPage":10,"showPartialRows":false,"showMeticsAtAllLevels":false},"aggs":[{"id":"1","type":"count","schema":"metric","params":{}},{"id":"2","type":"significant_terms","schema":"bucket","params":{"field":"referrer","size":5,"customLabel":"Top 5 Unusual Referrers"}}],"listeners":{}}
+p648
+sVdescription
+p649
+V
+sVtitle
+p650
+VUnusual Referrers
+p651
+sVuiStateJSON
+p652
+V{}
+p653
+sVversion
+p654
+I1
+sVsavedSearchId
+p655
+Vweb-search
+p656
+sVkibanaSavedObjectMeta
+p657
+(dp658
+VsearchSourceJSON
+p659
+V{"filter":[]}
+p660
+sssV_index
+p661
+V.kibana
+p662
+sa(dp663
+V_score
+p664
+F1
+sV_type
+p665
+Vvisualization
+p666
+sV_id
+p667
+VFrequent-DNS-Requests
+p668
+sV_source
+p669
+(dp670
+VvisState
+p671
+V{"title":"Frequent DNS Requests","type":"table","params":{"perPage":10,"showPartialRows":false,"showMeticsAtAllLevels":false},"aggs":[{"id":"1","type":"count","schema":"metric","params":{}},{"id":"2","type":"terms","schema":"bucket","params":{"field":"query","size":5,"order":"desc","orderBy":"1","customLabel":"DNS Query"}}],"listeners":{}}
+p672
+sVdescription
+p673
+V
+sVtitle
+p674
+VFrequent DNS Requests
+p675
+sVuiStateJSON
+p676
+V{}
+p677
+sVversion
+p678
+I1
+sVkibanaSavedObjectMeta
+p679
+(dp680
+VsearchSourceJSON
+p681
+V{"index":"bro*","query":{"query_string":{"query":"*","analyze_wildcard":true}},"filter":[]}
+p682
+sssV_index
+p683
+V.kibana
+p684
+sa(dp685
+V_score
+p686
+F1
+sV_type
+p687
+Vvisualization
+p688
+sV_id
+p689
+VCountry
+p690
+sV_source
+p691
+(dp692
+VvisState
+p693
+V{"title":"By Country","type":"pie","params":{"shareYAxis":true,"addTooltip":true,"addLegend":true,"isDonut":false},"aggs":[{"id":"1","type":"count","schema":"metric","params":{}},{"id":"2","type":"terms","schema":"segment","params":{"field":"enrichments:geo:ip_src_addr:country","size":5,"order":"desc","orderBy":"1"}}],"listeners":{}}
+p694
+sVdescription
+p695
+V
+sVtitle
+p696
+VBy Country
+p697
+sVuiStateJSON
+p698
+V{}
+p699
+sVversion
+p700
+I1
+sVkibanaSavedObjectMeta
+p701
+(dp702
+VsearchSourceJSON
+p703
+V{"index":["yaf*", "bro*", "snort*"],"query":{"query_string":{"query":"*","analyze_wildcard":true}},"filter":[]}
+p704
+sssV_index
+p705
+V.kibana
+p706
+sa(dp707
+V_score
+p708
+F1
+sV_type
+p709
+Vvisualization
+p710
+sV_id
+p711
+VTop-Destinations
+p712
+sV_source
+p713
+(dp714
+VvisState
+p715
+V{"title":"Top Destinations","type":"table","params":{"perPage":10,"showPartialRows":false,"showMeticsAtAllLevels":false},"aggs":[{"id":"1","type":"count","schema":"metric","params":{}},{"id":"2","type":"terms","schema":"bucket","params":{"field":"ip_dst_addr","size":10,"order":"desc","orderBy":"1","customLabel":"Destination IP"}}],"listeners":{}}
+p716
+sVdescription
+p717
+V
+sVtitle
+p718
+VTop Destinations
+p719
+sVuiStateJSON
+p720
+V{}
+p721
+sVversion
+p722
+I1
+sVkibanaSavedObjectMeta
+p723
+(dp724
+VsearchSourceJSON
+p725
+V{"index":["yaf*", "bro*", "snort*"],"query":{"query_string":{"query":"*","analyze_wildcard":true}},"filter":[]}
+p726
+sssV_index
+p727
+V.kibana
+p728
+sa(dp729
+V_score
+p730
+F1
+sV_type
+p731
+Vvisualization
+p732
+sV_id
+p733
+VDNS-Requests-Header
+p734
+sV_source
+p735
+(dp736
+VvisState
+p737
+V{"aggs":[],"listeners":{},"params":{"markdown":"[Bro](https://www.bro.org/) is extracting DNS requests and responses being made over the network. Understanding who is making those requests, the frequency, and types can provide a deep understanding of the actors present on the network."},"title":"DNS Requests","type":"markdown"}
+p738
+sVdescription
+p739
+V
+sVtitle
+p740
+VDNS Requests
+p741
+sVuiStateJSON
+p742
+V{}
+p743
+sVversion
+p744
+I1
+sVkibanaSavedObjectMeta
+p745
+(dp746
+VsearchSourceJSON
+p747
+V{"query":{"query_string":{"analyze_wildcard":true,"query":"*"}},"filter":[]}
+p748
+sssV_index
+p749
+V.kibana
+p750
+sa(dp751
+V_score
+p752
+F1
+sV_type
+p753
+Vvisualization
+p754
+sV_id
+p755
+VYAF-Flows-Header
+p756
+sV_source
+p757
+(dp758
+VvisState
+p759
+V{"title":"YAF","type":"markdown","params":{"markdown":"[YAF](https://tools.netsa.cert.org/yaf/yaf.html) can be used to generate Netflow-like flow records.  These flow records provide significant visibility of the actors communicating over the target network."},"aggs":[],"listeners":{}}
+p760
+sVdescription
+p761
+V
+sVtitle
+p762
+VYAF
+p763
+sVuiStateJSON
+p764
+V{}
+p765
+sVversion
+p766
+I1
+sVkibanaSavedObjectMeta
+p767
+(dp768
+VsearchSourceJSON
+p769
+V{"query":{"query_string":{"analyze_wildcard":true,"query":"*"}},"filter":[]}
+p770
+sssV_index
+p771
+V.kibana
+p772
+sa.
\ No newline at end of file

http://git-wip-us.apache.org/repos/asf/incubator-metron/blob/125dbef1/metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/KIBANA/4.5.1/package/scripts/dashboard/dashboardindex.py
----------------------------------------------------------------------
diff --git a/metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/KIBANA/4.5.1/package/scripts/dashboard/dashboardindex.py b/metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/KIBANA/4.5.1/package/scripts/dashboard/dashboardindex.py
new file mode 100755
index 0000000..f0903ac
--- /dev/null
+++ b/metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/KIBANA/4.5.1/package/scripts/dashboard/dashboardindex.py
@@ -0,0 +1,95 @@
+#!/usr/bin/python
+#
+#  Licensed to the Apache Software Foundation (ASF) under one or more
+#  contributor license agreements.  See the NOTICE file distributed with
+#  this work for additional information regarding copyright ownership.
+#  The ASF licenses this file to You under the Apache License, Version 2.0
+#  (the "License"); you may not use this file except in compliance with
+#  the License.  You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+#  Unless required by applicable law or agreed to in writing, software
+#  distributed under the License is distributed on an "AS IS" BASIS,
+#  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#  See the License for the specific language governing permissions and
+#  limitations under the License.
+#
+
+from elasticsearch import Elasticsearch
+from elasticsearch.helpers import bulk
+import cPickle as pickle
+import argparse, sys, os.path
+import errno
+import os
+
+
+class DashboardIndex(object):
+
+    def __init__(self, host='localhost', port=9200, url_prefix='', timeout=10, **kwargs):
+        """
+        :arg host: hostname of the node (default: localhost)
+        :arg port: port to use (integer, default: 9200)
+        :arg url_prefix: optional url prefix for elasticsearch
+        :arg timeout: default timeout in seconds (float, default: 10)
+        """
+        self.es = Elasticsearch([{'host':host,'port': port, 'url_prefix': url_prefix, 'timeout':timeout}])
+
+    def get(self):
+        """
+        Get .kibana index from Elasticsearch
+        """
+        dotkibana = self.es.search(index='.kibana', size = 100)
+        return dotkibana['hits']['hits']
+
+    def load(self,filespec):
+        """
+        Save Index data on local filesystem
+        :args filespec: path/filename for saved file
+        """
+        data=[]
+        with open(filespec,'rb') as fp:
+            data = pickle.load(fp)
+        return data
+
+    def save(self,filename,data):
+        """
+        Save Index data on local filesystem
+        :args filespec: path/filename for saved file
+        """
+        with open(filename,'wb') as fp:
+            pickle.dump(data,fp)
+
+    def put(self,data):
+        """
+        Bulk write data to Elasticsearch
+        :args data: data to be written (note: index name is specified in data)
+        """
+        bulk(self.es,data)
+
+    def main(self,args):
+
+        if args.save:
+            print("running save with host:%s on port %d, filespec: %s" % (args.hostname, args.port, args.filespec))
+            self.save(filename=args.filespec,data=di.get())
+        else:
+            """
+            Loads Kibana Dashboard definition from disk and replaces .kibana on index
+            :args filespec: path/filename for saved file
+            """
+            if not os.path.isfile(args.filespec):
+                raise IOError(
+                    errno.ENOENT, os.strerror(errno.ENOENT), args.filespec)
+            self.es.indices.delete(index='.kibana', ignore=[400, 404])
+            self.put(data=di.load(filespec=args.filespec))
+
+if __name__ == '__main__':
+
+    parser = argparse.ArgumentParser()
+    parser.add_argument("hostname", help="ES Hostname or IP", type=str)
+    parser.add_argument("port", help="ES Port", type=int)
+    parser.add_argument("filespec", help="file to be pushed from or saved to", type=str)
+    parser.add_argument("-s","--save", help="run in SAVE mode - .kibana will be read and saved to filespec",action="store_true")
+    args = parser.parse_args()
+    di = DashboardIndex(host=args.hostname,port=args.port)
+    di.main(args)
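Review bot: `DashboardIndex.main` reaches for the module-level `di` instead of `self` in both `self.save(filename=args.filespec,data=di.get())` and `self.put(data=di.load(filespec=args.filespec))`, so the method raises NameError when called from anywhere other than this script's `__main__` block (kibana_master.py builds its own instance); change both to `data=self.get()` and `data=self.load(filespec=args.filespec)`. `load` hands the supplied path to `cPickle.load`, which will run whatever code a crafted pickle contains, so `filespec` must only ever point at the dashboard file shipped with the mpack; document that on `load` with `# pickle.load executes code embedded in the file: only load the packaged dashboard.p, never an untrusted path`. The docstring on `load` says "Save Index data on local filesystem", copied from `save`; it should read `Load Index data from local filesystem`. `get` uses `size = 100`, which silently truncates a `.kibana` index holding more than 100 saved objects — worth a comment or a larger bound.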

http://git-wip-us.apache.org/repos/asf/incubator-metron/blob/125dbef1/metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/KIBANA/4.5.1/package/scripts/kibana_master.py
----------------------------------------------------------------------
diff --git a/metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/KIBANA/4.5.1/package/scripts/kibana_master.py b/metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/KIBANA/4.5.1/package/scripts/kibana_master.py
new file mode 100755
index 0000000..10e3a95
--- /dev/null
+++ b/metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/KIBANA/4.5.1/package/scripts/kibana_master.py
@@ -0,0 +1,137 @@
+"""
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements.  See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership.  The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License.  You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+
+kibana_master
+
+"""
+
+import errno
+import os
+
+from ambari_commons.os_family_impl import OsFamilyFuncImpl, OsFamilyImpl
+from resource_management.core.logger import Logger
+from resource_management.core.resources.system import Directory
+from resource_management.core.resources.system import Execute
+from resource_management.core.resources.system import File
+from resource_management.core.source import InlineTemplate
+from resource_management.libraries.functions.format import format
+from resource_management.libraries.script import Script
+
+
+class Kibana(Script):
+    def install(self, env):
+        import params
+        env.set_params(params)
+
+        Logger.info("Install Kibana Master")
+
+        # TODO: Figure this out for all supported OSes
+        Execute('rpm --import https://packages.elastic.co/GPG-KEY-elasticsearch')
+        Execute("echo \"[kibana-4.x]\n"
+                "name=Kibana repository for 4.5.x packages\n"
+                "baseurl=http://packages.elastic.co/kibana/4.5/centos\n"
+                "gpgcheck=1\n"
+                "gpgkey=https://packages.elastic.co/GPG-KEY-elasticsearch\n"
+                "enabled=1\" > /etc/yum.repos.d/kibana.repo")
+
+        self.install_packages(env)
+
+    def configure(self, env, upgrade_type=None, config_dir=None):
+        import params
+        env.set_params(params)
+
+        Logger.info("Configure Kibana for Metron")
+
+        directories = [params.log_dir, params.pid_dir, params.conf_dir]
+        Directory(directories,
+                  # recursive=True,
+                  mode=0755,
+                  owner=params.kibana_user,
+                  group=params.kibana_user
+                  )
+
+        File("{}/kibana.yml".format(params.conf_dir),
+             owner=params.kibana_user,
+             content=InlineTemplate(params.kibana_yml_template)
+             )
+
+    def stop(self, env, upgrade_type=None):
+        import params
+        env.set_params(params)
+
+        Logger.info("Stop Kibana Master")
+
+        Execute("service kibana stop")
+
+    def start(self, env, upgrade_type=None):
+        import params
+        env.set_params(params)
+
+        self.configure(env)
+
+        Logger.info("Start the Master")
+
+        Execute("service kibana start")
+
+    def restart(self, env):
+        import params
+        env.set_params(params)
+
+        self.configure(env)
+
+        Logger.info("Restarting the Master")
+
+        Execute("service kibana restart")
+
+    def status(self, env):
+        import params
+        env.set_params(params)
+
+        Logger.info("Status of the Master")
+
+        Execute("service kibana status")
+
+    @OsFamilyFuncImpl(os_family=OsFamilyImpl.DEFAULT)
+    def load_template(self, env):
+        from dashboard.dashboardindex import DashboardIndex
+
+        import params
+        env.set_params(params)
+
+        hostname = format("{es_host}")
+        port = int(format("{es_port}"))
+
+        Logger.info("Connecting to Elasticsearch on host: %s, port: %s" % (hostname, port))
+        di = DashboardIndex(host=hostname, port=port)
+
+        # Loads Kibana Dashboard definition from disk and replaces .kibana on index
+        templateFile = os.path.join(os.path.dirname(os.path.abspath(__file__)), 'dashboard', 'dashboard.p')
+        if not os.path.isfile(templateFile):
+            raise IOError(
+                errno.ENOENT, os.strerror(errno.ENOENT), templateFile)
+
+        Logger.info("Deleting .kibana index from Elasticsearch")
+
+        di.es.indices.delete(index='.kibana', ignore=[400, 404])
+
+        Logger.info("Loading .kibana index from %s" % templateFile)
+
+        di.put(data=di.load(filespec=templateFile))
+
+
+if __name__ == "__main__":
+    Kibana().execute()
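Review bot: `configure` passes `group=params.kibana_user` to `Directory` even though params.py defines a separate `user_group` setting that is otherwise unused; this looks like a copy-paste and should read `group=params.user_group`. In `install`, the repo file is written with `baseurl=http://packages.elastic.co/kibana/4.5/centos` while the signing key is fetched over https; `gpgcheck=1` still verifies package signatures, but the repository metadata travels in plaintext, so the baseurl should also be `https://packages.elastic.co/kibana/4.5/centos`. `load_template` unconditionally deletes the whole `.kibana` index before reloading it, which discards any dashboards an operator has saved since install; a log line or docstring stating that this is a destructive full replace would help, e.g. `# Replaces ALL saved objects in .kibana with the packaged defaults`. `status` shells out to `service kibana status` rather than checking `params.pid_file`; it presumably relies on `Execute` raising on a non-zero exit, which is implicit and worth a comment.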

http://git-wip-us.apache.org/repos/asf/incubator-metron/blob/125dbef1/metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/KIBANA/4.5.1/package/scripts/params.py
----------------------------------------------------------------------
diff --git a/metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/KIBANA/4.5.1/package/scripts/params.py b/metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/KIBANA/4.5.1/package/scripts/params.py
new file mode 100755
index 0000000..ef1e597
--- /dev/null
+++ b/metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/KIBANA/4.5.1/package/scripts/params.py
@@ -0,0 +1,47 @@
+#!/usr/bin/env python
+"""
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements.  See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership.  The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License.  You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+
+Kibana Params configurations
+
+"""
+
+from urlparse import urlparse
+
+from resource_management.libraries.functions import format
+from resource_management.libraries.script import Script
+
+# server configurations
+config = Script.get_config()
+
+kibana_home = '/usr/share/kibana/'
+kibana_bin = '/usr/share/kibana/bin/'
+
+conf_dir = "/opt/kibana/config/"
+kibana_user = config['configurations']['kibana-env']['kibana_user']
+user_group = config['configurations']['kibana-env']['user_group']
+log_dir = config['configurations']['kibana-env']['kibana_log_dir']
+pid_dir = config['configurations']['kibana-env']['kibana_pid_dir']
+pid_file = format("{pid_dir}/kibanasearch.pid")
+es_url = config['configurations']['kibana-env']['kibana_es_url']
+parsed = urlparse(es_url)
+es_host = parsed.netloc.split(':')[0]
+es_port = parsed.netloc.split(':')[1]
+kibana_port = config['configurations']['kibana-env']['kibana_server_port']
+hostname = config['hostname']
+java64_home = config['hostLevelParams']['java_home']
+kibana_yml_template = config['configurations']['kibana-site']['content']
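Review bot: `es_port = parsed.netloc.split(':')[1]` raises IndexError whenever `kibana_es_url` is given without an explicit port (e.g. `http://es-host`), and the `es_host` split would also mis-handle credentials or an IPv6 literal in the netloc; `urlparse` already exposes the parsed pieces, so `es_host = parsed.hostname` and `es_port = parsed.port or 9200` covers both forms (kibana_master.py wraps the value in `int(...)` anyway). `pid_file = format("{pid_dir}/kibanasearch.pid")` looks carried over from the Elasticsearch service — confirm it matches what the kibana init script actually writes, since nothing in this change reads it. `conf_dir` is `/opt/kibana/config/` while `kibana_home` and `kibana_bin` are under `/usr/share/kibana/`; the two install prefixes should probably agree — verify against the 4.5 RPM layout.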

http://git-wip-us.apache.org/repos/asf/incubator-metron/blob/125dbef1/metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/KIBANA/4.5.1/quicklinks/quicklinks.json
----------------------------------------------------------------------
diff --git a/metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/KIBANA/4.5.1/quicklinks/quicklinks.json b/metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/KIBANA/4.5.1/quicklinks/quicklinks.json
new file mode 100755
index 0000000..448e102
--- /dev/null
+++ b/metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/KIBANA/4.5.1/quicklinks/quicklinks.json
@@ -0,0 +1,28 @@
+{
+  "name": "default",
+  "description": "default quick links configuration",
+  "configuration": {
+    "protocol":
+    {
+      "type":"HTTP_ONLY"
+    },
+
+    "links": [
+      {
+        "name": "metron_ui",
+        "label": "Metron UI",
+        "requires_user_name": "false",
+        "component_name": "KIBANA_MASTER",
+        "url":"%@://%@:%@/",
+        "port":{
+          "http_property": "kibana_server_port",
+          "http_default_port": "5601",
+          "https_property": "kibana_server_port",
+          "https_default_port": "5601",
+          "regex": "^(\\d+)$",
+          "site": "kibana-env"
+        }
+      }
+    ]
+  }
+}
\ No newline at end of file

http://git-wip-us.apache.org/repos/asf/incubator-metron/blob/125dbef1/metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/METRON/0.2.0BETA/configuration/metron-env.xml
----------------------------------------------------------------------
diff --git a/metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/METRON/0.2.0BETA/configuration/metron-env.xml b/metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/METRON/0.2.0BETA/configuration/metron-env.xml
new file mode 100644
index 0000000..30f9f76
--- /dev/null
+++ b/metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/METRON/0.2.0BETA/configuration/metron-env.xml
@@ -0,0 +1,174 @@
+<?xml version="1.0"?>
+<?xml-stylesheet type="text/xsl" href="configuration.xsl"?>
+<!--
+  Licensed to the Apache Software Foundation (ASF) under one
+  or more contributor license agreements.  See the NOTICE file
+  distributed with this work for additional information
+  regarding copyright ownership.  The ASF licenses this file
+  to you under the Apache License, Version 2.0 (the
+  "License"); you may not use this file except in compliance
+  with the License.  You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+  Unless required by applicable law or agreed to in writing, software
+  distributed under the License is distributed on an "AS IS" BASIS,
+  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  See the License for the specific language governing permissions and
+  limitations under the License.
+-->
+<configuration supports_final="true">
+    <property>
+        <name>metron_home</name>
+        <value>/usr/metron/0.2.0BETA</value>
+        <description>Metron home directory</description>
+        <display-name>Metron home</display-name>
+    </property>
+    <property>
+        <name>metron_apps_hdfs_dir</name>
+        <value>/apps/metron</value>
+        <description>Metron apps HDFS dir</description>
+        <display-name>Metron apps HDFS dir</display-name>
+    </property>
+    <property>
+        <name>metron_zookeeper_config_dir</name>
+        <value>config/zookeeper</value>
+        <description>Metron Zookeeper config dir. Relative path to Metron home.</description>
+        <display-name>Metron Zookeeper config dir</display-name>
+    </property>
+    <property>
+        <name>metron_user</name>
+        <value>metron</value>
+        <property-type>USER</property-type>
+        <description>The user for Metron</description>
+        <display-name>Metron User</display-name>
+    </property>
+    <property>
+        <name>metron_group</name>
+        <value>metron</value>
+        <property-type>GROUP</property-type>
+        <description>The group for Metron</description>
+    </property>
+    <property>
+        <name>metron_topic_retention</name>
+        <description>Kafka Retention in GB</description>
+        <value>10</value>
+    </property>
+    <property>
+        <name>parsers</name>
+        <value>bro,snort,yaf</value>
+        <description>Metron parsers to deploy</description>
+        <display-name>Metron parsers</display-name>
+    </property>
+    <property>
+        <name>metron_enrichment_db_user</name>
+        <value>metron</value>
+        <description>Database username to use to connect to the database.</description>
+    </property>
+    <property>
+        <name>metron_enrichment_db_port</name>
+        <value>3306</value>
+        <description>Database port to use to connect to the database.</description>
+    </property>
+    <property>
+        <name>metron_enrichment_db_password</name>
+        <value></value>
+        <property-type>PASSWORD</property-type>
+        <display-name>Metron Enrichment Database Password</display-name>
+        <description>Password to use against database</description>
+        <value-attributes>
+            <type>password</type>
+            <overridable>false</overridable>
+        </value-attributes>
+        <on-ambari-upgrade add="true"/>
+    </property>
+    <property>
+        <name>metron_indexing_topology</name>
+        <value>indexing</value>
+        <description>The Storm topology name for Indexing</description>
+    </property>
+    <property>
+        <name>es_cluster_name</name>
+        <value>metron</value>
+        <description>Name of Elasticsearch Cluster</description>
+    </property>
+    <property>
+        <name>geoip_url</name>
+        <value>http://geolite.maxmind.com/download/geoip/database/GeoLiteCity_CSV/GeoLiteCity-latest.tar.xz</value>
+        <description>Location of the GeoIP data to load.</description>
+    </property>
+    <property require-input="true">
+        <name>es_url</name>
+        <value></value>
+        <description>Comma delimited list of Elasticsearch URLs. (eshost1:9300,eshost2:9300)</description>
+    </property>
+    <property>
+        <name>storm_rest_addr</name>
+        <!--<value-attributes>-->
+            <!--<editable-only-at-install>true</editable-only-at-install>-->
+            <!--<overridable>false</overridable>-->
+        <!--</value-attributes>-->
+        <value></value>
+    </property>
+    <property>
+        <name>global-json</name>
+        <display-name>global.json template</display-name>
+        <description>This is the jinja template for global.json file</description>
+        <value>
+{
+"es.clustername": "{{ es_cluster_name }}",
+"es.ip": "{{ es_url }}",
+"es.date.format": "yyyy.MM.dd.HH"
+}
+        </value>
+        <value-attributes>
+            <type>content</type>
+        </value-attributes>
+    </property>
+    <property>
+        <name>elasticsearch-properties</name>
+        <description>The template for the elasticsearch.properties file.</description>
+        <display-name>elasticsearch.properties template</display-name>
+        <value>
+##### Storm #####
+indexing.workers=1
+indexing.executors=0
+##### Kafka #####
+kafka.zk={{ zookeeper_quorum }}
+kafka.broker={{ kafka_brokers }}
+kafka.start=WHERE_I_LEFT_OFF
+##### Indexing #####
+index.input.topic=indexing
+index.error.topic=indexing_error
+writer.class.name=org.apache.metron.elasticsearch.writer.ElasticsearchWriter
+##### Metrics #####
+#reporters
+org.apache.metron.metrics.reporter.graphite=true
+org.apache.metron.metrics.reporter.console=false
+org.apache.metron.metrics.reporter.jmx=false
+#Graphite Addresses
+org.apache.metron.metrics.graphite.address=localhost
+org.apache.metron.metrics.graphite.port=2023
+#TelemetryParserBolt
+org.apache.metron.metrics.TelemetryParserBolt.acks=true
+org.apache.metron.metrics.TelemetryParserBolt.emits=true
+org.apache.metron.metrics.TelemetryParserBolt.fails=true
+##### HDFS #####
+bolt.hdfs.batch.size=5000
+bolt.hdfs.field.delimiter=|
+bolt.hdfs.rotation.policy=org.apache.storm.hdfs.bolt.rotation.TimedRotationPolicy
+bolt.hdfs.rotation.policy.units=DAYS
+bolt.hdfs.rotation.policy.count=1
+bolt.hdfs.file.rotation.size.in.mb=5
+bolt.hdfs.file.system.url={{ default_fs }}
+bolt.hdfs.wip.file.path=/paloalto/wip
+bolt.hdfs.finished.file.path=/paloalto/rotated
+bolt.hdfs.compression.codec.class=org.apache.hadoop.io.compress.SnappyCodec
+index.hdfs.output=/tmp/metron/enriched
+        </value>
+        <value-attributes>
+            <type>content</type>
+        </value-attributes>
+        <on-ambari-upgrade add="true"/>
+    </property>
+</configuration>
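Review bot: `storm_rest_addr` is the only property without a `<description>` (and `<display-name>`), and its `<value-attributes>` are commented out, so the UI shows a bare, empty field with no hint of the expected format; add a `<description>` stating what the value is used for, as every sibling property does, or drop the commented-out block. The `geoip_url` default downloads the GeoLite archive over plain `http://`; the consumer is not in this hunk, but unless it verifies a checksum the default should be `https://`, since the data is loaded into the enrichment pipeline. Only `metron_enrichment_db_password` and `elasticsearch-properties` carry `<on-ambari-upgrade add="true"/>`; if the stack version in use requires it, the remaining properties should carry it as well for consistency. The `bolt.hdfs.wip.file.path=/paloalto/wip` and `bolt.hdfs.finished.file.path=/paloalto/rotated` defaults in the elasticsearch-properties template look like leftovers from a sensor-specific config — confirm they are intended for the indexing topology.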