Posted to user@metron.apache.org by David McGinnis <mc...@avalonconsult.com> on 2018/03/01 15:46:15 UTC

Alerts Not Being Generated?

All,

I am following the instructions located here for creating a parser which
detects user logins distant from their recent logins, and raising alarms:
https://github.com/apache/metron/tree/master/use-cases/geographic_login_outliers.
I have been able to successfully see the data show up in Kibana, including
the is_alarm field, which shows true when distant logins are reported, and
null or empty otherwise (I believe this is the correct behavior?).

The issue I'm having is that none of these distant logins are reported in
the Alarms UI. I have made the condition the same as the one I'm using for
is_alarm, and also used conditions that should always be true, but the only
alarms that show up are alarms from some sample Bro data that I can pass
through the system and see alerts for.

Any ideas for how I can get alarms to show up correctly in the UI, or where
else I can check? I am not very familiar with the process of going from
enrichments to alerts UI at this point.

Thanks!

-- 
David McGinnis
Staff Hadoop Consultant | Avalon Consulting, LLC
<http://www.avalonconsult.com/>M: (513) 439-0082
LinkedIn <http://www.linkedin.com/company/avalon-consulting-llc> | Google+
<http://www.google.com/+AvalonConsultingLLC> | Twitter
<https://twitter.com/avalonconsult>
-------------------------------------------------------------------------------------------------------------
This message (including any attachments) contains confidential information
intended for a specific individual and purpose, and is protected by law. If
you are not the intended recipient, you should delete this message. Any
disclosure, copying, or distribution of this message, or the taking of any
action based on it, is strictly prohibited.

Re: Alerts Not Being Generated?

Posted by David McGinnis <mc...@avalonconsult.com>.
Correct, sorry about the confusion.

Thank you very much for this example. Using this, I was able to get the use
case working. There actually was no template in ES available (or custom
indexing logic even), so I had to use the one you pointed me to, and add
indexing logic to point to that index instead of the default auth index.
Everything appears to be working now correctly.


Re: Alerts Not Being Generated?

Posted by Simon Elliston Ball <si...@simonellistonball.com>.
Hi David,

One quick thing just in case, is_alert, not is_alarm. 

That said that should not affect what’s in the alerts ui. You should see data from your geo source as well (whatever you called it). It is possible there may be a problem with your elastic template. You might be interested in https://github.com/simonellistonball/metron-field-demos/blob/master/geo/es.json which is based on the use case. Note that there is a field in there:  { alert: { type: nested } } this is necessary for the Alerts UI and specifically the meta alerts capability.

Note that you may also need to reload your alerts ui, and possibly restart the REST service to pickup new index types in the alerts ui, there may be issues with caching.

Simon
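The two things Simon points at (the field is `is_alert`, not `is_alarm`, and the template must map `alert` as a nested type for the Alerts UI and meta alerts), plus the index-coverage problem David ran into when he pointed his indexing config at a new index, can be checked against an Elasticsearch template before data is sent. The script below is an added example, not code from the thread, from Metron, or from the es.json linked above. It assumes the ES 5/6 template shape Metron used at the time (a `template` glob or `index_patterns` list and one mapping type with `properties`), and the sample templates and the `geo_index_<timestamp>` index name are constructed for the example.

```python
import fnmatch
import json

# Constructed sample: a trimmed template in the shape Metron's Elasticsearch
# templates used (ES 5 "template" glob, one mapping type with "properties").
# The field set is an assumption for the example, not copied from the thread's es.json.
GOOD_TEMPLATE = json.loads("""
{
  "template": "geo_index*",
  "mappings": {
    "geo_doc": {
      "properties": {
        "timestamp": {"type": "date", "format": "epoch_millis"},
        "source:type": {"type": "keyword"},
        "user": {"type": "keyword"},
        "ip_src_addr": {"type": "ip"},
        "is_alert": {"type": "keyword"},
        "alert": {"type": "nested"}
      }
    }
  }
}
""")

# Constructed sample: the same template with the two mistakes discussed in the
# thread, a field named is_alarm instead of is_alert and no nested alert mapping.
BAD_TEMPLATE = json.loads("""
{
  "template": "geo_index*",
  "mappings": {
    "geo_doc": {
      "properties": {
        "timestamp": {"type": "date", "format": "epoch_millis"},
        "user": {"type": "keyword"},
        "is_alarm": {"type": "boolean"}
      }
    }
  }
}
""")


def template_patterns(template):
    """Return the index globs a template applies to: the ES 5 'template'
    string or the ES 6 'index_patterns' list."""
    if "index_patterns" in template:
        pats = template["index_patterns"]
        return list(pats) if isinstance(pats, list) else [pats]
    if "template" in template:
        return [template["template"]]
    return []


def check_alerts_ui_template(template, index_name):
    """Return a list of problems that would keep documents written to
    index_name from showing up correctly in the Metron Alerts UI.
    An empty list means the template passes all three checks."""
    problems = []

    # 1. The index the indexing config writes to must be covered by the template,
    #    otherwise ES builds a dynamic mapping without the nested alert field.
    pats = template_patterns(template)
    if not any(fnmatch.fnmatchcase(index_name, p) for p in pats):
        problems.append("template patterns %r do not cover index %r" % (pats, index_name))

    for doc_type, mapping in template.get("mappings", {}).items():
        props = mapping.get("properties", {})

        # 2. The Alerts UI (and meta alerts in particular) expects 'alert' to be nested.
        alert = props.get("alert")
        if not alert or alert.get("type") != "nested":
            problems.append("mapping %r: 'alert' must be {\"type\": \"nested\"} for meta alerts" % doc_type)

        # 3. The flag the UI filters on is 'is_alert'; a look-alike name is the usual typo.
        if "is_alert" not in props:
            hint = " (found 'is_alarm'; the field Metron sets is 'is_alert')" if "is_alarm" in props else ""
            problems.append("mapping %r: no 'is_alert' field%s" % (doc_type, hint))
    return problems


if __name__ == "__main__":
    # Constructed index name following Metron's <source>_index_<timestamp> convention.
    for name, tmpl in (("good", GOOD_TEMPLATE), ("bad", BAD_TEMPLATE)):
        for problem in check_alerts_ui_template(tmpl, "geo_index_2018.03.01.15") or ["ok"]:
            print("%s: %s" % (name, problem))
```

Run it against the template you actually loaded into Elasticsearch (`GET _template/<name>` returns the same structure under the template's name) and the index name your indexing configuration writes to; if the pattern check fails, the documents are landing in an index the template never shaped, which is the situation David describes fixing by adding indexing logic for the new index.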

