Posted to issues@metron.apache.org by "Nick Allen (JIRA)" <ji...@apache.org> on 2019/04/23 19:57:00 UTC

[jira] [Assigned] (METRON-2065) Setting Parser Output Topic in Sensor Config is broken

     [ https://issues.apache.org/jira/browse/METRON-2065?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Nick Allen reassigned METRON-2065:
----------------------------------

    Assignee: Ryan Merriman

> Setting Parser Output Topic in Sensor Config is broken
> ------------------------------------------------------
>
>                 Key: METRON-2065
>                 URL: https://issues.apache.org/jira/browse/METRON-2065
>             Project: Metron
>          Issue Type: Bug
>            Reporter: Mohan
>            Assignee: Ryan Merriman
>            Priority: Major
>         Attachments: Screen Shot 2019-04-05 at 7.45.36 PM.png
>
>          Time Spent: 40m
>  Remaining Estimate: 0h
>
> Log in to the management console.
> Edit the parser config: Advanced > Raw JSON  !Screen Shot 2019-04-05 at 7.45.36 PM.png!
> Change the output topic for the 'snort' sensor.
> Verify that the changes have taken effect using the Stellar shell:
> {code:java}
> [Stellar]>>> conf := CONFIG_GET("PARSER","snort")
> {
>   "parserClassName" : "org.apache.metron.parsers.snort.BasicSnortParser",
>   "sensorTopic" : "snort",
>   "outputTopic" : "new-topic",
>   "readMetadata" : false,
>   "mergeMetadata" : false,
>   "spoutParallelism" : 1,
>   "spoutNumTasks" : 1,
>   "parserParallelism" : 1,
>   "parserNumTasks" : 1,
>   "errorWriterParallelism" : 1,
>   "errorWriterNumTasks" : 1,
>   "spoutConfig" : { },
>   "stormConfig" : { },
>   "parserConfig" : { },
>   "fieldTransformations" : [ ],
>   "cacheConfig" : { },
>   "rawMessageStrategy" : "DEFAULT",
>   "rawMessageStrategyConfig" : { }
> }
> {code}
> Publish the message to the 'snort' topic.
> I used the console consumer to validate that output is being piped into "new_topic", and verified that no messages were sent to the topic:
> {code:java}
> [metron@nat-r7-udos-metron-1 bin]$ ./kafka-console-consumer.sh --zookeeper $ZOOKEEPER --security-protocol PLAINTEXTSASL --topic new-topic 
> Using the ConsoleConsumer with old consumer is deprecated and will be removed in a future major release. Consider using the new consumer by passing [bootstrap-server] instead of [zookeeper].
> [2019-04-05 14:08:08,796] WARN SASL configuration failed: javax.security.auth.login.LoginException: No JAAS configuration section named 'Client' was found in specified JAAS configuration file: '/usr/hdp/current/kafka-broker/config/kafka_client_jaas.conf'. Will continue connection to Zookeeper server without SASL authentication, if Zookeeper server allows it. (org.apache.zookeeper.ClientCnxn)
> [2019-04-05 14:08:09,005] WARN SASL configuration failed: javax.security.auth.login.LoginException: No JAAS configuration section named 'Client' was found in specified JAAS configuration file: '/usr/hdp/current/kafka-broker/config/kafka_client_jaas.conf'. Will continue connection to Zookeeper server without SASL authentication, if Zookeeper server allows it. (org.apache.zookeeper.ClientCnxn)
> {code}
> whereas I see that the messages were sent to the "enrichments" topic:
> {code:java}
> [metron@nat-r7-udos-metron-1 bin]$ ./kafka-console-consumer.sh --zookeeper $ZOOKEEPER --security-protocol PLAINTEXTSASL --topic enrichments
> Using the ConsoleConsumer with old consumer is deprecated and will be removed in a future major release. Consider using the new consumer by passing [bootstrap-server] instead of [zookeeper].
> [2019-04-05 14:10:18,930] WARN SASL configuration failed: javax.security.auth.login.LoginException: No JAAS configuration section named 'Client' was found in specified JAAS configuration file: '/usr/hdp/current/kafka-broker/config/kafka_client_jaas.conf'. Will continue connection to Zookeeper server without SASL authentication, if Zookeeper server allows it. (org.apache.zookeeper.ClientCnxn)
> [2019-04-05 14:10:19,095] WARN SASL configuration failed: javax.security.auth.login.LoginException: No JAAS configuration section named 'Client' was found in specified JAAS configuration file: '/usr/hdp/current/kafka-broker/config/kafka_client_jaas.conf'. Will continue connection to Zookeeper server without SASL authentication, if Zookeeper server allows it. (org.apache.zookeeper.ClientCnxn)
> {"msg":"snort test alert","sig_rev":"0","ip_dst_port":"80","ethsrc":"00:00:00:00:00:00","tcpseq":"0xF017C4DA","dgmlen":"40","icmpid":"","tcplen":"","tcpwindow":"0xF6C9","icmpseq":"","tcpack":"0xABDB8426","protocol":"TCP","ip_dst_addr":"62.75.195.236","original_string":"09\/09\/16-09:09:09.844676 ,1,999158,0,\"snort test alert\",TCP,192.168.138.160,49188,62.75.195.236,80,00:00:00:00:00:00,00:00:00:00:00:00,0x3C,***A****,0xF017C4DA,0xABDB8426,,0xF6C9,128,0,2319,40,40960,,,,","icmpcode":"","tos":"0","id":"2319","ip_src_addr":"192.168.138.160","timestamp":1473412149844,"ethdst":"00:00:00:00:00:00","is_alert":"true","ttl":"128","source.type":"snort","ethlen":"0x3C","iplen":"40960","icmptype":"","ip_src_port":"49188","tcpflags":"***A****","guid":"11fb0141-9c45-4787-a9a4-ad725ed0318f","sig_id":"999158","sig_generator":"1"}
> {"msg":"snort test alert","sig_rev":"0","ip_dst_port":"80","ethsrc":"00:00:00:00:00:00","tcpseq":"0xF017C4DA","dgmlen":"40","icmpid":"","tcplen":"","tcpwindow":"0xF6C9","icmpseq":"","tcpack":"0xABDB8426","protocol":"TCP","ip_dst_addr":"62.75.195.236","original_string":"09\/09\/16-09:09:09.844676 ,1,999158,0,\"snort test alert\",TCP,192.168.138.160,49188,62.75.195.236,80,00:00:00:00:00:00,00:00:00:00:00:00,0x3C,***A****,0xF017C4DA,0xABDB8426,,0xF6C9,128,0,2319,40,40960,,,,","icmpcode":"","tos":"0","id":"2319","ip_src_addr":"192.168.138.160","timestamp":1473412149844,"ethdst":"00:00:00:00:00:00","is_alert":"true","ttl":"128","source.type":"snort","ethlen":"0x3C","iplen":"40960","icmptype":"","ip_src_port":"49188","tcpflags":"***A****","guid":"5cd4082f-06aa-4c92-8c72-a5d9c775b5d4","sig_id":"999158","sig_generator":"1"}
> {"msg":"snort test alert","sig_rev":"0","ip_dst_port":"80","ethsrc":"00:00:00:00:00:00","tcpseq":"0xF017C4DA","dgmlen":"40","icmpid":"","tcplen":"","tcpwindow":"0xF6C9","icmpseq":"","tcpack":"0xABDB8426","protocol":"TCP","ip_dst_addr":"62.75.195.236","original_string":"09\/09\/16-09:09:09.844676 ,1,999158,0,\"snort test alert\",TCP,192.168.138.160,49188,62.75.195.236,80,00:00:00:00:00:00,00:00:00:00:00:00,0x3C,***A****,0xF017C4DA,0xABDB8426,,0xF6C9,128,0,2319,40,40960,,,,","icmpcode":"","tos":"0","id":"2319","ip_src_addr":"192.168.138.160","timestamp":1473412149844,"ethdst":"00:00:00:00:00:00","is_alert":"true","ttl":"128","source.type":"snort","ethlen":"0x3C","iplen":"40960","icmptype":"","ip_src_port":"49188","tcpflags":"***A****","guid":"b0e60bcd-261a-41e6-924f-de8c903f4f57","sig_id":"999158","sig_generator":"1"}
> {"msg":"snort test alert","sig_rev":"0","ip_dst_port":"80","ethsrc":"00:00:00:00:00:00","tcpseq":"0xF017C4DA","dgmlen":"40","icmpid":"","tcplen":"","tcpwindow":"0xF6C9","icmpseq":"","tcpack":"0xABDB8426","protocol":"TCP","ip_dst_addr":"62.75.195.236","original_string":"09\/09\/16-09:09:09.844676 ,1,999158,0,\"snort test alert\",TCP,192.168.138.160,49188,62.75.195.236,80,00:00:00:00:00:00,00:00:00:00:00:00,0x3C,***A****,0xF017C4DA,0xABDB8426,,0xF6C9,128,0,2319,40,40960,,,,","icmpcode":"","tos":"0","id":"2319","ip_src_addr":"192.168.138.160","timestamp":1473412149844,"ethdst":"00:00:00:00:00:00","is_alert":"true","ttl":"128","source.type":"snort","ethlen":"0x3C","iplen":"40960","icmptype":"","ip_src_port":"49188","tcpflags":"***A****","guid":"b29029b6-9b9d-4c5f-810c-2bd816126ffa","sig_id":"999158","sig_generator":"1"}
> {code}


