metron-dev mailing list archives

From "Zeolla@GMail.com" <zeo...@gmail.com>
Subject Re: [DISCUSS] Bro Zeppelin dashboards
Date Wed, 01 Mar 2017 13:30:29 GMT
Are you assuming only Conn, DNS, and HTTP logs from Bro?  Right now I think
that's all that is supported by default.  I put something together
<https://github.com/JonZeolla/incubator-metron/commit/736cc39525f9f08f6e781faea2610e893327e74c>
a few months ago to handle all of the default-on Bro logs/fields (METRON-508
<https://issues.apache.org/jira/browse/METRON-508>), but haven't had a
chance to test and make a PR.

Jon

On Wed, Mar 1, 2017 at 8:21 AM Justin Leet <justinjleet@gmail.com> wrote:

> Similar to the YAF dashboard from https://issues.apache.org/jira/browse/METRON-676, it would be nice to have a similar Zeppelin
> dashboard for Bro.
>
> Couple topics we can include
>
>    - Number of total queries per hour
>    - Geo-location frequency
>    - Top sites requests vs non-top requests
>
> The Alexa requests tie in with https://issues.apache.org/jira/browse/METRON-709, specifically the part about modifying Bro
> configs to use the data.  There's been some discussion on where that lives
> and how it's managed, so we won't be able to do much with it right now.
>
> Is there anything else we'd consider essential in our first pass?  Or
> anything we'd like to iterate on in the future? I'm not an expert in how
> Bro data actually looks in practice, so I'd love to get some input on
> features that would be nice to have.
>
> For these types of dashboards, there's also the question, using top
> sites as an example, of "If this user doesn't have top sites data, is there
> anything we can do in Zeppelin about hiding or not displaying that
> paragraph?". I don't believe there's a built in way to handle that (but
> again, I could be wrong), so it might involve being a bit more verbose in
> what we actually do in the paragraphs.
>
> Justin
>
-- 

Jon

Sent from my mobile device
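
The three dashboard topics from Justin's list (queries per hour, geo-location frequency, top sites vs non-top requests) and the "what do we do when there is no top-sites data" question, worked through as an added example. This is not Metron project code or a Zeppelin notebook from the thread. It assumes the field layout Metron's Bro parser produces (Bro's ts as "timestamp" in epoch milliseconds, id.orig_h/id.resp_h as ip_src_addr/ip_dst_addr, the Bro log type in "protocol"), assumes the geo enrichment field name shown in GEO_FIELD, and uses a constructed three-entry TOP_SITES set as a stand-in for the Alexa list and a handful of constructed Bro dns/http records as input.

```python
"""Worked example (not Metron project code): the Bro dashboard numbers from the
thread, computed over constructed Metron-style parsed Bro records."""
from collections import Counter
from datetime import datetime, timezone

# Constructed sample data. Field layout is an assumption about what Metron's
# Bro parser emits: Bro's "ts" becomes "timestamp" (epoch ms), id.orig_h /
# id.resp_h become ip_src_addr / ip_dst_addr, and the Bro log type lands in
# "protocol"; the geo field name follows Metron's geo enrichment convention.
GEO_FIELD = "enrichments.geo.ip_dst_addr.country"
SAMPLE_RECORDS = [
    {"timestamp": 1488373200000, "protocol": "dns", "ip_src_addr": "10.0.0.5",
     "ip_dst_addr": "10.0.0.2", "query": "www.google.com.", "qtype_name": "A"},
    {"timestamp": 1488373260000, "protocol": "dns", "ip_src_addr": "10.0.0.5",
     "ip_dst_addr": "10.0.0.2", "query": "cdn.example.net", "qtype_name": "A"},
    {"timestamp": 1488376800000, "protocol": "http", "ip_src_addr": "10.0.0.5",
     "ip_dst_addr": "203.0.113.10", "host": "www.youtube.com", "uri": "/",
     GEO_FIELD: "US"},
    {"timestamp": 1488376860000, "protocol": "http", "ip_src_addr": "10.0.0.7",
     "ip_dst_addr": "198.51.100.7", "host": "static.example.net", "uri": "/a.js",
     GEO_FIELD: "DE"},
    {"timestamp": 1488376920000, "protocol": "http", "ip_src_addr": "10.0.0.5",
     "ip_dst_addr": "203.0.113.10", "host": "WWW.Google.com", "uri": "/search",
     GEO_FIELD: "US"},
    # HTTP/1.0 request without a Host header and no geo enrichment: every
    # paragraph below has to tolerate missing fields.
    {"timestamp": 1488377000000, "protocol": "http", "ip_src_addr": "10.0.0.9",
     "ip_dst_addr": "192.0.2.44", "uri": "/"},
]

# Stand-in for the Alexa top-sites list discussed in the thread; the real
# list is keyed by registered domain, so the comparison is done at that level.
TOP_SITES = {"google.com", "youtube.com", "facebook.com"}


def hour_bucket(ts_ms):
    """Truncate an epoch-millisecond timestamp to its UTC hour."""
    return datetime.fromtimestamp(ts_ms / 1000, tz=timezone.utc).strftime("%Y-%m-%d %H:00")


def queries_per_hour(records):
    """Number of Bro records per hour across all log types."""
    return dict(Counter(hour_bucket(r["timestamp"]) for r in records))


def geo_frequency(records, field=GEO_FIELD):
    """Count destination countries, skipping records without geo enrichment."""
    return dict(Counter(r[field] for r in records if r.get(field)))


def registered_domain(name):
    """Naive registered domain: lowercase, drop a DNS trailing dot, keep the
    last two labels. Fine for a dashboard; a real build should consult the
    public suffix list so that e.g. 'bbc.co.uk' is not reduced to 'co.uk'."""
    labels = name.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def requested_name(record):
    """The name the client asked for: HTTP Host header or DNS query name."""
    if record.get("protocol") == "http":
        return record.get("host")
    if record.get("protocol") == "dns":
        return record.get("query")
    return None


def top_site_split(records, top_sites):
    """Top-sites vs other requests. Returns None when there is no top-sites
    data so the caller can skip the paragraph instead of plotting zeros."""
    if not top_sites:
        return None
    counts = {"top": 0, "other": 0}
    for r in records:
        name = requested_name(r)
        if not name:
            continue  # e.g. HTTP/1.0 without Host
        bucket = "top" if registered_domain(name) in top_sites else "other"
        counts[bucket] += 1
    return counts


def top_sites_paragraph(records, top_sites):
    """Text a Zeppelin paragraph could emit: the chart rows, or an explicit
    note when the top-sites list is absent (there is no built-in way to hide
    a paragraph, so the paragraph itself has to say why it is empty)."""
    split = top_site_split(records, top_sites)
    if split is None:
        return "top-sites data not loaded; skipping top vs non-top breakdown"
    return "\n".join(f"{k}\t{v}" for k, v in split.items())


if __name__ == "__main__":
    print(queries_per_hour(SAMPLE_RECORDS))
    print(geo_frequency(SAMPLE_RECORDS))
    print(top_sites_paragraph(SAMPLE_RECORDS, TOP_SITES))
    print(top_sites_paragraph(SAMPLE_RECORDS, set()))
```

The registered-domain step is the part most likely to bite in practice: matching raw hostnames against the Alexa list undercounts top sites (www.google.com vs google.com), and the two-label shortcut overcounts for ccTLD second-level registries, which is why the comment points at the public suffix list.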
