metron-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Mohan (JIRA)" <j...@apache.org>
Subject [jira] [Created] (METRON-2065) Setting Parser Output Topic in Sensor Config is broken
Date Mon, 08 Apr 2019 06:43:00 GMT
Mohan created METRON-2065:
-----------------------------

             Summary: Setting Parser Output Topic in Sensor Config is broken
                 Key: METRON-2065
                 URL: https://issues.apache.org/jira/browse/METRON-2065
             Project: Metron
          Issue Type: Bug
            Reporter: Mohan
         Attachments: Screen Shot 2019-04-05 at 7.45.36 PM.png

Login to management console 

Edit the parser config Advanced > Raw JSON  !Screen Shot 2019-04-05 at 7.45.36 PM.png!


Change the output topic for the 'snort' sensor.

Verify that the changes taken effect using stellar shell 
{code:java}
[Stellar]>>> conf := CONFIG_GET("PARSER","snort") { "parserClassName" : "org.apache.metron.parsers.snort.BasicSnortParser",
"sensorTopic" : "snort", "outputTopic" : "new-topic", "readMetadata" : false, "mergeMetadata"
: false, "spoutParallelism" : 1, "spoutNumTasks" : 1, "parserParallelism" : 1, "parserNumTasks"
: 1, "errorWriterParallelism" : 1, "errorWriterNumTasks" : 1, "spoutConfig" : { }, "stormConfig"
: { }, "parserConfig" : { }, "fieldTransformations" : [ ], "cacheConfig" : { }, "rawMessageStrategy"
: "DEFAULT", "rawMessageStrategyConfig" : { } }
{code}
publish the message to 'snort' topic

I use the console consumer to validate output is being piped into "new_topic" and verified
that no messages were sent to the topic 
{code:java}
[metron@nat-r7-udos-metron-1 bin]$ ./kafka-console-consumer.sh --zookeeper $ZOOKEEPER --security-protocol
PLAINTEXTSASL --topic new-topic 
Using the ConsoleConsumer with old consumer is deprecated and will be removed in a future
major release. Consider using the new consumer by passing [bootstrap-server] instead of [zookeeper].
[2019-04-05 14:08:08,796] WARN SASL configuration failed: javax.security.auth.login.LoginException:
No JAAS configuration section named 'Client' was found in specified JAAS configuration file:
'/usr/hdp/current/kafka-broker/config/kafka_client_jaas.conf'. Will continue connection to
Zookeeper server without SASL authentication, if Zookeeper server allows it. (org.apache.zookeeper.ClientCnxn)
[2019-04-05 14:08:09,005] WARN SASL configuration failed: javax.security.auth.login.LoginException:
No JAAS configuration section named 'Client' was found in specified JAAS configuration file:
'/usr/hdp/current/kafka-broker/config/kafka_client_jaas.conf'. Will continue connection to
Zookeeper server without SASL authentication, if Zookeeper server allows it. (org.apache.zookeeper.ClientCnxn)
{code}
where as I see that the messages were sent to "enrichments" topic
{code:java}
[metron@nat-r7-udos-metron-1 bin]$ ./kafka-console-consumer.sh --zookeeper $ZOOKEEPER --security-protocol
PLAINTEXTSASL --topic enrichments
Using the ConsoleConsumer with old consumer is deprecated and will be removed in a future
major release. Consider using the new consumer by passing [bootstrap-server] instead of [zookeeper].
[2019-04-05 14:10:18,930] WARN SASL configuration failed: javax.security.auth.login.LoginException:
No JAAS configuration section named 'Client' was found in specified JAAS configuration file:
'/usr/hdp/current/kafka-broker/config/kafka_client_jaas.conf'. Will continue connection to
Zookeeper server without SASL authentication, if Zookeeper server allows it. (org.apache.zookeeper.ClientCnxn)
[2019-04-05 14:10:19,095] WARN SASL configuration failed: javax.security.auth.login.LoginException:
No JAAS configuration section named 'Client' was found in specified JAAS configuration file:
'/usr/hdp/current/kafka-broker/config/kafka_client_jaas.conf'. Will continue connection to
Zookeeper server without SASL authentication, if Zookeeper server allows it. (org.apache.zookeeper.ClientCnxn)

{"msg":"snort test alert","sig_rev":"0","ip_dst_port":"80","ethsrc":"00:00:00:00:00:00","tcpseq":"0xF017C4DA","dgmlen":"40","icmpid":"","tcplen":"","tcpwindow":"0xF6C9","icmpseq":"","tcpack":"0xABDB8426","protocol":"TCP","ip_dst_addr":"62.75.195.236","original_string":"09\/09\/16-09:09:09.844676
,1,999158,0,\"snort test alert\",TCP,192.168.138.160,49188,62.75.195.236,80,00:00:00:00:00:00,00:00:00:00:00:00,0x3C,***A****,0xF017C4DA,0xABDB8426,,0xF6C9,128,0,2319,40,40960,,,,","icmpcode":"","tos":"0","id":"2319","ip_src_addr":"192.168.138.160","timestamp":1473412149844,"ethdst":"00:00:00:00:00:00","is_alert":"true","ttl":"128","source.type":"snort","ethlen":"0x3C","iplen":"40960","icmptype":"","ip_src_port":"49188","tcpflags":"***A****","guid":"11fb0141-9c45-4787-a9a4-ad725ed0318f","sig_id":"999158","sig_generator":"1"}
{"msg":"snort test alert","sig_rev":"0","ip_dst_port":"80","ethsrc":"00:00:00:00:00:00","tcpseq":"0xF017C4DA","dgmlen":"40","icmpid":"","tcplen":"","tcpwindow":"0xF6C9","icmpseq":"","tcpack":"0xABDB8426","protocol":"TCP","ip_dst_addr":"62.75.195.236","original_string":"09\/09\/16-09:09:09.844676
,1,999158,0,\"snort test alert\",TCP,192.168.138.160,49188,62.75.195.236,80,00:00:00:00:00:00,00:00:00:00:00:00,0x3C,***A****,0xF017C4DA,0xABDB8426,,0xF6C9,128,0,2319,40,40960,,,,","icmpcode":"","tos":"0","id":"2319","ip_src_addr":"192.168.138.160","timestamp":1473412149844,"ethdst":"00:00:00:00:00:00","is_alert":"true","ttl":"128","source.type":"snort","ethlen":"0x3C","iplen":"40960","icmptype":"","ip_src_port":"49188","tcpflags":"***A****","guid":"5cd4082f-06aa-4c92-8c72-a5d9c775b5d4","sig_id":"999158","sig_generator":"1"}
{"msg":"snort test alert","sig_rev":"0","ip_dst_port":"80","ethsrc":"00:00:00:00:00:00","tcpseq":"0xF017C4DA","dgmlen":"40","icmpid":"","tcplen":"","tcpwindow":"0xF6C9","icmpseq":"","tcpack":"0xABDB8426","protocol":"TCP","ip_dst_addr":"62.75.195.236","original_string":"09\/09\/16-09:09:09.844676
,1,999158,0,\"snort test alert\",TCP,192.168.138.160,49188,62.75.195.236,80,00:00:00:00:00:00,00:00:00:00:00:00,0x3C,***A****,0xF017C4DA,0xABDB8426,,0xF6C9,128,0,2319,40,40960,,,,","icmpcode":"","tos":"0","id":"2319","ip_src_addr":"192.168.138.160","timestamp":1473412149844,"ethdst":"00:00:00:00:00:00","is_alert":"true","ttl":"128","source.type":"snort","ethlen":"0x3C","iplen":"40960","icmptype":"","ip_src_port":"49188","tcpflags":"***A****","guid":"b0e60bcd-261a-41e6-924f-de8c903f4f57","sig_id":"999158","sig_generator":"1"}
{"msg":"snort test alert","sig_rev":"0","ip_dst_port":"80","ethsrc":"00:00:00:00:00:00","tcpseq":"0xF017C4DA","dgmlen":"40","icmpid":"","tcplen":"","tcpwindow":"0xF6C9","icmpseq":"","tcpack":"0xABDB8426","protocol":"TCP","ip_dst_addr":"62.75.195.236","original_string":"09\/09\/16-09:09:09.844676
,1,999158,0,\"snort test alert\",TCP,192.168.138.160,49188,62.75.195.236,80,00:00:00:00:00:00,00:00:00:00:00:00,0x3C,***A****,0xF017C4DA,0xABDB8426,,0xF6C9,128,0,2319,40,40960,,,,","icmpcode":"","tos":"0","id":"2319","ip_src_addr":"192.168.138.160","timestamp":1473412149844,"ethdst":"00:00:00:00:00:00","is_alert":"true","ttl":"128","source.type":"snort","ethlen":"0x3C","iplen":"40960","icmptype":"","ip_src_port":"49188","tcpflags":"***A****","guid":"b29029b6-9b9d-4c5f-810c-2bd816126ffa","sig_id":"999158","sig_generator":"1"}
{code}



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

Mime
View raw message