  1. Metron (Retired)
  2. METRON-2065

Setting Parser Output Topic in Sensor Config is broken


Details

    • Bug
    • Status: Done
    • Major
    • Resolution: Done
    • None
    • 0.7.1
    • None

    Description

      Log in to the management console.

      Edit the parser config under Advanced > Raw JSON.

      Change the output topic for the 'snort' sensor.

      Verify that the changes have taken effect using the Stellar shell:

      [Stellar]>>> conf := CONFIG_GET("PARSER","snort")
      {
        "parserClassName" : "org.apache.metron.parsers.snort.BasicSnortParser",
        "sensorTopic" : "snort",
        "outputTopic" : "new-topic",
        "readMetadata" : false,
        "mergeMetadata" : false,
        "spoutParallelism" : 1,
        "spoutNumTasks" : 1,
        "parserParallelism" : 1,
        "parserNumTasks" : 1,
        "errorWriterParallelism" : 1,
        "errorWriterNumTasks" : 1,
        "spoutConfig" : { },
        "stormConfig" : { },
        "parserConfig" : { },
        "fieldTransformations" : [ ],
        "cacheConfig" : { },
        "rawMessageStrategy" : "DEFAULT",
        "rawMessageStrategyConfig" : { }
      }
      

      Publish the message to the 'snort' topic.

      I used the console consumer to validate that output is being piped into "new_topic" and verified that no messages were sent to the topic:

      [metron@nat-r7-udos-metron-1 bin]$ ./kafka-console-consumer.sh --zookeeper $ZOOKEEPER --security-protocol PLAINTEXTSASL --topic new-topic 
      Using the ConsoleConsumer with old consumer is deprecated and will be removed in a future major release. Consider using the new consumer by passing [bootstrap-server] instead of [zookeeper].
      [2019-04-05 14:08:08,796] WARN SASL configuration failed: javax.security.auth.login.LoginException: No JAAS configuration section named 'Client' was found in specified JAAS configuration file: '/usr/hdp/current/kafka-broker/config/kafka_client_jaas.conf'. Will continue connection to Zookeeper server without SASL authentication, if Zookeeper server allows it. (org.apache.zookeeper.ClientCnxn)
      [2019-04-05 14:08:09,005] WARN SASL configuration failed: javax.security.auth.login.LoginException: No JAAS configuration section named 'Client' was found in specified JAAS configuration file: '/usr/hdp/current/kafka-broker/config/kafka_client_jaas.conf'. Will continue connection to Zookeeper server without SASL authentication, if Zookeeper server allows it. (org.apache.zookeeper.ClientCnxn)
      

      Whereas I see that the messages were sent to the "enrichments" topic:

      [metron@nat-r7-udos-metron-1 bin]$ ./kafka-console-consumer.sh --zookeeper $ZOOKEEPER --security-protocol PLAINTEXTSASL --topic enrichments
      Using the ConsoleConsumer with old consumer is deprecated and will be removed in a future major release. Consider using the new consumer by passing [bootstrap-server] instead of [zookeeper].
      [2019-04-05 14:10:18,930] WARN SASL configuration failed: javax.security.auth.login.LoginException: No JAAS configuration section named 'Client' was found in specified JAAS configuration file: '/usr/hdp/current/kafka-broker/config/kafka_client_jaas.conf'. Will continue connection to Zookeeper server without SASL authentication, if Zookeeper server allows it. (org.apache.zookeeper.ClientCnxn)
      [2019-04-05 14:10:19,095] WARN SASL configuration failed: javax.security.auth.login.LoginException: No JAAS configuration section named 'Client' was found in specified JAAS configuration file: '/usr/hdp/current/kafka-broker/config/kafka_client_jaas.conf'. Will continue connection to Zookeeper server without SASL authentication, if Zookeeper server allows it. (org.apache.zookeeper.ClientCnxn)
      
      {"msg":"snort test alert","sig_rev":"0","ip_dst_port":"80","ethsrc":"00:00:00:00:00:00","tcpseq":"0xF017C4DA","dgmlen":"40","icmpid":"","tcplen":"","tcpwindow":"0xF6C9","icmpseq":"","tcpack":"0xABDB8426","protocol":"TCP","ip_dst_addr":"62.75.195.236","original_string":"09\/09\/16-09:09:09.844676 ,1,999158,0,\"snort test alert\",TCP,192.168.138.160,49188,62.75.195.236,80,00:00:00:00:00:00,00:00:00:00:00:00,0x3C,***A****,0xF017C4DA,0xABDB8426,,0xF6C9,128,0,2319,40,40960,,,,","icmpcode":"","tos":"0","id":"2319","ip_src_addr":"192.168.138.160","timestamp":1473412149844,"ethdst":"00:00:00:00:00:00","is_alert":"true","ttl":"128","source.type":"snort","ethlen":"0x3C","iplen":"40960","icmptype":"","ip_src_port":"49188","tcpflags":"***A****","guid":"11fb0141-9c45-4787-a9a4-ad725ed0318f","sig_id":"999158","sig_generator":"1"}
      {"msg":"snort test alert","sig_rev":"0","ip_dst_port":"80","ethsrc":"00:00:00:00:00:00","tcpseq":"0xF017C4DA","dgmlen":"40","icmpid":"","tcplen":"","tcpwindow":"0xF6C9","icmpseq":"","tcpack":"0xABDB8426","protocol":"TCP","ip_dst_addr":"62.75.195.236","original_string":"09\/09\/16-09:09:09.844676 ,1,999158,0,\"snort test alert\",TCP,192.168.138.160,49188,62.75.195.236,80,00:00:00:00:00:00,00:00:00:00:00:00,0x3C,***A****,0xF017C4DA,0xABDB8426,,0xF6C9,128,0,2319,40,40960,,,,","icmpcode":"","tos":"0","id":"2319","ip_src_addr":"192.168.138.160","timestamp":1473412149844,"ethdst":"00:00:00:00:00:00","is_alert":"true","ttl":"128","source.type":"snort","ethlen":"0x3C","iplen":"40960","icmptype":"","ip_src_port":"49188","tcpflags":"***A****","guid":"5cd4082f-06aa-4c92-8c72-a5d9c775b5d4","sig_id":"999158","sig_generator":"1"}
      {"msg":"snort test alert","sig_rev":"0","ip_dst_port":"80","ethsrc":"00:00:00:00:00:00","tcpseq":"0xF017C4DA","dgmlen":"40","icmpid":"","tcplen":"","tcpwindow":"0xF6C9","icmpseq":"","tcpack":"0xABDB8426","protocol":"TCP","ip_dst_addr":"62.75.195.236","original_string":"09\/09\/16-09:09:09.844676 ,1,999158,0,\"snort test alert\",TCP,192.168.138.160,49188,62.75.195.236,80,00:00:00:00:00:00,00:00:00:00:00:00,0x3C,***A****,0xF017C4DA,0xABDB8426,,0xF6C9,128,0,2319,40,40960,,,,","icmpcode":"","tos":"0","id":"2319","ip_src_addr":"192.168.138.160","timestamp":1473412149844,"ethdst":"00:00:00:00:00:00","is_alert":"true","ttl":"128","source.type":"snort","ethlen":"0x3C","iplen":"40960","icmptype":"","ip_src_port":"49188","tcpflags":"***A****","guid":"b0e60bcd-261a-41e6-924f-de8c903f4f57","sig_id":"999158","sig_generator":"1"}
      {"msg":"snort test alert","sig_rev":"0","ip_dst_port":"80","ethsrc":"00:00:00:00:00:00","tcpseq":"0xF017C4DA","dgmlen":"40","icmpid":"","tcplen":"","tcpwindow":"0xF6C9","icmpseq":"","tcpack":"0xABDB8426","protocol":"TCP","ip_dst_addr":"62.75.195.236","original_string":"09\/09\/16-09:09:09.844676 ,1,999158,0,\"snort test alert\",TCP,192.168.138.160,49188,62.75.195.236,80,00:00:00:00:00:00,00:00:00:00:00:00,0x3C,***A****,0xF017C4DA,0xABDB8426,,0xF6C9,128,0,2319,40,40960,,,,","icmpcode":"","tos":"0","id":"2319","ip_src_addr":"192.168.138.160","timestamp":1473412149844,"ethdst":"00:00:00:00:00:00","is_alert":"true","ttl":"128","source.type":"snort","ethlen":"0x3C","iplen":"40960","icmptype":"","ip_src_port":"49188","tcpflags":"***A****","guid":"b29029b6-9b9d-4c5f-810c-2bd816126ffa","sig_id":"999158","sig_generator":"1"}
      

      Attachments

        1. Screen Shot 2019-04-05 at 7.45.36 PM.png
          276 kB
          Mohan Venkateshaiah

            People

              rmerriman Ryan Merriman
              mohandv Mohan Venkateshaiah

                Time Tracking

                  Original Estimate - Not Specified
                  Remaining Estimate - 0h
                  Time Spent - 40m