METRON-2357: Extends example 4 with a dynamic version

Open vikgmdev opened this issue 4 years ago • 8 comments

Contributor Comments

  • Extends the current Example 4 to include a dynamic version.

It will demonstrate how to automatically send each zeek log to a topic with the same name.

For instance, the CONN::LOG log would be sent to the conn topic, or Known::CERTS_LOG to the known-certs topic, without defining a Log::Filter for each of those.

Pull Request Checklist

Thank you for submitting a contribution to Apache Metron's Bro kafka writer plugin.

In order to streamline the review of the contribution we ask you follow these guidelines and ask you to double check the following:

For all changes:

  • [x] Is there a JIRA ticket associated with this PR? If not one needs to be created at Metron Jira.
  • [x] Does your PR title start with METRON-XXXX where XXXX is the JIRA number you are trying to resolve? Pay particular attention to the hyphen "-" character.
  • [x] Has your PR been rebased against the latest commit within the target branch (typically master)?

For code changes:

  • [ ] Have you included steps to reproduce the behavior or problem that is being changed or addressed?
  • [ ] Have you included steps or a guide to how the change may be verified and tested manually?
  • [ ] Have you ensured that the full suite of tests and checks have been executed via:
    bro-pkg test $GITHUB_USERNAME/metron-bro-plugin-kafka --version $BRANCH
    
  • [ ] Have you written or updated unit tests and or integration tests to verify your changes?
  • [ ] If adding new dependencies to the code, are these dependencies licensed in a way that is compatible for inclusion under ASF 2.0?
  • [ ] Have you verified the basic functionality of the build by building and running locally with Apache Metron's Vagrant full-dev environment or the equivalent?

vikgmdev May 20 '20 20:05
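The dynamic variant the PR description outlines, written here as an added example that is not the PR's or the plugin's own script: a single zeek_init handler walks Log::active_streams and attaches one Kafka filter per stream, deriving the topic name from the stream id (Conn::LOG to conn, Known::CERTS_LOG to known-certs) instead of hand-writing a Log::Filter per log. It assumes the plugin is installed as a zkg/bro-pkg package, that the writer honours a per-filter `topic_name` entry in `$config` as the README examples do, and a placeholder broker address.

```zeek
# Added example, not the plugin's own script: route every active Zeek log
# stream to a Kafka topic named after the stream, with no per-log filter.
@load packages/metron-bro-plugin-kafka   # assumption: installed via zkg / bro-pkg

# Placeholder broker; replace with the real metadata.broker.list value.
redef Kafka::kafka_conf = table(["metadata.broker.list"] = "localhost:9092");

# Derive a topic name from a stream id:
#   Conn::LOG        -> "conn"
#   Known::CERTS_LOG -> "known-certs"
function topic_for_stream(id: Log::ID): string
{
    local name = to_lower(fmt("%s", id));      # "Known::CERTS_LOG" -> "known::certs_log"
    name = sub(name, /(::|_)log$/, "");        # drop the trailing ::LOG / _LOG
    name = gsub(name, /::|_/, "-");            # module separators and underscores -> '-'
    return name;
}

# Priority -10 runs after the base scripts have created their streams
# (they register them in zeek_init at a higher priority), so every
# stream that is going to exist is already in Log::active_streams.
event zeek_init() &priority=-10
{
    for ( id in Log::active_streams )
    {
        local f: Log::Filter = [
            $name   = fmt("kafka-%s", id),
            $writer = Log::WRITER_KAFKAWRITER,
            # assumption: per-filter topic_name in $config overrides Kafka::topic_name
            $config = table(["topic_name"] = topic_for_stream(id))
        ];
        Log::add_filter(id, f);
    }
}
```

The default ASCII filter on each stream is left in place, so local logs keep being written alongside the Kafka copies.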

I have added Victor to the jira contributors role and assigned the jira to him.

ottobackwards May 21 '20 14:05

Hi @vikgmdev any update on this? Thanks!

JonZeolla Jun 12 '20 20:06

Hi @vikgmdev, thanks again for the contribution. Do you have an update? If not, we will unfortunately need to mark this as abandoned.

JonZeolla Sep 23 '20 10:09

Hi @JonZeolla, I haven't had the chance to push the updates. Let me retake the issue and I'll push the updates soon. Thanks a lot for your patience.

vikgmdev Sep 23 '20 11:09

Hey @JonZeolla, I just noticed I had the changes since a few months ago but hadn't pushed them before. We'll wait for your re-review. Thanks.

vikgmdev Oct 01 '20 20:10

Thanks @vikgmdev looking good. Have you tested with the end to end docker/ tests? I think after the initial spin-up you'll need to configure the environment using docker_execute_create_topic_in_kafka.sh (because the topics don't auto-create on publish yet), update the zeek scripts with what you have in the README, and then re-run to ensure it works.

JonZeolla Oct 08 '20 12:10

Hey, @JonZeolla I encountered two issues when running the end to end docker/ tests...

The link to download the nitroba.pcap is no longer available:

--2020-10-10 11:26:40--  http://downloads.digitalcorpora.org/corpora/network-packet-dumps/2008-nitroba/nitroba.pcap
Resolving downloads.digitalcorpora.org (downloads.digitalcorpora.org)... 129.174.125.204
Connecting to downloads.digitalcorpora.org (downloads.digitalcorpora.org)|129.174.125.204|:80... failed: Connection timed out.
Retrying.

I commented that line to unblock me and keep with the test.

But after that, the script is crashing and throwing this error:

...
===================================================
Configuring kafka plugin
configured the kafka plugin
MADE /home/vick/Documents/Anubis/metron-bro-plugin-kafka/docker/test_output/sáb_10_oct_2020_11_32_09_CDT/exercise-traffic_pcap
Running docker_execute_process_data_dir with 
CONTAINER_NAME = metron-bro-plugin-kafka_zeek_1
PCAP_FILE_NAME = exercise-traffic.pcap
OUTPUT_DIRECTORY_NAME = exercise-traffic_pcap
===================================================
executing process_data_file.sh in the zeek docker container
 
PCAP_FILE_NAME = exercise-traffic.pcap
OUTPUT_DIRECTORY_NAME = exercise-traffic_pcap
================================
WARNING: No Site::local_nets have been defined.  It's usually a good idea to define your local networks.
1258563753.320650 fatal error: failed to read a packet from /root/data/example-traffic/exercise-traffic.pcap: truncated dump file; tried to read 1434 captured bytes, only got 415

So I'm not sure if it's an actual bug in the test or just a step I missed in my setup.

vikgmdev Oct 10 '20 16:10

Hi @vikgmdev yeah unfortunately those are known issues. If you manually download nitroba and put it in the pcap directory, and change the zeek version to 3.1.5 it should be able to get through the tests until we can figure out a workaround for the change which is causing the tests to exit due to pcap issues. Sorry for the hassle with this... We plan to make this a non-issue as a part of future work.

JonZeolla Oct 22 '20 16:10