Creating Global Configurations

« Prev

To configure a global configuration file, create a file called global.json at $METRON_HOME/config/zookeeper.
Using the following format, populate the file with enrichment values that you want to apply to all sensors:
```
{
  "es.clustername": "metron",
  "es.ip": "node1",
  "es.port": "9300",
  "es.date.format": "yyyy.MM.dd.HH",
  "fieldValidations" : [
              {
                "input" : [ "ip_src_addr", "ip_dst_addr" ],
                "validation" : "IP",
                "config" : {
                    "type" : "IPV4"
                           }
              }
                       ]
}
```
es.ip
A single or collection of elastic search master nodes.
They might be specified using the hostname:port syntax. If a port is not specified, then a separate global property es.port is required:
Example: es.ip : [ “10.0.0.1:1234”, “10.0.0.2:1234”]
Example: es.ip : “10.0.0.1” (thus requiring es.port to be specified as well)
Example: es.ip : “10.0.0.1:1234” (thus not requiring es.port to be specified)
es.port
The port of the elastic search master node.
This is not strictly required if the port is specified in the es.ip global property as described above. It is expected that this be an integer or a string representation of an integer.
Example: es.port : “1234"
Example: es.port : 1234
es.clustername
The elastic search cluster name to which you want to write.
Example: es.clustername : “metron” (providing your ES cluster is configured to have metron be a valid cluster name)
es.date.format
The format of the date that specifies how the information is parsed time-wise.
For example:
es.date.format : “yyyy.MM.dd.HH” (this would shard by hour creating, for example, a Bro shard of bro_2016.01.01.01, bro_2016.01.01.02, etc.)
es.date.format : “yyyy.MM.dd” (this would shard by day, creating, for example, a Bro shard of bro_2016.01.01, bro_2016.01.02, etc.)
fieldValidations
A validation framework that enables you to construct validation rules that cross all sensors.
The fieldValidations enrichment value use validation plugins or assertions about fields or whole messages
input
An array of input fields or a single field. If this is omitted, then the whole messages is passed to the validator.
config
A String to Object map for validation configuration. This is optional if the validation function requires no configuration.
validation
The validation function to be used. This is one of the following:
STELLAR
Execute a Stellar Language statement. Expects the query string in the condition field of the config.
IP
Validates that the input fields are an IP address. By default, if no configuration is set, it assumes IPV4, but you can specify the type by passing in type with either IPV6 or IPV4 or by passing in a list [IPV4,IPV6] in which case the input is validated against both.
DOMAIN
Validates that the fields are all domains.
EMAIL
Validates that the fields are all email addresses.
URL
Validates that the fields are all URLs.
DATE
Validates that the fields are a date. Expects format in the configuration.
INTEGER
Validates that the fields are an integer. String representation of an integer is allowed.
REGEX_MATCH
Validates that the fields match a regex. Expects pattern in the configuration.
NOT_EMPTY
Validates that the fields exist and are not empty (after trimming.)

​Creating Global Configurations