Global Configuration

Global configurations are applied to all data sources as opposed to other configurations that are applied to a specific sensor. In other words, every message from every sensor is validated against global configuration rules.

To configure a global configuration file, create a file called global.json at $METRON_HOME/config/zookeeper.
Populate the file with enrichment configurations you want to apply to all sensors.
The file should have the following format:
```
{
  "es.clustername": "metron",
  "es.ip": "node1",
  "es.port": "9300",
  "es.date.format": "yyyy.MM.dd.HH",
  "fieldValidations" : [
              {
                "input" : [ "ip_src_addr", "ip_dst_addr" ],
                "validation" : "IP",
                "config" : {
                    "type" : "IPV4"
                           }
              } 
                       ]
}
```
where
es.ip
A single or collection of elastic search master nodes.
They may be specified via the widely accepted hostname:port syntax. If a port is not specified, then a separate global property es.port is required:
Example: es.ip : [ “10.0.0.1:1234”, “10.0.0.2:1234”]
Example: es.ip : “10.0.0.1” (thus requiring es.port to be specified as well)
Example: es.ip : “10.0.0.1:1234” (thus not requiring es.port to be specified)
es.port
The port of the elastic search master node.
This is not strictly required if the port is specified in the es.ip global property as described above. It is expected that this be an integer or a string representation of an integer.
Example: es.port : “1234"
Example: es.port : 1234
es.clustername
The elastic search cluster name to which you want to write.
Example: es.clustername : “metron” (providing your ES cluster is configured to have metron be a valid cluster name)
es.date.format
We shard the indices first by sensor and then by date.
This provides the granularity time-wise that we shard.
Example: es.date.format : “yyyy.MM.dd.HH” (this would shard by hour creating, for example, a Bro shard of bro_2016.01.01.01, bro_2016.01.01.02, etc.)
Example: es.date.format : “yyyy.MM.dd” (this would shard by day, creating, for example, a Bro shard of bro_2016.01.01, bro_2016.01.02, etc.)
fieldValidations
A validation framework that enables you to construct validation rules that cross all sensors.
This is done in the form of validation plugins where assertions about fields or whole messages can be made.
input
An array of input fields or a single field. If this is omitted, then the whole messages is passed to the validator.
config
A String to Object map for validation configuration. This is optional if the validation function requires no configuration.
validation
The validation function to be used. This is one of the following:
STELLAR
Execute a Stellar Language statement. Expects the query string in the condition field of the config.
IP
Validates that the input fields are an IP address. By default, if no configuration is set, it assumes IPV4, but you can specify the type by passing in type with either IPV6 or IPV4 or by passing in a list [IPV4,IPV6] in which case the input(s) will be validated against both.
DOMAIN
Validates that the fields are all domains.
EMAIL
Validates that the fields are all email addresses.
URL
Validates that the fields are all URLs.
DATE
Validates that the fields are a date. Expects format in the config.
INTEGER
Validates that the fields are an integer. String representation of an integer is allowed.
REGEX_MATCH
Validates that the fields match a regex. Expects pattern in the config.
NOT_EMPTY
Validates that the fields exist and are not empty (after trimming.)

You can also create a validation using Stellar. The following validation uses Stellar to validate the same thing as the previous example:

"fieldValidations" : [
              {
                "validation" : "STELLAR",
                "config" : {
                    "condition" : "IS_IP(ip_src_addr, 'IPV4')"
                           }
              } 
                       ]

​Global Configuration

Global Configuration