Parse the Squid Data Source to HCP
Parsers transform raw data (text or raw bytes) into JSON messages suitable for downstream enrichment and indexing by HCP. There is one parser for each data source, and the parsed messages are piped to the Enrichment/Threat Intelligence topology.
The following sections guide you through how to add the Squid telemetry to HCP. The following procedures use the Management module UI whenever possible. If you would like to see these steps performed using the CLI, see the Hortonworks Cybersecurity Package Administration Guide.
| Task | Description |
|---|---|
| | This section uses the Management module to create a parser for the new data source. |
| Verify that the Events are Indexed | After you finish parsing your new data source, verify that the data source events are indexed and that the output matches any Stellar transformation functions you used. |
| Create an Index Template | To work with data from a new data source in the Metron dashboard, you need to ensure that the data lands in the search index (Elasticsearch) with the correct data types. You achieve this by defining an index template. |
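As an added illustration of what a parser does (raw text line to JSON message) and of why an index template matters (the parsed fields must land in Elasticsearch with the right types), here is a stand-alone Python example. It is not HCP's own parser code and not part of this guide: it parses constructed Squid `access.log` lines in Squid's native log format with a regular expression, derives a `full_hostname` field from the URL (a transformation of the kind a Stellar function would perform; the field name is an assumption), and then derives an Elasticsearch index template from the types of the parsed fields. The index name pattern `squid_index*`, the mapping type name `squid_doc`, and the use of the older `template` key in the index template are all assumptions for the example.

```python
import json
import re
from urllib.parse import urlparse

# Constructed sample lines in Squid's native access.log format (not taken from the page).
# The third line is deliberately malformed to show how a parser should reject bad input.
SAMPLE_LINES = [
    "1461576382.642    161 127.0.0.1 TCP_MISS/200 103701 GET http://www.cnn.com/ - DIRECT/199.27.79.73 text/html",
    "1461576442.228    159 127.0.0.1 TCP_MISS/200 137183 GET http://www.nba.com/ - DIRECT/66.210.41.9 text/html",
    "this line does not match the squid format",
]

# Squid native format: timestamp elapsed client action/code bytes method URL ident hierarchy/peer content-type
SQUID_RE = re.compile(
    r"^(?P<timestamp>\d+(?:\.\d+)?)\s+(?P<elapsed>\d+)\s+(?P<ip_src_addr>\S+)\s+"
    r"(?P<action>[A-Z_]+)/(?P<code>\d{3})\s+(?P<bytes>\d+)\s+(?P<method>[A-Z]+)\s+"
    r"(?P<url>\S+)\s+(?P<ident>\S+)\s+(?P<hierarchy>[A-Z_]+)/(?P<ip_dst_addr>\S+)\s+"
    r"(?P<content_type>\S+)$"
)


def parse_squid_line(line):
    """Turn one Squid access.log line into a JSON-ready dict, or None if it does not match."""
    m = SQUID_RE.match(line.strip())
    if not m:
        return None  # a real parser would route this to an error topic rather than guess
    d = m.groupdict()
    return {
        "timestamp": int(round(float(d["timestamp"]) * 1000)),  # epoch milliseconds
        "elapsed": int(d["elapsed"]),
        "ip_src_addr": d["ip_src_addr"],
        "action": d["action"],
        "code": int(d["code"]),
        "bytes": int(d["bytes"]),
        "method": d["method"],
        "url": d["url"],
        # Derived field, standing in for a Stellar transformation (assumed field name).
        "full_hostname": urlparse(d["url"]).hostname or "",
        # Squid writes "-" when there is no peer address; do not store that as an IP.
        "ip_dst_addr": None if d["ip_dst_addr"] == "-" else d["ip_dst_addr"],
        "content_type": d["content_type"],
        "source.type": "squid",
    }


def parse_squid_log(lines):
    """Parse many lines, dropping the ones that do not match the format."""
    return [msg for msg in (parse_squid_line(l) for l in lines) if msg is not None]


def build_index_template(message, index_pattern="squid_index*", doc_type="squid_doc"):
    """Derive an Elasticsearch index template from the parsed message's field types.

    Typing rules are assumptions for this example: the timestamp is a date in
    epoch_millis, ip_* fields are typed as ip, integers as long, everything else keyword.
    """
    props = {}
    for key, value in message.items():
        if key == "timestamp":
            props[key] = {"type": "date", "format": "epoch_millis"}
        elif key.startswith("ip_"):
            props[key] = {"type": "ip"}
        elif isinstance(value, bool):
            props[key] = {"type": "boolean"}
        elif isinstance(value, int):
            props[key] = {"type": "long"}
        else:
            props[key] = {"type": "keyword"}
    return {"template": index_pattern, "mappings": {doc_type: {"properties": props}}}


if __name__ == "__main__":
    messages = parse_squid_log(SAMPLE_LINES)
    for msg in messages:
        print(json.dumps(msg))
    print(json.dumps(build_index_template(messages[0]), indent=2))
```

Running the script prints the two parsed messages as JSON and the derived index template. Without such a template, Elasticsearch's dynamic mapping may type `ip_src_addr` as text and `timestamp` as a plain number, which is exactly the mismatch the "Create an Index Template" step exists to prevent.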