Hortonworks Cybersecurity Platform 1.5.1
Hortonworks Cybersecurity Platform
Troubleshooting Parsers
This section provides some troubleshooting solutions for parser issues.
Storm is Not Receiving Data From a New Data Source
If, after installing a new data source, Storm is not receiving data from the data source, there are several configurations you can check.
Determine Which Events Are Not Being Processed
Events that are not processed end up in a dead letter queue.
© 2012–2019, Hortonworks, Inc.
Document licensed under the Creative Commons Attribution ShareAlike 4.0 License.