Install Solr
If you are using Apache Solr, install it using the Ambari HDP Search management pack.
- From Ambari, stop the following:
  - Metron
  - Kibana
  - Elasticsearch
- Install the Ambari HDP Search Management pack.
  For instructions on downloading and using the Ambari HDP Search management pack, see Apache Solr Search Installation.
  Important: Ensure the Java thread stack size parameter is set to greater than 320kb. The default setting for SOLR_JAVA_STACK_SIZE is not sufficient to start the Solr service.
  Ambari automatically creates collections for the following:
  - bro
  - snort
  - yaf
  - metaalert
  - error
- If you want to create a collection for a schema not supplied by HCP, perform the following steps:
  - Set Solr environmental variables in ZooKeeper.
    # Path to the zookeeper node used by Solr
    export ZOOKEEPER=node1:2181/solr
    # Define SOLR_HOME
    export SOLR_HOME=/opt/lucidworks-hdpsearch/solr/
    # Set to true if Kerberos is enabled
    export SECURITY_ENABLED=true
  - Create a collection.
    For example:
    su $SOLR_USER -c "$SOLR_HOME/bin/solr create -c bro -d $METRON_HOME/config/schema/bro/"
  - Pull all configurations from ZooKeeper to the Metron config directory:
    $METRON_HOME/bin/zk_load_configs.sh -m PULL -z $ZOOKEEPER -o $METRON_HOME/config/zookeeper -f
  - Add
    "source.type.field" : "source.type"
    and
    "threat.triage.score.field" : "threat.triage.score"
    to the global.json file located at $METRON_HOME/config/zookeeper/global.json.
    The global.json file should look similar to:
    {
      "es.clustername" : "metron",
      "es.ip" : "blah:9300",
      "es.date.format" : "yyyy.MM.dd.HH",
      "parser.error.topic" : "indexing",
      "update.hbase.table" : "metron_update",
      "update.hbase.cf" : "t",
      "es.client.settings" : {
        "client.transport.ping_timeout" : "500s"
      },
      "profiler.client.period.duration" : "15",
      "profiler.client.period.duration.units" : "MINUTES",
      "source.type.field" : "source.type",
      "threat.triage.score.field" : "threat.triage.score",
      "user.settings.hbase.table" : "user_settings",
      "user.settings.hbase.cf" : "cf",
      "geo.hdfs.file" : "/apps/metron/geo/default/GeoLite2-City.mmdb.gz"
    }
  - Push the configuration to ZooKeeper:
    $METRON_HOME/bin/zk_load_configs.sh -m PUSH -z $ZOOKEEPER -i $METRON_HOME/config/zookeeper
- Restart Metron.
- Start Solr.
- From Ambari, select Metron in the components panel.
- Click the Configs tab, then click the Indexing tab.
- Choose Solr in the Index Writer - Random Access pull down menu.
- Click Save.
- From Ambari, stop and restart the Metron Alerts user interface.
- From Ambari, stop and restart Metron REST.
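
The global.json edit described in the steps above can be scripted so that it runs between the PULL and the PUSH and reports exactly which values it changed. This is an added example, not part of the original page or of HCP; the script name and function names are hypothetical, and it assumes Python 3 is available on the node.

```python
import json
import os
import shutil
import sys
import tempfile

# The two settings this page says to add to global.json for Solr.
SOLR_FIELDS = {
    "source.type.field": "source.type",
    "threat.triage.score.field": "threat.triage.score",
}


def apply_solr_fields(config):
    """Return (updated_config, changes); changes holds (key, old, new) per edit."""
    updated = dict(config)  # copy, existing key order is preserved
    changes = []
    for key, wanted in SOLR_FIELDS.items():
        current = updated.get(key)  # None when the key is missing
        if current != wanted:
            changes.append((key, current, wanted))
            updated[key] = wanted
    return updated, changes


def update_global_json(path):
    """Edit global.json in place; keep a .bak copy and replace the file atomically."""
    with open(path, encoding="utf-8") as fh:
        config = json.load(fh)  # raises ValueError on malformed JSON
    if not isinstance(config, dict):
        raise ValueError("global.json must contain a JSON object")
    updated, changes = apply_solr_fields(config)
    if changes:
        shutil.copy2(path, path + ".bak")
        fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(path)))
        with os.fdopen(fd, "w", encoding="utf-8") as fh:
            json.dump(updated, fh, indent=2)
            fh.write("\n")
        shutil.copymode(path, tmp)  # keep the original file permissions
        os.replace(tmp, path)       # the file is never left half-written
    return changes


if __name__ == "__main__":
    # Pass the pulled file, e.g. $METRON_HOME/config/zookeeper/global.json
    if len(sys.argv) != 2:
        sys.exit("usage: set_solr_fields.py <path to global.json>")
    for key, old, new in update_global_json(sys.argv[1]):
        print(f"{key}: {old!r} -> {new!r}")
```

A run that prints nothing means both settings already had the values given in the step, so the file and its timestamp are left untouched.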