We now need to configure what element of a tuple should be enriched with what
enrichment type. This configuration is stored in ZooKeeper.
- Log in as root user to the host that has Metron installed.
- Copy and paste the following into a file called
enrichment_config_temp.json
at $METRON_HOME/config.
{
"zkQuorum" : "$ZOOKEEPER_HOST:2181"
,"sensorToFieldList" : {
"squid" : {
"type" : "THREAT_INTEL"
,"fieldToEnrichmentTypes" : {
"domain_without_subdomains" : [ "whois" ]
}
}
}
}
- Remove any non-ASCII invisible characters that might have been included if you copy and
pasted:
iconv -c -f utf-8 -t ascii enrichment_config_temp.json -o enrichment_config.json