Google Git
Sign in
apache / metron / 410993daf60dfe898a973fa8a9906ddbffd83208 / . / current-book / Upgrading.html
blob: eedcbda61be1ea56aa1e4994b4539710eaf132fb [file] [log] [blame]
<!DOCTYPE html>
<!--
| Generated by Apache Maven Doxia Site Renderer 1.8 from src/site/markdown/Upgrading.md at 2019-05-14
| Rendered using Apache Maven Fluido Skin 1.7
-->
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<meta charset="UTF-8" />
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
<meta name="Date-Revision-yyyymmdd" content="20190514" />
<meta http-equiv="Content-Language" content="en" />
<title>Metron &#x2013; Upgrading</title>
<link rel="stylesheet" href="./css/apache-maven-fluido-1.7.min.css" />
<link rel="stylesheet" href="./css/site.css" />
<link rel="stylesheet" href="./css/print.css" media="print" />
<script type="text/javascript" src="./js/apache-maven-fluido-1.7.min.js"></script>
<script type="text/javascript">
$( document ).ready( function() { $( '.carousel' ).carousel( { interval: 3500 } ) } );
</script>
</head>
<body class="topBarDisabled">
<div class="container-fluid">
<div id="banner">
<div class="pull-left"><a href="http://metron.apache.org/" id="bannerLeft"><img src="images/metron-logo.png" alt="Apache Metron" width="148px" height="48px"/></a></div>
<div class="pull-right"></div>
<div class="clear"><hr/></div>
</div>
<div id="breadcrumbs">
<ul class="breadcrumb">
<li class=""><a href="http://www.apache.org" class="externalLink" title="Apache">Apache</a><span class="divider">/</span></li>
<li class=""><a href="http://metron.apache.org/" class="externalLink" title="Metron">Metron</a><span class="divider">/</span></li>
<li class=""><a href="index.html" title="Documentation">Documentation</a><span class="divider">/</span></li>
<li class="active ">Upgrading</li>
<li id="publishDate" class="pull-right"><span class="divider">|</span> Last Published: 2019-05-14</li>
<li id="projectVersion" class="pull-right">Version: 0.7.1</li>
</ul>
</div>
<div class="row-fluid">
<div id="leftColumn" class="span2">
<div class="well sidebar-nav">
<ul class="nav nav-list">
<li class="nav-header">User Documentation</li>
<li><a href="index.html" title="Metron"><span class="icon-chevron-down"></span>Metron</a>
<ul class="nav nav-list">
<li><a href="CONTRIBUTING.html" title="CONTRIBUTING"><span class="none"></span>CONTRIBUTING</a></li>
<li class="active"><a href="#"><span class="none"></span>Upgrading</a></li>
<li><a href="metron-analytics/index.html" title="Analytics"><span class="icon-chevron-right"></span>Analytics</a></li>
<li><a href="metron-contrib/metron-docker/index.html" title="Docker"><span class="none"></span>Docker</a></li>
<li><a href="metron-contrib/metron-performance/index.html" title="Performance"><span class="none"></span>Performance</a></li>
<li><a href="metron-deployment/index.html" title="Deployment"><span class="icon-chevron-right"></span>Deployment</a></li>
<li><a href="metron-interface/index.html" title="Interface"><span class="icon-chevron-right"></span>Interface</a></li>
<li><a href="metron-platform/index.html" title="Platform"><span class="icon-chevron-right"></span>Platform</a></li>
<li><a href="metron-sensors/index.html" title="Sensors"><span class="icon-chevron-right"></span>Sensors</a></li>
<li><a href="metron-stellar/stellar-3rd-party-example/index.html" title="Stellar-3rd-party-example"><span class="none"></span>Stellar-3rd-party-example</a></li>
<li><a href="metron-stellar/stellar-common/index.html" title="Stellar-common"><span class="icon-chevron-right"></span>Stellar-common</a></li>
<li><a href="metron-stellar/stellar-zeppelin/index.html" title="Stellar-zeppelin"><span class="none"></span>Stellar-zeppelin</a></li>
<li><a href="use-cases/index.html" title="Use-cases"><span class="icon-chevron-right"></span>Use-cases</a></li>
</ul>
</li>
</ul>
<hr />
<div id="poweredBy">
<div class="clear"></div>
<div class="clear"></div>
<div class="clear"></div>
<div class="clear"></div>
<a href="http://maven.apache.org/" title="Built by Maven" class="poweredBy"><img class="builtBy" alt="Built by Maven" src="./images/logos/maven-feather.png" /></a>
</div>
</div>
</div>
<div id="bodyColumn" class="span10" >
<!--
Licensed to the Apache Software Foundation (ASF) under one
or more contributor license agreements. See the NOTICE file
distributed with this work for additional information
regarding copyright ownership. The ASF licenses this file
to you under the Apache License, Version 2.0 (the
"License"); you may not use this file except in compliance
with the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
-->
<h1>Upgrading</h1>
<p><a name="Upgrading"></a></p>
<p>This document constitutes a per-version listing of changes of configuration which are non-backwards compatible.</p>
<div class="section">
<h2><a name="a0.7.0_to_0.7.1"></a>0.7.0 to 0.7.1</h2>
<div class="section">
<h3><a name="METRON-2100:_Update_developer_documentation_for_full_dev_management_UI_parser_aggregation_feature_gap"></a><a class="externalLink" href="https://issues.apache.org/jira/browse/METRON-2100">METRON-2100: Update developer documentation for full dev management UI parser aggregation feature gap</a></h3>
<p>The original full_dev environment change was actually introduced in Metron 0.7.0. This Jira addresses missing user documentation for the Management UI feature gap for parser aggregation. See <a href="metron-deployment/index.html#Parser_Aggregation_Feature">Parser Aggregation Feature</a> for more details on how to work with and configure parsers with this feature change enabled in full_dev.</p></div>
<div class="section">
<h3><a name="METRON-2053:_Refactor_metron-enrichment_to_decouple_Storm_dependencies"></a><a class="externalLink" href="https://issues.apache.org/jira/browse/METRON-2053">METRON-2053: Refactor metron-enrichment to decouple Storm dependencies</a></h3>
<p><tt>org.apache.metron.enrichment.writer.SimpleHbaseEnrichmentWriter</tt> has had its packaged changed to <tt>org.apache.metron.writer.hbase.SimpleHbaseEnrichmentWriter</tt>. It has also been moved from the <tt>metron-platform/metron-enrichment</tt> module to a more appropriate home in <tt>metron-platform/metron-writer</tt>.</p></div>
<div class="section">
<h3><a name="METRON-1929:_Build_GET_ASN_Stellar_function"></a><a class="externalLink" href="https://issues.apache.org/jira/browse/METRON-1929">METRON-1929: Build GET_ASN Stellar function</a></h3>
<p>The script for <tt>geo_enrichment_load.sh</tt> has been renamed, and now is <tt>maxmind_enrichment_load.sh</tt>. A couple changes should happen for users who are upgrading.</p>
<ul>
<li>The MaxMind GeoLite2 ASN database should be loaded onto HDFS at /apps/metron/asn/default/GeoLite2-ASN.tar.gz OR the global configuration property <tt>asn.hdfs.file</tt> can be set to point to a custom HDFS location.</li>
<li>Any custom scripts or tasks that use this script should be updated. In addition, this updated script also retrieves the GeoLite2 ASN database. The <tt>-ra</tt> flag can be used to provide a custom location for this database if offline install is needed. Otherwise, it will retrieve the latest from MaxMind.</li>
</ul></div></div>
<div class="section">
<h2><a name="a0.6.0_to_0.7.0"></a>0.6.0 to 0.7.0</h2>
<div class="section">
<h3><a name="METRON-1834:_Migrate_Elasticsearch_from_TransportClient_to_new_Java_REST_API"></a><a class="externalLink" href="https://issues.apache.org/jira/browse/METRON-1834">METRON-1834: Migrate Elasticsearch from TransportClient to new Java REST API</a></h3>
<p>The Elasticsearch Java client has now been migrated from TransportClient to the new Java REST client. The motivation for this change is that TransportClient will be deprecated in Elasticsearch 7.0 and removed entirely in 8.0. See <a class="externalLink" href="https://www.elastic.co/guide/en/elasticsearch/client/java-api/5.6/client.html">ES Java API </a> for more details. The primary client-facing change for upgrades will be the new properties for configuring the new client. An explanation of the new properties as well as a mapping from the old properties to the new can be found in <a href="metron-platform/metron-elasticsearch/index.html#Properties">metron-elasticsearch</a> under <tt>es.client.settings</tt>.</p></div>
<div class="section">
<h3><a name="METRON-1855:_Make_unified_enrichment_topology_the_default_and_deprecate_split-join"></a><a class="externalLink" href="https://issues.apache.org/jira/browse/METRON-1855">METRON-1855: Make unified enrichment topology the default and deprecate split-join</a></h3>
<p>The unified enrichment topology will be the new default in this release, and the split-join enrichment topology is now considered deprecated. If you wish to keep the deprecated split-join enrichment topology, you will need to make the following changes:</p>
<ul>
<li>In Ambari &gt; Metron &gt; Config &gt; Enrichment set the enrichment_topology setting to &#x201c;Split-Join&#x201d;</li>
<li>If running <tt>start_enrichment_topology.sh</tt> manually, pass in the parameters to start the Split-Join topology as follows
<div>
<div>
<pre class="source">$METRON_HOME/bin/start_enrichment_topology.sh --remote $METRON_HOME/flux/enrichment/remote-splitjoin.yaml --filter $METRON_HOME/config/enrichment-splitjoin.properties
</pre></div></div>
</li>
<li>
<p>Restart the enrichment topology</p>
</li>
</ul></div></div>
<div class="section">
<h2><a name="a0.4.2_to_0.5.0"></a>0.4.2 to 0.5.0</h2>
<div class="section">
<h3><a name="METRON-941:_native_PaloAlto_parser_corrupts_message_when_having_a_comma_in_the_payload"></a><a class="externalLink" href="https://issues.apache.org/jira/browse/METRON-941">METRON-941: native PaloAlto parser corrupts message when having a comma in the payload</a></h3>
<p>While modifying the PaloAlto log parser to support logs from newer PAN-OS version and to not break when a message payload contains a comma, some field names were changed to extend the coverage, fix some duplicate names and change some field names to the Metron standard message format.</p>
<p>Installations making use of this parser should check, if the resulting messages still meet their expectations and adjust downstream configurations (i.e. ElasticSearch template) accordingly.</p>
<p><i>Note:</i> Previously, the samples for the test contained a full syslog line (including syslog header). This did - and will continue to - create a broken &#x201c;domain&#x201d; field in the parsed message. It is recommended to only feed the syslog message part to the parser for now.</p></div></div>
<div class="section">
<h2><a name="a0.4.1_to_0.4.2"></a>0.4.1 to 0.4.2</h2>
<div class="section">
<h3><a name="METRON-1277:_STELLAR_Add_Match_functionality_to_language"></a><a class="externalLink" href="https://issues.apache.org/jira/browse/METRON-1277">METRON-1277: STELLAR Add Match functionality to language</a></h3>
<p>As we continue to evolve the Stellar language, it is possible that new keywords will be added to the language. This may cause compatablity issues where these reserved words and symbols are used in existing scripts.</p>
<p>Adding <tt>match</tt> to the Stellar lanaguage has introduced the following new reserved keywords and symbols:</p>
<p><tt>match</tt>, <tt>default</tt>, <tt>{</tt>, <tt>}</tt>, &#x2018;=&gt;&#x2019;</p>
<p>Any stellar expressions which use these keywords not in quotes will need to be modified.</p></div>
<div class="section">
<h3><a name="METRON-1158:_Build_backend_for_grouping_alerts_into_meta_alerts"></a><a class="externalLink" href="https://issues.apache.org/jira/browse/METRON-1158">METRON-1158: Build backend for grouping alerts into meta alerts</a></h3>
<p>In order to allow for meta alerts to be queries alongside regular alerts in Elasticsearch 2.x, it is necessary to add an additional field to the templates and mapping for existing sensors.</p>
<p>Two steps must be done for each sensor, but not on each index for each sensor.</p>
<p>First is to update the Elasticsearch template for each sensor, so any new indices have the field:</p>
<div>
<div>
<pre class="source">export ELASTICSEARCH=&quot;node1&quot;
export SENSOR=&quot;bro&quot;
curl -XGET &quot;http://${ELASTICSEARCH}:9200/_template/${SENSOR}_index*?pretty=true&quot; -o &quot;${SENSOR}.template&quot;
sed -i '2d;$d' ./${SENSOR}.template
sed -i '/&quot;properties&quot; : {/ a\
&quot;alert&quot;: { &quot;type&quot;: &quot;nested&quot;},' ${SENSOR}.template
curl -XPUT &quot;http://${ELASTICSEARCH}:9200/_template/${SENSOR}_index&quot; -d @${SENSOR}.template
</pre></div></div>
<p>To update existing indexes, update Elasticsearch mappings with the new field for each sensor. Make sure to set the ELASTICSEARCH variable appropriately.</p>
<div>
<div>
<pre class="source">curl -XPUT &quot;http://${ELASTICSEARCH}:9200/${SENSOR}_index*/_mapping/${SENSOR}_doc&quot; -d '
{
&quot;properties&quot; : {
&quot;alert&quot; : {
&quot;type&quot; : &quot;nested&quot;
}
}
}
'
rm ${SENSOR}.template
</pre></div></div>
<p>For a more detailed description, please see metron-platform/metron-elasticsearch/README.md</p></div>
<div class="section">
<h3><a name="Description"></a>Description</h3>
<p>In the 0.4.2 release,</p></div></div>
<div class="section">
<h2><a name="a0.3.1_to_0.4.0"></a>0.3.1 to 0.4.0</h2>
<div class="section">
<h3><a name="METRON-671:_Refactor_existing_Ansible_deployment_to_use_Ambari_MPack"></a><a class="externalLink" href="https://issues.apache.org/jira/browse/METRON-671">METRON-671: Refactor existing Ansible deployment to use Ambari MPack</a></h3>
<div class="section">
<h4><a name="Description"></a>Description</h4>
<p>Since the Ansible Deployment uses the MPack, RPMs must be built prior to deployment. As a result, <a class="externalLink" href="https://www.docker.com/">Docker</a> is required to perform a Quick-Dev, Full-Dev or Ansible deployment. This effectively limits the build environment to Docker supported <a class="externalLink" href="https://docs.docker.com/engine/installation/#platform-support-matrix">platforms</a>.</p></div></div></div>
<div class="section">
<h2><a name="a0.3.0_to_0.3.1"></a>0.3.0 to 0.3.1</h2>
<div class="section">
<h3><a name="METRON-664:_Make_the_index_configuration_per-writer_with_enabled.2Fdisabled"></a><a class="externalLink" href="https://issues.apache.org/jira/browse/METRON-664">METRON-664: Make the index configuration per-writer with enabled/disabled</a></h3>
<div class="section">
<h4><a name="Description"></a>Description</h4>
<p>As of 0.3.0 the indexing configuration</p>
<ul>
<li>Is held in the enrichment configuration for a sensor</li>
<li>Has properties which control every writers (i.e. HDFS, solr or elasticsearch).</li>
</ul>
<p>In the 0.3.1 release, this configuration has been broken out and control for individual writers are separated.</p>
<p>Please see the description of the configurations in the indexing <a class="externalLink" href="https://github.com/apache/metron/tree/Metron_0.3.1/metron-platform/metron-indexing#sensor-indexing-configuration">README</a></p></div>
<div class="section">
<h4><a name="Migration"></a>Migration</h4>
<p>Migrate the configurations from each sensor enrichment configuration and create appropriate configurations for indexing.</p>
<p>For instance, if a sensor enrichment config for sensor <tt>foo</tt> is in <tt>$METRON_HOME/config/zookeeper/enrichments/foo.json</tt> and looks like</p>
<div>
<div>
<pre class="source">{
&quot;index&quot; : &quot;foo&quot;,
&quot;batchSize&quot; : 100
}
</pre></div></div>
<p>You would create a file to configure each writer for sensor <tt>foo</tt> called <tt>$METRON_HOME/config/zookeeper/indexing/foo.json</tt> with the contents</p>
<div>
<div>
<pre class="source">{
&quot;elasticsearch&quot; : {
&quot;index&quot; : &quot;foo&quot;,
&quot;batchSize&quot; : 100,
&quot;enabled&quot; : true
},
&quot;hdfs&quot; : {
&quot;index&quot; : &quot;foo&quot;,
&quot;batchSize&quot; : 100,
&quot;enabled&quot; : true
}
}
</pre></div></div>
</div></div>
<div class="section">
<h3><a name="METRON-675:_Make_Threat_Triage_rules_able_to_be_assigned_names_and_comments"></a><a class="externalLink" href="https://issues.apache.org/jira/browse/METRON-675">METRON-675: Make Threat Triage rules able to be assigned names and comments</a></h3>
<div class="section">
<h4><a name="Description"></a>Description</h4>
<p>As of 0.3.0, threat triage rules were defined as a simple Map associating a Stellar expression with a score. As of 0.3.1, due to the fact that there may be many threat triage rules, we have made the rules more complex. To help organize these, we have made the threat triage objects in their own right that contain optional name and optional comment fields.</p>
<p>This essentially makes the risk level rules slightly more complex. The format goes from:</p>
<div>
<div>
<pre class="source">&quot;riskLevelRules&quot; : {
&quot;stellar expression&quot; : numeric score
}
</pre></div></div>
<p>to:</p>
<div>
<div>
<pre class="source">&quot;riskLevelRules&quot; : [
{
&quot;name&quot; : &quot;optional name&quot;,
&quot;comment&quot; : &quot;optional comment&quot;,
&quot;rule&quot; : &quot;stellar expression&quot;,
&quot;score&quot; : numeric score
}
]
</pre></div></div>
</div>
<div class="section">
<h4><a name="Migration"></a>Migration</h4>
<p>For every sensor enrichment configuration, you will need to migrate the <tt>riskLevelRules</tt> section to move from a map to a list of risk level rule objects.</p></div></div>
<div class="section">
<h3><a name="METRON-283:_Migrate_Geo_Enrichment_outside_of_MySQL"></a><a class="externalLink" href="https://issues.apache.org/jira/browse/METRON-283">METRON-283: Migrate Geo Enrichment outside of MySQL</a></h3>
<div class="section">
<h4><a name="Description"></a>Description</h4>
<p>As of 0.3.0, a MySQL database was used for storage and retrieval of GeoIP information during enrichment. As of 0.3.1, the MySQL database is removed in favor of using MaxMind&#x2019;s binary GeoIP files and stored on HDFS</p>
<p>After initial setup, this change is transparent and existing enrichment definitions will run as-is.</p></div>
<div class="section">
<h4><a name="Migration"></a>Migration</h4>
<p>While new installs will not require any additional steps, in an existing install a script must be run to retrieve and load the initial data.</p>
<p>The shell script <tt>geo_enrichment_load.sh</tt> will retrieve MaxMind GeoLite2 data and load data into HDFS, and update the configuration to point to this data. In most cases the following usage will grab the data appropriately:</p>
<div>
<div>
<pre class="source">$METRON_HOME/bin/geo_enrichment_load.sh -z &lt;zk_server&gt;:&lt;zk_port&gt;
</pre></div></div>
<p>Additional options, including changing the source file location (which can be a <a class="externalLink" href="file://">file://</a> location if the GeoIP data is already downloaded), are available with the -h flag and are also detailed in the metron-data-management README.me file.</p>
<p>One caveat is that this script will NOT update on disk config files. It is recommended to retrieve the configuration using</p>
<div>
<div>
<pre class="source">$METRON_HOME/bin/zk_load_configs.sh -z &lt;zk_server&gt;:&lt;zk_port&gt; -m DUMP
</pre></div></div>
<p>The new config will be <tt>geo.hdfs.file</tt> in the global section of the configuration. Append this key-value into the global.json in the config directory. A PUSH is unnecessary</p></div></div>
<div class="section">
<h3><a name="METRON-684:_Decouple_Timestamp_calculation_from_PROFILE_GET"></a><a class="externalLink" href="https://issues.apache.org/jira/browse/METRON-684">METRON-684: Decouple Timestamp calculation from PROFILE_GET</a></h3>
<div class="section">
<h4><a name="Description"></a>Description</h4>
<p>During 0.3.1 we decoupled specifying durations for calls to the profiler into a separate function. The consequence is that existing calls to <tt>PROFILE_GET</tt> will need to migrate.</p></div>
<div class="section">
<h4><a name="Migration"></a>Migration</h4>
<p>Existing calls to <tt>PROFILE_GET</tt> will need to change from <tt>PROFILE_GET('profile', 'entity', duration, 'durationUnits')</tt> to <tt>PROFILE_GET('profile', 'entity', PROFILE_FIXED(duration, 'durationUnits'))</tt></p></div></div></div>
<div class="section">
<h2><a name="a0.2.0BETA_to_0.3.0"></a>0.2.0BETA to 0.3.0</h2>
<div class="section">
<h3><a name="METRON-447:_Monit_fails_to_reload_when_upgrading_from_0.2.0BETA_to_master"></a><a class="externalLink" href="https://issues.apache.org/jira/browse/METRON-447">METRON-447: Monit fails to reload when upgrading from 0.2.0BETA to master</a></h3>
<div class="section">
<h4><a name="Description"></a>Description</h4>
<p><tt>/etc/monit.d/enrichment-elasticsearch.monit</tt> was renamed to <tt>/etc/monit.d/indexing-elasticsearch.monit</tt>, however the old file isn&#x2019;t removed via ansible, which causes the below error during an upgrade: <tt>Starting monit: /etc/monit.d/enrichment-elasticsearch.monit:18: Service name conflict, enrichment already defined '/usr/local/monit/status_enrichment_topology.sh'</tt></p></div></div>
<div class="section">
<h3><a name="METRON-448:Upgrading_via_Ansible_deployment_does_not_add_topology.classpath"></a><a class="externalLink" href="https://issues.apache.org/jira/browse/METRON-448">METRON-448:Upgrading via Ansible deployment does not add topology.classpath </a></h3>
<div class="section">
<h4><a name="Description"></a>Description</h4>
<p>When using Ansible to deploy the latest Metron bits to an existing installation, storm-site is not being updated with the new 0.2.1BETA parameter <tt>topology.classpath</tt>. Topologies are unable to find the client configs as a result.</p></div>
<div class="section">
<h4><a name="Workaround"></a>Workaround</h4>
<p>Set the <tt>topology.classpath</tt> property for storm in Ambari to <tt>/etc/hbase/conf:/etc/hadoop/conf</tt></p></div></div></div>
</div>
</div>
</div>
<hr/>
<footer>
<div class="container-fluid">
<div class="row-fluid">
© 2015-2016 The Apache Software Foundation. Apache Metron, Metron, Apache, the Apache feather logo,
and the Apache Metron project logo are trademarks of The Apache Software Foundation.
</div>
</div>
</footer>
</body>
</html>