Hortonworks Cybersecurity Platform

Similar documents
Hortonworks Cybersecurity Platform

Hortonworks Cybersecurity Platform

Hortonworks Cybersecurity Platform

Adding a New Telemetry Source

Ambari Managed HDF Upgrade

Hortonworks Cybersecurity Platform

Hortonworks Cybersecurity Platform

Installing SmartSense on HDP

Installing an HDF cluster

Hortonworks Cybersecurity Platform

Data Analytics Studio Installation

Installing HDF Services on an Existing HDP Cluster

Hortonworks Data Platform

Hortonworks Cybersecurity Platform

Hortonworks Cybersecurity Package

Hortonworks SmartSense

The Elasticsearch-Kibana plugin for Fuel Documentation

Upgrade Instructions. NetBrain Integrated Edition 7.0

Hortonworks DataFlow

Database Backup Restore

Hortonworks DataFlow

Cisco Stealthwatch Cloud. Private Network Monitoring Advanced Configuration Guide

Hortonworks Technical Preview for Stinger Phase 3 Released: 12/17/2013

NetBackup Deployment Template User Guide for Chef

Hortonworks Data Platform

Purpose. Target Audience. Install SNMP On The Remote Linux Machine. Nagios XI. Monitoring Linux Using SNMP

Hortonworks DataFlow

Hortonworks DataFlow

Hortonworks Cybersecurity Platform

Hortonworks Cybersecurity Platform

Incident Response Platform Integrations BigFix Function V1.1.0 Release Date: October 2018

Hortonworks DataFlow

Hortonworks SmartSense

Getting Started with. Agents for Unix and Linux. Version

Hortonworks Technical Preview for Apache Falcon

percona-agent Documentation

Upgrading Big Data Management to Version Update 2 for Hortonworks HDP

Understanding Parsers

This document provides instructions for upgrading a DC/OS cluster.

Installing Apache Zeppelin

Important Notice Cloudera, Inc. All rights reserved.

DriveScale Administration Guide version 1.3

Zend Server Community Edition 5.1. Installation Guide. By Zend Technologies.

Upgrade Guide. This document details the upgrade process for customers moving from the full version of OnApp Cloud v2.3.1 to v2.3.2.

EveBox Documentation. Jason Ish

Image Management Service. User Guide. Issue 03. Date

Cisco Smart PHY v1.0 User Guide

HPE IMC DBA User Database to IMC User Database Restoration Configuration Examples

Enriching Telemetry Events

OnCommand Unified Manager 7.2 Installation and Setup Guide

Backup and Restore System

Hortonworks Cybersecurity Platform

Cibecs Express Upgrade Guide to V5.0

EveBox Documentation. Release. Jason Ish

Scrutinizer Virtual Appliance Deployment Guide Page i. Scrutinizer Virtual Appliance Deployment Guide. plixer

MongoDB Management Suite Manual Release 1.4

Hortonworks DataFlow

Zend Server Cluster Manager 5.5 Beta. Installation Guide. By Zend Technologies.

System Software Updates

Lab Exercises: Deploying, Managing, and Leveraging Honeypots in the Enterprise using Open Source Tools

Image Management Service. User Guide. Issue 08. Date

Linux Kung Fu. Ross Ventresca UBNetDef, Fall 2017

Polarion 18 Enterprise Setup

Red Hat Virtualization 4.2

Managing MySQL Version Upgrades. Operating Systems. About the Author OTN TOUR years with MySQL / 26 years with RDBMS

Zend Server Cluster Manager 5.x Installation Guide

H3C License Server. Installation Guide. Hangzhou H3C Technologies Co., Ltd. Document version: 5W

Installation 1. DLM Installation. Date of Publish:

Using Fluentd as an alternative to Splunk

LiveNX Upgrade Guide from v5.2.0 to v5.2.1

Overview 1 Preparing for installation 2

VMware AirWatch Content Gateway for Linux. VMware Workspace ONE UEM 1811 Unified Access Gateway

Percona Monitoring and Management Documentation

Polarion Enterprise Setup 17.2

Zend Server Cluster Manager 5.6 Installation Guide

iosphere Software Installation Guide for Version 3.7.0

Red Hat Mobile Application Platform 4.2 Operations Guide

Hortonworks Data Platform

MITEL PERFORMANCE ANALYTICS

Manual Install Package Rpm Linux Command Line

StreamSets Control Hub Installation Guide

IBM Tivoli Storage Manager for AIX Version Installation Guide IBM

Migrate Cisco Prime Collaboration Assurance

DBSPI Configuration Manual:

Orchid Fusion VMS Installation Guide

VMware AirWatch Content Gateway Guide for Linux For Linux

Copyright 2012 Trend Micro Incorporated. All rights reserved. Protected by U.S. Patent No. 7,516,130 and U.S. Patent No. 7,747,642.

Polarion 18.2 Enterprise Setup

Installing Cisco CMX in a VMware Virtual Machine

McAfee Data Loss Prevention Prevent 11.1.x Release Notes

Netcool Agile Service Manager Version Installation, Administration and User Guide. 27 April 2018 IBM

Upgrade Instructions. NetBrain Integrated Edition 7.1. Two-Server Deployment

Geneious Floating License Manager Version Biomatters Ltd

SPLUNK ENTERPRISE AND ECS TECHNICAL SOLUTION GUIDE

OnCommand Unified Manager 9.4 Installation and Setup Guide

Table of Contents. Table of Contents License server installation guide - Linux. Download SCL

$ wget V SOLUTIONS.tar.bz2 \ --user=lftraining --password=penguin2014

Dell Protected Workspace Management

Installation 1. Installing DPS. Date of Publish:

This document is intended for use by Nagios XI Administrators who need a boost in I/O performance.

Transcription:

1 Hortonworks Cybersecurity Platform Date of Publish: 2018-07-30 http://docs.hortonworks.com

Contents Preparing to Upgrade...3 Back up Your Configuration...3 Stop All Metron Services...3 Upgrade Metron...4 Mandatory Post-Upgrade Tasks... 7 Upgrading Your Configuration... 7 Changes to STELLAR Language...7 Upgrading to Elasticsearch 5.6.2... 8 Type Mapping Changes...8 Troubleshooting...10 Checking the Status of the Parsers... 10

Preparing to Upgrade Preparing to Upgrade Hortonworks Cybersecurity Platform (HCP) upgrades are not officially supported. However you can use the guidelines provided in the Upgrade Guide if you want to attempt an upgrade. Prior to upgrading Hortonworks Cybersecurity Platform (HCP), you must back up your configuration and stop all Metron services. Back up Your Configuration The Hortonworks Cybersecurity Platform (HCP) upgrade uses the default configuration for the new Metron version. If you made any changes to the Metron configuration in the previous version, you must back up your old configuration so you can incorporate those changes into the new Metron configuration. You will also need to re-enter values for the Metron properties in Ambari. Procedure 1. Create a backup directory. mkdir /$HCP_BACKUP_DIRECTORY 2. Back up your configuration information in ZooKeeper to your backup directory: ${METRON_HOME/bin/zk_load_configs.sh -m DUMP -z $ZOOKEEPER > /$HCP_BACKUP_DIRECTORY/$BACKUP_CONFIG.txt 3. Back up the following property files in the $METRON_HOME/config directory to your backup directory: elasticsearch.properties enrichment.properties pcap.properties For example: cp elasticsearch.properties /$HCP_BACKUP/elasticsearch.properties 4. Copy the zookeeper directory to your backup directory: cp -R zookeeper/ /$HCP_BACKUP/zookeeper 5. Back up your Metron configuration. The easiest way to do this is to take a screenshot of each of the Metron configuration pages that you modifed in Ambari. At a minimum, take a screen shot of the following configuration pages: Index Settings Parsers REST Stop All Metron Services You need to stop all Metron services prior to uninstalling Metron. Procedure 1. Stop all Metron services in Ambari. Stop each Metron service in the following order: 3

Upgrade Metron Metron Alerts UI Metron Management UI Metron REST 2. Stop Storm: a) From the Storm node, list all of the Storm topologies that are currently running: storm list b) Kill each of the running Storm topologies in the following order: all parsers such as bro and snort enrichment indexing profiler storm kill bro c) Return to the Storm UI and verifiy that all topologies are killed. d) In Ambari, stop Storm by selecting Storm and clicking Stop All in the Actions menu. 3. Ensure that the UIs are shut down. If the Metron Alerts Ui or Metron Management UI status in Ambari is "running," shut down the UIs by entering the following from $METRON_HOME/var/log/metron/metron: service metron-alerts-ui status service metron-alerts-ui stop service metron-management-ui status service metron-management-ui stop Upgrade Metron After you shut down Metron and all of its services, you must uninstall Metron and then reinstall the newest version of Metron. Before you begin Back up your Metron configuration. Stop all Metron services Procedure 1. Uninstall Metron. In Ambari, select Metron, then under the Service Actions menu, click Delete Service. When prompted, enter "delete" to confirm deleting the service. 2. Remove all of the rpms from the old Metron version. CentOS a) From the Ambari node, enter the following to list all of the Metron packages: rpm -qa grep metron 4

Upgrade Metron You should see input similar to the following: metron_1_4_2_0_23-config-0.4.1.1.4.2.0-23.noarch b) Enter the following to list all of the Metron packages: sudo rpm -q --scripts metron_1_4_2_0_23-config-0.4.1.1.4.2.0-23.noarch You should see output similar to the following: chkconfig --add metron-management-ui chkconfig --add metron-alerts-ui preuninstall scriptlet (using /bin/sh): chkconfig --del metron-management-ui chkconfig --del metron-alerts-ui c) Remove each of the package: rmp remove $PACKAGE_NAME For example: Ubuntu sudo chkconfig --del metron-management-ui From the Ambari node, enter the following to delete all of the Metron packages: sudo aptitude purge $PACKAGE_NAME 3. Modify the /etc/yum.repos.d/hcp.repo file with the updated repo version: vi /etc/yum.repos.d/hcp.repo 4. Update the HCP.repo file. CentOS yum update Ubuntu apt-get update 5. Install the current HCP mpack repo from Release Notes. wget http://public-repo-1.hortonworks.com/hcp/centos7/1.x/updates/1.4.1.0/ tars/metron/hcp-ambari-mpack-1.4.1.0-18.tar.gz ambari-server install-mpack --force --mpack=/${mpack_download_directory/ hcp-ambari-mpack-1.4.1.0-18.tar.gz --verbose 6. Restart the Ambari server. ambari-server restart 7. Re-open Ambari and add back the updated Metron version. From the Actions menu, click Add Service, then click Metron from the Choose Services page. Ensure Metron is the updated version. Ambari lists each service on which Metron is dependent. 8. Click yes to add each dependency. 5

Upgrade Metron 9. In Ambari, add back your Metron configuration information in the Property fields. Do not copy and paste into the Metron property fields. You can inadvertently add a special character. 10. Click Deploy to start the Metron set up. The process to install, start, and test Metron will take a while. 11. Restart the Metron services: Metron REST Metron Management UI Metron Alerts UI Indexing 12. In the Management UI, restart the Metron Parsers including Enrichment, Bro, Snort, Yaf, and any other parsers you added previously. Management UI Note: Starting the Metron parsers might take a while. 13. Check the status of the parsers in the Storm UI. Storm UI 6

Mandatory Post-Upgrade Tasks Mandatory Post-Upgrade Tasks After you finish updating the Ambari M-Pack, depending on your configuration, you need to update the various features in your cluster. Upgrading Your Configuration Hortonworks Cybersecurity Platform (HCP) upgrade uses the default configuration for the new Metron version. If you made any changes to the Metron configuration in the previous version, you must incorporate those changes into the new Metron configuration. Changes to the Metron configuration can effect the following: Metron properties in Ambari ZooKeeper Incorporate changes from the ZooKeeper file you backed up earlier. Flux files Incorporate changes from the Flux files you backed up earlier. Changes to STELLAR Language Hortonworks Cybersecurity Platform (HCP) adds additional Stellar keywords to each new HCP version. These new keywords might cause compatablity issues where these reserved words and symbols are used in existing scripts. Check the Stellar Language Quick Reference for new and changed Stellar keywords. HCP 1.4.3 adds match to the Stellar lanaguage which introduces the following new reserved keywords and symbols: match, default, {,, => 7

Upgrading to Elasticsearch 5.6.2 You must modify any Stellar expressions that use these keywords not in quotes. Upgrading to Elasticsearch 5.6.2 There are a number of template changes in Elasticsearch 5.6.2, most notably around string type handling, that may cause issues when upgrading. For Elasticsearch 5.x, the existing indexes and templates need to upgraded. For more information, see: Updating Elasticsearch Templates Updating Existing Indexes If you are upgrading from Elasticsearch 2.x to Elasticsearch 5.6.2, you will need to re-index. Type Mapping Changes Type mappings in Elasticsearch 5.6.2 have changed from ES 2.x. This section provides an overview of the most significant changes. The following is a list of the major changes in Elasticsearch 5.6.2: String fields replaced by text/keyword type Strings have new default mappings as follows: { "text", "fields": { "keyword": { "keyword", "ignore_above": 256 There is no longer a _timestamp field that you can set "enabled" on. This field now causes an exception on templates. The Metron model has a timestamp field that is sufficient. The semantics for string types have changed. In 2.x, index settings are either "analyzed" or "not_analyzed" which means "full text" and "keyword", respectively. Analyzed text means the indexer will split the text using a text analyzer, thus allowing you to search on substrings within the original text. "New York" is split and indexed as two buckets, "New" and "York", so you can search or query for aggregate counts for those terms independently and match against the individual terms "New" or "York." "Keyword" means that the original text will not be split/analyzed during indexing and instead treated as a whole unit. For example, "New" or "York" will not match in searches against the document containing "New York", but searching on "New York" as the full city name will match. In Elasticsearch 5.6 language, instead of using the "index" setting, you now set the "type" to either "text" for full text, or "keyword" for keywords. Below is a table listing the changes to how String types are now handled. 8

Upgrading to Elasticsearch 5.6.2 sort, aggregate, or access values Elasticsearch 2.x Elasticsearch 5.x Example no "New York" handled via in-mem search as "New" and "York" buckets. No aggregation or sort. "my_property" : { "string", "index": "analyzed" "my_property" : { "text" Additional defaults: "index": "true", "fielddata": "false" yes "New York" handled via in-mem search as "New" and "York" buckets. Can aggregate and sort. "my_property": { "string", "index": "analyzed" "my_property": { "text", "fielddata": "true" yes "New York" searchable as single value. Can aggregate and sort. A search for "New" or "York" will not match against the whole value. "my_property": { "string", "index": "not_analyzed" "my_property" : { "keyword" yes "New York" searchable as single value or as text document, can aggregate and sort on the sub term "keyword." "my_property": { "string", "index": "analyzed" 9 "my_property": { "text", "fields": { "keyword": { "keyword", "ignore_above": 256

Troubleshooting If you want to set default string behavior for all strings for a given index and type, you can do so with a mapping similar to the following (replace ${your_type_here accordingly): # curl -XPUT 'http://${es_host:${es_port/_template/ default_string_template' -d ' { "template": "*", "mappings" : { "${your_type_here": { "dynamic_templates": [ { "strings": { "match_mapping_type": "string", "mapping": { "text" "fielddata": "true" ] By specifying the template property with value *, the template will apply to all indexes that have documents indexed of the specified type (${your_type_here). The following are other settings for types in ES: doc_values On-disk data structure Provides access for sorting, aggregation, and field values Stores same values as _source, but in column-oriented fashion better for sorting and aggregating Not supported on text fields Enabled by default fielddata In-memory data structure Provides access for sorting, aggregation, and field values Primarily for text fields Disabled by default because the heap space required can be large Troubleshooting If you run into issues with your upgrade use the following troubleshooting tips to identify and resolve those issues. Checking the Status of the Parsers If your parsers do not restart, you can use Ambari to check the status of the parsers and restart them. Procedure 1. Click the operation status tab at the top of the Ambari window. Ambari Summary Tab 10

Troubleshooting Ambari displays the Operations Running Status window. Ambari Background Operation Page 11

Troubleshooting 2. Click Start Metron Parsers. Ambari displays the Start Metron Parsers window. 3. Click the parser node you want to check, then click Metron Parsers Start. Ambari displays information on the status of the parser. Metron Parsers Start Page 12

Troubleshooting 4. Review the information in this window to determine the status of your parsers. 13

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback