This project fully automates the provisioning and deployment of Apache Metron and all necessary prerequisites on a single, virtualized host running CentOS 6.
Metron is composed of many components and installing all of these on a single host, especially a virtualized one, will greatly stress the resources of the host. The host will require at least 8 GB of RAM and a fair amount of patience. It is highly recommended that you shut down all unnecessary services.
The computer used to deploy Apache Metron will need to have the following components installed.
- Ansible 2.6.5
- Docker
- Vagrant 2.0+
- Vagrant Hostmanager Plugin
- Virtualbox 5.0+
- Python 2.7
- Maven 3.3.9
- C++11 compliant compiler, like GCC
Running the following script can help validate whether you have all the prerequisites installed and running correctly.
metron-deployment/scripts/platform-info.sh
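As an added example (not part of the Metron project's scripts), the following script compares what is installed against the version requirements listed above. The `--version` output formats it parses, the `vagrant plugin list` line format, and the GCC 4.8.1 threshold used as "C++11 compliant" are assumptions made here, not something the page states; the comparison helpers themselves are pure text handling and run anywhere.

```bash
#!/usr/bin/env bash
# Added example, not part of the Metron project: compare installed tool versions
# against the prerequisites listed above. Only report_prereqs touches real
# binaries; the comparison helpers are pure text handling.

# version_ge A B: succeed if dotted version A is >= B, comparing component by
# component numerically; missing components count as 0 (so 2.0 == 2.0.0).
version_ge() {
  a=$(printf '%s' "$1" | sed 's/^[^0-9]*//; s/[^0-9.].*$//')
  b=$(printf '%s' "$2" | sed 's/^[^0-9]*//; s/[^0-9.].*$//')
  while [ -n "$a" ] || [ -n "$b" ]; do
    ai=${a%%.*}; bi=${b%%.*}
    ai=${ai:-0}; bi=${bi:-0}
    if [ "$ai" -gt "$bi" ]; then return 0; fi
    if [ "$ai" -lt "$bi" ]; then return 1; fi
    case $a in *.*) a=${a#*.} ;; *) a='' ;; esac
    case $b in *.*) b=${b#*.} ;; *) b='' ;; esac
  done
  return 0
}

# check_version NAME HAVE WANT MODE: MODE is "min" (HAVE >= WANT), "exact",
# or "series" (HAVE is WANT or WANT.x, e.g. Python 2.7.18 satisfies 2.7).
check_version() {
  name=$1 have=$2 want=$3 mode=$4 ok=1
  case $mode in
    exact)  if [ "$have" = "$want" ]; then ok=0; fi ;;
    series) case $have in "$want"|"$want".*) ok=0 ;; esac ;;
    *)      if version_ge "$have" "$want"; then ok=0; fi ;;
  esac
  if [ "$ok" -eq 0 ]; then
    printf 'OK       %-12s %s\n' "$name" "$have"
  else
    printf 'MISMATCH %-12s have "%s", need %s %s\n' "$name" "$have" "$mode" "$want"
  fi
  return "$ok"
}

# probe NAME WANT MODE COMMAND...: run COMMAND and take the first dotted number
# it prints as the installed version (an assumption about --version output).
probe() {
  name=$1 want=$2 mode=$3; shift 3
  if ! command -v "$1" >/dev/null 2>&1; then
    printf 'MISSING  %-12s (%s not on PATH)\n' "$name" "$1"; return 1
  fi
  have=$("$@" 2>&1 | grep -o '[0-9][0-9.]*[0-9]' | head -n 1)
  check_version "$name" "${have:-0}" "$want" "$mode"
}

report_prereqs() {
  failures=0
  probe Ansible    2.6.5 exact  ansible --version    || failures=$((failures + 1))
  probe Docker     0     min    docker --version     || failures=$((failures + 1))  # presence only
  probe Vagrant    2.0   min    vagrant --version    || failures=$((failures + 1))
  probe VirtualBox 5.0   min    VBoxManage --version || failures=$((failures + 1))
  probe Python     2.7   series python --version     || failures=$((failures + 1))
  probe Maven      3.3.9 exact  mvn --version        || failures=$((failures + 1))
  # GCC 4.8.1 was the first release with complete C++11 support (threshold chosen here).
  probe GCC        4.8.1 min    gcc --version        || failures=$((failures + 1))
  if command -v vagrant >/dev/null 2>&1; then
    # "vagrant plugin list" prints one "name (version, scope)" line per plugin.
    if vagrant plugin list 2>/dev/null | grep -q '^vagrant-hostmanager '; then
      printf 'OK       %-12s\n' hostmanager
    else
      printf 'MISSING  %-12s (vagrant plugin install vagrant-hostmanager)\n' hostmanager
      failures=$((failures + 1))
    fi
  fi
  echo "$failures prerequisite problem(s)"
  [ "$failures" -eq 0 ]
}

report_prereqs || echo 'Fix the items marked MISSING/MISMATCH before running vagrant up.' >&2
```

Ansible and Maven are checked for the exact versions the list names because the deployment was developed against them; Python is checked for the 2.7 series only, since a 3.x interpreter would otherwise pass a plain minimum-version test.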
Any platform that supports these tools is suitable, but the following instructions cover installation on macOS. The easiest means of installing these tools on a Mac is to use the excellent Homebrew project.
- Install Homebrew by following the instructions at Homebrew.
- Run the following commands in a terminal to install all of the required tools.
brew cask install vagrant virtualbox docker
brew cask install homebrew/cask-versions/adoptopenjdk8
brew install maven@3.3 git
sudo pip install ansible==2.6.5
vagrant plugin install vagrant-hostmanager
open /Applications/Docker.app
- Ensure that the Docker service is running.
- Deploy Metron by running the following commands.
cd metron-deployment/development/centos6
vagrant up
Should the process fail before completing the deployment, the following command will continue the deployment process without re-instantiating the host.
vagrant provision
- Optionally, skip rpmlint. Setting the following environment variable disables running rpmlint as part of the dev deployment task, which saves a couple of minutes on the deployment.
export ANSIBLE_ARGS='--extra-vars "SKIP_RPMLINT=1"'
Either add this variable to your profile, or pass it on the command line:
env ANSIBLE_ARGS='--extra-vars "SKIP_RPMLINT=1"' vagrant up
- Optionally, enable more verbose logging of Ansible actions during the deployment. As this can produce large amounts of logging, it is best to redirect the output to a file for later analysis.
env ANSIBLE_ARGS=' -vvvv' vagrant up
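The deployment steps above, as an added example wrapper script (not Metron project code): it builds the ANSIBLE_ARGS value in one place, where the nested quoting is easy to get wrong, decides between `vagrant up` and `vagrant provision` from the box's current state so that a failed run is resumed rather than re-created, and writes the full log to a file. The `timestamp,target,type,data` layout of `vagrant status --machine-readable` and the `up --provision` form used for a halted box are Vagrant behaviour assumed here, not something this page describes.

```bash
#!/usr/bin/env bash
# Added example, not Metron project code: deploy wrapper for the steps above.

# build_ansible_args SKIP_RPMLINT(0|1) VERBOSITY(0-4): print the ANSIBLE_ARGS value.
build_ansible_args() {
  args=''
  if [ "$1" = 1 ]; then
    args='--extra-vars "SKIP_RPMLINT=1"'
  fi
  if [ "${2:-0}" -gt 0 ]; then
    v=''; i=0
    while [ "$i" -lt "$2" ]; do v="${v}v"; i=$((i + 1)); done   # -v .. -vvvv
    args="${args:+$args }-$v"
  fi
  printf '%s\n' "$args"
}

# pick_vagrant_cmd: read "vagrant status --machine-readable" output on stdin
# (lines of timestamp,target,type,data) and print the subcommand to run:
#   no box / not_created      -> up               create and provision
#   running                   -> provision        resume provisioning in place
#   anything else (poweroff…) -> up --provision   boot, then force provisioners
pick_vagrant_cmd() {
  state=$(awk -F, '$3 == "state" { s = $4 } END { print s }')
  case $state in
    ''|not_created) echo 'up' ;;
    running)        echo 'provision' ;;
    *)              echo 'up --provision' ;;
  esac
}

# run_deploy SKIP_RPMLINT VERBOSITY LOGFILE: run from metron-deployment/development/centos6.
run_deploy() {
  args=$(build_ansible_args "$1" "$2")
  cmd=$(vagrant status --machine-readable | pick_vagrant_cmd)
  echo "ANSIBLE_ARGS='$args' vagrant $cmd  (log: $3)"
  # $cmd is intentionally unquoted so "up --provision" splits into two words.
  env ANSIBLE_ARGS="$args" vagrant $cmd >"$3" 2>&1
}

# Usage: sh deploy.sh 1 4 deploy.log   (skip rpmlint, -vvvv, log to deploy.log)
if [ "$#" -eq 3 ]; then
  run_deploy "$@"
fi
```

Redirecting to the log file rather than piping through tee keeps the exit status of `vagrant` as the script's exit status; follow progress with `tail -f deploy.log` in a second terminal.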
Navigate to the following resources to explore your newly minted Apache Metron environment. Both use fixed, well-known default credentials suited only to a development VM reachable from your own workstation; change them before exposing the VM's interfaces to any other network.
- Metron Alerts credentials: user/password
- Ambari credentials: admin/admin
Connecting to the host through SSH is as simple as running the following command.
vagrant ssh
In addition to re-running the entire provisioning playbook, you may re-run an individual Ansible tag or a collection of tags. For example, the following command re-runs the sensor-stubs role on the Vagrant image, which installs and starts the sensor stub components.
vagrant --ansible-tags="sensor-stubs" provision
Tags are listed in the playbooks. Here are some frequently used tags:
- hdp-install - Install HDP
- hdp-deploy - Deploy and start HDP services (will start all Hadoop services)
- sensors - Deploy the sensors (see Sensors for more details regarding this tag)
- sensor-stubs - Deploy and start the sensor stubs
By default, the Metron development environment uses sensor stubs to mimic the behavior of the full sensors. This is done because the full sensors take a significant amount of time and CPU to build, install, and run.
From time to time you may want to install the full sensors for testing (see the specifics of what that means here). This can be done by running the following command:
vagrant --ansible-skip-tags="sensor-stubs" up
This will skip only the sensor-stubs tag, allowing the Ansible roles with the sensors tag to be run. This provisions the full sensors in a 'testing mode' so that they are more active, and thus more useful for testing (more details on that here). However, when vagrant completes the sensors will NOT be running. In order to start the sensors and simulate traffic through them (which will create a fair amount of load on your test system), run the following commands as root inside the VM:
vagrant ssh
sudo su -
service pcap-replay restart
service yaf restart
service snortd restart
service snort-producer restart
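The sensor start-up above, as an added example script (not Metron project code) that restarts the services in the listed order and checks each one before moving on, so a pcap-replay that failed to start is reported instead of leaving yaf and snort waiting for traffic. It assumes each init script supports `service <name> status` with a non-zero exit when the service is down; the SERVICE_CMD and RETRIES overrides exist only so the logic can be exercised without real init scripts.

```bash
#!/usr/bin/env bash
# Added example, not Metron project code: start the full sensors in order and
# verify each one. Run inside the VM as root (vagrant ssh; sudo su -).
SERVICE_CMD=${SERVICE_CMD:-service}       # overridable for testing
SENSOR_SERVICES="pcap-replay yaf snortd snort-producer"   # order matters: replay feeds the rest

# restart_and_verify SERVICE: restart it, then poll "status" up to RETRIES times
# (assumes the init script exits non-zero from "status" when the daemon is down).
restart_and_verify() {
  svc=$1 tries=${RETRIES:-5} i=0
  "$SERVICE_CMD" "$svc" restart >/dev/null 2>&1 || { echo "FAIL restart $svc"; return 1; }
  while [ "$i" -lt "$tries" ]; do
    if "$SERVICE_CMD" "$svc" status >/dev/null 2>&1; then
      echo "OK   $svc"; return 0
    fi
    i=$((i + 1)); sleep 1
  done
  echo "FAIL $svc not running after restart"; return 1
}

# start_sensors: stop at the first sensor that does not come up.
start_sensors() {
  for svc in $SENSOR_SERVICES; do
    restart_and_verify "$svc" || return 1
  done
}

# Usage: sh start-sensors.sh run
if [ "${1:-}" = run ]; then
  start_sensors
fi
```

Because the loop stops at the first failure, the `service <name> status` output of that sensor is the place to look; the remaining sensors are left untouched rather than started against a dead feed.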