Starting Topologies and Sending Data

The final step in setting up Model as a Service is to start the topologies and send some data through the pipeline to test the model.

  1. Start the sensor upon which the Model as a Service will run:

    $METRON_HOME/bin/ -k node1:6667 -z node1:2181 -s $PARSER_NAME
  2. Generate some legitimate data and some malicious data on the sensor.

    For example:

    #Legitimate example:
    #Malicious example:
  3. Send the data to Kafka:

    cat /var/log/squid/access.log | /usr/hdp/current/kafka-broker/bin/ --broker-list node1:6667 --topic squid
  4. Browse the data in Elasticsearch at http://node1:9100/_plugin/head to verify that it contains the appropriate documents. For the current example, you would see the following:

    • One from which does not have is_alert set and does have is_malicious set to legit.

    • One from which does have is_alert set to true, is_malicious set to malicious, and threat:triage:level set to 100.
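As an added example (not part of the original documentation and not Metron's own code), the check in step 4 can be automated instead of done by eye in the Elasticsearch head plugin. The script below takes the `_source` of indexed Squid documents and reports whether each one carries the enrichment the page describes: a legitimate document with no `is_alert` and `is_malicious` set to `legit`, and a malicious one with `is_alert` true, `is_malicious` set to `malicious`, and `threat:triage:level` set to 100. The two sample documents are constructed here; the `domain_without_subdomains` field name and the domain values in them are assumptions, only the three fields named on the page are taken from it.

```python
"""Verify that Model as a Service enriched Squid documents as expected.

Added example, not from the Metron documentation. The documents below are
constructed to mimic the `_source` of two indexed Squid events; the field
names is_alert, is_malicious and threat:triage:level come from the page,
the other field names and values are assumptions.
"""

# Constructed sample documents (not real Elasticsearch output).
SAMPLE_DOCUMENTS = [
    {
        "source:type": "squid",
        "domain_without_subdomains": "example.com",  # assumed field name
        "is_malicious": "legit",
    },
    {
        "source:type": "squid",
        "domain_without_subdomains": "example.net",  # assumed field name
        "is_malicious": "malicious",
        "is_alert": "true",
        "threat:triage:level": 100,
    },
]


def classify_document(doc):
    """Return 'legit', 'malicious' or 'inconsistent' for one enriched document.

    A document is consistent only when all three enrichment fields agree:
    a legit verdict must carry no alert and no triage level, a malicious
    verdict must be alerted and triaged at level 100.
    """
    label = doc.get("is_malicious")
    # is_alert may be indexed as a boolean or as the string "true".
    alert = str(doc.get("is_alert", "")).lower() == "true"
    level = doc.get("threat:triage:level")
    if label == "legit" and not alert and level is None:
        return "legit"
    if label == "malicious" and alert and level == 100:
        return "malicious"
    return "inconsistent"


def verify_documents(docs):
    """Summarise a batch: count per outcome and collect inconsistent documents."""
    summary = {"legit": 0, "malicious": 0, "inconsistent": []}
    for doc in docs:
        outcome = classify_document(doc)
        if outcome == "inconsistent":
            summary["inconsistent"].append(doc)
        else:
            summary[outcome] += 1
    return summary


def model_output_is_sane(docs):
    """True when the batch has at least one legit and one malicious document
    and no document with contradictory enrichment fields."""
    summary = verify_documents(docs)
    return (
        summary["legit"] >= 1
        and summary["malicious"] >= 1
        and not summary["inconsistent"]
    )


if __name__ == "__main__":
    print(verify_documents(SAMPLE_DOCUMENTS))
    print("model output sane:", model_output_is_sane(SAMPLE_DOCUMENTS))
```

To use it against a live cluster, pull the hits from the index Metron wrote (for example with a `_search` request against the Squid index, which is an assumption about your deployment) and pass each hit's `_source` to `verify_documents`; any document that lands in the `inconsistent` list points at an enrichment or threat-triage rule that did not fire as configured.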