Hortonworks Cybersecurity Platform
Start pcap

To start pcap, HCP provides a utility script. This script takes no arguments and is very simple to run.

  1. Log in to the host on which you are running Metron.
  2. If you are running HCP on an Ambari-managed cluster, perform the following steps; otherwise proceed with Step 3:

    1. Retrieve the ZooKeeper connection string (the value used as $ZOOKEEPER_HOST in the commands below) from Ambari in Kafka service > Configs > Kafka Broker > zookeeper.connect.
    2. On the HDFS host, create /apps/metron/pcap, change its ownership to metron:hadoop, and change its permissions to 775:
      hdfs dfs -mkdir /apps/metron/pcap
      hdfs dfs -chown metron:hadoop /apps/metron/pcap
      hdfs dfs -chmod 755 /apps/metron/pcap
    3. Create a Metron user's home directory on HDFS and change its ownership to the Metron user:
      hdfs dfs -mkdir /user/metron
      hdfs dfs -chown metron:hadoop /user/metron
      hdfs dfs -chmod 755 /user/metron
    4. Create a pcap topic in Kafka:
      • Switch to metron user:
        su - metron
      • Create a Kafka topic named pcap:
        /usr/hdp/current/kafka-broker/bin/kafka-topics.sh \
        --zookeeper $ZOOKEEPER_HOST:2181 \
        --create \
        --topic pcap \
        --partitions 1 \
        --replication-factor 1
      • List all of the Kafka topics, to ensure that the new pcap topic exists:
        /usr/hdp/current/kafka-broker/bin/kafka-topics.sh --zookeeper $ZOOKEEPER_HOST:2181 --list
  3. If HCP is installed on an Ambari-managed cluster, switch to the metron user and use the following command to start the pcap topology:
    su - metron
    $METRON_HOME/bin/start_pcap_topology.sh
  4. If HCP is installed by CLI, use the following command to start the pcap topology.
  5. Check the Storm topology to ensure that packets are being captured.
    After Storm has captured a sufficient number of packets, you can check to ensure it is creating files on HDFS:
    hadoop fs -ls /apps/metron/pcap
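
The steps above gathered into one re-runnable script, as an added example that is not part of the HCP documentation. It assumes ZOOKEEPER_HOST and METRON_HOME are exported as on this page and uses the HDFS paths, owner and mode from the commands above. The two check functions, topic_in_list and ls_has_files, are additions here: they only inspect command output, so the pcap topic is matched exactly (a plain grep for "pcap" would also accept a topic such as "pcap_archive") and the HDFS check passes only when a regular file, not just the directory, is present.

```shell
#!/usr/bin/env bash
# Added example (not HCP's own script): create the HDFS directories and the
# pcap Kafka topic, start the pcap topology, and verify output lands in HDFS.
# Assumed: ZOOKEEPER_HOST and METRON_HOME are exported, as on the page.
set -eu

# Paths taken from the page; KAFKA_TOPICS can be overridden from the environment.
KAFKA_TOPICS="${KAFKA_TOPICS:-/usr/hdp/current/kafka-broker/bin/kafka-topics.sh}"
PCAP_DIR=/apps/metron/pcap

# Succeed iff the topic list in $1 (one topic per line) contains exactly $2.
# -x forces a whole-line match so "pcap" does not match "pcap_archive".
topic_in_list() {
    printf '%s\n' "$1" | grep -qxF -- "$2"
}

# Succeed iff 'hadoop fs -ls' output in $1 lists at least one regular file.
# Regular files start with '-', directories with 'd', the header with 'Found'.
ls_has_files() {
    printf '%s\n' "$1" | grep -q '^-'
}

# Create an HDFS directory with the page's owner and the given mode; skip the
# mkdir when it already exists so the script is safe to run more than once.
ensure_hdfs_dir() {
    dir=$1
    mode=$2
    hdfs dfs -test -d "$dir" || hdfs dfs -mkdir -p "$dir"
    hdfs dfs -chown metron:hadoop "$dir"
    hdfs dfs -chmod "$mode" "$dir"
}

# Steps 2 and 3 of the page: HDFS directories, Kafka topic, topology start.
setup_pcap() {
    : "${ZOOKEEPER_HOST:?set ZOOKEEPER_HOST from Ambari zookeeper.connect}"
    : "${METRON_HOME:?set METRON_HOME to the Metron install directory}"

    ensure_hdfs_dir "$PCAP_DIR" 755
    ensure_hdfs_dir /user/metron 755

    topics=$("$KAFKA_TOPICS" --zookeeper "$ZOOKEEPER_HOST:2181" --list)
    if ! topic_in_list "$topics" pcap; then
        "$KAFKA_TOPICS" --zookeeper "$ZOOKEEPER_HOST:2181" --create \
            --topic pcap --partitions 1 --replication-factor 1
        # Re-list and confirm, as the page does, before starting the topology.
        topics=$("$KAFKA_TOPICS" --zookeeper "$ZOOKEEPER_HOST:2181" --list)
        topic_in_list "$topics" pcap || { echo "pcap topic not created" >&2; return 1; }
    fi

    "$METRON_HOME/bin/start_pcap_topology.sh"
}

# Step 5 of the page: succeed once Storm has written at least one file to HDFS.
check_pcap_output() {
    ls_has_files "$(hadoop fs -ls "$PCAP_DIR" 2>/dev/null)"
}

# Usage, run as the metron user:
#   setup_pcap
#   sleep 60; check_pcap_output && echo "pcap files are being written"
```

Run setup_pcap as the metron user once ZOOKEEPER_HOST and METRON_HOME are set; check_pcap_output returns non-zero until the first capture file appears, so it can be polled from a loop or a monitoring job.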