From: Jean Rossier
Date: Thu, 23 Mar 2017 18:41:22 +0100
Subject: Re: HDFS Data Activity Monitoring - demo in Eagle
To: user@eagle.apache.org

Hi,

ok I followed the quick start steps.
I have a policy similar to the one shown in the page:

"definition": {
    "type": "siddhi",
    "value": "from hdfs_audit_log_enriched_stream[user=='root'] select * insert into hdfs_audit_log_enriched_stream_out"
}

My stream 'hdfs_audit_log_enriched_stream' is linked to a Kafka topic, and I see logs from user 'root' flowing to this topic. However, I don't see any alert in the UI. I don't see any error log in eagle-server.log file either.
I also set an email publishment, but I don't get any email.

A few questions:
1. Do I need to define a publishment to see the alerts? Or do the alerts appear in the alerts menu even if no publishment is linked to the policy?
2. Could you point me to some classes for which I could set a lower log level to get more insights on what happens in the process [read kafka topic] --> [apply siddhi filter] --> [create alert]

thanks
Jean

On Wed, Mar 22, 2017 at 7:29 PM, SUDHA JENSLIN wrote:

> Please follow this: https://cwiki.apache.org/confluence/display/EAG/Quick+Start+with+Alert+Engine+through+API.
>
> It has every step.
>
> Audit_log_alert is the publishment (named as hdfs_audit_log_enriched_stream_out
> in the above given doc).
>
> For publishment you can refer:
> https://cwiki.apache.org/confluence/display/EAG/Policy
>
> -Sudha Jenslin
>
> On Mar 22, 2017, at 6:47 PM, Jean Rossier wrote:
>
> 2. I read the examples given here: https://cwiki.apache.org/confluence/display/EAG/Quick+Start+with+Alert+Engine+through+API. The
> policy shown in this page (chapter 5.1) seems more consistent to me. I
> would like to POST it to my eagle server, but
>   a. When installing the 'Hdfs Audit Log Monitor' application, it created
> only one hdfs audit log stream (HDFS_AUDIT_LOG_ENRICHED_STREAM_SANDBOX).
> How can I create another stream (e.g. HDFS_AUDIT_LOG_E

--
Jean Rossier
Sqooba (Schweiz) AG
Parkterrasse 14
3012 Bern
eMail: jean@sqooba.io
Mobile: +41 79 643 96 57
Web: www.sqooba.io