METRON-1464 Convert schemas to be compatible with Solr 5.5.2 (merrimanr) closes apache/metron#945
Project: http://git-wip-us.apache.org/repos/asf/metron/repo Commit: http://git-wip-us.apache.org/repos/asf/metron/commit/a7a41a55 Tree: http://git-wip-us.apache.org/repos/asf/metron/tree/a7a41a55 Diff: http://git-wip-us.apache.org/repos/asf/metron/diff/a7a41a55 Branch: refs/heads/master Commit: a7a41a55aa79b7fa3f64c51a4d968f011e8b11d1 Parents: 84cac7e Author: merrimanr <[email protected]> Authored: Thu Mar 8 11:52:42 2018 -0600 Committer: merrimanr <[email protected]> Committed: Thu Mar 8 11:52:42 2018 -0600 ---------------------------------------------------------------------- .../docker/rpm-docker/SPECS/metron.spec | 10 +- .../src/main/config/schema/bro/managed-schema | 693 ------------------- .../src/main/config/schema/bro/schema.xml | 693 +++++++++++++++++++ .../src/main/config/schema/error/managed-schema | 58 -- .../src/main/config/schema/error/schema.xml | 58 ++ .../main/config/schema/metaalert/managed-schema | 41 -- .../src/main/config/schema/metaalert/schema.xml | 41 ++ .../src/main/config/schema/snort/managed-schema | 86 --- .../src/main/config/schema/snort/schema.xml | 86 +++ .../src/main/config/schema/yaf/managed-schema | 92 --- .../src/main/config/schema/yaf/schema.xml | 92 +++ 11 files changed, 975 insertions(+), 975 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/metron/blob/a7a41a55/metron-deployment/packaging/docker/rpm-docker/SPECS/metron.spec ---------------------------------------------------------------------- diff --git a/metron-deployment/packaging/docker/rpm-docker/SPECS/metron.spec b/metron-deployment/packaging/docker/rpm-docker/SPECS/metron.spec index 5222efc..c7d37ed 100644 --- a/metron-deployment/packaging/docker/rpm-docker/SPECS/metron.spec +++ b/metron-deployment/packaging/docker/rpm-docker/SPECS/metron.spec @@ -232,15 +232,15 @@ This package installs the Metron Solr files %{metron_home}/bin/start_solr_topology.sh %{metron_home}/bin/stop_solr.sh %{metron_home}/config/solr.properties -%{metron_home}/config/schema/bro/managed-schema +%{metron_home}/config/schema/bro/schema.xml %{metron_home}/config/schema/bro/solrconfig.xml -%{metron_home}/config/schema/error/managed-schema +%{metron_home}/config/schema/error/schema.xml %{metron_home}/config/schema/error/solrconfig.xml -%{metron_home}/config/schema/metaalert/managed-schema +%{metron_home}/config/schema/metaalert/schema.xml %{metron_home}/config/schema/metaalert/solrconfig.xml -%{metron_home}/config/schema/snort/managed-schema +%{metron_home}/config/schema/snort/schema.xml %{metron_home}/config/schema/snort/solrconfig.xml -%{metron_home}/config/schema/yaf/managed-schema +%{metron_home}/config/schema/yaf/schema.xml %{metron_home}/config/schema/yaf/solrconfig.xml %attr(0644,root,root) %{metron_home}/lib/metron-solr-%{full_version}-uber.jar http://git-wip-us.apache.org/repos/asf/metron/blob/a7a41a55/metron-platform/metron-solr/src/main/config/schema/bro/managed-schema ---------------------------------------------------------------------- diff --git a/metron-platform/metron-solr/src/main/config/schema/bro/managed-schema b/metron-platform/metron-solr/src/main/config/schema/bro/managed-schema deleted file mode 100644 index b473395..0000000 --- a/metron-platform/metron-solr/src/main/config/schema/bro/managed-schema +++ /dev/null @@ -1,693 +0,0 @@ -<?xml version="1.0" encoding="UTF-8" ?> -<!-- - Licensed to the Apache Software Foundation (ASF) under one or more - contributor license agreements. See the NOTICE file distributed with - this work for additional information regarding copyright ownership. - The ASF licenses this file to You under the Apache License, Version 2.0 - (the "License"); you may not use this file except in compliance with - the License. You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - - Unless required by applicable law or agreed to in writing, software - distributed under the License is distributed on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - See the License for the specific language governing permissions and - limitations under the License. ---> -<schema name="bro_doc" version="1.6"> - <!-- - WARNING - - Because Metron inserts many distinct bro records into a single ElasticSearch index - by default, it encounters field collisions due to field name reuse across bro logs. - - Be careful when modifying this file to not unintentionally affect other logs. - For instance, the "version" field exists in the HTTP, SSL, and SSH logs. If you - were to only consider the SSH log, you would set the type to integer, but because - in the SSL and HTTP logs version is a string, we must set the type to keyword. - --> - <field name="_version_" type="plong" indexed="false" stored="false"/> - <field name="_root_" type="string" indexed="true" stored="false" docValues="false" /> - - <!-- - * Metron-specific fields - --> - <field name="source.type" type="string" indexed="true" stored="true" /> - <field name="timestamp" type="timestamp" indexed="true" stored="true" /> - <field name="guid" type="string" indexed="true" stored="true" required="true" multiValued="false" /> - <uniqueKey>guid</uniqueKey> - - <!-- - * Widely-used Bro fields (potentially renamed during Metron ingest) - --> - <field name="uid" type="string" indexed="true" stored="true" /> - <field name="ip_src_addr" type="ip" indexed="true" stored="true" /> - <field name="ip_src_port" type="pint" indexed="true" stored="true" /> - <field name="ip_dst_addr" type="ip" indexed="true" stored="true" /> - <field name="ip_dst_port" type="pint" indexed="true" stored="true" /> - - <!-- - * HTTP log support - * https://www.bro.org/sphinx/scripts/base/protocols/http/main.bro.html#type-HTTP::Info - * - * Notable Fields - * Field: method - * Notes: Field exists in the HTTP and SIP logs - * - * Field: uri - * Notes: Field exists in the HTTP and SIP logs - * - * Field: password - * Notes: Field exists in the HTTP and FTP logs - * - * Field: capture_password - * Notes: Field exists in the HTTP and FTP logs - * - * Field: trans_depth - * Notes: Field exists in the HTTP, SMTP, and SIP logs - * - * Field: user_agent - * Notes: Field exists in the HTTP, SMTP, and SIP logs - * - * Field: version - * Notes: Field exists in the HTTP, SSL, and SSH logs - * - * Field: host - * Notes: Field exists in the HTTP, KnownCerts, and Software logs - * - * Field: username - * Notes: Field exists in the HTTP and RADIUS logs - * - * Field: status_code - * Notes: Field exists in the HTTP and SIP logs - * - * Field: status_msg - * Notes: Field exists in the HTTP and SIP logs - * - * Field: request_body_len - * Notes: Field exists in the HTTP and SIP logs - * - * Field: response_body_len - * Notes: Field exists in the HTTP and SIP logs - --> - <field name="trans_depth" type="pint" indexed="true" stored="true" /> - <field name="method" type="string" indexed="true" stored="true" /> - <field name="host" type="string" indexed="true" stored="true" /> - <field name="uri" type="string" indexed="true" stored="true" /> - <field name="referrer" type="string" indexed="true" stored="true" /> - <field name="version" type="string" indexed="true" stored="true" /> - <field name="user_agent" type="string" indexed="true" stored="true" /> - <field name="request_body_len" type="plong" indexed="true" stored="true" /> - <field name="response_body_len" type="plong" indexed="true" stored="true" /> - <field name="status_code" type="pint" indexed="true" stored="true" /> - <field name="status_msg" type="string" indexed="true" stored="true" /> - <field name="info_code" type="pint" indexed="true" stored="true" /> - <field name="info_msg" type="string" indexed="true" stored="true" /> - <field name="tags" type="string" indexed="true" stored="true" multiValued="true" /> - <field name="username" type="string" indexed="true" stored="true" /> - <field name="password" type="string" indexed="true" stored="true" /> - <field name="proxied" type="string" indexed="true" stored="true" /> - <field name="orig_fuids" type="string" indexed="true" stored="true" multiValued="true"/> - <field name="orig_filenames" type="string" indexed="true" stored="true" /> - <field name="orig_mime_types" type="string" indexed="true" stored="true" multiValued="true" /> - <field name="resp_fuids" type="string" indexed="true" stored="true" multiValued="true" /> - <field name="resp_filenames" type="string" indexed="true" stored="true" /> - <field name="resp_mime_types" type="string" indexed="true" stored="true" multiValued="true" /> - - <!-- - * DNS log support - * https://www.bro.org/sphinx/scripts/base/protocols/dns/main.bro.html#type-DNS::Info - * - * Notable Fields - * Field: proto - * Notes: Field exists in the DNS, Conn, DPD, and Notice logs - * - * Field: trans_id - * Notes: Field exists in the DNS and DHCP logs - * - * Field: rtt - * Notes: This field uses the "interval" type, which may need handled differently. - * https://www.bro.org/sphinx-git/script-reference/types.html#type-interval - --> - <field name="proto" type="string" indexed="true" stored="true" /> - <field name="trans_id" type="plong" indexed="true" stored="true" /> - <field name="rtt" type="string" indexed="true" stored="true" /> - - <field name="query" type="string" indexed="true" stored="true" /> - <field name="qclass" type="pint" indexed="true" stored="true" /> - <field name="qclass_name" type="string" indexed="true" stored="true" /> - <field name="qtype" type="pint" indexed="true" stored="true" /> - <field name="qtype_name" type="string" indexed="true" stored="true" /> - <field name="rcode" type="pint" indexed="true" stored="true" /> - <field name="rcode_name" type="string" indexed="true" stored="true" /> - <field name="AA" type="boolean" indexed="true" stored="true" /> - <field name="TC" type="boolean" indexed="true" stored="true" /> - <field name="RD" type="boolean" indexed="true" stored="true" /> - <field name="RA" type="boolean" indexed="true" stored="true" /> - <field name="Z" type="pint" indexed="true" stored="true" /> - <field name="answers" type="string" indexed="true" stored="true" /> - <field name="TTLs" type="string" indexed="true" stored="true" /> - <field name="rejected" type="boolean" indexed="true" stored="true" /> - <!-- - * Conn log support - * https://www.bro.org/sphinx/scripts/base/protocols/conn/main.bro.html#type-Conn::Info - * - * Notable Fields - * Field: proto - * Notes: Field exists in the DNS, Conn, DPD, and Notice logs - * - * Field: duration - * Notes: Field exists in the Conn and Files logs - * - * Field: local_orig - * Notes: Field exists in the Conn and Files logs - --> - <field name="service" type="string" indexed="true" stored="true" /> - <field name="duration" type="pfloat" indexed="true" stored="true" /> - <field name="orig_bytes" type="plong" indexed="true" stored="true" /> - <field name="resp_bytes" type="plong" indexed="true" stored="true" /> - <field name="conn_state" type="string" indexed="true" stored="true" /> - <field name="local_orig" type="boolean" indexed="true" stored="true" /> - - <field name="local_resp" type="string" indexed="true" stored="true" /> - <field name="missed_bytes" type="plong" indexed="true" stored="true" /> - <field name="history" type="string" indexed="true" stored="true" /> - <field name="orig_pkts" type="plong" indexed="true" stored="true" /> - <field name="orig_ip_bytes" type="plong" indexed="true" stored="true" /> - <field name="resp_pkts" type="plong" indexed="true" stored="true" /> - <field name="resp_ip_bytes" type="plong" indexed="true" stored="true" /> - <field name="tunnel_parents" type="string" indexed="true" stored="true" /> - <!-- - * DPD log support - * https://www.bro.org/sphinx-git/scripts/base/frameworks/dpd/main.bro.html#type-DPD::Info - * - * Notable Fields - * Field: proto - * Notes: Field exists in the DNS, Conn, DPD, and Notice logs - --> - <field name="analyzer" type="string" indexed="true" stored="true" /> - <field name="failure_reason" type="string" indexed="true" stored="true" /> - <!-- - * FTP log support - * https://www.bro.org/sphinx/scripts/base/protocols/ftp/info.bro.html#type-FTP::Info - * - * Notable Fields - * Field: password - * Notes: Field exists in the HTTP and FTP logs - * - * Field: capture_password - * Notes: Field exists in the HTTP and FTP logs - * - * Field: mime_type - * Notes: Field exists in the FTP and Files logs - * - * Field: fuid - * Notes: Field exists in the FTP, Files, and Notice logs - --> - <field name="user" type="string" indexed="true" stored="true" /> - <field name="command" type="string" indexed="true" stored="true" /> - <field name="arg" type="string" indexed="true" stored="true" /> - <field name="mime_type" type="string" indexed="true" stored="true" /> - <field name="file_size" type="plong" indexed="true" stored="true" /> - <field name="reply_code" type="pint" indexed="true" stored="true" /> - <field name="reply_msg" type="string" indexed="true" stored="true" /> - <field name="data_channel.passive" type="boolean" indexed="true" stored="true" /> - <field name="data_channel.orig_h" type="ip" indexed="true" stored="true" /> - <field name="data_channel.resp_h" type="ip" indexed="true" stored="true" /> - <field name="data_channel.resp_p" type="pint" indexed="true" stored="true" /> - <field name="cwd" type="string" indexed="true" stored="true" /> - <field name="passive" type="boolean" indexed="true" stored="true" /> - <field name="fuid" type="string" indexed="true" stored="true" /> - <!-- - * Files log support - * https://www.bro.org/sphinx/scripts/base/frameworks/files/main.bro.html#type-Files::Info - * - * Notable Fields - * Field: tx_hosts - * Notes: Metron rewrites this to "ip_src_addr" - * - * Field: rx_hosts - * Notes: Metron rewrites this to "ip_dst_addr" - * - * Field: mime_type - * Notes: Field exists in the FTP and Files logs - * - * Field: duration - * Notes: Field exists in the Conn and Files logs - * - * Field: local_orig - * Notes: Field exists in the Conn and Files logs - * - * Field: fuid - * Notes: Field exists in the FTP, Files, and Notice logs - --> - <field name="conn_uids" type="string" indexed="true" stored="true" /> - <field name="source" type="string" indexed="true" stored="true" /> - <field name="depth" type="pint" indexed="true" stored="true" /> - <field name="analyzers" type="string" indexed="true" stored="true" /> - <field name="filename" type="string" indexed="true" stored="true" /> - <field name="is_orig" type="boolean" indexed="true" stored="true" /> - <field name="seen_bytes" type="plong" indexed="true" stored="true" /> - <field name="total_bytes" type="plong" indexed="true" stored="true" /> - <field name="missing_bytes" type="plong" indexed="true" stored="true" /> - <field name="overflow_bytes" type="plong" indexed="true" stored="true" /> - <field name="timedout" type="boolean" indexed="true" stored="true" /> - <field name="parent_fuid" type="string" indexed="true" stored="true" /> - <field name="md5" type="string" indexed="true" stored="true" /> - <field name="sha1" type="string" indexed="true" stored="true" /> - <field name="sha256" type="string" indexed="true" stored="true" /> - <field name="extracted" type="string" indexed="true" stored="true" /> - <field name="extracted_cutoff" type="boolean" indexed="true" stored="true" /> - <field name="extracted_size" type="plong" indexed="true" stored="true" /> - - <!-- - * Known::CertInfo log support - * https://www.bro.org/sphinx/scripts/policy/protocols/ssl/known-certs.bro.html#type-Known::CertsInfo - * - * Notable Fields - * Field: host - * Notes: Field exists in the HTTP, KnownCerts, and Software logs - * - * Field: subject - * Notes: Field exists in the KnownCerts, SMTP, SIP, and SSL logs - --> - <field name="port_num" type="pint" indexed="true" stored="true" /> - <field name="subject" type="string" indexed="true" stored="true" /> - <field name="issuer_subject" type="string" indexed="true" stored="true" /> - <field name="serial" type="string" indexed="true" stored="true" /> - - <!-- - * SMTP log support - * https://www.bro.org/sphinx/scripts/base/protocols/smtp/main.bro.html#type-SMTP::Info - * - * Notable Fields - * Field: trans_depth - * Notes: Field exists in the HTTP, SMTP, and SIP logs - * - * Field: date - * Notes: Field exists in the SMTP and SIP logs - * - * Field: subject - * Notes: Field exists in the KnownCerts, SMTP, SIP, and SSL logs - * - * Field: reply_to - * Notes: Field exists in the SMTP and SIP logs - * - * Field: user_agent - * Notes: Field exists in the HTTP, SMTP, and SIP logs - --> - <field name="helo" type="string" indexed="true" stored="true" /> - <field name="mailfrom" type="string" indexed="true" stored="true" /> - <field name="rcptto" type="string" indexed="true" stored="true" /> - <field name="date" type="string" indexed="true" stored="true" /> - <field name="from" type="string" indexed="true" stored="true" /> - <field name="to" type="string" indexed="true" stored="true" /> - <field name="cc" type="string" indexed="true" stored="true" /> - <field name="reply_to" type="string" indexed="true" stored="true" /> - <field name="msg_id" type="string" indexed="true" stored="true" /> - <field name="in_reply_to" type="string" indexed="true" stored="true" /> - <field name="x_originating_ip" type="ip" indexed="true" stored="true" /> - <field name="first_received" type="string" indexed="true" stored="true" /> - <field name="second_received" type="string" indexed="true" stored="true" /> - <field name="last_reply" type="string" indexed="true" stored="true" /> - <field name="path" type="string" indexed="true" stored="true" /> - <field name="tls" type="boolean" indexed="true" stored="true" /> - <field name="fuids" type="string" indexed="true" stored="true" /> - <field name="is_webmail" type="boolean" indexed="true" stored="true" /> - - <!-- - * SSL log support - * https://www.bro.org/sphinx/scripts/base/protocols/ssl/main.bro.html#type-SSL::Info - * - * Notable Fields - * Field: version - * Notes: Field exists in the HTTP, SSL, and SSH logs - * - * Field: subject - * Notes: Field exists in the KnownCerts, SMTP, SIP, and SSL logs - --> - <field name="cipher" type="string" indexed="true" stored="true" /> - <field name="curve" type="string" indexed="true" stored="true" /> - <field name="server_name" type="string" indexed="true" stored="true" /> - <field name="resumed" type="boolean" indexed="true" stored="true" /> - <field name="server_appdata" type="string" indexed="true" stored="true" /> - <field name="client_appdata" type="boolean" indexed="true" stored="true" /> - <field name="last_alert" type="string" indexed="true" stored="true" /> - <field name="next_protocol" type="string" indexed="true" stored="true" /> - <field name="established" type="boolean" indexed="true" stored="true" /> - <field name="cert_chain_fuids" type="string" indexed="true" stored="true" /> - <field name="client_cert_chain_fuids" type="string" indexed="true" stored="true" /> - <field name="issuer" type="string" indexed="true" stored="true" /> - <field name="client_subject" type="string" indexed="true" stored="true" /> - <field name="client_issuer" type="string" indexed="true" stored="true" /> - <field name="validation_status" type="string" indexed="true" stored="true" /> - <!-- - * Weird log support - * https://www.bro.org/sphinx/scripts/base/frameworks/notice/weird.bro.html#type-Weird::Info - * - * Notable Fields - * Field: peer - * Notes: Field exists in the Weird, CaptureLoss, and Stats logs - * - * Field: name - * Notes: Field exists in the Weird and LoadedScripts logs - --> - <field name="name" type="string" indexed="true" stored="true" /> - <field name="addl" type="string" indexed="true" stored="true" /> - <field name="notice" type="boolean" indexed="true" stored="true" /> - <field name="peer" type="string" indexed="true" stored="true" /> - - <!-- - * Notice log support - * https://www.bro.org/sphinx/scripts/base/frameworks/notice/main.bro.html#type-Notice::Info - * - * Notable Fields - * Field: fuid - * Notes: Field exists in the FTP, Files, and Notice logs - * - * Field: proto - * Notes: Field exists in the DNS, Conn, DPD, and Notice logs - * - * Field: remote_location:country_code - * Notes: Field exists in the Notice and SSH logs - * - * Field: remote_location:region - * Notes: Field exists in the Notice and SSH logs - * - * Field: remote_location:city - * Notes: Field exists in the Notice and SSH logs - * - * Field: remote_location:latitude - * Notes: Field exists in the Notice and SSH logs - * - * Field: remote_location:longitude - * Notes: Field exists in the Notice and SSH logs - --> - <field name="file_mime_type" type="string" indexed="true" stored="true" /> - <field name="file_desc" type="string" indexed="true" stored="true" /> - <field name="note" type="string" indexed="true" stored="true" /> - <field name="msg" type="string" indexed="true" stored="true" /> - <field name="sub" type="string" indexed="true" stored="true" /> - <field name="src" type="ip" indexed="true" stored="true" /> - <field name="dst" type="ip" indexed="true" stored="true" /> - <field name="p" type="pint" indexed="true" stored="true" /> - <field name="n" type="pint" indexed="true" stored="true" /> - <field name="src_peer" type="ip" indexed="true" stored="true" /> - <field name="peer_descr" type="string" indexed="true" stored="true" /> - <field name="actions" type="string" indexed="true" stored="true" /> - <field name="suppress_for" type="pdouble" indexed="true" stored="true" /> - <field name="dropped" type="boolean" indexed="true" stored="true" /> - <field name="remote_location.country_code" type="string" indexed="true" stored="true" /> - <field name="remote_location.region" type="string" indexed="true" stored="true" /> - <field name="remote_location.city" type="string" indexed="true" stored="true" /> - <field name="remote_location.latitude" type="pdouble" indexed="true" stored="true" /> - <field name="remote_location.longitude" type="pdouble" indexed="true" stored="true" /> - - <!-- - * DHCP log support - * https://www.bro.org/sphinx/scripts/base/protocols/dhcp/main.bro.html#type-DHCP::Info - * - * Notable Fields - * Field: mac - * Notes: Field exists in the DHCP, RADIUS, and KnownDevices logs - * - * Field: trans_id - * Notes: Field exists in the DNS and DHCP logs - --> - <field name="mac" type="string" indexed="true" stored="true" /> - <field name="assigned_ip" type="ip" indexed="true" stored="true" /> - <field name="lease_time" type="pfloat" indexed="true" stored="true" /> - <!-- - * SSH log support - * https://www.bro.org/sphinx/scripts/base/protocols/ssh/main.bro.html#type-SSH::Info - * - * Notable Fields - * Field: version - * Notes: Field exists in the HTTP, SSL, and SSH logs - * - * Field: remote_location:country_code - * Notes: Field exists in the Notice and SSH logs - * - * Field: remote_location:region - * Notes: Field exists in the Notice and SSH logs - * - * Field: remote_location:city - * Notes: Field exists in the Notice and SSH logs - * - * Field: remote_location:latitude - * Notes: Field exists in the Notice and SSH logs - * - * Field: remote_location:longitude - * Notes: Field exists in the Notice and SSH logs - --> - <field name="auth_success" type="boolean" indexed="true" stored="true" /> - <field name="auth_attempts" type="pint" indexed="true" stored="true" /> - <field name="direction" type="string" indexed="true" stored="true" /> - <field name="client" type="string" indexed="true" stored="true" /> - <field name="server" type="string" indexed="true" stored="true" /> - <field name="cipher_alg" type="string" indexed="true" stored="true" /> - <field name="mac_alg" type="string" indexed="true" stored="true" /> - <field name="compression_alg" type="string" indexed="true" stored="true" /> - <field name="kex_alg" type="string" indexed="true" stored="true" /> - <field name="host_key_alg" type="string" indexed="true" stored="true" /> - <field name="host_key" type="string" indexed="true" stored="true" /> - - <!-- - * Software log support - * https://www.bro.org/sphinx/scripts/base/frameworks/software/main.bro.html#type-Software::Info - * - * Notable Fields - * Field: host - * Notes: Field exists in the HTTP, KnownCerts, and Software logs - --> - <field name="host_p" type="pint" indexed="true" stored="true" /> - <field name="software_type" type="string" indexed="true" stored="true" /> - <field name="version.major" type="string" indexed="true" stored="true" /> - <field name="version.minor" type="string" indexed="true" stored="true" /> - <field name="version.minor2" type="string" indexed="true" stored="true" /> - <field name="version.minor3" type="string" indexed="true" stored="true" /> - <field name="version.addl" type="string" indexed="true" stored="true" /> - <field name="unparsed_version" type="string" indexed="true" stored="true" /> - - <!-- - * RADIUS log support - * https://www.bro.org/sphinx/scripts/base/protocols/radius/main.bro.html#type-RADIUS::Info - * - * Notable Fields - * Field: username - * Notes: Field exists in the HTTP and RADIUS logs - * - * Field: mac - * Notes: Field exists in the DHCP, RADIUS, and KnownDevices logs - * - * Field: ttl - * Notes: This field uses the "interval" type, which may need handled differently. - * https://www.bro.org/sphinx-git/script-reference/types.html#type-interval - --> - <field name="framed_addr" type="ip" indexed="true" stored="true" /> - <field name="remote_ip" type="ip" indexed="true" stored="true" /> - <field name="connect_info" type="string" indexed="true" stored="true" /> - <field name="result" type="string" indexed="true" stored="true" /> - <field name="ttl" type="string" indexed="true" stored="true" /> - - <!-- - * X509 log support - * https://www.bro.org/sphinx/scripts/base/files/x509/main.bro.html#type-X509::Info - * - * Notable Fields - * Field: id - * Notes: In other bro records, the id field is of type conn_id, so it is - * expanded before being logged into 4 fields, all of which are addressed - * under the "Widely-used Bro fields" section of this template. In X509 - * logs, however, id is a keyword to identify the certificate file id. - --> - <field name="id" type="string" indexed="true" stored="true" /> - <field name="certificate.version" type="pint" indexed="true" stored="true" /> - <field name="certificate.serial" type="string" indexed="true" stored="true" /> - <field name="certificate.subject" type="string" indexed="true" stored="true" /> - <field name="certificate.issuer" type="string" indexed="true" stored="true" /> - <field name="certificate.not_valid_before" type="string" indexed="true" stored="true" /> - <field name="certificate.not_valid_after" type="string" indexed="true" stored="true" /> - <field name="certificate.key_alg" type="string" indexed="true" stored="true" /> - <field name="certificate.sig_alg" type="string" indexed="true" stored="true" /> - <field name="certificate.key_type" type="string" indexed="true" stored="true" /> - <field name="certificate.key_length" type="pint" indexed="true" stored="true" /> - <field name="certificate.exponent" type="string" indexed="true" stored="true" /> - <field name="certificate.curve" type="string" indexed="true" stored="true" /> - <field name="san.dns" type="string" indexed="true" stored="true" /> - <field name="san.uri" type="string" indexed="true" stored="true" /> - <field name="san.email" type="string" indexed="true" stored="true" /> - <field name="san.ip" type="string" indexed="true" stored="true" /> - <field name="basic_constraints.ca" type="boolean" indexed="true" stored="true" /> - <field name="basic_constraints.path_len" type="pint" indexed="true" stored="true" /> - - <!-- - * Known::DevicesInfo log support - * https://www.bro.org/sphinx/scripts/policy/misc/known-devices.bro.html#type-Known::DevicesInfo - * - * Notable Fields - * Field: mac - * Notes: Field exists in the DHCP, RADIUS, and KnownDevices logs - --> - <field name="dhcp_host_name" type="string" indexed="true" stored="true" /> - <!-- - * RFB::Info log support - * https://www.bro.org/sphinx-git/scripts/base/protocols/rfb/main.bro.html#type-RFB::Info - --> - <field name="client_major_version" type="string" indexed="true" stored="true" /> - <field name="client_minor_version" type="string" indexed="true" stored="true" /> - <field name="server_major_version" type="string" indexed="true" stored="true" /> - <field name="server_minor_version" type="string" indexed="true" stored="true" /> - <field name="authentication_method" type="string" indexed="true" stored="true" /> - <field name="auth" type="boolean" indexed="true" stored="true" /> - <field name="share_flag" type="boolean" indexed="true" stored="true" /> - <field name="desktop_name" type="string" indexed="true" stored="true" /> - <field name="width" type="pint" indexed="true" stored="true" /> - <field name="height" type="pint" indexed="true" stored="true" /> - - <!-- - * Stats::Info log support - * https://www.bro.org/sphinx/scripts/policy/misc/stats.bro.html#type-Stats::Info - * - * Notable Fields - * Field: peer - * Notes: Field exists in the Weird, CaptureLoss, and Stats logs - * - * Field: pkt_lag - * Notes: This field uses the "interval" type, which may need handled differently. - * https://www.bro.org/sphinx-git/script-reference/types.html#type-interval - --> - <field name="mem" type="pint" indexed="true" stored="true" /> - <field name="pkts_proc" type="pint" indexed="true" stored="true" /> - <field name="bytes_recv" type="pint" indexed="true" stored="true" /> - <field name="pkts_dropped" type="pint" indexed="true" stored="true" /> - <field name="pkts_link" type="pint" indexed="true" stored="true" /> - <field name="pkt_lag" type="string" indexed="true" stored="true" /> - <field name="events_proc" type="pint" indexed="true" stored="true" /> - <field name="events_queued" type="pint" indexed="true" stored="true" /> - <field name="active_tcp_conns" type="pint" indexed="true" stored="true" /> - <field name="active_udp_conns" type="pint" indexed="true" stored="true" /> - <field name="active_icmp_conns" type="pint" indexed="true" stored="true" /> - <field name="tcp_conns" type="pint" indexed="true" stored="true" /> - <field name="udp_conns" type="pint" indexed="true" stored="true" /> - <field name="icmp_conns" type="pint" indexed="true" stored="true" /> - <field name="timers" type="pint" indexed="true" stored="true" /> - <field name="active_timers" type="pint" indexed="true" stored="true" /> - <field name="files" type="pint" indexed="true" stored="true" /> - <field name="active_files" type="pint" indexed="true" stored="true" /> - <field name="dns_requests" type="pint" indexed="true" stored="true" /> - <field name="active_dns_requests" type="pint" indexed="true" stored="true" /> - <field name="reassem_tcp_size" type="pint" indexed="true" stored="true" /> - <field name="reassem_file_size" type="pint" indexed="true" stored="true" /> - <field name="reassem_frag_size" type="pint" indexed="true" stored="true" /> - <field name="reassem_unknown_size" type="pint" indexed="true" stored="true" /> - - <!-- - * CaptureLoss::Info log support - * https://www.bro.org/sphinx/scripts/policy/misc/capture-loss.bro.html#type-CaptureLoss::Info - * - * Notable Fields - * Field: ts_delta - * Notes: This field uses the "interval" type, which may need handled differently. - * https://www.bro.org/sphinx-git/script-reference/types.html#type-interval - * - * Field: peer - * Notes: Field exists in the Weird, CaptureLoss, and Stats logs - --> - <field name="ts_delta" type="string" indexed="true" stored="true" /> - <field name="gaps" type="pint" indexed="true" stored="true" /> - <field name="acks" type="pint" indexed="true" stored="true" /> - <field name="percent_lost" type="pdouble" indexed="true" stored="true" /> - - <!-- - * Reporter::Info log support - * https://www.bro.org/sphinx/scripts/base/frameworks/reporter/main.bro.html#type-Reporter::Info - --> - <field name="level" type="string" indexed="true" stored="true" /> - <field name="message" type="string" indexed="true" stored="true" /> - <field name="location" type="string" indexed="true" stored="true" /> - - <!-- - * SIP::Info log support - * https://www.bro.org/sphinx/scripts/base/protocols/sip/main.bro.html#type-SIP::Info - * - * Notable Fields - * Field: trans_depth - * Notes: Field exists in the HTTP, SMTP, and SIP logs - * - * Field: method - * Notes: Field exists in the HTTP and SIP logs - * - * Field: uri - * Notes: Field exists in the HTTP and SIP logs - * - * Field: date - * Notes: Field exists in the SMTP and SIP logs - * - * Field: reply_to - * Notes: Field exists in the SMTP and SIP logs - * - * Field: subject - * Notes: Field exists in the KnownCerts, SMTP, SIP, and SSL logs - * - * Field: user_agent - * Notes: Field exists in the HTTP, SMTP, and SIP logs - * - * Field: status_code - * Notes: Field exists in the HTTP and SIP logs - * - * Field: status_msg - * Notes: Field exists in the HTTP and SIP logs - * - * Field: request_body_len - * Notes: Field exists in the HTTP and SIP logs - * - * Field: response_body_len - * Notes: Field exists in the HTTP and SIP logs - --> - <field name="request_from" type="string" indexed="true" stored="true" /> - <field name="request_to" type="string" indexed="true" stored="true" /> - <field name="response_from" type="string" indexed="true" stored="true" /> - <field name="response_to" type="string" indexed="true" stored="true" /> - <field name="call_id" type="string" indexed="true" stored="true" /> - <field name="seq" type="string" indexed="true" stored="true" /> - <field name="request_path" type="string" indexed="true" stored="true" /> - <field name="response_path" type="string" indexed="true" stored="true" /> - <field name="warning" type="string" indexed="true" stored="true" /> - <field name="content_type" type="string" indexed="true" stored="true" /> - - <!-- Geo Enrichment Fields --> - <dynamicField name="*.location_point" type="location" multiValued="false" docValues="true"/> - <dynamicField name="*.country" type="string" multiValued="false" docValues="true"/> - <dynamicField name="*.city" type="string" multiValued="false" docValues="true"/> - <dynamicField name="*.locID" type="string" multiValued="false" docValues="true"/> - <dynamicField name="*.dmaCode" type="string" multiValued="false" docValues="true"/> - <dynamicField name="*.postalCode" type="string" multiValued="false" docValues="true"/> - <dynamicField name="*.latitude" type="pfloat" multiValued="false" docValues="true"/> - <dynamicField name="*.longitude" type="pfloat" multiValued="false" docValues="true"/> - - <!-- Performance Debugging Fields --> - <dynamicField name="*.ts" type="timestamp" multiValued="false" docValues="true"/> - - <!-- Threat Intel Scoring Fields --> - <field name="is_alert" type="boolean" indexed="true" stored="true" /> - <dynamicField name="*score" type="pfloat" multiValued="false" docValues="true"/> - <dynamicField name="*.reason" type="string" multiValued="false" docValues="true"/> - <dynamicField name="*.name" type="string" multiValued="false" docValues="true"/> - - <!-- Catch all, if we don't know about it, it gets dropped. --> - <dynamicField name="*" type="ignored" multiValued="false" docValues="true"/> - - <!-- Type Definitions --> - <fieldType name="string" stored="true" indexed="true" multiValued="false" class="solr.StrField" sortMissingLast="true" docValues="false"/> - <fieldType name="boolean" stored="true" indexed="true" multiValued="false" class="solr.BoolField" sortMissingLast="true" docValues="false"/> - <fieldType name="pint" stored="true" indexed="true" multiValued="false" class="solr.IntPointField" sortMissingLast="false" docValues="true"/> - <fieldType name="pfloat" stored="true" indexed="true" multiValued="false" class="solr.FloatPointField" sortMissingLast="false" docValues="true"/> - <fieldType name="plong" stored="true" indexed="true" multiValued="false" class="solr.LongPointField" sortMissingLast="false" docValues="true"/> - <fieldType name="pdouble" stored="true" indexed="true" multiValued="false" class="solr.DoublePointField" sortMissingLast="false" docValues="true"/> - <fieldType name="location" stored="true" indexed="true" multiValued="false" class="solr.LatLonPointSpatialField" sortMissingLast="false" docValues="true"/> - <fieldType name="ip" stored="true" indexed="true" multiValued="false" class="solr.StrField" sortMissingLast="true" docValues="false"/> - <fieldType name="timestamp" stored="true" indexed="true" multiValued="false" class="solr.LongPointField" sortMissingLast="false" docValues="true"/> - <fieldType name="ignored" stored="true" indexed="true" multiValued="true" class="solr.StrField" sortMissingLast="false" docValues="false"/> -</schema> http://git-wip-us.apache.org/repos/asf/metron/blob/a7a41a55/metron-platform/metron-solr/src/main/config/schema/bro/schema.xml ---------------------------------------------------------------------- diff --git a/metron-platform/metron-solr/src/main/config/schema/bro/schema.xml b/metron-platform/metron-solr/src/main/config/schema/bro/schema.xml new file mode 100644 index 0000000..4ce8d6b --- /dev/null +++ b/metron-platform/metron-solr/src/main/config/schema/bro/schema.xml @@ -0,0 +1,693 @@ +<?xml version="1.0" encoding="UTF-8" ?> +<!-- + Licensed to the Apache Software Foundation (ASF) under one or more + contributor license agreements. See the NOTICE file distributed with + this work for additional information regarding copyright ownership. + The ASF licenses this file to You under the Apache License, Version 2.0 + (the "License"); you may not use this file except in compliance with + the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. +--> +<schema name="bro_doc" version="1.6"> + <!-- + WARNING + + Because Metron inserts many distinct bro records into a single ElasticSearch index + by default, it encounters field collisions due to field name reuse across bro logs. + + Be careful when modifying this file to not unintentionally affect other logs. + For instance, the "version" field exists in the HTTP, SSL, and SSH logs. If you + were to only consider the SSH log, you would set the type to integer, but because + in the SSL and HTTP logs version is a string, we must set the type to keyword. + --> + <field name="_version_" type="plong" indexed="true" stored="true"/> + <field name="_root_" type="string" indexed="true" stored="false" docValues="false" /> + + <!-- + * Metron-specific fields + --> + <field name="source.type" type="string" indexed="true" stored="true" /> + <field name="timestamp" type="timestamp" indexed="true" stored="true" /> + <field name="guid" type="string" indexed="true" stored="true" required="true" multiValued="false" /> + <uniqueKey>guid</uniqueKey> + + <!-- + * Widely-used Bro fields (potentially renamed during Metron ingest) + --> + <field name="uid" type="string" indexed="true" stored="true" /> + <field name="ip_src_addr" type="ip" indexed="true" stored="true" /> + <field name="ip_src_port" type="pint" indexed="true" stored="true" /> + <field name="ip_dst_addr" type="ip" indexed="true" stored="true" /> + <field name="ip_dst_port" type="pint" indexed="true" stored="true" /> + + <!-- + * HTTP log support + * https://www.bro.org/sphinx/scripts/base/protocols/http/main.bro.html#type-HTTP::Info + * + * Notable Fields + * Field: method + * Notes: Field exists in the HTTP and SIP logs + * + * Field: uri + * Notes: Field exists in the HTTP and SIP logs + * + * Field: password + * Notes: Field exists in the HTTP and FTP logs + * + * Field: capture_password + * Notes: Field exists in the HTTP and FTP logs + * + * Field: trans_depth + * Notes: Field exists in the HTTP, SMTP, and SIP logs + * + * Field: user_agent + * Notes: Field exists in the HTTP, SMTP, and SIP logs + * + * Field: version + * Notes: Field exists in the HTTP, SSL, and SSH logs + * + * Field: host + * Notes: Field exists in the HTTP, KnownCerts, and Software logs + * + * Field: username + * Notes: Field exists in the HTTP and RADIUS logs + * + * Field: status_code + * Notes: Field exists in the HTTP and SIP logs + * + * Field: status_msg + * Notes: Field exists in the HTTP and SIP logs + * + * Field: request_body_len + * Notes: Field exists in the HTTP and SIP logs + * + * Field: response_body_len + * Notes: Field exists in the HTTP and SIP logs + --> + <field name="trans_depth" type="pint" indexed="true" stored="true" /> + <field name="method" type="string" indexed="true" stored="true" /> + <field name="host" type="string" indexed="true" stored="true" /> + <field name="uri" type="string" indexed="true" stored="true" /> + <field name="referrer" type="string" indexed="true" stored="true" /> + <field name="version" type="string" indexed="true" stored="true" /> + <field name="user_agent" type="string" indexed="true" stored="true" /> + <field name="request_body_len" type="plong" indexed="true" stored="true" /> + <field name="response_body_len" type="plong" indexed="true" stored="true" /> + <field name="status_code" type="pint" indexed="true" stored="true" /> + <field name="status_msg" type="string" indexed="true" stored="true" /> + <field name="info_code" type="pint" indexed="true" stored="true" /> + <field name="info_msg" type="string" indexed="true" stored="true" /> + <field name="tags" type="string" indexed="true" stored="true" multiValued="true" /> + <field name="username" type="string" indexed="true" stored="true" /> + <field name="password" type="string" indexed="true" stored="true" /> + <field name="proxied" type="string" indexed="true" stored="true" /> + <field name="orig_fuids" type="string" indexed="true" stored="true" multiValued="true"/> + <field name="orig_filenames" type="string" indexed="true" stored="true" /> + <field name="orig_mime_types" type="string" indexed="true" stored="true" multiValued="true" /> + <field name="resp_fuids" type="string" indexed="true" stored="true" multiValued="true" /> + <field name="resp_filenames" type="string" indexed="true" stored="true" /> + <field name="resp_mime_types" type="string" indexed="true" stored="true" multiValued="true" /> + + <!-- + * DNS log support + * https://www.bro.org/sphinx/scripts/base/protocols/dns/main.bro.html#type-DNS::Info + * + * Notable Fields + * Field: proto + * Notes: Field exists in the DNS, Conn, DPD, and Notice logs + * + * Field: trans_id + * Notes: Field exists in the DNS and DHCP logs + * + * Field: rtt + * Notes: This field uses the "interval" type, which may need handled differently. + * https://www.bro.org/sphinx-git/script-reference/types.html#type-interval + --> + <field name="proto" type="string" indexed="true" stored="true" /> + <field name="trans_id" type="plong" indexed="true" stored="true" /> + <field name="rtt" type="string" indexed="true" stored="true" /> + + <field name="query" type="string" indexed="true" stored="true" /> + <field name="qclass" type="pint" indexed="true" stored="true" /> + <field name="qclass_name" type="string" indexed="true" stored="true" /> + <field name="qtype" type="pint" indexed="true" stored="true" /> + <field name="qtype_name" type="string" indexed="true" stored="true" /> + <field name="rcode" type="pint" indexed="true" stored="true" /> + <field name="rcode_name" type="string" indexed="true" stored="true" /> + <field name="AA" type="boolean" indexed="true" stored="true" /> + <field name="TC" type="boolean" indexed="true" stored="true" /> + <field name="RD" type="boolean" indexed="true" stored="true" /> + <field name="RA" type="boolean" indexed="true" stored="true" /> + <field name="Z" type="pint" indexed="true" stored="true" /> + <field name="answers" type="string" indexed="true" stored="true" /> + <field name="TTLs" type="string" indexed="true" stored="true" /> + <field name="rejected" type="boolean" indexed="true" stored="true" /> + <!-- + * Conn log support + * https://www.bro.org/sphinx/scripts/base/protocols/conn/main.bro.html#type-Conn::Info + * + * Notable Fields + * Field: proto + * Notes: Field exists in the DNS, Conn, DPD, and Notice logs + * + * Field: duration + * Notes: Field exists in the Conn and Files logs + * + * Field: local_orig + * Notes: Field exists in the Conn and Files logs + --> + <field name="service" type="string" indexed="true" stored="true" /> + <field name="duration" type="pfloat" indexed="true" stored="true" /> + <field name="orig_bytes" type="plong" indexed="true" stored="true" /> + <field name="resp_bytes" type="plong" indexed="true" stored="true" /> + <field name="conn_state" type="string" indexed="true" stored="true" /> + <field name="local_orig" type="boolean" indexed="true" stored="true" /> + + <field name="local_resp" type="string" indexed="true" stored="true" /> + <field name="missed_bytes" type="plong" indexed="true" stored="true" /> + <field name="history" type="string" indexed="true" stored="true" /> + <field name="orig_pkts" type="plong" indexed="true" stored="true" /> + <field name="orig_ip_bytes" type="plong" indexed="true" stored="true" /> + <field name="resp_pkts" type="plong" indexed="true" stored="true" /> + <field name="resp_ip_bytes" type="plong" indexed="true" stored="true" /> + <field name="tunnel_parents" type="string" indexed="true" stored="true" /> + <!-- + * DPD log support + * https://www.bro.org/sphinx-git/scripts/base/frameworks/dpd/main.bro.html#type-DPD::Info + * + * Notable Fields + * Field: proto + * Notes: Field exists in the DNS, Conn, DPD, and Notice logs + --> + <field name="analyzer" type="string" indexed="true" stored="true" /> + <field name="failure_reason" type="string" indexed="true" stored="true" /> + <!-- + * FTP log support + * https://www.bro.org/sphinx/scripts/base/protocols/ftp/info.bro.html#type-FTP::Info + * + * Notable Fields + * Field: password + * Notes: Field exists in the HTTP and FTP logs + * + * Field: capture_password + * Notes: Field exists in the HTTP and FTP logs + * + * Field: mime_type + * Notes: Field exists in the FTP and Files logs + * + * Field: fuid + * Notes: Field exists in the FTP, Files, and Notice logs + --> + <field name="user" type="string" indexed="true" stored="true" /> + <field name="command" type="string" indexed="true" stored="true" /> + <field name="arg" type="string" indexed="true" stored="true" /> + <field name="mime_type" type="string" indexed="true" stored="true" /> + <field name="file_size" type="plong" indexed="true" stored="true" /> + <field name="reply_code" type="pint" indexed="true" stored="true" /> + <field name="reply_msg" type="string" indexed="true" stored="true" /> + <field name="data_channel.passive" type="boolean" indexed="true" stored="true" /> + <field name="data_channel.orig_h" type="ip" indexed="true" stored="true" /> + <field name="data_channel.resp_h" type="ip" indexed="true" stored="true" /> + <field name="data_channel.resp_p" type="pint" indexed="true" stored="true" /> + <field name="cwd" type="string" indexed="true" stored="true" /> + <field name="passive" type="boolean" indexed="true" stored="true" /> + <field name="fuid" type="string" indexed="true" stored="true" /> + <!-- + * Files log support + * https://www.bro.org/sphinx/scripts/base/frameworks/files/main.bro.html#type-Files::Info + * + * Notable Fields + * Field: tx_hosts + * Notes: Metron rewrites this to "ip_src_addr" + * + * Field: rx_hosts + * Notes: Metron rewrites this to "ip_dst_addr" + * + * Field: mime_type + * Notes: Field exists in the FTP and Files logs + * + * Field: duration + * Notes: Field exists in the Conn and Files logs + * + * Field: local_orig + * Notes: Field exists in the Conn and Files logs + * + * Field: fuid + * Notes: Field exists in the FTP, Files, and Notice logs + --> + <field name="conn_uids" type="string" indexed="true" stored="true" /> + <field name="source" type="string" indexed="true" stored="true" /> + <field name="depth" type="pint" indexed="true" stored="true" /> + <field name="analyzers" type="string" indexed="true" stored="true" /> + <field name="filename" type="string" indexed="true" stored="true" /> + <field name="is_orig" type="boolean" indexed="true" stored="true" /> + <field name="seen_bytes" type="plong" indexed="true" stored="true" /> + <field name="total_bytes" type="plong" indexed="true" stored="true" /> + <field name="missing_bytes" type="plong" indexed="true" stored="true" /> + <field name="overflow_bytes" type="plong" indexed="true" stored="true" /> + <field name="timedout" type="boolean" indexed="true" stored="true" /> + <field name="parent_fuid" type="string" indexed="true" stored="true" /> + <field name="md5" type="string" indexed="true" stored="true" /> + <field name="sha1" type="string" indexed="true" stored="true" /> + <field name="sha256" type="string" indexed="true" stored="true" /> + <field name="extracted" type="string" indexed="true" stored="true" /> + <field name="extracted_cutoff" type="boolean" indexed="true" stored="true" /> + <field name="extracted_size" type="plong" indexed="true" stored="true" /> + + <!-- + * Known::CertInfo log support + * https://www.bro.org/sphinx/scripts/policy/protocols/ssl/known-certs.bro.html#type-Known::CertsInfo + * + * Notable Fields + * Field: host + * Notes: Field exists in the HTTP, KnownCerts, and Software logs + * + * Field: subject + * Notes: Field exists in the KnownCerts, SMTP, SIP, and SSL logs + --> + <field name="port_num" type="pint" indexed="true" stored="true" /> + <field name="subject" type="string" indexed="true" stored="true" /> + <field name="issuer_subject" type="string" indexed="true" stored="true" /> + <field name="serial" type="string" indexed="true" stored="true" /> + + <!-- + * SMTP log support + * https://www.bro.org/sphinx/scripts/base/protocols/smtp/main.bro.html#type-SMTP::Info + * + * Notable Fields + * Field: trans_depth + * Notes: Field exists in the HTTP, SMTP, and SIP logs + * + * Field: date + * Notes: Field exists in the SMTP and SIP logs + * + * Field: subject + * Notes: Field exists in the KnownCerts, SMTP, SIP, and SSL logs + * + * Field: reply_to + * Notes: Field exists in the SMTP and SIP logs + * + * Field: user_agent + * Notes: Field exists in the HTTP, SMTP, and SIP logs + --> + <field name="helo" type="string" indexed="true" stored="true" /> + <field name="mailfrom" type="string" indexed="true" stored="true" /> + <field name="rcptto" type="string" indexed="true" stored="true" /> + <field name="date" type="string" indexed="true" stored="true" /> + <field name="from" type="string" indexed="true" stored="true" /> + <field name="to" type="string" indexed="true" stored="true" /> + <field name="cc" type="string" indexed="true" stored="true" /> + <field name="reply_to" type="string" indexed="true" stored="true" /> + <field name="msg_id" type="string" indexed="true" stored="true" /> + <field name="in_reply_to" type="string" indexed="true" stored="true" /> + <field name="x_originating_ip" type="ip" indexed="true" stored="true" /> + <field name="first_received" type="string" indexed="true" stored="true" /> + <field name="second_received" type="string" indexed="true" stored="true" /> + <field name="last_reply" type="string" indexed="true" stored="true" /> + <field name="path" type="string" indexed="true" stored="true" /> + <field name="tls" type="boolean" indexed="true" stored="true" /> + <field name="fuids" type="string" indexed="true" stored="true" /> + <field name="is_webmail" type="boolean" indexed="true" stored="true" /> + + <!-- + * SSL log support + * https://www.bro.org/sphinx/scripts/base/protocols/ssl/main.bro.html#type-SSL::Info + * + * Notable Fields + * Field: version + * Notes: Field exists in the HTTP, SSL, and SSH logs + * + * Field: subject + * Notes: Field exists in the KnownCerts, SMTP, SIP, and SSL logs + --> + <field name="cipher" type="string" indexed="true" stored="true" /> + <field name="curve" type="string" indexed="true" stored="true" /> + <field name="server_name" type="string" indexed="true" stored="true" /> + <field name="resumed" type="boolean" indexed="true" stored="true" /> + <field name="server_appdata" type="string" indexed="true" stored="true" /> + <field name="client_appdata" type="boolean" indexed="true" stored="true" /> + <field name="last_alert" type="string" indexed="true" stored="true" /> + <field name="next_protocol" type="string" indexed="true" stored="true" /> + <field name="established" type="boolean" indexed="true" stored="true" /> + <field name="cert_chain_fuids" type="string" indexed="true" stored="true" /> + <field name="client_cert_chain_fuids" type="string" indexed="true" stored="true" /> + <field name="issuer" type="string" indexed="true" stored="true" /> + <field name="client_subject" type="string" indexed="true" stored="true" /> + <field name="client_issuer" type="string" indexed="true" stored="true" /> + <field name="validation_status" type="string" indexed="true" stored="true" /> + <!-- + * Weird log support + * https://www.bro.org/sphinx/scripts/base/frameworks/notice/weird.bro.html#type-Weird::Info + * + * Notable Fields + * Field: peer + * Notes: Field exists in the Weird, CaptureLoss, and Stats logs + * + * Field: name + * Notes: Field exists in the Weird and LoadedScripts logs + --> + <field name="name" type="string" indexed="true" stored="true" /> + <field name="addl" type="string" indexed="true" stored="true" /> + <field name="notice" type="boolean" indexed="true" stored="true" /> + <field name="peer" type="string" indexed="true" stored="true" /> + + <!-- + * Notice log support + * https://www.bro.org/sphinx/scripts/base/frameworks/notice/main.bro.html#type-Notice::Info + * + * Notable Fields + * Field: fuid + * Notes: Field exists in the FTP, Files, and Notice logs + * + * Field: proto + * Notes: Field exists in the DNS, Conn, DPD, and Notice logs + * + * Field: remote_location:country_code + * Notes: Field exists in the Notice and SSH logs + * + * Field: remote_location:region + * Notes: Field exists in the Notice and SSH logs + * + * Field: remote_location:city + * Notes: Field exists in the Notice and SSH logs + * + * Field: remote_location:latitude + * Notes: Field exists in the Notice and SSH logs + * + * Field: remote_location:longitude + * Notes: Field exists in the Notice and SSH logs + --> + <field name="file_mime_type" type="string" indexed="true" stored="true" /> + <field name="file_desc" type="string" indexed="true" stored="true" /> + <field name="note" type="string" indexed="true" stored="true" /> + <field name="msg" type="string" indexed="true" stored="true" /> + <field name="sub" type="string" indexed="true" stored="true" /> + <field name="src" type="ip" indexed="true" stored="true" /> + <field name="dst" type="ip" indexed="true" stored="true" /> + <field name="p" type="pint" indexed="true" stored="true" /> + <field name="n" type="pint" indexed="true" stored="true" /> + <field name="src_peer" type="ip" indexed="true" stored="true" /> + <field name="peer_descr" type="string" indexed="true" stored="true" /> + <field name="actions" type="string" indexed="true" stored="true" /> + <field name="suppress_for" type="pdouble" indexed="true" stored="true" /> + <field name="dropped" type="boolean" indexed="true" stored="true" /> + <field name="remote_location.country_code" type="string" indexed="true" stored="true" /> + <field name="remote_location.region" type="string" indexed="true" stored="true" /> + <field name="remote_location.city" type="string" indexed="true" stored="true" /> + <field name="remote_location.latitude" type="pdouble" indexed="true" stored="true" /> + <field name="remote_location.longitude" type="pdouble" indexed="true" stored="true" /> + + <!-- + * DHCP log support + * https://www.bro.org/sphinx/scripts/base/protocols/dhcp/main.bro.html#type-DHCP::Info + * + * Notable Fields + * Field: mac + * Notes: Field exists in the DHCP, RADIUS, and KnownDevices logs + * + * Field: trans_id + * Notes: Field exists in the DNS and DHCP logs + --> + <field name="mac" type="string" indexed="true" stored="true" /> + <field name="assigned_ip" type="ip" indexed="true" stored="true" /> + <field name="lease_time" type="pfloat" indexed="true" stored="true" /> + <!-- + * SSH log support + * https://www.bro.org/sphinx/scripts/base/protocols/ssh/main.bro.html#type-SSH::Info + * + * Notable Fields + * Field: version + * Notes: Field exists in the HTTP, SSL, and SSH logs + * + * Field: remote_location:country_code + * Notes: Field exists in the Notice and SSH logs + * + * Field: remote_location:region + * Notes: Field exists in the Notice and SSH logs + * + * Field: remote_location:city + * Notes: Field exists in the Notice and SSH logs + * + * Field: remote_location:latitude + * Notes: Field exists in the Notice and SSH logs + * + * Field: remote_location:longitude + * Notes: Field exists in the Notice and SSH logs + --> + <field name="auth_success" type="boolean" indexed="true" stored="true" /> + <field name="auth_attempts" type="pint" indexed="true" stored="true" /> + <field name="direction" type="string" indexed="true" stored="true" /> + <field name="client" type="string" indexed="true" stored="true" /> + <field name="server" type="string" indexed="true" stored="true" /> + <field name="cipher_alg" type="string" indexed="true" stored="true" /> + <field name="mac_alg" type="string" indexed="true" stored="true" /> + <field name="compression_alg" type="string" indexed="true" stored="true" /> + <field name="kex_alg" type="string" indexed="true" stored="true" /> + <field name="host_key_alg" type="string" indexed="true" stored="true" /> + <field name="host_key" type="string" indexed="true" stored="true" /> + + <!-- + * Software log support + * https://www.bro.org/sphinx/scripts/base/frameworks/software/main.bro.html#type-Software::Info + * + * Notable Fields + * Field: host + * Notes: Field exists in the HTTP, KnownCerts, and Software logs + --> + <field name="host_p" type="pint" indexed="true" stored="true" /> + <field name="software_type" type="string" indexed="true" stored="true" /> + <field name="version.major" type="string" indexed="true" stored="true" /> + <field name="version.minor" type="string" indexed="true" stored="true" /> + <field name="version.minor2" type="string" indexed="true" stored="true" /> + <field name="version.minor3" type="string" indexed="true" stored="true" /> + <field name="version.addl" type="string" indexed="true" stored="true" /> + <field name="unparsed_version" type="string" indexed="true" stored="true" /> + + <!-- + * RADIUS log support + * https://www.bro.org/sphinx/scripts/base/protocols/radius/main.bro.html#type-RADIUS::Info + * + * Notable Fields + * Field: username + * Notes: Field exists in the HTTP and RADIUS logs + * + * Field: mac + * Notes: Field exists in the DHCP, RADIUS, and KnownDevices logs + * + * Field: ttl + * Notes: This field uses the "interval" type, which may need handled differently. + * https://www.bro.org/sphinx-git/script-reference/types.html#type-interval + --> + <field name="framed_addr" type="ip" indexed="true" stored="true" /> + <field name="remote_ip" type="ip" indexed="true" stored="true" /> + <field name="connect_info" type="string" indexed="true" stored="true" /> + <field name="result" type="string" indexed="true" stored="true" /> + <field name="ttl" type="string" indexed="true" stored="true" /> + + <!-- + * X509 log support + * https://www.bro.org/sphinx/scripts/base/files/x509/main.bro.html#type-X509::Info + * + * Notable Fields + * Field: id + * Notes: In other bro records, the id field is of type conn_id, so it is + * expanded before being logged into 4 fields, all of which are addressed + * under the "Widely-used Bro fields" section of this template. In X509 + * logs, however, id is a keyword to identify the certificate file id. + --> + <field name="id" type="string" indexed="true" stored="true" /> + <field name="certificate.version" type="pint" indexed="true" stored="true" /> + <field name="certificate.serial" type="string" indexed="true" stored="true" /> + <field name="certificate.subject" type="string" indexed="true" stored="true" /> + <field name="certificate.issuer" type="string" indexed="true" stored="true" /> + <field name="certificate.not_valid_before" type="string" indexed="true" stored="true" /> + <field name="certificate.not_valid_after" type="string" indexed="true" stored="true" /> + <field name="certificate.key_alg" type="string" indexed="true" stored="true" /> + <field name="certificate.sig_alg" type="string" indexed="true" stored="true" /> + <field name="certificate.key_type" type="string" indexed="true" stored="true" /> + <field name="certificate.key_length" type="pint" indexed="true" stored="true" /> + <field name="certificate.exponent" type="string" indexed="true" stored="true" /> + <field name="certificate.curve" type="string" indexed="true" stored="true" /> + <field name="san.dns" type="string" indexed="true" stored="true" /> + <field name="san.uri" type="string" indexed="true" stored="true" /> + <field name="san.email" type="string" indexed="true" stored="true" /> + <field name="san.ip" type="string" indexed="true" stored="true" /> + <field name="basic_constraints.ca" type="boolean" indexed="true" stored="true" /> + <field name="basic_constraints.path_len" type="pint" indexed="true" stored="true" /> + + <!-- + * Known::DevicesInfo log support + * https://www.bro.org/sphinx/scripts/policy/misc/known-devices.bro.html#type-Known::DevicesInfo + * + * Notable Fields + * Field: mac + * Notes: Field exists in the DHCP, RADIUS, and KnownDevices logs + --> + <field name="dhcp_host_name" type="string" indexed="true" stored="true" /> + <!-- + * RFB::Info log support + * https://www.bro.org/sphinx-git/scripts/base/protocols/rfb/main.bro.html#type-RFB::Info + --> + <field name="client_major_version" type="string" indexed="true" stored="true" /> + <field name="client_minor_version" type="string" indexed="true" stored="true" /> + <field name="server_major_version" type="string" indexed="true" stored="true" /> + <field name="server_minor_version" type="string" indexed="true" stored="true" /> + <field name="authentication_method" type="string" indexed="true" stored="true" /> + <field name="auth" type="boolean" indexed="true" stored="true" /> + <field name="share_flag" type="boolean" indexed="true" stored="true" /> + <field name="desktop_name" type="string" indexed="true" stored="true" /> + <field name="width" type="pint" indexed="true" stored="true" /> + <field name="height" type="pint" indexed="true" stored="true" /> + + <!-- + * Stats::Info log support + * https://www.bro.org/sphinx/scripts/policy/misc/stats.bro.html#type-Stats::Info + * + * Notable Fields + * Field: peer + * Notes: Field exists in the Weird, CaptureLoss, and Stats logs + * + * Field: pkt_lag + * Notes: This field uses the "interval" type, which may need handled differently. + * https://www.bro.org/sphinx-git/script-reference/types.html#type-interval + --> + <field name="mem" type="pint" indexed="true" stored="true" /> + <field name="pkts_proc" type="pint" indexed="true" stored="true" /> + <field name="bytes_recv" type="pint" indexed="true" stored="true" /> + <field name="pkts_dropped" type="pint" indexed="true" stored="true" /> + <field name="pkts_link" type="pint" indexed="true" stored="true" /> + <field name="pkt_lag" type="string" indexed="true" stored="true" /> + <field name="events_proc" type="pint" indexed="true" stored="true" /> + <field name="events_queued" type="pint" indexed="true" stored="true" /> + <field name="active_tcp_conns" type="pint" indexed="true" stored="true" /> + <field name="active_udp_conns" type="pint" indexed="true" stored="true" /> + <field name="active_icmp_conns" type="pint" indexed="true" stored="true" /> + <field name="tcp_conns" type="pint" indexed="true" stored="true" /> + <field name="udp_conns" type="pint" indexed="true" stored="true" /> + <field name="icmp_conns" type="pint" indexed="true" stored="true" /> + <field name="timers" type="pint" indexed="true" stored="true" /> + <field name="active_timers" type="pint" indexed="true" stored="true" /> + <field name="files" type="pint" indexed="true" stored="true" /> + <field name="active_files" type="pint" indexed="true" stored="true" /> + <field name="dns_requests" type="pint" indexed="true" stored="true" /> + <field name="active_dns_requests" type="pint" indexed="true" stored="true" /> + <field name="reassem_tcp_size" type="pint" indexed="true" stored="true" /> + <field name="reassem_file_size" type="pint" indexed="true" stored="true" /> + <field name="reassem_frag_size" type="pint" indexed="true" stored="true" /> + <field name="reassem_unknown_size" type="pint" indexed="true" stored="true" /> + + <!-- + * CaptureLoss::Info log support + * https://www.bro.org/sphinx/scripts/policy/misc/capture-loss.bro.html#type-CaptureLoss::Info + * + * Notable Fields + * Field: ts_delta + * Notes: This field uses the "interval" type, which may need handled differently. + * https://www.bro.org/sphinx-git/script-reference/types.html#type-interval + * + * Field: peer + * Notes: Field exists in the Weird, CaptureLoss, and Stats logs + --> + <field name="ts_delta" type="string" indexed="true" stored="true" /> + <field name="gaps" type="pint" indexed="true" stored="true" /> + <field name="acks" type="pint" indexed="true" stored="true" /> + <field name="percent_lost" type="pdouble" indexed="true" stored="true" /> + + <!-- + * Reporter::Info log support + * https://www.bro.org/sphinx/scripts/base/frameworks/reporter/main.bro.html#type-Reporter::Info + --> + <field name="level" type="string" indexed="true" stored="true" /> + <field name="message" type="string" indexed="true" stored="true" /> + <field name="location" type="string" indexed="true" stored="true" /> + + <!-- + * SIP::Info log support + * https://www.bro.org/sphinx/scripts/base/protocols/sip/main.bro.html#type-SIP::Info + * + * Notable Fields + * Field: trans_depth + * Notes: Field exists in the HTTP, SMTP, and SIP logs + * + * Field: method + * Notes: Field exists in the HTTP and SIP logs + * + * Field: uri + * Notes: Field exists in the HTTP and SIP logs + * + * Field: date + * Notes: Field exists in the SMTP and SIP logs + * + * Field: reply_to + * Notes: Field exists in the SMTP and SIP logs + * + * Field: subject + * Notes: Field exists in the KnownCerts, SMTP, SIP, and SSL logs + * + * Field: user_agent + * Notes: Field exists in the HTTP, SMTP, and SIP logs + * + * Field: status_code + * Notes: Field exists in the HTTP and SIP logs + * + * Field: status_msg + * Notes: Field exists in the HTTP and SIP logs + * + * Field: request_body_len + * Notes: Field exists in the HTTP and SIP logs + * + * Field: response_body_len + * Notes: Field exists in the HTTP and SIP logs + --> + <field name="request_from" type="string" indexed="true" stored="true" /> + <field name="request_to" type="string" indexed="true" stored="true" /> + <field name="response_from" type="string" indexed="true" stored="true" /> + <field name="response_to" type="string" indexed="true" stored="true" /> + <field name="call_id" type="string" indexed="true" stored="true" /> + <field name="seq" type="string" indexed="true" stored="true" /> + <field name="request_path" type="string" indexed="true" stored="true" /> + <field name="response_path" type="string" indexed="true" stored="true" /> + <field name="warning" type="string" indexed="true" stored="true" /> + <field name="content_type" type="string" indexed="true" stored="true" /> + + <!-- Geo Enrichment Fields --> + <dynamicField name="*.location_point" type="location" multiValued="false" docValues="false"/> + <dynamicField name="*.country" type="string" multiValued="false" docValues="true"/> + <dynamicField name="*.city" type="string" multiValued="false" docValues="true"/> + <dynamicField name="*.locID" type="string" multiValued="false" docValues="true"/> + <dynamicField name="*.dmaCode" type="string" multiValued="false" docValues="true"/> + <dynamicField name="*.postalCode" type="string" multiValued="false" docValues="true"/> + <dynamicField name="*.latitude" type="pfloat" multiValued="false" docValues="true"/> + <dynamicField name="*.longitude" type="pfloat" multiValued="false" docValues="true"/> + + <!-- Performance Debugging Fields --> + <dynamicField name="*.ts" type="timestamp" multiValued="false" docValues="true"/> + + <!-- Threat Intel Scoring Fields --> + <field name="is_alert" type="boolean" indexed="true" stored="true" /> + <dynamicField name="*score" type="pfloat" multiValued="false" docValues="true"/> + <dynamicField name="*.reason" type="string" multiValued="false" docValues="true"/> + <dynamicField name="*.name" type="string" multiValued="false" docValues="true"/> + + <!-- Catch all, if we don't know about it, it gets dropped. --> + <dynamicField name="*" type="ignored" multiValued="false" docValues="true"/> + + <!-- Type Definitions --> + <fieldType name="string" stored="true" indexed="true" multiValued="false" class="solr.StrField" sortMissingLast="true" docValues="false"/> + <fieldType name="boolean" stored="true" indexed="true" multiValued="false" class="solr.BoolField" sortMissingLast="true" docValues="false"/> + <fieldType name="pint" stored="true" indexed="true" multiValued="false" class="solr.TrieIntField" sortMissingLast="false" docValues="true"/> + <fieldType name="pfloat" stored="true" indexed="true" multiValued="false" class="solr.TrieFloatField" sortMissingLast="false" docValues="true"/> + <fieldType name="plong" stored="true" indexed="true" multiValued="false" class="solr.TrieLongField" sortMissingLast="false" docValues="true"/> + <fieldType name="pdouble" stored="true" indexed="true" multiValued="false" class="solr.TrieDoubleField" sortMissingLast="false" docValues="true"/> + <fieldType name="location" class="solr.LatLonType" subFieldSuffix="_coordinate"/> + <fieldType name="ip" stored="true" indexed="true" multiValued="false" class="solr.StrField" sortMissingLast="true" docValues="false"/> + <fieldType name="timestamp" stored="true" indexed="true" multiValued="false" class="solr.TrieLongField" sortMissingLast="false" docValues="true"/> + <fieldType name="ignored" stored="true" indexed="true" multiValued="true" class="solr.StrField" sortMissingLast="false" docValues="false"/> +</schema> http://git-wip-us.apache.org/repos/asf/metron/blob/a7a41a55/metron-platform/metron-solr/src/main/config/schema/error/managed-schema ---------------------------------------------------------------------- diff --git a/metron-platform/metron-solr/src/main/config/schema/error/managed-schema b/metron-platform/metron-solr/src/main/config/schema/error/managed-schema deleted file mode 100644 index 0ed9a38..0000000 --- a/metron-platform/metron-solr/src/main/config/schema/error/managed-schema +++ /dev/null @@ -1,58 +0,0 @@ -<?xml version="1.0" encoding="UTF-8" ?> -<!-- - Licensed to the Apache Software Foundation (ASF) under one or more - contributor license agreements. See the NOTICE file distributed with - this work for additional information regarding copyright ownership. - The ASF licenses this file to You under the Apache License, Version 2.0 - (the "License"); you may not use this file except in compliance with - the License. You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - - Unless required by applicable law or agreed to in writing, software - distributed under the License is distributed on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - See the License for the specific language governing permissions and - limitations under the License. ---> -<schema name="error_doc" version="1.6"> - <field name="_version_" type="plong" indexed="false" stored="false"/> - <field name="_root_" type="string" indexed="true" stored="false" docValues="false" /> - - <!-- The Exception Details--> - <field name="exception" type="string" indexed="true" stored="true" /> - <field name="hostname" type="string" indexed="true" stored="true" /> - <field name="stack" type="string" indexed="true" stored="true" /> - - <!-- The timestamp of when it happened --> - <field name="timestamp" type="timestamp" indexed="true" stored="true" /> - - <!-- The message in string form (this may be garbage if the message is a bytes rather than text --> - <field name="message" type="string" indexed="true" stored="true" /> - <field name="raw_message" type="string" indexed="true" stored="true" /> - <field name="raw_message_bytes" type="bytes" indexed="true" stored="true" /> - <field name="error_fields" type="string" indexed="true" stored="true" /> - <field name="error_hash" type="string" indexed="true" stored="true" /> - <field name="failed_sensor_type" type="string" indexed="true" stored="true" /> - <field name="error_type" type="string" indexed="true" stored="true" /> - - <!-- The GUID for the error --> - <field name="guid" type="string" indexed="true" stored="true" required="true" multiValued="false" /> - <uniqueKey>guid</uniqueKey> - - <!-- Catch all, if we don't know about it, it gets dropped. --> - <dynamicField name="*" type="ignored" multiValued="false" docValues="true"/> - - - <fieldType name="string" stored="true" indexed="true" multiValued="false" class="solr.StrField" sortMissingLast="true" docValues="false"/> - <fieldType name="boolean" stored="true" indexed="true" multiValued="false" class="solr.BoolField" sortMissingLast="true" docValues="false"/> - <fieldType name="pint" stored="true" indexed="true" multiValued="false" class="solr.IntPointField" sortMissingLast="false" docValues="true"/> - <fieldType name="pfloat" stored="true" indexed="true" multiValued="false" class="solr.FloatPointField" sortMissingLast="false" docValues="true"/> - <fieldType name="plong" stored="true" indexed="true" multiValued="false" class="solr.LongPointField" sortMissingLast="false" docValues="true"/> - <fieldType name="pdouble" stored="true" indexed="true" multiValued="false" class="solr.DoublePointField" sortMissingLast="false" docValues="true"/> - <fieldType name="bytes" stored="true" indexed="true" multiValued="false" class="solr.BinaryField" sortMissingLast="false"/> - <fieldType name="location" stored="true" indexed="true" multiValued="false" class="solr.LatLonPointSpatialField" sortMissingLast="false" docValues="true"/> - <fieldType name="ip" stored="true" indexed="true" multiValued="false" class="solr.StrField" sortMissingLast="true" docValues="false"/> - <fieldType name="timestamp" stored="true" indexed="true" multiValued="false" class="solr.LongPointField" sortMissingLast="false" docValues="true"/> - <fieldType name="ignored" stored="true" indexed="true" multiValued="true" class="solr.StrField" sortMissingLast="false" docValues="false"/> -</schema> http://git-wip-us.apache.org/repos/asf/metron/blob/a7a41a55/metron-platform/metron-solr/src/main/config/schema/error/schema.xml ---------------------------------------------------------------------- diff --git a/metron-platform/metron-solr/src/main/config/schema/error/schema.xml b/metron-platform/metron-solr/src/main/config/schema/error/schema.xml new file mode 100644 index 0000000..5f9f9a3 --- /dev/null +++ b/metron-platform/metron-solr/src/main/config/schema/error/schema.xml @@ -0,0 +1,58 @@ +<?xml version="1.0" encoding="UTF-8" ?> +<!-- + Licensed to the Apache Software Foundation (ASF) under one or more + contributor license agreements. See the NOTICE file distributed with + this work for additional information regarding copyright ownership. + The ASF licenses this file to You under the Apache License, Version 2.0 + (the "License"); you may not use this file except in compliance with + the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. +--> +<schema name="error_doc" version="1.6"> + <field name="_version_" type="plong" indexed="true" stored="true"/> + <field name="_root_" type="string" indexed="true" stored="false" docValues="false" /> + + <!-- The Exception Details--> + <field name="exception" type="string" indexed="true" stored="true" /> + <field name="hostname" type="string" indexed="true" stored="true" /> + <field name="stack" type="string" indexed="true" stored="true" /> + + <!-- The timestamp of when it happened --> + <field name="timestamp" type="timestamp" indexed="true" stored="true" /> + + <!-- The message in string form (this may be garbage if the message is a bytes rather than text --> + <field name="message" type="string" indexed="true" stored="true" /> + <field name="raw_message" type="string" indexed="false" stored="true" /> + <field name="raw_message_bytes" type="bytes" indexed="false" stored="true" /> + <field name="error_fields" type="string" indexed="true" stored="true" /> + <field name="error_hash" type="string" indexed="true" stored="true" /> + <field name="failed_sensor_type" type="string" indexed="true" stored="true" /> + <field name="error_type" type="string" indexed="true" stored="true" /> + + <!-- The GUID for the error --> + <field name="guid" type="string" indexed="true" stored="true" required="true" multiValued="false" /> + <uniqueKey>guid</uniqueKey> + + <!-- Catch all, if we don't know about it, it gets dropped. --> + <dynamicField name="*" type="ignored" multiValued="false" docValues="true"/> + + + <fieldType name="string" stored="true" indexed="true" multiValued="false" class="solr.StrField" sortMissingLast="true" docValues="false"/> + <fieldType name="boolean" stored="true" indexed="true" multiValued="false" class="solr.BoolField" sortMissingLast="true" docValues="false"/> + <fieldType name="pint" stored="true" indexed="true" multiValued="false" class="solr.TrieIntField" sortMissingLast="false" docValues="true"/> + <fieldType name="pfloat" stored="true" indexed="true" multiValued="false" class="solr.TrieFloatField" sortMissingLast="false" docValues="true"/> + <fieldType name="plong" stored="true" indexed="true" multiValued="false" class="solr.TrieLongField" sortMissingLast="false" docValues="true"/> + <fieldType name="pdouble" stored="true" indexed="true" multiValued="false" class="solr.TrieDoubleField" sortMissingLast="false" docValues="true"/> + <fieldType name="bytes" stored="true" indexed="true" multiValued="false" class="solr.BinaryField" sortMissingLast="false"/> + <fieldType name="location" class="solr.LatLonType" subFieldSuffix="_coordinate"/> + <fieldType name="ip" stored="true" indexed="true" multiValued="false" class="solr.StrField" sortMissingLast="true" docValues="false"/> + <fieldType name="timestamp" stored="true" indexed="true" multiValued="false" class="solr.TrieLongField" sortMissingLast="false" docValues="true"/> + <fieldType name="ignored" stored="true" indexed="true" multiValued="true" class="solr.StrField" sortMissingLast="false" docValues="false"/> +</schema>
