http://git-wip-us.apache.org/repos/asf/metron/blob/a7a41a55/metron-platform/metron-solr/src/main/config/schema/metaalert/managed-schema
----------------------------------------------------------------------
diff --git a/metron-platform/metron-solr/src/main/config/schema/metaalert/managed-schema b/metron-platform/metron-solr/src/main/config/schema/metaalert/managed-schema
deleted file mode 100644
index 2138a92..0000000
--- a/metron-platform/metron-solr/src/main/config/schema/metaalert/managed-schema
+++ /dev/null
@@ -1,41 +0,0 @@
-<?xml version="1.0" encoding="UTF-8" ?>
-<!--
- Licensed to the Apache Software Foundation (ASF) under one or more
- contributor license agreements. See the NOTICE file distributed with
- this work for additional information regarding copyright ownership.
- The ASF licenses this file to You under the Apache License, Version 2.0
- (the "License"); you may not use this file except in compliance with
- the License. You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
- Unless required by applicable law or agreed to in writing, software
- distributed under the License is distributed on an "AS IS" BASIS,
- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- See the License for the specific language governing permissions and
- limitations under the License.
--->
-<schema name="metaalert_doc" version="1.6">
- <field name="_version_" type="plong" indexed="false" stored="false"/>
- <field name="_root_" type="string" indexed="true" stored="false" docValues="false" />
- <field name="guid" type="string" indexed="true" stored="true" required="true" multiValued="false" />
- <field name="score" type="string" indexed="true" stored="true" />
- <field name="status" type="string" indexed="true" stored="true" />
- <field name="timestamp" type="timestamp" indexed="true" stored="true" />
- <field name="source.type" type="string" indexed="true" stored="true" />
- <dynamicField name="alert.*" type="string" multiValued="false" docValues="true"/>
- <dynamicField name="*score" type="pfloat" multiValued="false" docValues="true"/>
- <dynamicField name="*" type="ignored" multiValued="false" docValues="true"/>
- <uniqueKey>guid</uniqueKey>
- <fieldType name="string" stored="true" indexed="true" multiValued="false" class="solr.StrField" sortMissingLast="true" docValues="false"/>
- <fieldType name="boolean" stored="true" indexed="true" multiValued="false" class="solr.BoolField" sortMissingLast="true" docValues="false"/>
- <fieldType name="pint" stored="true" indexed="true" multiValued="false" class="solr.IntPointField" sortMissingLast="false" docValues="true"/>
- <fieldType name="pfloat" stored="true" indexed="true" multiValued="false" class="solr.FloatPointField" sortMissingLast="false" docValues="true"/>
- <fieldType name="plong" stored="true" indexed="true" multiValued="false" class="solr.LongPointField" sortMissingLast="false" docValues="true"/>
- <fieldType name="pdouble" stored="true" indexed="true" multiValued="false" class="solr.DoublePointField" sortMissingLast="false" docValues="true"/>
- <fieldType name="bytes" stored="true" indexed="true" multiValued="false" class="solr.BinaryField" sortMissingLast="false" docValues="true"/>
- <fieldType name="location" stored="true" indexed="true" multiValued="false" class="solr.LatLonPointSpatialField" sortMissingLast="false" docValues="true"/>
- <fieldType name="ip" stored="true" indexed="true" multiValued="false" class="solr.StrField" sortMissingLast="true" docValues="false"/>
- <fieldType name="timestamp" stored="true" indexed="true" multiValued="false" class="solr.LongPointField" sortMissingLast="false" docValues="true"/>
- <fieldType name="ignored" stored="true" indexed="true" multiValued="true" class="solr.StrField" sortMissingLast="false" docValues="false"/>
-</schema>
http://git-wip-us.apache.org/repos/asf/metron/blob/a7a41a55/metron-platform/metron-solr/src/main/config/schema/metaalert/schema.xml
----------------------------------------------------------------------
diff --git a/metron-platform/metron-solr/src/main/config/schema/metaalert/schema.xml b/metron-platform/metron-solr/src/main/config/schema/metaalert/schema.xml
new file mode 100644
index 0000000..e36c71e
--- /dev/null
+++ b/metron-platform/metron-solr/src/main/config/schema/metaalert/schema.xml
@@ -0,0 +1,41 @@
+<?xml version="1.0" encoding="UTF-8" ?>
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+<schema name="metaalert_doc" version="1.6">
+ <field name="_version_" type="plong" indexed="true" stored="true"/>
+ <field name="_root_" type="string" indexed="true" stored="false" docValues="false" />
+ <field name="guid" type="string" indexed="true" stored="true" required="true" multiValued="false" />
+ <field name="score" type="string" indexed="true" stored="true" />
+ <field name="status" type="string" indexed="true" stored="true" />
+ <field name="timestamp" type="timestamp" indexed="true" stored="true" />
+ <field name="source.type" type="string" indexed="true" stored="true" />
+ <dynamicField name="alert.*" type="string" multiValued="false" docValues="true"/>
+ <dynamicField name="*score" type="pfloat" multiValued="false" docValues="true"/>
+ <dynamicField name="*" type="ignored" multiValued="false" docValues="true"/>
+ <uniqueKey>guid</uniqueKey>
+ <fieldType name="string" stored="true" indexed="true" multiValued="false" class="solr.StrField" sortMissingLast="true" docValues="false"/>
+ <fieldType name="boolean" stored="true" indexed="true" multiValued="false" class="solr.BoolField" sortMissingLast="true" docValues="false"/>
+ <fieldType name="pint" stored="true" indexed="true" multiValued="false" class="solr.TrieIntField" sortMissingLast="false" docValues="true"/>
+ <fieldType name="pfloat" stored="true" indexed="true" multiValued="false" class="solr.TrieFloatField" sortMissingLast="false" docValues="true"/>
+ <fieldType name="plong" stored="true" indexed="true" multiValued="false" class="solr.TrieLongField" sortMissingLast="false" docValues="true"/>
+ <fieldType name="pdouble" stored="true" indexed="true" multiValued="false" class="solr.TrieDoubleField" sortMissingLast="false" docValues="true"/>
+ <fieldType name="bytes" stored="true" indexed="true" multiValued="false" class="solr.BinaryField" sortMissingLast="false" docValues="true"/>
+ <fieldType name="location" class="solr.LatLonType" subFieldSuffix="_coordinate"/>
+ <fieldType name="ip" stored="true" indexed="true" multiValued="false" class="solr.StrField" sortMissingLast="true" docValues="false"/>
+ <fieldType name="timestamp" stored="true" indexed="true" multiValued="false" class="solr.TrieLongField" sortMissingLast="false" docValues="true"/>
+ <fieldType name="ignored" stored="true" indexed="true" multiValued="true" class="solr.StrField" sortMissingLast="false" docValues="false"/>
+</schema>
http://git-wip-us.apache.org/repos/asf/metron/blob/a7a41a55/metron-platform/metron-solr/src/main/config/schema/snort/managed-schema
----------------------------------------------------------------------
diff --git a/metron-platform/metron-solr/src/main/config/schema/snort/managed-schema b/metron-platform/metron-solr/src/main/config/schema/snort/managed-schema
deleted file mode 100644
index 2cdf3ab..0000000
--- a/metron-platform/metron-solr/src/main/config/schema/snort/managed-schema
+++ /dev/null
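Review bot: In the new metaalert schema.xml the `score` field is declared `type="string"` while the `*score` dynamicField directly below it is `pfloat`, so the metaalert's own score sorts and range-filters lexicographically rather than numerically; presumably the string type was carried over from the deleted managed-schema rather than chosen, so confirm against how callers query it. If numeric ordering is intended the declaration would become `<field name="score" type="pfloat" indexed="true" stored="true" />`. The `location` fieldType is also redefined here as `solr.LatLonType` with `subFieldSuffix="_coordinate"` without any `*_coordinate` dynamicField; no field in this file uses `location`, so that gap is latent here but real in the snort and yaf schema.xml hunks.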
@@ -1,86 +0,0 @@
-<?xml version="1.0" encoding="UTF-8" ?>
-<!--
- Licensed to the Apache Software Foundation (ASF) under one or more
- contributor license agreements. See the NOTICE file distributed with
- this work for additional information regarding copyright ownership.
- The ASF licenses this file to You under the Apache License, Version 2.0
- (the "License"); you may not use this file except in compliance with
- the License. You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
- Unless required by applicable law or agreed to in writing, software
- distributed under the License is distributed on an "AS IS" BASIS,
- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- See the License for the specific language governing permissions and
- limitations under the License.
--->
-<schema name="snort_doc" version="1.6">
- <field name="_version_" type="plong" indexed="false" stored="false"/>
- <field name="_root_" type="string" indexed="true" stored="false" docValues="false" />
-
- <!-- Metron specific fields -->
- <field name="timestamp" type="timestamp" indexed="true" stored="true" />
- <field name="source.type" type="string" indexed="true" stored="true" />
- <field name="guid" type="string" indexed="true" stored="true" required="true" multiValued="false" />
- <uniqueKey>guid</uniqueKey>
-
- <!-- Source/Destination information -->
- <field name="ip_dst_addr" type="ip" indexed="true" stored="true" />
- <field name="ip_dst_port" type="pint" indexed="true" stored="true" />
- <field name="ip_src_addr" type="ip" indexed="true" stored="true" />
- <field name="ip_src_port" type="pint" indexed="true" stored="true" />
-
- <!-- Snort specific fields -->
- <field name="dgmlen" type="pint" indexed="true" stored="true" />
- <field name="ethdst" type="string" indexed="true" stored="true" />
- <field name="ethlen" type="string" indexed="true" stored="true" />
- <field name="ethsrc" type="string" indexed="true" stored="true" />
- <field name="id" type="pint" indexed="true" stored="true" />
- <field name="iplen" type="pint" indexed="true" stored="true" />
- <field name="msg" type="string" indexed="true" stored="true" />
- <field name="protocol" type="string" indexed="true" stored="true" />
- <field name="sig_generator" type="string" indexed="true" stored="true" />
- <field name="sig_id" type="pint" indexed="true" stored="true" />
- <field name="sig_rev" type="string" indexed="true" stored="true" />
- <field name="tcpack" type="string" indexed="true" stored="true" />
- <field name="tcpflags" type="string" indexed="true" stored="true" />
- <field name="tcpseq" type="string" indexed="true" stored="true" />
- <field name="tcpwindow" type="string" indexed="true" stored="true" />
- <field name="tos" type="pint" indexed="true" stored="true" />
- <field name="ttl" type="pint" indexed="true" stored="true" />
-
- <!-- Geo Enrichment Fields -->
- <dynamicField name="*.location_point" type="location" multiValued="false" docValues="true"/>
- <dynamicField name="*.country" type="string" multiValued="false" docValues="true"/>
- <dynamicField name="*.city" type="string" multiValued="false" docValues="true"/>
- <dynamicField name="*.locID" type="string" multiValued="false" docValues="true"/>
- <dynamicField name="*.dmaCode" type="string" multiValued="false" docValues="true"/>
- <dynamicField name="*.postalCode" type="string" multiValued="false" docValues="true"/>
- <dynamicField name="*.latitude" type="pfloat" multiValued="false" docValues="true"/>
- <dynamicField name="*.longitude" type="pfloat" multiValued="false" docValues="true"/>
-
- <!-- Performance Debugging Fields -->
- <dynamicField name="*.ts" type="timestamp" multiValued="false" docValues="true"/>
-
- <!-- Threat Intel Scoring Fields -->
- <field name="is_alert" type="boolean" indexed="true" stored="true" />
- <dynamicField name="*score" type="pfloat" multiValued="false" docValues="true"/>
- <dynamicField name="*.reason" type="string" multiValued="false" docValues="true"/>
- <dynamicField name="*.name" type="string" multiValued="false" docValues="true"/>
-
- <!-- Catch all, if we don't know about it, it gets dropped. -->
- <dynamicField name="*" type="ignored" multiValued="false" docValues="true"/>
-
- <!-- Type Definitions -->
- <fieldType name="string" stored="true" indexed="true" multiValued="false" class="solr.StrField" sortMissingLast="true" docValues="false"/>
- <fieldType name="boolean" stored="true" indexed="true" multiValued="false" class="solr.BoolField" sortMissingLast="true" docValues="false"/>
- <fieldType name="pint" stored="true" indexed="true" multiValued="false" class="solr.IntPointField" sortMissingLast="false" docValues="true"/>
- <fieldType name="pfloat" stored="true" indexed="true" multiValued="false" class="solr.FloatPointField" sortMissingLast="false" docValues="true"/>
- <fieldType name="plong" stored="true" indexed="true" multiValued="false" class="solr.LongPointField" sortMissingLast="false" docValues="true"/>
- <fieldType name="pdouble" stored="true" indexed="true" multiValued="false" class="solr.DoublePointField" sortMissingLast="false" docValues="true"/>
- <fieldType name="location" stored="true" indexed="true" multiValued="false" class="solr.LatLonPointSpatialField" sortMissingLast="false" docValues="true"/>
- <fieldType name="ip" stored="true" indexed="true" multiValued="false" class="solr.StrField" sortMissingLast="true" docValues="false"/>
- <fieldType name="timestamp" stored="true" indexed="true" multiValued="false" class="solr.LongPointField" sortMissingLast="false" docValues="true"/>
- <fieldType name="ignored" stored="true" indexed="true" multiValued="true" class="solr.StrField" sortMissingLast="false" docValues="false"/>
-</schema>
http://git-wip-us.apache.org/repos/asf/metron/blob/a7a41a55/metron-platform/metron-solr/src/main/config/schema/snort/schema.xml
----------------------------------------------------------------------
diff --git a/metron-platform/metron-solr/src/main/config/schema/snort/schema.xml b/metron-platform/metron-solr/src/main/config/schema/snort/schema.xml
new file mode 100644
index 0000000..ae13b8d
--- /dev/null
+++ b/metron-platform/metron-solr/src/main/config/schema/snort/schema.xml
@@ -0,0 +1,86 @@
+<?xml version="1.0" encoding="UTF-8" ?>
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+<schema name="snort_doc" version="1.6">
+ <field name="_version_" type="plong" indexed="true" stored="true"/>
+ <field name="_root_" type="string" indexed="true" stored="false" docValues="false" />
+
+ <!-- Metron specific fields -->
+ <field name="timestamp" type="timestamp" indexed="true" stored="true" />
+ <field name="source.type" type="string" indexed="true" stored="true" />
+ <field name="guid" type="string" indexed="true" stored="true" required="true" multiValued="false" />
+ <uniqueKey>guid</uniqueKey>
+
+ <!-- Source/Destination information -->
+ <field name="ip_dst_addr" type="ip" indexed="true" stored="true" />
+ <field name="ip_dst_port" type="pint" indexed="true" stored="true" />
+ <field name="ip_src_addr" type="ip" indexed="true" stored="true" />
+ <field name="ip_src_port" type="pint" indexed="true" stored="true" />
+
+ <!-- Snort specific fields -->
+ <field name="dgmlen" type="pint" indexed="true" stored="true" />
+ <field name="ethdst" type="string" indexed="true" stored="true" />
+ <field name="ethlen" type="string" indexed="true" stored="true" />
+ <field name="ethsrc" type="string" indexed="true" stored="true" />
+ <field name="id" type="pint" indexed="true" stored="true" />
+ <field name="iplen" type="pint" indexed="true" stored="true" />
+ <field name="msg" type="string" indexed="true" stored="true" />
+ <field name="protocol" type="string" indexed="true" stored="true" />
+ <field name="sig_generator" type="string" indexed="true" stored="true" />
+ <field name="sig_id" type="pint" indexed="true" stored="true" />
+ <field name="sig_rev" type="string" indexed="true" stored="true" />
+ <field name="tcpack" type="string" indexed="true" stored="true" />
+ <field name="tcpflags" type="string" indexed="true" stored="true" />
+ <field name="tcpseq" type="string" indexed="true" stored="true" />
+ <field name="tcpwindow" type="string" indexed="true" stored="true" />
+ <field name="tos" type="pint" indexed="true" stored="true" />
+ <field name="ttl" type="pint" indexed="true" stored="true" />
+
+ <!-- Geo Enrichment Fields -->
+ <dynamicField name="*.location_point" type="location" multiValued="false" docValues="false"/>
+ <dynamicField name="*.country" type="string" multiValued="false" docValues="true"/>
+ <dynamicField name="*.city" type="string" multiValued="false" docValues="true"/>
+ <dynamicField name="*.locID" type="string" multiValued="false" docValues="true"/>
+ <dynamicField name="*.dmaCode" type="string" multiValued="false" docValues="true"/>
+ <dynamicField name="*.postalCode" type="string" multiValued="false" docValues="true"/>
+ <dynamicField name="*.latitude" type="pfloat" multiValued="false" docValues="true"/>
+ <dynamicField name="*.longitude" type="pfloat" multiValued="false" docValues="true"/>
+
+ <!-- Performance Debugging Fields -->
+ <dynamicField name="*.ts" type="timestamp" multiValued="false" docValues="true"/>
+
+ <!-- Threat Intel Scoring Fields -->
+ <field name="is_alert" type="boolean" indexed="true" stored="true" />
+ <dynamicField name="*score" type="pfloat" multiValued="false" docValues="true"/>
+ <dynamicField name="*.reason" type="string" multiValued="false" docValues="true"/>
+ <dynamicField name="*.name" type="string" multiValued="false" docValues="true"/>
+
+ <!-- Catch all, if we don't know about it, it gets dropped. -->
+ <dynamicField name="*" type="ignored" multiValued="false" docValues="true"/>
+
+ <!-- Type Definitions -->
+ <fieldType name="string" stored="true" indexed="true" multiValued="false" class="solr.StrField" sortMissingLast="true" docValues="false"/>
+ <fieldType name="boolean" stored="true" indexed="true" multiValued="false" class="solr.BoolField" sortMissingLast="true" docValues="false"/>
+ <fieldType name="pint" stored="true" indexed="true" multiValued="false" class="solr.TrieIntField" sortMissingLast="false" docValues="true"/>
+ <fieldType name="pfloat" stored="true" indexed="true" multiValued="false" class="solr.TrieFloatField" sortMissingLast="false" docValues="true"/>
+ <fieldType name="plong" stored="true" indexed="true" multiValued="false" class="solr.TrieLongField" sortMissingLast="false" docValues="true"/>
+ <fieldType name="pdouble" stored="true" indexed="true" multiValued="false" class="solr.TrieDoubleField" sortMissingLast="false" docValues="true"/>
+ <fieldType name="location" class="solr.LatLonType" subFieldSuffix="_coordinate"/>
+ <fieldType name="ip" stored="true" indexed="true" multiValued="false" class="solr.StrField" sortMissingLast="true" docValues="false"/>
+ <fieldType name="timestamp" stored="true" indexed="true" multiValued="false" class="solr.TrieLongField" sortMissingLast="false" docValues="true"/>
+ <fieldType name="ignored" stored="true" indexed="true" multiValued="true" class="solr.StrField" sortMissingLast="false" docValues="false"/>
+</schema>
http://git-wip-us.apache.org/repos/asf/metron/blob/a7a41a55/metron-platform/metron-solr/src/main/config/schema/yaf/managed-schema
----------------------------------------------------------------------
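Review bot: `*.location_point` now resolves to a `solr.LatLonType` with `subFieldSuffix="_coordinate"`, but the new snort schema.xml declares no `*_coordinate` dynamicField, so the `_0_coordinate`/`_1_coordinate` sub-fields that type writes would presumably fall through to the `*` catch-all and be typed as the string `ignored` type, which would make bounding-box and distance filtering on the point unreliable — confirm against the Solr version this targets. The usual pairing is `<dynamicField name="*_coordinate" type="pdouble" indexed="true" stored="false"/>` next to the other geo dynamicFields; the yaf schema.xml hunk has the same gap, and the metaalert hunk defines `location` the same way without using it. Separately, the comment `<!-- Catch all, if we don't know about it, it gets dropped. -->` does not match the `ignored` type at the bottom of the file, which is `stored="true" indexed="true"`: every unknown key a parser emits becomes an indexed, stored string field rather than being dropped, which also means nothing in the schema bounds field growth from untrusted event content. Either the comment should say so, e.g. `<!-- Catch all: unknown fields are indexed and stored as single-valued strings -->`, or the type should be `stored="false" indexed="false"` to match it; the yaf schema.xml hunk carries the same comment and type.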
diff --git a/metron-platform/metron-solr/src/main/config/schema/yaf/managed-schema b/metron-platform/metron-solr/src/main/config/schema/yaf/managed-schema
deleted file mode 100644
index edf80da..0000000
--- a/metron-platform/metron-solr/src/main/config/schema/yaf/managed-schema
+++ /dev/null
@@ -1,92 +0,0 @@
-<?xml version="1.0" encoding="UTF-8" ?>
-<!--
- Licensed to the Apache Software Foundation (ASF) under one or more
- contributor license agreements. See the NOTICE file distributed with
- this work for additional information regarding copyright ownership.
- The ASF licenses this file to You under the Apache License, Version 2.0
- (the "License"); you may not use this file except in compliance with
- the License. You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
- Unless required by applicable law or agreed to in writing, software
- distributed under the License is distributed on an "AS IS" BASIS,
- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- See the License for the specific language governing permissions and
- limitations under the License.
--->
-<schema name="yaf_doc" version="1.6">
- <field name="_version_" type="plong" indexed="false" stored="false"/>
- <field name="_root_" type="string" indexed="true" stored="false" docValues="false" />
-
- <!-- Metron specific fields -->
- <field name="timestamp" type="timestamp" indexed="true" stored="true" />
- <field name="source.type" type="string" indexed="true" stored="true" />
- <field name="guid" type="string" indexed="true" stored="true" required="true" multiValued="false" />
- <uniqueKey>guid</uniqueKey>
-
- <!-- Source/Destination information -->
- <field name="ip_dst_addr" type="ip" indexed="true" stored="true" />
- <field name="ip_dst_port" type="pint" indexed="true" stored="true" />
- <field name="ip_src_addr" type="ip" indexed="true" stored="true" />
- <field name="ip_src_port" type="pint" indexed="true" stored="true" />
-
- <!-- Yaf specific fields -->
- <field name="start_time" type="timestamp" indexed="true" stored="true" />
- <field name="end_time" type="timestamp" indexed="true" stored="true" />
- <field name="duration" type="pdouble" indexed="true" stored="true" />
- <field name="rtt" type="pdouble" indexed="true" stored="true" />
- <field name="proto" type="string" indexed="true" stored="true" />
- <field name="sip" type="string" indexed="true" stored="true" />
- <field name="sp" type="string" indexed="true" stored="true" />
- <field name="dip" type="string" indexed="true" stored="true" />
- <field name="dp" type="string" indexed="true" stored="true" />
- <field name="iflags" type="string" indexed="true" stored="true" />
- <field name="uflags" type="string" indexed="true" stored="true" />
- <field name="riflags" type="string" indexed="true" stored="true" />
- <field name="ruflags" type="string" indexed="true" stored="true" />
- <field name="isn" type="string" indexed="true" stored="true" />
- <field name="risn" type="string" indexed="true" stored="true" />
- <field name="tag" type="string" indexed="true" stored="true" />
- <field name="rtag" type="string" indexed="true" stored="true" />
- <field name="pkt" type="pint" indexed="true" stored="true" />
- <field name="oct" type="pint" indexed="true" stored="true" />
- <field name="rpkt" type="pint" indexed="true" stored="true" />
- <field name="roct" type="pint" indexed="true" stored="true" />
- <field name="app" type="string" indexed="true" stored="true" />
- <field name="end-reason" type="string" indexed="true" stored="true" />
-
- <!-- Geo Enrichment Fields -->
- <dynamicField name="*.location_point" type="location" multiValued="false" docValues="true"/>
- <dynamicField name="*.country" type="string" multiValued="false" docValues="true"/>
- <dynamicField name="*.city" type="string" multiValued="false" docValues="true"/>
- <dynamicField name="*.locID" type="string" multiValued="false" docValues="true"/>
- <dynamicField name="*.dmaCode" type="string" multiValued="false" docValues="true"/>
- <dynamicField name="*.postalCode" type="string" multiValued="false" docValues="true"/>
- <dynamicField name="*.latitude" type="pfloat" multiValued="false" docValues="true"/>
- <dynamicField name="*.longitude" type="pfloat" multiValued="false" docValues="true"/>
-
- <!-- Performance Debugging Fields -->
- <dynamicField name="*.ts" type="timestamp" multiValued="false" docValues="true"/>
-
- <!-- Threat Intel Scoring Fields -->
- <field name="is_alert" type="boolean" indexed="true" stored="true" />
- <dynamicField name="*score" type="pfloat" multiValued="false" docValues="true"/>
- <dynamicField name="*.reason" type="string" multiValued="false" docValues="true"/>
- <dynamicField name="*.name" type="string" multiValued="false" docValues="true"/>
-
- <!-- Catch all, if we don't know about it, it gets dropped. -->
- <dynamicField name="*" type="ignored" multiValued="false" docValues="true"/>
-
- <!-- Type Definitions -->
- <fieldType name="string" stored="true" indexed="true" multiValued="false" class="solr.StrField" sortMissingLast="true" docValues="false"/>
- <fieldType name="boolean" stored="true" indexed="true" multiValued="false" class="solr.BoolField" sortMissingLast="true" docValues="false"/>
- <fieldType name="pint" stored="true" indexed="true" multiValued="false" class="solr.IntPointField" sortMissingLast="false" docValues="true"/>
- <fieldType name="pfloat" stored="true" indexed="true" multiValued="false" class="solr.FloatPointField" sortMissingLast="false" docValues="true"/>
- <fieldType name="plong" stored="true" indexed="true" multiValued="false" class="solr.LongPointField" sortMissingLast="false" docValues="true"/>
- <fieldType name="pdouble" stored="true" indexed="true" multiValued="false" class="solr.DoublePointField" sortMissingLast="false" docValues="true"/>
- <fieldType name="location" stored="true" indexed="true" multiValued="false" class="solr.LatLonPointSpatialField" sortMissingLast="false" docValues="true"/>
- <fieldType name="ip" stored="true" indexed="true" multiValued="false" class="solr.StrField" sortMissingLast="true" docValues="false"/>
- <fieldType name="timestamp" stored="true" indexed="true" multiValued="false" class="solr.LongPointField" sortMissingLast="false" docValues="true"/>
- <fieldType name="ignored" stored="true" indexed="true" multiValued="true" class="solr.StrField" sortMissingLast="false" docValues="false"/>
-</schema>
http://git-wip-us.apache.org/repos/asf/metron/blob/a7a41a55/metron-platform/metron-solr/src/main/config/schema/yaf/schema.xml
----------------------------------------------------------------------
diff --git a/metron-platform/metron-solr/src/main/config/schema/yaf/schema.xml b/metron-platform/metron-solr/src/main/config/schema/yaf/schema.xml
new file mode 100644
index 0000000..edccd9d
--- /dev/null
+++ b/metron-platform/metron-solr/src/main/config/schema/yaf/schema.xml
@@ -0,0 +1,92 @@
+<?xml version="1.0" encoding="UTF-8" ?>
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+<schema name="yaf_doc" version="1.6">
+ <field name="_version_" type="plong" indexed="true" stored="true"/>
+ <field name="_root_" type="string" indexed="true" stored="false" docValues="false" />
+
+ <!-- Metron specific fields -->
+ <field name="timestamp" type="timestamp" indexed="true" stored="true" />
+ <field name="source.type" type="string" indexed="true" stored="true" />
+ <field name="guid" type="string" indexed="true" stored="true" required="true" multiValued="false" />
+ <uniqueKey>guid</uniqueKey>
+
+ <!-- Source/Destination information -->
+ <field name="ip_dst_addr" type="ip" indexed="true" stored="true" />
+ <field name="ip_dst_port" type="pint" indexed="true" stored="true" />
+ <field name="ip_src_addr" type="ip" indexed="true" stored="true" />
+ <field name="ip_src_port" type="pint" indexed="true" stored="true" />
+
+ <!-- Yaf specific fields -->
+ <field name="start_time" type="timestamp" indexed="true" stored="true" />
+ <field name="end_time" type="timestamp" indexed="true" stored="true" />
+ <field name="duration" type="pdouble" indexed="true" stored="true" />
+ <field name="rtt" type="pdouble" indexed="true" stored="true" />
+ <field name="proto" type="string" indexed="true" stored="true" />
+ <field name="sip" type="string" indexed="true" stored="true" />
+ <field name="sp" type="string" indexed="true" stored="true" />
+ <field name="dip" type="string" indexed="true" stored="true" />
+ <field name="dp" type="string" indexed="true" stored="true" />
+ <field name="iflags" type="string" indexed="true" stored="true" />
+ <field name="uflags" type="string" indexed="true" stored="true" />
+ <field name="riflags" type="string" indexed="true" stored="true" />
+ <field name="ruflags" type="string" indexed="true" stored="true" />
+ <field name="isn" type="string" indexed="true" stored="true" />
+ <field name="risn" type="string" indexed="true" stored="true" />
+ <field name="tag" type="string" indexed="true" stored="true" />
+ <field name="rtag" type="string" indexed="true" stored="true" />
+ <field name="pkt" type="pint" indexed="true" stored="true" />
+ <field name="oct" type="pint" indexed="true" stored="true" />
+ <field name="rpkt" type="pint" indexed="true" stored="true" />
+ <field name="roct" type="pint" indexed="true" stored="true" />
+ <field name="app" type="string" indexed="true" stored="true" />
+ <field name="end-reason" type="string" indexed="true" stored="true" />
+
+ <!-- Geo Enrichment Fields -->
+ <dynamicField name="*.location_point" type="location" multiValued="false" docValues="false"/>
+ <dynamicField name="*.country" type="string" multiValued="false" docValues="true"/>
+ <dynamicField name="*.city" type="string" multiValued="false" docValues="true"/>
+ <dynamicField name="*.locID" type="string" multiValued="false" docValues="true"/>
+ <dynamicField name="*.dmaCode" type="string" multiValued="false" docValues="true"/>
+ <dynamicField name="*.postalCode" type="string" multiValued="false" docValues="true"/>
+ <dynamicField name="*.latitude" type="pfloat" multiValued="false" docValues="true"/>
+ <dynamicField name="*.longitude" type="pfloat" multiValued="false" docValues="true"/>
+
+ <!-- Performance Debugging Fields -->
+ <dynamicField name="*.ts" type="timestamp" multiValued="false" docValues="true"/>
+
+ <!-- Threat Intel Scoring Fields -->
+ <field name="is_alert" type="boolean" indexed="true" stored="true" />
+ <dynamicField name="*score" type="pfloat" multiValued="false" docValues="true"/>
+ <dynamicField name="*.reason" type="string" multiValued="false" docValues="true"/>
+ <dynamicField name="*.name" type="string" multiValued="false" docValues="true"/>
+
+ <!-- Catch all, if we don't know about it, it gets dropped. -->
+ <dynamicField name="*" type="ignored" multiValued="false" docValues="true"/>
+
+ <!-- Type Definitions -->
+ <fieldType name="string" stored="true" indexed="true" multiValued="false" class="solr.StrField" sortMissingLast="true" docValues="false"/>
+ <fieldType name="boolean" stored="true" indexed="true" multiValued="false" class="solr.BoolField" sortMissingLast="true" docValues="false"/>
+ <fieldType name="pint" stored="true" indexed="true" multiValued="false" class="solr.TrieIntField" sortMissingLast="false" docValues="true"/>
+ <fieldType name="pfloat" stored="true" indexed="true" multiValued="false" class="solr.TrieFloatField" sortMissingLast="false" docValues="true"/>
+ <fieldType name="plong" stored="true" indexed="true" multiValued="false" class="solr.TrieLongField" sortMissingLast="false" docValues="true"/>
+ <fieldType name="pdouble" stored="true" indexed="true" multiValued="false" class="solr.TrieDoubleField" sortMissingLast="false" docValues="true"/>
+ <fieldType name="location" class="solr.LatLonType" subFieldSuffix="_coordinate"/>
+ <fieldType name="ip" stored="true" indexed="true" multiValued="false" class="solr.StrField" sortMissingLast="true" docValues="false"/>
+ <fieldType name="timestamp" stored="true" indexed="true" multiValued="false" class="solr.TrieLongField" sortMissingLast="false" docValues="true"/>
+ <fieldType name="ignored" stored="true" indexed="true" multiValued="true" class="solr.StrField" sortMissingLast="false" docValues="false"/>
+</schema>
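Review bot: The yaf field `end-reason` carries a hyphen in its name, and Solr's guidance is that field names use only alphanumeric characters and underscores because other names are not guaranteed to work in every component (function queries and field-list parsing in particular); the dotted names such as `source.type` and `*.location_point` used across all three new schema.xml files are in the same position. These are presumably kept to match what the parsers and enrichments already emit, so a rename may not be an option, but the declaration deserves a comment recording that trade-off, e.g. `<!-- hyphenated to match the yaf parser output; avoid in function queries -->`, and the query paths that touch these fields should be confirmed against the Solr version in use.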
