Yep, I will Jira all the ones I emailed today, should be four.
________________________________
From: Otto Fowler <[email protected]>
Sent: Tuesday, October 17, 2017 1:17 PM
To: [email protected]; ed d
Subject: Re: Sourcefire logs not being parsed due to "Unable to find SID in message"

Would it be possible for you to create a Jira which includes the ‘raw’ data (anonymized)? If this is a problem that we need to fix, it would be good to have a test case for the code etc. to prove it.

On October 17, 2017 at 13:04:29, ed d ([email protected]) wrote:

Sorry, here is the snippet:

2017-09-25 19:57:22.402 o.a.m.p.s.BasicSourcefireParser [WARN] Unable to find SID in message:

________________________________
From: ed d <[email protected]>
Sent: Tuesday, October 17, 2017 12:59 PM
To: [email protected]
Subject: Sourcefire logs not being parsed due to "Unable to find SID in message"

Apache Metron 0.4.1, git cloned. Not sure of the version of Sourcefire.

Some logs are not being processed by Storm and the error message is "o.a.m.p.s.BasicSourcefireParser [WARN] Unable to find SID in message:".

Do all Sourcefire log messages have to have the keyword "SID" in them, or the equivalent? If they don't, how do we get them processed anyway?
