On 10/18/16, 12:12 PM, "Jon Zeolla (JIRA)" <[email protected]> wrote:

>
>    [ https://issues.apache.org/jira/browse/METRON-507?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15586376#comment-15586376 ]
>
>Jon Zeolla edited comment on METRON-507 at 10/18/16 7:12 PM:
>-------------------------------------------------------------
>
>You [beat me](https://github.com/JonZeolla/incubator-metron/commit/956169c3da99a1379761e82f810f55fd5f16d915) to the PR. I'm still not sure how to assign issues (i.e. this, METRON-508, etc.) to myself...
>
>
>was (Author: [email protected]):
>You [beat me](https://github.com/JonZeolla/incubator-metron/commit/956169c3da99a1379761e82f810f55fd5f16d915) to the PR. I was trying to figure out how to assign this and METRON-508 to myself...
>
>> Elasticsearch is incorrectly indexing the Bro DNS "answers" field
>> -----------------------------------------------------------------
>>
>>                 Key: METRON-507
>>                 URL: https://issues.apache.org/jira/browse/METRON-507
>>             Project: Metron
>>          Issue Type: Bug
>>            Reporter: Jon Zeolla
>>             Fix For: 0.2.2BETA
>>
>>   Original Estimate: 10m
>>  Remaining Estimate: 10m
>>
>> Currently the template provided to Elasticsearch for bro logs is assuming
>> that it will get an ip address in the answers field of a Bro DNS log,
>> however that is not always true. Depending on the type of record being
>> received, the contents could vary between IPs, domain names, or character
>> strings. Various RFCs outline this, however a good starting point is RFC
>> 1035 section 3.3.
>> Example error:
>> [1]: index [bro_index_2016.10.18.12], type [bro_doc], id [xyz-abc], message
>> [MapperParsingException[failed to parse [answers]]; nested:
>> IllegalArgumentException[failed to parse ip [something.example.com], not a
>> valid ip address];]
>
>
>
>--
>This message was sent by Atlassian JIRA
>(v6.3.4#6332)
>
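
An added example, not part of the original thread or of Metron's code: a pre-index check that finds which Bro DNS records an ip-typed `answers` field would reject, which is the data loss the issue describes. The sample records and function names are constructed for illustration, and Python's `ipaddress` module stands in for Elasticsearch's own ip parser, which may be stricter.

```python
import ipaddress

# Constructed sample Bro DNS records (illustrative, not taken from the thread).
SAMPLE_DNS_RECORDS = [
    {"uid": "C1", "qtype_name": "A", "answers": ["93.184.216.34"]},
    {"uid": "C2", "qtype_name": "A",
     "answers": ["something.example.com", "192.0.2.10"]},  # CNAME chain, then A
    {"uid": "C3", "qtype_name": "TXT", "answers": ["TXT 11 v=spf1 -all"]},
    {"uid": "C4", "qtype_name": "AAAA", "answers": ["2001:db8::1"]},
    {"uid": "C5", "qtype_name": "A"},  # NXDOMAIN style record: no answers field
]


def classify_answer(value):
    """Return 'ip' if value parses as an IPv4/IPv6 address, else 'non_ip'."""
    try:
        ipaddress.ip_address(value)
        return "ip"
    except ValueError:
        return "non_ip"


def rejected_by_ip_mapping(records, field="answers"):
    """Map record uid -> values an ip-typed field could not parse.

    One unparsable value is enough for the whole document to fail indexing,
    so every uid returned here is a DNS event missing from the index.
    """
    rejected = {}
    for rec in records:
        values = rec.get(field) or []
        if isinstance(values, str):  # tolerate a scalar instead of a list
            values = [values]
        bad = [v for v in values if classify_answer(str(v)) == "non_ip"]
        if bad:
            rejected[rec["uid"]] = bad
    return rejected


def ip_mapping_is_safe(records, field="answers"):
    """True only if every observed value would fit an ip-typed field."""
    return not rejected_by_ip_mapping(records, field)


if __name__ == "__main__":
    for uid, bad in rejected_by_ip_mapping(SAMPLE_DNS_RECORDS).items():
        print(f"{uid}: would fail ip mapping on {bad}")
```

The rejected records are the ones carrying CNAME and TXT answers, so the gap in the index falls on the DNS responses that contain names and free-form strings.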
