[
https://issues.apache.org/jira/browse/METRON-1010?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16072868#comment-16072868
]
Jon Zeolla commented on METRON-1010:
------------------------------------
Yeah, that is another option, but I feel like it could be pretty confusing
because of the merging/effective template. I could be convinced that people
using Metron who haven't been exposed to ES in the past could be reasonably
informed about how this works, but it still leaves us with the limitation of my
original option 1.
> Reorganize the bro elasticsearch template
> -----------------------------------------
>
> Key: METRON-1010
> URL: https://issues.apache.org/jira/browse/METRON-1010
> Project: Metron
> Issue Type: Improvement
> Affects Versions: Next + 1
> Reporter: Jon Zeolla
>
> Right now, updates to the bro indexing template for Elasticsearch are
> somewhat confusing due to field name collisions across distinct bro logs. I
> see two possible approaches to make this simpler:
> *Option 1* - One template, with duplication, but still one bro index.
> We duplicate the field definitions under each log type's section
> (distinguished by comments) to make it easier to add/remove bro log support
> to the template, and to make ripping logs out into distinct indexes in the
> future easier.
> Pros: Doesn't require much refactoring of Metron because all bro logs are
> still in the same place that they used to be; review of one bro log's
> indexing details is more intuitive.
> Cons: Changes to a field should be reflected everywhere that field exists in
> the template.
> *Option 2* - Multiple templates, multiple bro indexes.
> Configure Metron to send each individual bro log into distinct indexes. We
> could continue to use the bro- preface, but we would still need to fix
> dashboards, saved queries, etc.
> Pros: 1:1 mapping of a distinct field to an ES type, so type is always
> accurate (unlike what we have currently, for details see
> https://github.com/apache/metron/pull/586/files#diff-262becd0bb95e0520c42c30a857a343eR131).
> Cons: Overall complexity of change.
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
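The trade-off in the two quoted options, as an added example that is not Metron's code or part of the thread: a lint that takes per-log-type field definitions (the "sections distinguished by comments" of Option 1), reports field names whose ES type differs between bro log types, and emits either the single merged template (Option 1, which must refuse collisions because one index allows one mapping per field name) or one template per log type (Option 2). The sample sections, the `bro_index*` pattern and the `bro_doc` type name are constructed assumptions, and the legacy `template`-keyed form is assumed.

```python
from collections import defaultdict
from typing import Dict, List

FieldMap = Dict[str, Dict[str, str]]  # field name -> ES mapping properties

# Constructed sample, not Metron's real bro template: two log types share
# "uid" with the same type but disagree on the type of "version".
SAMPLE_SECTIONS: Dict[str, FieldMap] = {
    "conn": {"uid": {"type": "keyword"}, "duration": {"type": "float"},
             "version": {"type": "integer"}},
    "ssl":  {"uid": {"type": "keyword"}, "version": {"type": "keyword"},
             "cipher": {"type": "keyword"}},
}


def find_collisions(sections: Dict[str, FieldMap]) -> Dict[str, Dict[str, List[str]]]:
    """Return {field: {es_type: [log types]}} for every field whose ES type
    differs across log sections; such a field cannot live in one index."""
    by_field: Dict[str, Dict[str, List[str]]] = defaultdict(lambda: defaultdict(list))
    for log_type, fields in sections.items():
        for name, props in fields.items():
            by_field[name][props.get("type", "object")].append(log_type)
    return {f: dict(types) for f, types in by_field.items() if len(types) > 1}


def single_template(sections: Dict[str, FieldMap], index_pattern: str = "bro_index*",
                    doc_type: str = "bro_doc") -> dict:
    """Option 1: one template and one bro index. Every section's fields are
    merged into a single mapping, so a conflicting field type is an error
    rather than a silently wrong type (the con the issue describes)."""
    collisions = find_collisions(sections)
    if collisions:
        raise ValueError(f"conflicting field types across bro logs: {sorted(collisions)}")
    merged: FieldMap = {}
    for fields in sections.values():
        merged.update(fields)  # duplicated fields agree on type, so overwriting is safe
    return {"template": index_pattern,
            "mappings": {doc_type: {"properties": merged}}}


def per_log_templates(sections: Dict[str, FieldMap], prefix: str = "bro-",
                      doc_type: str = "bro_doc") -> Dict[str, dict]:
    """Option 2: one template per bro log type matching its own index pattern
    (keeping the bro- preface), so each field maps 1:1 to an ES type."""
    return {log: {"template": f"{prefix}{log}*",
                  "mappings": {doc_type: {"properties": dict(fields)}}}
            for log, fields in sections.items()}
```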