[ https://issues.apache.org/jira/browse/METRON-293?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15367837#comment-15367837 ]
Casey Stella commented on METRON-293:
-------------------------------------
Ok, I looked into this. The issue, I believe, is that we are providing default
Elasticsearch templates for bro (and for most of the default sensors) and those
templates specify the ip_src_addr and ip_dst_addr fields as type ip. As you
can see from
[here|https://www.elastic.co/guide/en/elasticsearch/reference/current/ip.html],
IPv6 is not currently supported.

Not sure what to do about this as the default Kibana dashboard, I suspect,
depends on those IPs being interpreted as IPs. Any fix has to preserve the
behavior in Kibana as well, IMHO.

Thoughts?

> indexingBolt errors out for bro logs having IPV6 address
> --------------------------------------------------------
>
> Key: METRON-293
> URL: https://issues.apache.org/jira/browse/METRON-293
> Project: Metron
> Issue Type: Bug
> Affects Versions: 0.2.1BETA
> Reporter: Neha Sinha
> Priority: Minor
> Attachments: Screen Shot 2016-07-08 at 4.59.56 PM.png,
> bro_ipv6_address.rtf, enrichment_indexingBolt_error_stack_trace.rtf
>
>
> Hi,
> So I am injecting the following bro log that has IPV6 addresses :-
> {"http":
> {"ts":1467617777.886267,"uid":"CXkPNR186cdD0rqPi","id.orig_h":"2001:cdba:0:0:0:0:3257:9652","id.orig_p":49191,"id.resp_h":"2001:cdba:0:0:0:0:3257:9651","id.resp_p":80,"trans_depth":1,"method":"GET","host":"62.75.195.236","uri":"/?3a08b0be8322c244f5a1cb9c1057d941","user_agent":"Mozilla/4.0
> (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR
> 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC
> 6.0)","request_body_len":0,"response_body_len":0,"status_code":200,"status_msg":"OK","tags":[]}}
> The bro parser parses the above log all good, but I happen to see an error with
> the enrichment indexingBolt.
> Please find attached the stack trace for the enrichment indexing bolt and also the
> storm log captured for the bro parser.
> Regards,
> Neha
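
An added example, not part of the JIRA thread or Metron's code: a pre-index check for the failure the comment describes, listing the fields a template types as ip and flagging messages whose values in those fields are not IPv4. The mapping fragment and messages are constructed (addresses taken from the report), and it assumes the message reaching the indexing bolt carries the addresses under ip_src_addr and ip_dst_addr.

```python
import ipaddress

# Constructed template fragment: the two fields the comment names, typed `ip`.
TEMPLATE_PROPERTIES = {
    "ip_src_addr": {"type": "ip"},
    "ip_dst_addr": {"type": "ip"},
    "status_code": {"type": "integer"},
}

# Constructed messages; the first reuses the IPv6 addresses from the report.
SAMPLE_MESSAGES = [
    {"ip_src_addr": "2001:cdba:0:0:0:0:3257:9652",
     "ip_dst_addr": "2001:cdba:0:0:0:0:3257:9651", "status_code": 200},
    {"ip_src_addr": "10.0.0.5", "ip_dst_addr": "62.75.195.236", "status_code": 200},
]


def ip_typed_fields(properties):
    """Names of the fields the template maps as type `ip`."""
    return sorted(n for n, spec in properties.items() if spec.get("type") == "ip")


def classify(value):
    """Return 'ipv4', 'ipv6' or 'invalid' for a field value."""
    try:
        addr = ipaddress.ip_address(str(value))
    except ValueError:
        return "invalid"
    return "ipv4" if addr.version == 4 else "ipv6"


def rejected_fields(message, properties):
    """Fields an `ip` mapping without IPv6 support would refuse: {field: kind}."""
    problems = {}
    for field in ip_typed_fields(properties):
        if field in message:
            kind = classify(message[field])
            if kind != "ipv4":
                problems[field] = kind
    return problems


def triage(messages, properties):
    """Split messages into (indexable, rejected-with-reasons)."""
    ok, bad = [], []
    for msg in messages:
        problems = rejected_fields(msg, properties)
        if problems:
            bad.append((msg, problems))
        else:
            ok.append(msg)
    return ok, bad
```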