[
https://issues.apache.org/jira/browse/METRON-293?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15368084#comment-15368084
]
Nick Allen commented on METRON-293:
-----------------------------------
I definitely agree that an IPv6 address would not be allowed with the current
index templates we have in place.
Treating `ip_src_addr` and `ip_dst_addr` as an Elasticsearch `IP` type
definitely makes life easier in Kibana. It allows me to search for specific
subnets using CIDR notation. This allows me, among many other things, to
distinguish between what is 'internal' versus 'external'.
> indexingBolt errors out for bro logs having IPV6 address
> --------------------------------------------------------
>
> Key: METRON-293
> URL: https://issues.apache.org/jira/browse/METRON-293
> Project: Metron
> Issue Type: Bug
> Affects Versions: 0.2.1BETA
> Reporter: Neha Sinha
> Priority: Minor
> Attachments: Screen Shot 2016-07-08 at 4.59.56 PM.png,
> bro_ipv6_address.rtf, enrichment_indexingBolt_error_stack_trace.rtf
>
>
> Hi,
> So I am injecting the following bro log that has IPv6 addresses :-
> {"http":
> {"ts":1467617777.886267,"uid":"CXkPNR186cdD0rqPi","id.orig_h":"2001:cdba:0:0:0:0:3257:9652","id.orig_p":49191,"id.resp_h":"2001:cdba:0:0:0:0:3257:9651","id.resp_p":80,"trans_depth":1,"method":"GET","host":"62.75.195.236","uri":"/?3a08b0be8322c244f5a1cb9c1057d941","user_agent":"Mozilla/4.0
> (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR
> 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC
> 6.0)","request_body_len":0,"response_body_len":0,"status_code":200,"status_msg":"OK","tags":[]}}
> The bro parser parses the above log all good but I happen to see an error with
> the enrichment indexingBolt.
> Please find attached the stacktrace for enrichment indexing bolt and also the
> storm log captured for bro parser.
> Regards,
> Neha
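An added example, not part of the original thread or of Metron's code: a pre-index check that shows why the reported record fails against an `ip` field that only accepts IPv4, plus the CIDR-based internal/external split the comment describes. The mapping of Bro's `id.orig_h`/`id.resp_h` to `ip_src_addr`/`ip_dst_addr`, the list of "internal" networks and all function names are assumptions made for illustration.

```python
import ipaddress
import json

# Constructed sample: the Bro HTTP record from the report, cut down to its address fields.
SAMPLE = ('{"http": {"id.orig_h": "2001:cdba:0:0:0:0:3257:9652", "id.orig_p": 49191, '
          '"id.resp_h": "2001:cdba:0:0:0:0:3257:9651", "id.resp_p": 80}}')

# Assumption: Bro's id.orig_h / id.resp_h end up in the indexed fields named in the comment.
FIELD_MAP = {"id.orig_h": "ip_src_addr", "id.resp_h": "ip_dst_addr"}

# Assumption: example definition of "internal" (RFC 1918 plus IPv6 unique local).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]


def to_index_doc(raw):
    """Unwrap the {"http": {...}} envelope and rename the address fields."""
    fields = next(iter(json.loads(raw).values()))
    return {FIELD_MAP.get(k, k): v for k, v in fields.items()}


def rejected_by_ipv4_only_mapping(doc, ip_fields=("ip_src_addr", "ip_dst_addr")):
    """Return {field: reason} for values an IPv4-only `ip` field cannot hold."""
    problems = {}
    for field in ip_fields:
        value = doc.get(field)
        if value is None:
            continue
        try:
            addr = ipaddress.ip_address(value)
        except ValueError:
            problems[field] = "not an IP address"
            continue
        if addr.version != 4:
            problems[field] = "IPv6 address in IPv4-only field"
    return problems


def locality(value, internal_nets=INTERNAL_NETS):
    """Classify an address by CIDR membership, the way a subnet query would."""
    addr = ipaddress.ip_address(value)
    same_family = (n for n in internal_nets if n.version == addr.version)
    return "internal" if any(addr in n for n in same_family) else "external"


if __name__ == "__main__":
    doc = to_index_doc(SAMPLE)
    print(rejected_by_ipv4_only_mapping(doc))
    print({f: locality(doc[f]) for f in ("ip_src_addr", "ip_dst_addr")})
```

Running the check before the indexing step lets such records be routed to an error queue or a separate field instead of failing the whole write.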