Jon Zeolla created METRON-507:

             Summary: Elasticsearch is incorrectly indexing the Bro DNS "answers" field
                 Key: METRON-507
             Project: Metron
          Issue Type: Bug
            Reporter: Jon Zeolla
             Fix For: 0.2.2BETA

Currently the template provided to Elasticsearch for Bro logs assumes that the
answers field of a Bro DNS log will always contain an IP address, but that is not
always true. Depending on the type of record received, the contents can be an IP
address, a domain name, or a character string. Various RFCs outline this; a good
starting point is RFC 1035 section 3.3.

Example error:
[1]: index [bro_index_2016.10.18.12], type [bro_doc], id [xyz-abc], message [MapperParsingException[failed to parse [answers]]; nested: IllegalArgumentException[failed to parse ip [], not a valid ip address];]
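The following Python script is an added illustration of the failure mode described in this ticket; it is not Metron code and not Metron's actual Elasticsearch template. It constructs a few sample Bro dns.log records (A, AAAA, CNAME, TXT, and a mixed CNAME-then-A answer set), mimics how Elasticsearch rejects a document whose "ip"-typed field holds a non-IP value, and shows that a string-typed mapping ("keyword"; "string" with "index": "not_analyzed" on ES 2.x) accepts every RDATA form from RFC 1035 section 3.3. The derived field name answers_ip and the mapping fragments are assumptions made for the example.

```python
import ipaddress
import json

# Constructed Bro dns.log records in JSON form (not taken from the ticket).
# "answers" holds RDATA strings whose shape depends on the query type (RFC 1035 s.3.3).
SAMPLE_RECORDS = [
    {"ts": 1476792000.1, "qtype_name": "A",     "query": "www.example.com",
     "answers": ["93.184.216.34"]},
    {"ts": 1476792000.2, "qtype_name": "AAAA",  "query": "www.example.com",
     "answers": ["2606:2800:220:1:248:1893:25c8:1946"]},
    {"ts": 1476792000.3, "qtype_name": "CNAME", "query": "cdn.example.com",
     "answers": ["edge.example.net"]},
    {"ts": 1476792000.4, "qtype_name": "TXT",   "query": "example.com",
     "answers": ["v=spf1 -all"]},
    # A query resolved through a CNAME chain: the first answer is a name, not an IP.
    {"ts": 1476792000.5, "qtype_name": "A",     "query": "mixed.example.com",
     "answers": ["alias.example.net", "93.184.216.35"]},
]

# Mapping fragments for the "answers" field. Assumed shapes for illustration only;
# these are not Metron's Elasticsearch template.
IP_MAPPING = {"answers": {"type": "ip"}}            # what the ticket describes
KEYWORD_MAPPING = {"answers": {"type": "keyword"}}  # accepts any RDATA string


class MapperParsingError(ValueError):
    """Stand-in for Elasticsearch's MapperParsingException."""


def is_ip(value):
    """True if value parses as an IPv4 or IPv6 address."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def validate_document(doc, mapping):
    """Apply the mapping's type checks to the fields it covers, mimicking ES ingest.

    Raises MapperParsingError on the first value that violates an 'ip' field;
    string-typed fields accept anything.
    """
    for field, spec in mapping.items():
        values = doc.get(field, [])
        if not isinstance(values, list):
            values = [values]
        if spec["type"] == "ip":
            bad = [v for v in values if not is_ip(v)]
            if bad:
                raise MapperParsingError(
                    "failed to parse [%s]; failed to parse ip [%s], not a valid ip address"
                    % (field, bad[0]))
    return True


def index_batch(records, mapping):
    """Index records one at a time; return (indexed_count, [(query, reason), ...])."""
    indexed, rejected = 0, []
    for rec in records:
        try:
            validate_document(rec, mapping)
            indexed += 1
        except MapperParsingError as exc:
            rejected.append((rec["query"], str(exc)))
    return indexed, rejected


def split_answers(rec):
    """Keep the raw 'answers' strings and derive 'answers_ip' holding only the IPs,
    so IP-range queries stay possible without dropping non-IP RDATA.
    (The field name 'answers_ip' is an assumption, not a Metron convention.)"""
    out = dict(rec)
    out["answers_ip"] = [a for a in rec.get("answers", []) if is_ip(a)]
    return out


if __name__ == "__main__":
    print("ip mapping:     ", index_batch(SAMPLE_RECORDS, IP_MAPPING))
    print("keyword mapping:", index_batch(SAMPLE_RECORDS, KEYWORD_MAPPING))
    print(json.dumps(split_answers(SAMPLE_RECORDS[4]), indent=2))
```

With the "ip" mapping only the A and AAAA records are indexed and the CNAME, TXT and mixed records are dropped with the same "not a valid ip address" error the ticket shows; with the string mapping all five are indexed, and the derived field keeps the addresses searchable as IPs.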

This message was sent by Atlassian JIRA
