[ https://issues.apache.org/jira/browse/METRON-507?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15586298#comment-15586298 ]
Nick Allen commented on METRON-507:
-----------------------------------

https://github.com/apache/incubator-metron/pull/305

I think this addresses the problem.

> Elasticsearch is incorrectly indexing the Bro DNS "answers" field
> -----------------------------------------------------------------
>
>                 Key: METRON-507
>                 URL: https://issues.apache.org/jira/browse/METRON-507
>             Project: Metron
>          Issue Type: Bug
>            Reporter: Jon Zeolla
>             Fix For: 0.2.2BETA
>
>   Original Estimate: 10m
>  Remaining Estimate: 10m
>
> Currently the template provided to Elasticsearch for bro logs is assuming
> that it will get an ip address in the answers field of a Bro DNS log, however
> that is not always true. Depending on the type of record being received, the
> contents could vary between IPs, domain names, or character strings. Various
> RFCs outline this, however a good starting point is RFC 1035 section 3.3.
> Example error:
> [1]: index [bro_index_2016.10.18.12], type [bro_doc], id [xyz-abc], message
> [MapperParsingException[failed to parse [answers]]; nested:
> IllegalArgumentException[failed to parse ip [something.example.com], not a
> valid ip address];]



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
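The mapping mismatch the issue describes, shown as an added example that is not part of this thread and not the Metron project's own template or code. The two mapping fragments are constructed approximations of the relevant part of a Bro index template (the "answers" field only), the Bro dns.log records are constructed samples, and the coercion logic is a small stand-in for what Elasticsearch does when a value is indexed into an "ip" field, so the error string matches the shape quoted in the issue. The "string"/"not_analyzed" form is the Elasticsearch 2.x spelling of a non-analyzed string; on 5.x and later the same intent is {"type": "keyword"}.

```python
import ipaddress

# Constructed approximation of the original mapping (not Metron's actual
# bro_index.template): "answers" is declared as an Elasticsearch "ip" field.
MAPPING_BEFORE = {"properties": {"answers": {"type": "ip"}}}

# Corrected mapping: DNS answers can be IPs, names or free text (RFC 1035
# section 3.3), so a non-analyzed string keeps every record type indexable.
# ES 2.x form; on ES 5.x+ use {"type": "keyword"} instead.
MAPPING_AFTER = {"properties": {"answers": {"type": "string", "index": "not_analyzed"}}}

# Constructed Bro dns.log excerpts, one per record type. "answers" is a
# vector in Bro, so it is always a list here.
SAMPLE_DNS_LOGS = [
    {"qtype_name": "A",     "answers": ["93.184.216.34"]},
    {"qtype_name": "AAAA",  "answers": ["2606:2800:220:1:248:1893:25c8:1946"]},
    {"qtype_name": "CNAME", "answers": ["something.example.com"]},
    {"qtype_name": "MX",    "answers": ["mail.example.com"]},
    {"qtype_name": "TXT",   "answers": ["v=spf1 include:_spf.example.com -all"]},
]


class MapperParsingException(ValueError):
    """Stand-in for the exception Elasticsearch raises when a value does not fit its mapped type."""


def coerce(value, field_mapping):
    """Coerce one value to its mapped type the way an ES field mapper would."""
    field_type = field_mapping["type"]
    if field_type == "ip":
        try:
            return str(ipaddress.ip_address(value))
        except ValueError:
            raise MapperParsingException(
                f"failed to parse ip [{value}], not a valid ip address")
    if field_type in ("string", "keyword"):
        return str(value)
    raise MapperParsingException(f"unsupported field type [{field_type}]")


def index_document(doc, mapping):
    """Return the coerced document, or raise MapperParsingException as ES would."""
    out = {}
    for field, value in doc.items():
        field_mapping = mapping["properties"].get(field)
        if field_mapping is None:
            out[field] = value          # unmapped field: dynamic mapping accepts it as-is
            continue
        values = value if isinstance(value, list) else [value]
        out[field] = [coerce(v, field_mapping) for v in values]
    return out


def index_all(docs, mapping):
    """Index every doc; return (indexed_count, {qtype_name: error message})."""
    indexed, failures = 0, {}
    for doc in docs:
        try:
            index_document(doc, mapping)
            indexed += 1
        except MapperParsingException as exc:
            failures[doc["qtype_name"]] = str(exc)
    return indexed, failures


if __name__ == "__main__":
    for label, mapping in (("before", MAPPING_BEFORE), ("after", MAPPING_AFTER)):
        count, failures = index_all(SAMPLE_DNS_LOGS, mapping)
        print(f"{label}: indexed {count}/{len(SAMPLE_DNS_LOGS)} documents")
        for qtype, msg in failures.items():
            print(f"  {qtype}: {msg}")
```

With the "ip" mapping only the A and AAAA records index; CNAME, MX and TXT answers are rejected with the same "not a valid ip address" message the issue quotes. With the string mapping all five records index, at the cost of losing ES's IP range queries on that field, which is the trade-off the template has to make when one field carries several RDATA types.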