[ https://issues.apache.org/jira/browse/METRON-507?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15586376#comment-15586376 ]

Jon Zeolla commented on METRON-507:
-----------------------------------

You [beat me](https://github.com/JonZeolla/incubator-metron/commit/956169c3da99a1379761e82f810f55fd5f16d915) to the PR.  I was trying to figure out how to assign this and METRON-508 to myself...

> Elasticsearch is incorrectly indexing the Bro DNS "answers" field
> -----------------------------------------------------------------
>
>                 Key: METRON-507
>                 URL: https://issues.apache.org/jira/browse/METRON-507
>             Project: Metron
>          Issue Type: Bug
>            Reporter: Jon Zeolla
>             Fix For: 0.2.2BETA
>
>   Original Estimate: 10m
>  Remaining Estimate: 10m
>
> Currently the template provided to Elasticsearch for bro logs is assuming 
> that it will get an IP address in the answers field of a Bro DNS log, however 
> that is not always true.  Depending on the type of record being received, the 
> contents could vary between IPs, domain names, or character strings.  Various 
> RFCs outline this, however a good starting point is RFC 1035 section 3.3.  
> Example error:
> [1]: index [bro_index_2016.10.18.12], type [bro_doc], id [xyz-abc], message 
> [MapperParsingException[failed to parse [answers]]; nested: 
> IllegalArgumentException[failed to parse ip [something.example.com], not a 
> valid ip address];]



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
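
An added example, not part of the original message or of the Metron code base: a pre-indexing audit that reports which Bro DNS records carry "answers" values an IP-typed field would reject, which are the records that trigger the MapperParsingException quoted in the issue. The sample records are constructed, the function names are hypothetical, and Python's `ipaddress` module is an assumed stand-in for Elasticsearch's own IP parser, which may be stricter.

```python
import ipaddress

# Constructed sample records shaped like Bro dns.log JSON (not taken from the issue).
SAMPLE_RECORDS = [
    {"query": "www.example.com", "qtype_name": "A", "answers": ["192.0.2.10"]},
    {"query": "www.example.com", "qtype_name": "AAAA", "answers": ["2001:db8::10"]},
    {"query": "mail.example.com", "qtype_name": "CNAME",
     "answers": ["something.example.com", "192.0.2.25"]},
    {"query": "example.com", "qtype_name": "MX", "answers": ["mx1.example.com"]},
    {"query": "example.com", "qtype_name": "TXT", "answers": ["v=spf1 -all"]},
    {"query": "nx.example.com", "qtype_name": "A"},  # no answers field at all
]


def is_ip(value):
    """True if value parses as an IPv4 or IPv6 address."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def non_ip_answers(record):
    """Return the answers in one record that an IP-typed field could not hold."""
    answers = record.get("answers") or []
    if isinstance(answers, str):  # tolerate a single string instead of a list
        answers = [answers]
    return [a for a in answers if not is_ip(str(a))]


def audit(records):
    """Count, per query type, the records whose answers include a non-IP value."""
    rejected = {}
    for rec in records:
        if non_ip_answers(rec):
            qtype = rec.get("qtype_name", "unknown")
            rejected[qtype] = rejected.get(qtype, 0) + 1
    return rejected


if __name__ == "__main__":
    for qtype, count in sorted(audit(SAMPLE_RECORDS).items()):
        print(f"{qtype}: {count} record(s) with non-IP answers")
```

Run against a sample of real Bro DNS logs, the per-type counts show how much DNS telemetry would fail to index under the IP-typed mapping.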
