[ https://issues.apache.org/jira/browse/METRON-507?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15586376#comment-15586376 ]
Jon Zeolla edited comment on METRON-507 at 10/18/16 7:12 PM:
-------------------------------------------------------------

You [beat me](https://github.com/JonZeolla/incubator-metron/commit/956169c3da99a1379761e82f810f55fd5f16d915) to the PR. I'm still not sure how to assign issues (i.e. this, METRON-508, etc.) to myself...

was (Author: zeo...@gmail.com):
You [beat me](https://github.com/JonZeolla/incubator-metron/commit/956169c3da99a1379761e82f810f55fd5f16d915) to the PR. I was trying to figure out how to assign this and METRON-508 to myself...

> Elasticsearch is incorrectly indexing the Bro DNS "answers" field
> -----------------------------------------------------------------
>
> Key: METRON-507
> URL: https://issues.apache.org/jira/browse/METRON-507
> Project: Metron
> Issue Type: Bug
> Reporter: Jon Zeolla
> Fix For: 0.2.2BETA
>
> Original Estimate: 10m
> Remaining Estimate: 10m
>
> Currently the template provided to Elasticsearch for bro logs is assuming
> that it will get an ip address in the answers field of a Bro DNS log, however
> that is not always true. Depending on the type of record being received, the
> contents could vary between IPs, domain names, or character strings. Various
> RFCs outline this, however a good starting point is RFC 1035 section 3.3.
>
> Example error:
> [1]: index [bro_index_2016.10.18.12], type [bro_doc], id [xyz-abc], message
> [MapperParsingException[failed to parse [answers]]; nested:
> IllegalArgumentException[failed to parse ip [something.example.com], not a
> valid ip address];]
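
Added example, not part of the original message or of Metron's code: a pre-deployment check for the failure described in the issue, listing the sample values that any field mapped as ip would reject. The template fragment, the records, the field names other than answers and the helper names are constructed for illustration, and Python's ipaddress module only approximates Elasticsearch's ip parsing.

```python
import ipaddress

# Constructed template fragment modelled on the report: "answers" typed as ip.
TEMPLATE = {"mappings": {"bro_doc": {"properties": {
    "ip_src_addr": {"type": "ip"},      # hypothetical field name
    "query": {"type": "string"},        # hypothetical field name
    "answers": {"type": "ip"},          # the mapping the issue describes
}}}}

# Constructed Bro DNS records: A, CNAME chain, TXT, and a reply with no answers.
SAMPLE_DOCS = [
    {"id": "a-record", "ip_src_addr": "10.0.0.5", "query": "www.example.com",
     "answers": ["192.0.2.10"]},
    {"id": "cname", "ip_src_addr": "10.0.0.5", "query": "cdn.example.com",
     "answers": ["something.example.com", "192.0.2.10"]},
    {"id": "txt", "ip_src_addr": "10.0.0.6", "query": "example.com",
     "answers": ["TXT 23 v=spf1 -all"]},
    {"id": "no-answer", "ip_src_addr": "10.0.0.7", "query": "nx.example.com"},
]


def is_ip(value):
    """True if value parses as an IP address (approximation of the ip type)."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def ip_fields(template, doc_type):
    """Names of the fields the template maps as type ip, sorted."""
    props = template["mappings"][doc_type]["properties"]
    return sorted(n for n, spec in props.items() if spec.get("type") == "ip")


def audit(template, doc_type, docs):
    """Return (doc id, field, value) for every value an ip field would reject."""
    rejected = []
    for doc in docs:
        for field in ip_fields(template, doc_type):
            value = doc.get(field)
            if value is None:          # absent field: nothing to parse
                continue
            for v in (value if isinstance(value, list) else [value]):
                if not is_ip(str(v)):
                    rejected.append((doc["id"], field, v))
    return rejected


if __name__ == "__main__":
    for doc_id, field, value in audit(TEMPLATE, "bro_doc", SAMPLE_DOCS):
        print(f"{doc_id}: [{field}] would fail to parse ip [{value}]")
```

A single non-IP element is enough to reject the whole document, so the "cname" record is flagged even though its second answer is a valid address.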