Jon Zeolla commented on METRON-507:

Per Nick's comment this is a duplicate of METRON-403.

> Elasticsearch is incorrectly indexing the Bro DNS "answers" field
> -----------------------------------------------------------------
>                 Key: METRON-507
>                 URL: https://issues.apache.org/jira/browse/METRON-507
>             Project: Metron
>          Issue Type: Bug
>            Reporter: Jon Zeolla
>             Fix For: 0.2.2BETA
>   Original Estimate: 10m
>  Remaining Estimate: 10m
> Currently the template provided to Elasticsearch for bro logs is assuming 
> that it will get an ip address in the answers field of a Bro DNS log, however 
> that is not always true.  Depending on the type of record being received, the 
> contents could vary between IPs, domain names, or character strings.  Various 
> RFCs outline this, however a good starting point is RFC 1035 section 3.3.  
> Example error:
> [1]: index [bro_index_2016.10.18.12], type [bro_doc], id [xyz-abc], message 
> [MapperParsingException[failed to parse [answers]]; nested: 
> IllegalArgumentException[failed to parse ip [something.example.com], not a 
> valid ip address];]

This message was sent by Atlassian JIRA
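To make the failure mode in the issue concrete, here is an added example (not code from Metron or from the reporter) that simulates what an Elasticsearch mapper does with the Bro DNS "answers" field under the buggy template versus a corrected one. The sample dns.log records, the template excerpts and the index_document/check_logs helpers are all constructed for illustration; the "keyword" type is the Elasticsearch 5+ name for an exact-match string and is an assumption about the target version, which the issue does not state.

```python
"""Simulate how an 'ip'-typed Elasticsearch mapping rejects non-IP DNS answers.

Constructed example for METRON-507; not the Metron bro template nor
Elasticsearch's own mapper code.
"""
import ipaddress
import json
import re

# Hypothetical excerpt of the bro index template as the bug describes it:
# 'answers' is typed as 'ip', so any non-address RDATA fails to index.
WEAK_MAPPING = {"answers": {"type": "ip"}}

# Corrected excerpt: index 'answers' as an exact-match string instead.
# 'keyword' is the Elasticsearch 5+ type; on the 2.x series the equivalent
# is {"type": "string", "index": "not_analyzed"} (assumption about the
# Elasticsearch version in use, not stated in the issue).
FIXED_MAPPING = {"answers": {"type": "keyword"}}

# Constructed Bro dns.log records in JSON form, one per record type.
# Per RFC 1035 section 3.3 the RDATA is an address for A/AAAA, a domain
# name for CNAME/NS/PTR/MX and a character string for TXT.
SAMPLE_DNS_LOGS = [
    '{"ts":1476792000.0,"uid":"C1","query":"www.example.com","qtype_name":"A","answers":["93.184.216.34"]}',
    '{"ts":1476792001.0,"uid":"C2","query":"www.example.com","qtype_name":"CNAME","answers":["something.example.com","93.184.216.34"]}',
    '{"ts":1476792002.0,"uid":"C3","query":"example.com","qtype_name":"TXT","answers":["v=spf1 -all"]}',
    '{"ts":1476792003.0,"uid":"C4","query":"example.com","qtype_name":"AAAA","answers":["2606:2800:220:1:248:1893:25c8:1946"]}',
]

# Loose hostname syntax (LDH labels, underscore tolerated for SRV-style
# names, optional trailing dot); good enough to separate names from
# free-form TXT strings in this example.
_HOSTNAME = re.compile(
    r"^(?=.{1,253}$)"
    r"(?:[A-Za-z0-9_](?:[A-Za-z0-9_-]{0,61}[A-Za-z0-9_])?\.)*"
    r"[A-Za-z0-9_](?:[A-Za-z0-9_-]{0,61}[A-Za-z0-9_])?\.?$"
)


def is_ip(value):
    """True if value parses as an IPv4 or IPv6 address."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def classify_answer(value):
    """Rough RDATA classifier: 'ip', 'domain' or 'string'."""
    if is_ip(value):
        return "ip"
    if _HOSTNAME.match(value):
        return "domain"
    return "string"


def index_document(doc, mapping):
    """Mimic the mapper's 'ip' field check; return a list of error strings.

    Only the ip-vs-string distinction is modelled.  An empty list means the
    document would have been indexed.
    """
    errors = []
    for field, props in mapping.items():
        if field not in doc:
            continue
        values = doc[field] if isinstance(doc[field], list) else [doc[field]]
        if props["type"] == "ip":
            for v in values:
                if not is_ip(v):
                    errors.append(
                        "failed to parse [%s]; failed to parse ip [%s], "
                        "not a valid ip address" % (field, v))
    return errors


def check_logs(lines, mapping):
    """Index each JSON log line; return {uid: [errors]} for rejected docs."""
    rejected = {}
    for line in lines:
        doc = json.loads(line)
        errs = index_document(doc, mapping)
        if errs:
            rejected[doc["uid"]] = errs
    return rejected


if __name__ == "__main__":
    print("weak mapping rejects:", check_logs(SAMPLE_DNS_LOGS, WEAK_MAPPING))
    print("fixed mapping rejects:", check_logs(SAMPLE_DNS_LOGS, FIXED_MAPPING))
    for line in SAMPLE_DNS_LOGS:
        d = json.loads(line)
        print(d["qtype_name"], [classify_answer(a) for a in d["answers"]])
```

Under WEAK_MAPPING the CNAME and TXT records are rejected with the same "not a valid ip address" message the issue quotes, while the A and AAAA records index fine, which is why the bug only shows up for some DNS traffic. Under FIXED_MAPPING every record indexes; if address-typed queries are still wanted, the usual approach is to keep 'answers' as a string field and add a separate ip-typed field populated only for A/AAAA answers.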