[GitHub] metron issue #844: METRON-1088: Upgrade bro to 2.5.2
Github user JonZeolla commented on the issue: https://github.com/apache/metron/pull/844 Okay, so I spun up master, pushed my template via `curl`, and then ran the above commands to confirm backward compatibility with the template on bro 2.4.x. The only change to my steps that I had to make was to remove the new `RFB::LOG, Stats::LOG, CaptureLoss::LOG, SIP::LOG` logs from `logs_to_send`, but that was expected and I encountered no other issues. ---
Github user JonZeolla commented on the issue: https://github.com/apache/metron/pull/844 [METRON-1322](https://issues.apache.org/jira/browse/METRON-1322) for your PCAP feature request. Also, I totally agree with your documentation notes. Cleaning this up has been on my to-do list for a while. ---
Github user ottobackwards commented on the issue: https://github.com/apache/metron/pull/844 Documentation that cannot be found doesn't exist; people who aren't devs aren't going to look in the deployment code. ---
Github user ottobackwards commented on the issue: https://github.com/apache/metron/pull/844 That is fine. We should surface them regardless at some point. Burying them in the deployment is not ideal. How they index is an important part of any parser's base functionality. ---
Github user JonZeolla commented on the issue: https://github.com/apache/metron/pull/844 Thanks @ottobackwards. While I feel like the ES template documentation is good enough for now, I really want to investigate something cleaner, probably via 777 but also potentially by splitting up indexes as discussed in [METRON-1010](https://issues.apache.org/jira/browse/METRON-1010?filter=-2). ---
Github user ottobackwards commented on the issue: https://github.com/apache/metron/pull/844 I am +1 pending travis. Reviewed code. Ran build and tests (after fix*). Followed test instructions. Great work @JonZeolla ---
Github user ottobackwards commented on the issue: https://github.com/apache/metron/pull/844 The documentation in the template is nice. After 777, when each parser has a readme, this documentation of the index fields should be in the bro readme. ---
Github user ottobackwards commented on the issue: https://github.com/apache/metron/pull/844 Is there some way to document these PCAPs? Could we have a script that does what you do here just checked in? I think this would be useful. ---
Github user ottobackwards commented on the issue: https://github.com/apache/metron/pull/844 Ran tests as described, everything worked according to steps. ---
Github user JonZeolla commented on the issue: https://github.com/apache/metron/pull/844 There is no requirement to upgrade bro with this change. All old fields and logs are still supported; this simply adds support for the new fields in existing logs, or for new logs altogether. You may notice that I removed capture password, as it is an internal field and never exposed to logs. It should not have been in there in the first place. ---
Github user ottobackwards commented on the issue: https://github.com/apache/metron/pull/844 Are there any consequences for users with external, existing and older bro installations? Will they have to upgrade bro if they take this build? ---
Github user JonZeolla commented on the issue: https://github.com/apache/metron/pull/844 I'm going to see if I can find some time today to fix the tests, but this is ready for review otherwise. Full-dev worked as expected for me. ---