Re: [jira] [Comment Edited] (METRON-507) Elasticsearch is incorrectly indexing the Bro DNS "answers" field

2016-10-18 Thread zeo...@gmail.com
Thanks James, now I can self-assign.  I will close 507 and work on 508
soon.  Thanks,

Jon

On Tue, Oct 18, 2016 at 3:15 PM James Sirota wrote:

> Try now
>
> On 10/18/16, 12:12 PM, "Jon Zeolla (JIRA)"  wrote:
>
> >
> >[ https://issues.apache.org/jira/browse/METRON-507?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15586376#comment-15586376 ]
> >
> >Jon Zeolla edited comment on METRON-507 at 10/18/16 7:12 PM:
> >-
> >
> >You [beat me](https://github.com/JonZeolla/incubator-metron/commit/956169c3da99a1379761e82f810f55fd5f16d915)
> >to the PR.  I'm still not sure how to assign issues (i.e. this, METRON-508,
> >etc.) to myself...
> >
> >
> >was (Author: zeo...@gmail.com):
> >You [beat me](https://github.com/JonZeolla/incubator-metron/commit/956169c3da99a1379761e82f810f55fd5f16d915)
> >to the PR.  I was trying to figure out how to assign this and METRON-508 to
> >myself...
> >
> >> Elasticsearch is incorrectly indexing the Bro DNS "answers" field
> >> -
> >>
> >> Key: METRON-507
> >> URL: https://issues.apache.org/jira/browse/METRON-507
> >> Project: Metron
> >> Issue Type: Bug
> >> Reporter: Jon Zeolla
> >> Fix For: 0.2.2BETA
> >>
> >> Original Estimate: 10m
> >> Remaining Estimate: 10m
> >>
> >> Currently the template provided to Elasticsearch for bro logs is
> >> assuming that it will get an ip address in the answers field of a Bro DNS
> >> log, however that is not always true.  Depending on the type of record
> >> being received, the contents could vary between IPs, domain names, or
> >> character strings.  Various RFCs outline this, however a good starting
> >> point is RFC 1035 section 3.3.
> >> Example error:
> >> [1]: index [bro_index_2016.10.18.12], type [bro_doc], id [xyz-abc],
> >> message [MapperParsingException[failed to parse [answers]]; nested:
> >> IllegalArgumentException[failed to parse ip [something.example.com], not
> >> a valid ip address];]
>
-- 

Jon


Re: [jira] [Comment Edited] (METRON-507) Elasticsearch is incorrectly indexing the Bro DNS "answers" field

2016-10-18 Thread James Sirota
Try now

On 10/18/16, 12:12 PM, "Jon Zeolla (JIRA)"  wrote:

>
>[ https://issues.apache.org/jira/browse/METRON-507?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15586376#comment-15586376 ]
>
>Jon Zeolla edited comment on METRON-507 at 10/18/16 7:12 PM:
>-
>
>You [beat me](https://github.com/JonZeolla/incubator-metron/commit/956169c3da99a1379761e82f810f55fd5f16d915)
>to the PR.  I'm still not sure how to assign issues (i.e. this, METRON-508,
>etc.) to myself...
>
>
>was (Author: zeo...@gmail.com):
>You [beat me](https://github.com/JonZeolla/incubator-metron/commit/956169c3da99a1379761e82f810f55fd5f16d915)
>to the PR.  I was trying to figure out how to assign this and METRON-508 to
>myself...
>
>> Elasticsearch is incorrectly indexing the Bro DNS "answers" field
>> -
>>
>> Key: METRON-507
>> URL: https://issues.apache.org/jira/browse/METRON-507
>> Project: Metron
>> Issue Type: Bug
>> Reporter: Jon Zeolla
>> Fix For: 0.2.2BETA
>>
>> Original Estimate: 10m
>> Remaining Estimate: 10m
>>
>> Currently the template provided to Elasticsearch for bro logs is assuming 
>> that it will get an ip address in the answers field of a Bro DNS log, 
>> however that is not always true.  Depending on the type of record being 
>> received, the contents could vary between IPs, domain names, or character 
>> strings.  Various RFCs outline this, however a good starting point is RFC 
>> 1035 section 3.3.  
>> Example error:
>> [1]: index [bro_index_2016.10.18.12], type [bro_doc], id [xyz-abc], message 
>> [MapperParsingException[failed to parse [answers]]; nested: 
>> IllegalArgumentException[failed to parse ip [something.example.com], not a 
>> valid ip address];]
>
>
>
>--
>This message was sent by Atlassian JIRA
>(v6.3.4#6332)
>
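
The failure described in the METRON-507 report above, as an added example that is not part of the thread or of Metron's code: it checks constructed Bro DNS records for `answers` values that a field mapped as an IP address could not parse. The sample records and function names are assumptions, and the check treats any valid IPv4 or IPv6 string as acceptable to the mapping.

```python
import ipaddress

# Constructed Bro DNS log records (not taken from the thread). Field names
# follow Bro's dns.log; "answers" holds whatever the record type carries.
SAMPLE_RECORDS = [
    {"query": "www.example.com", "qtype_name": "A", "answers": ["192.0.2.10"]},
    {"query": "v6.example.com", "qtype_name": "AAAA", "answers": ["2001:db8::10"]},
    {"query": "mail.example.com", "qtype_name": "CNAME",
     "answers": ["something.example.com", "192.0.2.25"]},
    {"query": "example.com", "qtype_name": "TXT", "answers": ["v=spf1 -all"]},
    {"query": "nx.example.com", "qtype_name": "A"},  # no answers field at all
]


def is_ip(value):
    """True if value parses as an IPv4 or IPv6 address."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def rejected_answers(record):
    """Answers that an ip-typed "answers" field could not parse."""
    return [a for a in record.get("answers", []) if not is_ip(a)]


def audit(records):
    """Map each query to the answers that would make indexing fail."""
    failures = {}
    for record in records:
        bad = rejected_answers(record)
        if bad:
            failures[record["query"]] = bad
    return failures


def ip_mapping_is_safe(records):
    """An ip mapping is only safe if no record carries a non-IP answer."""
    return not audit(records)


if __name__ == "__main__":
    for query, bad in audit(SAMPLE_RECORDS).items():
        print(f"{query}: would be rejected by an ip mapping -> {bad}")
```

Run against a sample of real dns.log output, a non-empty result from `audit` means documents are being dropped at index time, which leaves gaps in DNS visibility for exactly the CNAME and TXT responses analysts often need.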