Jon Zeolla created METRON-507:
---------------------------------

Summary: Elasticsearch is incorrectly indexing the Bro DNS "answers" field
Key: METRON-507
URL: https://issues.apache.org/jira/browse/METRON-507
Project: Metron
Issue Type: Bug
Reporter: Jon Zeolla
Fix For: 0.2.2BETA
Currently the template provided to Elasticsearch for Bro logs assumes that it will receive an IP address in the "answers" field of a Bro DNS log; however, that is not always true. Depending on the type of record received, the contents can be IP addresses, domain names, or character strings. Several RFCs cover this; a good starting point is RFC 1035, section 3.3.

Example error:

[1]: index [bro_index_2016.10.18.12], type [bro_doc], id [xyz-abc], message [MapperParsingException[failed to parse [answers]]; nested: IllegalArgumentException[failed to parse ip [something.example.com], not a valid ip address];]

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
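To show why an "ip"-typed "answers" field rejects CNAME and TXT answers while a string-typed field accepts them, here is an added Python check that is not part of the Metron project or the original issue. The sample Bro DNS records, the two mapping fragments and the `would_parse` approximation of Elasticsearch's field validation are all constructed assumptions for illustration; the real check is done by Elasticsearch at index time.

```python
import ipaddress

# Constructed sample Bro DNS records (not taken from the issue). The "answers" field
# carries the RDATA of each answer record: an address for A/AAAA, a name for CNAME,
# free-form text for TXT (RFC 1035, section 3.3).
SAMPLE_BRO_DNS = [
    {"uid": "C1", "query": "example.com", "qtype_name": "A",
     "answers": ["93.184.216.34"]},
    {"uid": "C2", "query": "www.example.com", "qtype_name": "CNAME",
     "answers": ["something.example.com"]},
    {"uid": "C3", "query": "example.com", "qtype_name": "TXT",
     "answers": ["v=spf1 -all"]},
    {"uid": "C4", "query": "example.com", "qtype_name": "AAAA",
     "answers": ["2606:2800:220:1:248:1893:25c8:1946"]},
]

# Hypothetical mapping fragments: the "before" shape the issue describes (ip type)
# and a string mapping that accepts any answer value without analysis.
IP_MAPPING = {"answers": {"type": "ip"}}
STRING_MAPPING = {"answers": {"type": "string", "index": "not_analyzed"}}


def would_parse(value, field_type):
    """Approximate Elasticsearch's type check for one value of the answers field.

    Assumption: an "ip" field accepts any syntactically valid IPv4/IPv6 address
    and nothing else; a string field accepts anything.
    """
    if field_type == "ip":
        try:
            ipaddress.ip_address(value)
            return True
        except ValueError:
            return False
    return True


def check_records(records, mapping):
    """Return (uid, offending value) for each record the mapping would reject.

    Run this over a batch of Bro DNS events before indexing to find the values
    that would trigger the MapperParsingException quoted in the issue.
    """
    field_type = mapping["answers"]["type"]
    rejected = []
    for rec in records:
        for ans in rec.get("answers", []):
            if not would_parse(ans, field_type):
                rejected.append((rec["uid"], ans))
                break  # one offending value is enough to reject the document
    return rejected
```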