Github user simonellistonball commented on the issue:
https://github.com/apache/incubator-metron/pull/531
As an alternative method for getting DHCP data out of pcap, you might
consider the existing Bro sensor, which essentially does what dhcpdump does,
but for a wider range of protocols, in a more sophisticated way. We also
already have a built-in parser.
That said, it would be great to have this parser too for people not looking for
the full range of Bro.
The multi-line aspect may not be an issue. The boundary for Metron is the
Kafka message, not really the line, so if you can split the log into multi-line
chunks prior to Kafka, potentially with something like NiFi based on a
delimiter. The way to do this is to use NiFi to insert a true delimiter (not
end of line) and then use the SplitContent to send individual log entries via
Kafka. It's a little heavy, but solves the multi-line problem as long as you're
not going to crazy levels of throughput e.g. hundreds of thousands of EPS.
---
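The delimiter-then-split approach described in the comment above, shown as an added Python example that is not part of the original comment and is not Metron or NiFi code. The dash-line entry boundary, the sample entries, and the choice of ASCII RS as the "true delimiter" are assumptions made for illustration.

```python
import re

RS = "\x1e"  # assumed "true delimiter": one byte, so it never straddles a chunk
# Assumed entry boundary: a line made only of dashes (not taken from the page).
BOUNDARY = re.compile(r"-{5,}\s*$")

def mark_boundaries(text):
    """Step 1: replace every boundary line with RS, keeping all other lines."""
    return "".join(RS if BOUNDARY.match(line) else line
                   for line in text.splitlines(keepends=True))

class RecordSplitter:
    """Step 2: split a byte-chunked stream on RS, one entry per output item."""
    def __init__(self):
        self._tail = ""  # unfinished entry carried over between chunks

    def feed(self, chunk):
        parts = (self._tail + chunk).split(RS)
        self._tail = parts.pop()          # last piece may still be growing
        return [p.strip() for p in parts if p.strip()]

    def flush(self):
        last, self._tail = self._tail.strip(), ""
        return [last] if last else []

def to_messages(text, chunk_size=16):
    """Return the payloads that would each become one Kafka message."""
    marked = mark_boundaries(text)
    splitter, out = RecordSplitter(), []
    for i in range(0, len(marked), chunk_size):   # simulate arbitrary reads
        out.extend(splitter.feed(marked[i:i + chunk_size]))
    return out + splitter.flush()

# Constructed multi-line entries for the demo; field layout is illustrative.
DASH = "-" * 40
SAMPLE = "\n".join([
    DASH,
    "  TIME: 2017-04-12 10:00:01",
    "    IP: 0.0.0.0 > 255.255.255.255",
    "    OP: 1 (BOOTPREQUEST)",
    DASH,
    "  TIME: 2017-04-12 10:00:02",
    "    IP: 192.0.2.1 > 192.0.2.50",
    "    OP: 2 (BOOTPREPLY)",
]) + "\n"

if __name__ == "__main__":
    for n, msg in enumerate(to_messages(SAMPLE), 1):
        print(f"--- message {n} ---\n{msg}")
```

Each returned string keeps its internal newlines, so the parser downstream receives a whole entry per message regardless of where the reads happened to break the stream.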