[ https://issues.apache.org/jira/browse/METRON-508?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16056122#comment-16056122 ]

ASF GitHub Bot commented on METRON-508:
---------------------------------------

Github user JonZeolla commented on a diff in the pull request:

    https://github.com/apache/metron/pull/586#discussion_r123040458
  
    --- Diff: metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/METRON/CURRENT/package/files/bro_index.template ---
    @@ -238,6 +238,538 @@
             "qtype_name": {
               "type": "string",
               "index": "not_analyzed"
    +        },
    +        "analyzer": {
    +          "type": "string",
    +          "index": "not_analyzed"
    +        },
    +        "failure_reason": {
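    Review bot: `analyzer` and `failure_reason` are appended directly after the DNS `qtype_name` entry with nothing in the template marking which Bro log each new field belongs to, so a reader cannot tell a DNS field from a field contributed by another log. Since the thread says per-log grouping was dropped because of colliding field names across logs, a short note at the top of the `properties` block listing the fields that are shared between logs (and which log's type was chosen for them) would preserve that information without reintroducing the grouping problem.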
    --- End diff --
    
    Right, I considered both options, and implemented option 2 at one point,
    but I removed the comments because of the field name collisions (i.e. two
    separate bro logs with an overlapping field name).  While reading through the
    template, it was confusing that a given section wouldn't contain all of the
    fields for a specific log, because they were addressed earlier in the template
    under another log's section.
    
    I would prefer to merge this in as-is, and address the collision problem
    separately (at least, that was my intent).  The first true solution that comes
    to mind is to put the individual bro logs into distinct indexes, but then we
    would need to change anywhere in Metron that touches bro data.  I would prefer
    to do that after METRON-939 (#619), if it gets merged.
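A small added illustration of the collision problem discussed in the comment above (example code, not Metron's or the PR author's own): it merges per-log field maps into one template `properties` block and reports every field name shared by more than one Bro log, separating harmless same-type overlaps from type conflicts that would break the merged template. The log names, field sets, the shared `uid` field and the `weird` type conflict are all constructed for the example; only the `"string"` + `"not_analyzed"` mapping style is taken from the hunk.

```python
"""Merge per-Bro-log field maps into one Elasticsearch template
"properties" block and report field-name collisions across logs.

Added example, not Metron's own code. The log/field sets below are
constructed; the mapping style ("string" + "not_analyzed") mirrors
the snippet in the pull request.
"""
from collections import defaultdict
import json

# Constructed sample: a few fields for three Bro logs. "uid" is shared
# with the same type; "analyzer" is shared and one log disagrees on type.
BRO_LOG_FIELDS = {
    "dns": {"qtype_name": "string", "analyzer": "string", "uid": "string"},
    "files": {"analyzer": "string", "failure_reason": "string", "uid": "string"},
    "weird": {"analyzer": "long", "notice": "boolean"},  # constructed conflict
}

def field_mapping(es_type):
    """ES 2.x style mapping for one field, as used in the PR template."""
    if es_type == "string":
        return {"type": "string", "index": "not_analyzed"}
    return {"type": es_type}

def merge_templates(log_fields):
    """Return (properties, collisions).

    properties: merged 'properties' block keyed by field name.
    collisions: {field: {log: es_type}} for names used by more than one log.
    The first-seen type wins in the merged block; a later conflicting type
    is reported, never silently overwritten."""
    owners = defaultdict(dict)
    properties = {}
    for log, fields in log_fields.items():
        for name, es_type in fields.items():
            owners[name][log] = es_type
            properties.setdefault(name, field_mapping(es_type))
    collisions = {n: o for n, o in owners.items() if len(o) > 1}
    return properties, collisions

def conflicting(collisions):
    """Subset of collisions where the logs disagree on the ES type."""
    return {n: o for n, o in collisions.items() if len(set(o.values())) > 1}

if __name__ == "__main__":
    props, coll = merge_templates(BRO_LOG_FIELDS)
    print(json.dumps({"properties": props}, indent=2))
    for name, who in coll.items():
        tag = "TYPE CONFLICT" if name in conflicting(coll) else "shared"
        print(f"{tag}: {name} -> {who}")
```

Shared names with one agreed type can safely live in a single flat template; a conflicting type is the case that forces either a renamed field or separate indexes, as the comment suggests.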


> Expand Elasticsearch templates to support the standard bro logs
> ---------------------------------------------------------------
>
>                 Key: METRON-508
>                 URL: https://issues.apache.org/jira/browse/METRON-508
>             Project: Metron
>          Issue Type: Sub-task
>            Reporter: Jon Zeolla
>            Assignee: Jon Zeolla
>            Priority: Minor
>   Original Estimate: 2h
>  Remaining Estimate: 2h
>
> The current elasticsearch templates do not support any logs other than Conn, 
> HTTP, and DNS.  We should provide additional templates so that an 
> out-of-the-box bro install can send all of its logs into Metron and they will 
> get probably indexed in elasticsearch.  



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)