[METRON-293] indexingBolt errors out for bro logs having IPV6 address or FQDNs - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Done
Priority: Minor
Resolution: Done
Affects Version/s: 0.2.1BETA
Fix Version/s: None
Labels:
None

Description

Hi,
So i am injecting the following bro log that has IPV6 addresses :-
{"http": {"ts":1467617777.886267,"uid":"CXkPNR186cdD0rqPi","id.orig_h":"2001:cdba:0:0:0:0:3257:9652","id.orig_p":49191,"id.resp_h":"2001:cdba:0:0:0:0:3257:9651","id.resp_p":80,"trans_depth":1,"method":"GET","host":"62.75.195.236","uri":"/?3a08b0be8322c244f5a1cb9c1057d941","user_agent":"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)","request_body_len":0,"response_body_len":0,"status_code":200,"status_msg":"OK","tags":[]}}

The bro parser parses the above log all good but I happen to see error with the enrichment indexingBolt.
Please find attached the stacktrace for enrichment indexing bolt and also the storm log captured for bro parser.

Regards,
Neha

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

day1.pcap.gz
18/Aug/16 11:13
2.75 MB
Anand Subramanian
Screen Shot 2016-07-08 at 4.59.56 PM.png
08/Jul/16 11:30
937 kB
Neha Sinha
bro_ipv6_address.rtf
08/Jul/16 11:26
11 kB
Neha Sinha
enrichment_indexingBolt_error_stack_trace.rtf
08/Jul/16 11:26
4 kB
Neha Sinha

Issue Links

is related to

METRON-403 Bro elasticsearch bulk index item fails when DNS response includes CNAME

Done

Activity

People

Assignee:: Nick Allen

Reporter:: Neha Sinha

Votes:: 0 Vote for this issue

Watchers:: 5 Start watching this issue

Dates

Created:: 08/Jul/16 11:22

Updated:: 11/Dec/18 20:31

Resolved:: 11/Dec/18 20:31