[Bro] Re: logs-to-elasticsearch.bro error

mz mz89924 at 126.com
Sat Mar 26 19:18:31 PDT 2016


Hi,

I installed the patch you provided, and a new error emerged. By the way: I did not find the krb-main file in the Bro source or in the elasticsearch plugin source code, so I did not install the krb-main.patch patch.

         

[2016-03-27 10:06:31,295][DEBUG][action.bulk              ] [node-1] [mzh-201603190900][0] failed to execute bulk item (index) index {[mzh-201603190900][http][AVO10phhcNJqDxEYDvYi], source[{"ts":"2016-03-19T09:48:21.250090Z","uid":"CU0uvD4pYTE2YeoKh","id.orig_h":"222.246.191.234","id.orig_p":11325,"id.resp_h":"119.143.122.225","id.resp_p":80,"trans_depth":1,"method":"GET","host":"xxxxxx.com.cn","uri":"/img/xxxxxx/Uploads/2015-08-24/55daef788341b.jpg","user_agent":"WeChat/6.3.13.17 CFNetwork/758.2.8 Darwin/15.0.0","request_body_len":0,"response_body_len":15201,"status_code":200,"status_msg":"OK","tags":[],"resp_fuids":["F3xb6m3Ffqs0QW1AI4"],"resp_mime_types":["image/jpeg"]}]}
MapperParsingException[Field name [id.orig_h] cannot contain '.']
        at org.elasticsearch.index.mapper.object.ObjectMapper$TypeParser.parseProperties(ObjectMapper.java:276)
        at org.elasticsearch.index.mapper.object.ObjectMapper$TypeParser.parseObjectOrDocumentTypeProperties(ObjectMapper.java:221)
        at org.elasticsearch.index.mapper.object.RootObjectMapper$TypeParser.parse(RootObjectMapper.java:138)
        at org.elasticsearch.index.mapper.DocumentMapperParser.parse(DocumentMapperParser.java:119)
        at org.elasticsearch.index.mapper.DocumentMapperParser.parse(DocumentMapperParser.java:100)
        at org.elasticsearch.index.mapper.MapperService.parse(MapperService.java:435)
        at org.elasticsearch.cluster.metadata.MetaDataMappingService$PutMappingExecutor.applyRequest(MetaDataMappingService.java:257)
        at org.elasticsearch.cluster.metadata.MetaDataMappingService$PutMappingExecutor.execute(MetaDataMappingService.java:230)
        at org.elasticsearch.cluster.service.InternalClusterService.runTasksForExecutor(InternalClusterService.java:458)
        at org.elasticsearch.cluster.service.InternalClusterService$UpdateTask.run(InternalClusterService.java:762)
        at org.elasticsearch.common.util.concurrent.PrioritizedEsThreadPoolExecutor$TieBreakingPrioritizedRunnable.runAndClean(PrioritizedEsThreadPoolExecutor.java:231)
        at org.elasticsearch.common.util.concurrent.PrioritizedEsThreadPoolExecutor$TieBreakingPrioritizedRunnable.run(PrioritizedEsThreadPoolExecutor.java:194)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
        at java.lang.Thread.run(Thread.java:745)

From: Daniel Guerra [mailto:daniel.guerra69 at gmail.com]
Sent: 25 March 2016 17:51
To: mz
Cc: bro at bro.org
Subject: Re: [Bro] logs-to-elasticsearch.bro error

 

Hi,

To make this work you need some patches, or use an elasticsearch version lower than 2 (1.7).

I made a docker image for this:
https://hub.docker.com/r/danielguerra/bro-debian-elasticsearch/

In the git repository there is a folder bro-patch:
https://github.com/danielguerra69/bro-debian-elasticsearch.git

Regards,

Daniel

 

On 25 Mar 2016, at 10:42, mz <mz89924 at 126.com> wrote:

Dear all,

I use logs-to-elasticsearch.bro to send logs to ES. It is not working.

ES error logs:

[2016-03-25 17:30:52,957][DEBUG][action.bulk              ] [node-1] [whbro-201603251500][1] failed to execute bulk item (index) index {[whbro-201603251500][dns][AVOtHLQHooGOx5uLgLSQ], source[{"_timestamp":1458898236411,"ts":1458898206267,"uid":"ClbNI74bIcRQ8Gs6Wc","id.orig_h":"10.100.78.88","id.orig_p":137,"id.resp_h":"10.100.79.255","id.resp_p":137,"proto":"udp","trans_id":47282,"query":"ISATAP","qclass":1,"qclass_name":"C_INTERNET","qtype":32,"qtype_name":"NB","AA":false,"TC":false,"RD":true,"RA":false,"Z":1,"rejected":false}]}
MapperParsingException[Field [_timestamp] is a metadata field and cannot be added inside a document. Use the index API request parameters.]
        at org.elasticsearch.index.mapper.DocumentParser.parseObject(DocumentParser.java:213)
        at org.elasticsearch.index.mapper.DocumentParser.innerParseDocument(DocumentParser.java:131)
        at org.elasticsearch.index.mapper.DocumentParser.parseDocument(DocumentParser.java:79)
        at org.elasticsearch.index.mapper.DocumentMapper.parse(DocumentMapper.java:304)
        at org.elasticsearch.index.shard.IndexShard.prepareCreate(IndexShard.java:500)
        at org.elasticsearch.index.shard.IndexShard.prepareCreateOnPrimary(IndexShard.java:481)
        at org.elasticsearch.action.index.TransportIndexAction.prepareIndexOperationOnPrimary(TransportIndexAction.java:214)
        at org.elasticsearch.action.index.TransportIndexAction.executeIndexRequestOnPrimary(TransportIndexAction.java:223)
        at org.elasticsearch.action.bulk.TransportShardBulkAction.shardIndexOperation(TransportShardBulkAction.java:326)
        at org.elasticsearch.action.bulk.TransportShardBulkAction.shardOperationOnPrimary(TransportShardBulkAction.java:119)
        at org.elasticsearch.action.bulk.TransportShardBulkAction.shardOperationOnPrimary(TransportShardBulkAction.java:68)
        at org.elasticsearch.action.support.replication.TransportReplicationAction$PrimaryPhase.doRun(TransportReplicationAction.java:595)
        at org.elasticsearch.common.util.concurrent.AbstractRunnable.run(AbstractRunnable.java:37)
        at org.elasticsearch.action.support.replication.TransportReplicationAction$PrimaryOperationTransportHandler.messageReceived(TransportReplicationAction.java:263)
        at org.elasticsearch.action.support.replication.TransportReplicationAction$PrimaryOperationTransportHandler.messageReceived(TransportReplicationAction.java:260)
        at org.elasticsearch.transport.TransportService$4.doRun(TransportService.java:350)
        at org.elasticsearch.common.util.concurrent.AbstractRunnable.run(AbstractRunnable.java:37)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
        at java.lang.Thread.run(Thread.java:745)

 

Bro config file:
/usr/local/bro/lib/bro/plugins/Bro_ElasticSearch/scripts/init.bro

module LogElasticSearch;

export {
        ## Destination for the ES logs.  Valid options are
        ## "direct" to directly connect to ES and "nsq" to
        ## transfer the logs into an nsqd instance.
        const destination = "direct" &redef;

        ## Name of the ES cluster.
        const cluster_name = "my-application" &redef;

        ## ES server.
        const server_host = "10.100.79.10" &redef;

        ## ES port.
        const server_port = 9200 &redef;

        ## Name of the ES index.
        const index_prefix = "testooo" &redef;

        ## Should the index names be in UTC or in local time?
        ## Setting this to true would be more compatible with Kibana and other tools.
        const index_name_in_utc = F &redef;

        ## Format for the index names.
        ## Setting this to "%Y.%m.%d-%H" would be more compatible with Kibana and other tools.
        #const index_name_fmt = "%Y%m%d" &redef;
        const index_name_fmt = "%Y%m%d%H%M" &redef;

        ## The ES type prefix comes before the name of the related log.
        ## e.g. prefix = "bro\_" would create types of bro_dns, bro_software, etc.
        const type_prefix = "" &redef;

        ## The time before an ElasticSearch transfer will timeout. Note that
        ## the fractional part of the timeout will be ignored. In particular,
        ## time specifications less than a second result in a timeout value of
        ## 0, which means "no timeout."
        const transfer_timeout = 2secs;

        ## The batch size is the number of messages that will be queued up before
        ## they are sent to be bulk indexed.
        const max_batch_size = 1000 &redef;

        ## The maximum amount of wall-clock time that is allowed to pass without
        ## finishing a bulk log send.  This represents the maximum delay you
        ## would like to have with your logs before they are sent to ElasticSearch.
        const max_batch_interval = 1min &redef;

        ## The maximum byte size for a buffered JSON string to send to the bulk
        ## insert API.
        const max_byte_size = 1024 * 1024 &redef;

        ## If the "nsq" destination is given, this is the topic
        ## that Bro will push logs into.
        const nsq_topic = "bro_logs" &redef;
}

 

_______________________________________________
Bro mailing list
bro at bro-ids.org
http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
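Both ES 2.x rejections quoted in this thread ("Field name [id.orig_h] cannot contain '.'" and "Field [_timestamp] is a metadata field ... Use the index API request parameters") are rewrites the log shipper has to perform before a bulk item is accepted; every rejected item is a Bro log line that never reaches the index, which matters when ES is the detection store. The Python below is an added example, not code from the thread, the Bro plugin or Daniel's patch set: it parses the dns record quoted above, renames dotted fields with underscores (one of the two usual fixes; nesting them into objects is the other) and lifts `_timestamp` into the bulk action line, assuming, as the error message suggests, that ES 2.x accepts it there.

```python
import json

# Constructed sample: the dns bulk item source quoted in the thread. It carries
# both things ES 2.x rejects: "_timestamp" inside the document and '.' in keys.
BRO_DNS_RECORD = json.loads(
    '{"_timestamp":1458898236411,"ts":1458898206267,"uid":"ClbNI74bIcRQ8Gs6Wc",'
    '"id.orig_h":"10.100.78.88","id.orig_p":137,"id.resp_h":"10.100.79.255",'
    '"id.resp_p":137,"proto":"udp","trans_id":47282,"query":"ISATAP","qclass":1,'
    '"qclass_name":"C_INTERNET","qtype":32,"qtype_name":"NB","AA":false,'
    '"TC":false,"RD":true,"RA":false,"Z":1,"rejected":false}'
)

# Metadata fields ES 2.x refuses inside a document body (assumption: _ttl is
# handled the same way as _timestamp, which the error message names).
META_FIELDS = {"_timestamp", "_ttl"}


def sanitize_bro_record(record):
    """Split one Bro log record into (action_metadata, source).

    Dots in field names become underscores (ES 2.x: "Field name [id.orig_h]
    cannot contain '.'"); metadata fields are lifted out of the source so
    they can travel in the bulk action line instead, as the second error
    in the thread asks for ("Use the index API request parameters").
    """
    meta, source = {}, {}
    for key, value in record.items():
        if key in META_FIELDS:
            meta[key] = value
        else:
            source[key.replace(".", "_")] = value
    return meta, source


def build_bulk_item(record, index, doc_type):
    """Return the (action, source) pair for one bulk 'index' item."""
    meta, source = sanitize_bro_record(record)
    action = {"index": {"_index": index, "_type": doc_type, **meta}}
    return action, source


def to_ndjson(action, source):
    """Serialize a bulk item as the two newline-terminated lines ES expects."""
    return json.dumps(action, sort_keys=True) + "\n" + json.dumps(source, sort_keys=True) + "\n"


def es2_compatible(source):
    """Pre-flight check: would ES 2.x accept this source document?"""
    return all("." not in k and k not in META_FIELDS for k in source)
```

Running `es2_compatible` on each source before it is appended to a batch turns a silent per-item bulk failure into something the shipper can count and alert on.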

 
