https://community.cloudera.com/t5/Archives-of-Support-Questions/Exception-in-indexingBolt-of-indexing-topology/m-p/123640#M55415 <P>Thank you so much! I will feed back if it works.</P> Tue, 28 Feb 2017 10:52:41 GMT 308741831 2017-02-28T10:52:41Z https://community.cloudera.com/t5/Archives-of-Support-Questions/Exception-in-indexingBolt-of-indexing-topology/m-p/123630#M55405 <P></P><P>After runing Metron a little while,I received this exception:</P><P> index [bro_index_2017.02.23.16], type [bro_doc], id [AVpp_hu_luwdJ-LP4qUA], message [MapperParsingException[failed to parse [ip_dst_addr]]; nested: IllegalArgumentException[failed to parse ip [ff02::0001:0003], not a valid ipv4 address (4 dots)];]</P><P>How do i resolve it ? I'll appreciate it for any help!</P> Fri, 24 Feb 2017 13:30:23 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/Exception-in-indexingBolt-of-indexing-topology/m-p/123630#M55405 308741831 2017-02-24T13:30:23Z https://community.cloudera.com/t5/Archives-of-Support-Questions/Exception-in-indexingBolt-of-indexing-topology/m-p/123631#M55406 <P>Well, the problem is actually in the elasticsearch indexing templates. Normally, I'd say that you could use a message filter to filter out the IPv6 data in the parser, but I know that they don't work in HCS 1.0. As a workaround, you could transform the IPv6 addresses to 0.0.0.0 and they'll index. You can also save off the old address in a new field. This would be how you would do it with Stellar field transformations.</P><P>Edit $METRON_HOME/config/zookeeper/parsers/bro.json to add the "fieldTransformations" section, like so:</P><PRE>{ "parserClassName":"org.apache.metron.parsers.bro.BasicBroParser", "sensorTopic":"bro", "parserConfig": {}, "fieldTransformations" : [ { "transformation" : "STELLAR" ,"output" : [ "raw_dst_ip" , "ip_dst_addr" ] ,"config" : { "raw_dst_ip" : "ip_dst_addr" ,"ip_dst_addr" : "if IS_IP(ip_dst_addr, 'IPV4') then ip_dst_addr else '0.0.0.0'" } } ] } </PRE><P>If things work out like they should, you'll have a raw_dst_ip field and ip_dst_addr will either be IPv4 or '0.0.0.0', which will index just fine.</P><P>In the next release, you'll have a message filter that works so you could drop them easier.</P><P>Hope this helps! Report back if you get into trouble.</P> Fri, 24 Feb 2017 14:01:05 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/Exception-in-indexingBolt-of-indexing-topology/m-p/123631#M55406 cstella 2017-02-24T14:01:05Z https://community.cloudera.com/t5/Archives-of-Support-Questions/Exception-in-indexingBolt-of-indexing-topology/m-p/123632#M55407 <P><A rel="user" href="https://community.cloudera.com/users/597/cstella.html" nodeid="597">@cstella</A> is there any approches to do this?</P> Fri, 24 Feb 2017 14:01:06 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/Exception-in-indexingBolt-of-indexing-topology/m-p/123632#M55407 308741831 2017-02-24T14:01:06Z https://community.cloudera.com/t5/Archives-of-Support-Questions/Exception-in-indexingBolt-of-indexing-topology/m-p/123633#M55408 <P>We do not currently support IPv6 addresses in Metron. You have unfortunately hit <A href="https://issues.apache.org/jira/browse/METRON-293" target="_blank">https://issues.apache.org/jira/browse/METRON-293</A></P> Fri, 24 Feb 2017 14:01:06 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/Exception-in-indexingBolt-of-indexing-topology/m-p/123633#M55408 cstella 2017-02-24T14:01:06Z https://community.cloudera.com/t5/Archives-of-Support-Questions/Exception-in-indexingBolt-of-indexing-topology/m-p/123634#M55409 <P>so i wanna disable ipv6 in bro ,do you know how to do that?</P> Fri, 24 Feb 2017 14:01:07 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/Exception-in-indexingBolt-of-indexing-topology/m-p/123634#M55409 308741831 2017-02-24T14:01:07Z https://community.cloudera.com/t5/Archives-of-Support-Questions/Exception-in-indexingBolt-of-indexing-topology/m-p/123635#M55410 <P>i just do not want ipv6 show up in bro logs</P> Fri, 24 Feb 2017 14:01:08 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/Exception-in-indexingBolt-of-indexing-topology/m-p/123635#M55410 308741831 2017-02-24T14:01:08Z https://community.cloudera.com/t5/Archives-of-Support-Questions/Exception-in-indexingBolt-of-indexing-topology/m-p/123636#M55411 <P>I should point out that you will need to, after you make that change, push the configs to zookeeper via $METRON_HOME/bin/zk_load_configs.sh --mode PUSH -i $METRON_HOME/config/zookeeper -z $ZK_QUORUM</P><P>where ZK_QUORUM is something like hostname:2181</P> Fri, 24 Feb 2017 14:03:22 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/Exception-in-indexingBolt-of-indexing-topology/m-p/123636#M55411 cstella 2017-02-24T14:03:22Z https://community.cloudera.com/t5/Archives-of-Support-Questions/Exception-in-indexingBolt-of-indexing-topology/m-p/123637#M55412 <P>actually ,i hope bro logs capture ipv4 info only ,is there any configuration to set </P> Fri, 24 Feb 2017 14:31:12 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/Exception-in-indexingBolt-of-indexing-topology/m-p/123637#M55412 308741831 2017-02-24T14:31:12Z https://community.cloudera.com/t5/Archives-of-Support-Questions/Exception-in-indexingBolt-of-indexing-topology/m-p/123638#M55413 <P>or why dont you translate ipv6 to ipv4 with stellar script?</P> Fri, 24 Feb 2017 15:03:53 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/Exception-in-indexingBolt-of-indexing-topology/m-p/123638#M55413 308741831 2017-02-24T15:03:53Z https://community.cloudera.com/t5/Archives-of-Support-Questions/Exception-in-indexingBolt-of-indexing-topology/m-p/123639#M55414 <P>What cstella is suggesting should work, but you can also filter upstream in bro using a predicate. I can give more help later if necessary but I first suggest you read and understand the below post and look at my bro script. My script filters IPv6 traffic for Conn, HTTP, and dns, and also filters all non-internet traffic (you can simply remove that part of the logic for your situation) if you are using the Kafka plugin.</P><P><A href="http://blog.bro.org/2012/02/filtering-logs-with-bro.html">http://blog.bro.org/2012/02/filtering-logs-with-bro.html</A></P><P><A href="https://github.com/JonZeolla/Development/blob/master/bro/logs-to-kafka.bro">https://github.com/JonZeolla/Development/blob/master/bro/logs-to-kafka.bro</A></P><P>Hope that helps.</P> Sat, 25 Feb 2017 02:44:35 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/Exception-in-indexingBolt-of-indexing-topology/m-p/123639#M55414 zeolla 2017-02-25T02:44:35Z https://community.cloudera.com/t5/Archives-of-Support-Questions/Exception-in-indexingBolt-of-indexing-topology/m-p/123640#M55415 <P>Thank you so much! I will feed back if it works.</P> Tue, 28 Feb 2017 10:52:41 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/Exception-in-indexingBolt-of-indexing-topology/m-p/123640#M55415 308741831 2017-02-28T10:52:41Z https://community.cloudera.com/t5/Archives-of-Support-Questions/Exception-in-indexingBolt-of-indexing-topology/m-p/123641#M55416 <P>Thank you ! It works.</P> Tue, 28 Feb 2017 15:43:41 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/Exception-in-indexingBolt-of-indexing-topology/m-p/123641#M55416 308741831 2017-02-28T15:43:41Z