Created 02-24-2017 05:30 AM
After running Metron for a little while, I received this exception:
index [bro_index_2017.02.23.16], type [bro_doc], id [AVpp_hu_luwdJ-LP4qUA], message [MapperParsingException[failed to parse [ip_dst_addr]]; nested: IllegalArgumentException[failed to parse ip [ff02::0001:0003], not a valid ipv4 address (4 dots)];]
How do I resolve it? I'd appreciate any help!
Created 02-24-2017 06:01 AM
Well, the problem is actually in the Elasticsearch indexing templates. Normally, I'd say that you could use a message filter to filter out the IPv6 data in the parser, but I know that they don't work in HCS 1.0. As a workaround, you could transform the IPv6 addresses to 0.0.0.0 and they'll index. You can also save off the old address in a new field. This would be how you would do it with Stellar field transformations.
Edit $METRON_HOME/config/zookeeper/parsers/bro.json to add the "fieldTransformations" section, like so:
{
  "parserClassName": "org.apache.metron.parsers.bro.BasicBroParser",
  "sensorTopic": "bro",
  "parserConfig": {},
  "fieldTransformations": [
    {
      "transformation": "STELLAR",
      "output": [ "raw_dst_ip", "ip_dst_addr" ],
      "config": {
        "raw_dst_ip": "ip_dst_addr",
        "ip_dst_addr": "if IS_IP(ip_dst_addr, 'IPV4') then ip_dst_addr else '0.0.0.0'"
      }
    }
  ]
}
If things work out like they should, you'll have a raw_dst_ip field and ip_dst_addr will either be IPv4 or '0.0.0.0', which will index just fine.
In the next release, you'll have a message filter that works, so you could drop them more easily.
Hope this helps! Report back if you get into trouble.
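To see what the workaround above does to a record before pushing the config to ZooKeeper, here is an added Python example (not Metron's or Stellar's own code) that mimics the same two-step transformation on a handful of constructed Bro events: copy the original value into raw_dst_ip, then force ip_dst_addr to a value the Elasticsearch ip mapping will accept. The is_ipv4 helper stands in for Stellar's IS_IP(x, 'IPV4'), and drop_non_ipv4 shows the alternative a working message filter would give you (dropping the whole event). Field names are the ones from this thread; the sample values are invented.

```python
import ipaddress
import json

# Constructed sample events, shaped like what the Bro parser emits.
# Field names match this thread; the addresses themselves are invented.
SAMPLE_EVENTS = [
    {"ip_src_addr": "10.0.0.5", "ip_dst_addr": "93.184.216.34", "protocol": "tcp"},
    {"ip_src_addr": "fe80::1", "ip_dst_addr": "ff02::0001:0003", "protocol": "udp"},
    {"ip_src_addr": "10.0.0.7", "ip_dst_addr": "not-an-ip", "protocol": "tcp"},
]

FALLBACK_IPV4 = "0.0.0.0"  # same placeholder the Stellar expression uses


def is_ipv4(value):
    """Stand-in for Stellar IS_IP(value, 'IPV4'): True only for a valid IPv4 literal."""
    if not isinstance(value, str):
        return False
    try:
        return isinstance(ipaddress.ip_address(value), ipaddress.IPv4Address)
    except ValueError:
        return False


def stellar_workaround(event):
    """Apply the fieldTransformations block from the answer above.

    raw_dst_ip keeps whatever the parser produced, so nothing is lost;
    ip_dst_addr is guaranteed to be IPv4 (or 0.0.0.0) so the index accepts it.
    Only ip_dst_addr is touched, exactly as on the page; if the index template
    also types ip_src_addr as ip, it would need the same treatment (assumption).
    """
    out = dict(event)
    original = event.get("ip_dst_addr")
    out["raw_dst_ip"] = original
    out["ip_dst_addr"] = original if is_ipv4(original) else FALLBACK_IPV4
    return out


def drop_non_ipv4(events):
    """Alternative behaviour of a parser message filter: discard the event instead."""
    return [e for e in events if is_ipv4(e.get("ip_dst_addr"))]


def transform_all(events):
    """Transform every event; returns the index-safe list."""
    return [stellar_workaround(e) for e in events]


if __name__ == "__main__":
    for e in transform_all(SAMPLE_EVENTS):
        print(json.dumps(e, sort_keys=True))
    print("kept by filter:", len(drop_non_ipv4(SAMPLE_EVENTS)), "of", len(SAMPLE_EVENTS))
```

Running it shows the IPv6 and the malformed record both end up with ip_dst_addr set to 0.0.0.0 while raw_dst_ip still holds the original string, so you can still search for the IPv6 traffic later; the filter variant keeps only the one genuine IPv4 record.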
Created 02-24-2017 06:01 AM
@cstella is there any approach to do this?
Created 02-24-2017 06:01 AM
We do not currently support IPv6 addresses in Metron. You have unfortunately hit https://issues.apache.org/jira/browse/METRON-293
Created 02-24-2017 06:01 AM
So I want to disable IPv6 in Bro. Do you know how to do that?
Created 02-24-2017 06:01 AM
I just do not want IPv6 to show up in the Bro logs.
Created 02-24-2017 06:03 AM
I should point out that, after you make that change, you will need to push the configs to ZooKeeper via $METRON_HOME/bin/zk_load_configs.sh --mode PUSH -i $METRON_HOME/config/zookeeper -z $ZK_QUORUM
where ZK_QUORUM is something like hostname:2181
Created 02-24-2017 06:31 AM
Actually, I hope the Bro logs capture IPv4 info only. Is there any configuration to set?
Created 02-24-2017 07:03 AM
Or why don't you translate IPv6 to IPv4 with a Stellar script?
Created 02-24-2017 06:44 PM
What cstella is suggesting should work, but you can also filter upstream in Bro using a predicate. I can give more help later if necessary, but I first suggest you read and understand the post below and look at my Bro script. My script filters IPv6 traffic for conn, HTTP, and DNS, and also filters all non-internet traffic (you can simply remove that part of the logic for your situation) if you are using the Kafka plugin.
http://blog.bro.org/2012/02/filtering-logs-with-bro.html
https://github.com/JonZeolla/Development/blob/master/bro/logs-to-kafka.bro
Hope that helps.