metron-dev mailing list archives

From JonZeolla <...@git.apache.org>
Subject [GitHub] incubator-metron pull request #547: METRON-858 bro-plugin-kafka is throwing ...
Date Thu, 27 Apr 2017 17:57:05 GMT
Github user JonZeolla commented on a diff in the pull request:

    https://github.com/apache/incubator-metron/pull/547#discussion_r113762122
  
    --- Diff: metron-sensors/bro-plugin-kafka/README.md ---
    @@ -94,6 +95,60 @@ event bro_init()
     }
     ```
     
    +### Example 3
    +
    +As documented in [METRON-285](https://issues.apache.org/jira/browse/METRON-285) and [METRON-286](https://issues.apache.org/jira/browse/METRON-286),
various components in Metron do not currently support IPv6.  Because of this, you may not
want to send bro logs that contain IPv6 source or destination IPs into Metron.  In this example,
we are assuming a somewhat standard bro configuration for sending logs into a Metron cluster,
such that:
    + * Each type of bro log is sent to the `bro` topic, but is tagged with the appropriate
log type (such as `http`, `dns`, or `conn`).  This is done by setting `topic_name` to `bro`,
setting `$path` to an empty string (or leaving it unset), and by setting `tag_json` to true.
    + * The Kafka writer is set appropriately to send logs to the `bro` Kafka topic being
used in your Metron cluster.  This requires that your `kafka_conf` and `$config` tables are
appropriately configured.
    +
    +```
    +@load Bro/Kafka/logs-to-kafka.bro
    +redef Kafka::topic_name = "bro";
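Review bot: The opening paragraph of Example 3 says "you may not want to send bro logs that contain IPv6 source or destination IPs into Metron" but never states the consequence. Records filtered this way are absent from Metron, so IPv6 traffic gets no coverage there. Add a sentence saying so, and note that those records need to be retained elsewhere if that visibility matters. Separately, the first bullet describes the setup only through `topic_name`, `$path` and `tag_json`. Because the snippet loads `logs-to-kafka.bro`, the README should say explicitly whether `logs_to_send` is expected to be set or left at its default, so that readers do not conflate it with `topic_name`.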
    --- End diff --
    
    I'm obviously missing something.  `logs_to_send` is not `topic_name`?  In my example `logs_to_send` is not set.

