metron-issues mailing list archives

From "Nick Allen (JIRA)" <>
Subject [jira] [Created] (METRON-1926) Parser Validation Does Not Indicate Cause of Failure
Date Thu, 06 Dec 2018 20:56:00 GMT
Nick Allen created METRON-1926:

             Summary: Parser Validation Does Not Indicate Cause of Failure
                 Key: METRON-1926
             Project: Metron
          Issue Type: Bug
            Reporter: Nick Allen

The BasicParser performs some validation of the messages produced by a parser.  It ensures
that a parser implementation produces a message with a 'timestamp' and an 'original_string'.

When the BasicParser causes message parsing to fail, the error message that is produced and
sent to the error topic does not contain any information indicating why the message failed
to parse.  The only indications are log statements made at the trace level.

For example, using a new regex parser implementation, the BasicParser was causing valid messages
to fail because there was no timestamp added by this parser.  The error message produced
does not indicate why the message failed to parse.

{
  "failed_sensor_type": "regex",
  "hostname": "node1",
  "raw_message": "{\"dst_process_id\":\"11672\",\"dst_process_name\":\"sshd\",\"source.type\":\"regex\",\"device_name\":\"deviceName\",\"original_string\":\"<38>Jun 20 15:01:17 deviceName sshd[11672]: Accepted publickey for prod from port 55555 ssh2\",\"event_info\":\"Accepted publickey\",\"ip_src_port\":\"55555\",\"dst_user_id\":\"prod\",\"app_protocol\":\"ssh2\",\"guid\":\"edaee82d-02fb-4ec9-9412-5912fa8d4a6f\",\"syslogpriority\":\"38\",\"timestamp_device_original\":\"Jun 20 15:01:17\",\"ip_src_addr\":\"\"}",
  "error_hash": "51d323ef83d03c4a8f9b858f7779cb882f3e61925909b66bc61348756c201057",
  "error_type": "parser_invalid",
  "guid": "7cbc9553-feaf-4b23-9468-01b6599299bd",
  "source.type": "error",
  "timestamp": 1543518747945
}

The message should contain a message or exception field telling me why it failed to parse. 

The additional validation is [performed here|].

This issue was [discovered here|].

This message was sent by Atlassian JIRA
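
The behaviour the report asks for, as an added example that is not part of the original message and is not Metron's code: validation returns the reasons it failed, and the error record carries them. The class, the method names and the "message" field name are assumptions made for illustration; the sample input is constructed.

```java
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

// Added illustration with hypothetical names; this is not Metron's BasicParser API.
public class ValidationReasonExample {

    // Returns one readable reason per failed check; an empty list means the message is valid.
    static List<String> validate(Map<String, Object> message) {
        List<String> reasons = new ArrayList<>();
        for (String field : new String[] {"original_string", "timestamp"}) {
            if (!message.containsKey(field)) {
                reasons.add("missing required field '" + field + "'");
            } else if (message.get(field) == null) {
                reasons.add("required field '" + field + "' is null");
            }
        }
        return reasons;
    }

    // Builds the error-topic record and carries the reasons in a "message" field
    // (field name assumed), so the cause is visible without trace-level logging.
    static Map<String, Object> toError(String sensorType, String raw, List<String> reasons) {
        Map<String, Object> error = new LinkedHashMap<>();
        error.put("source.type", "error");
        error.put("error_type", "parser_invalid");
        error.put("failed_sensor_type", sensorType);
        error.put("raw_message", raw);
        error.put("message", String.join("; ", reasons));
        error.put("timestamp", System.currentTimeMillis());
        return error;
    }

    public static void main(String[] args) {
        // Constructed sample: parser output that has no 'timestamp', as in the report.
        Map<String, Object> parsed = new LinkedHashMap<>();
        parsed.put("source.type", "regex");
        parsed.put("original_string", "<38>Jun 20 15:01:17 deviceName sshd[11672]: Accepted publickey");
        parsed.put("timestamp_device_original", "Jun 20 15:01:17");

        List<String> reasons = validate(parsed);
        if (!reasons.isEmpty()) {
            // parsed.toString() stands in for the serialized message here.
            System.out.println(toError("regex", parsed.toString(), reasons));
        }
    }
}
```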
