Numerous sensors log in different formats.  The parser should normalize at least the following subset of fields to the following Metron JSON naming conventions:


| Description | Field Name | Field Value |
|---|---|---|
| Any field containing a source IP address | ip_src_addr | Octets ( |
| Any field containing a destination IP address | ip_dst_addr | Octets ( |
| Any field containing a source port | ip_src_port | Integer |
| Any field containing a destination port | ip_dst_port | Integer |
| Any field containing a protocol | protocol | String as a protocol, all caps. So if protocol = 6, value should be TCP |
| Timestamp | timestamp | Epoch timestamp (timestamp comes from sensor, not parser) |
| Message Type | source.type | yaf\|snort\|bro\|etc... |
| Timestamp | start_time | Epoch timestamp |
| Timestamp | end_time | Epoch timestamp |
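A sketch of the normalization the table above describes, added here as an example and not taken from Metron's own parser code. The raw field names (`src`, `dport`, `proto`, ...), the `FIELD_MAP`, and the sample record are constructed; validating addresses with `ipaddress` and leaving unknown protocol numbers unchanged are assumptions.

```python
import ipaddress

# IANA protocol numbers for the common cases; extend as needed.
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}

# Hypothetical sensor field names (constructed) mapped to the Metron names.
FIELD_MAP = {
    "src": "ip_src_addr", "dst": "ip_dst_addr",
    "sport": "ip_src_port", "dport": "ip_dst_port",
    "proto": "protocol", "ts": "timestamp",
    "start": "start_time", "end": "end_time",
}

def _addr(value):
    # Assumption: reject anything that does not parse as an IP address.
    return str(ipaddress.ip_address(str(value).strip()))

def _port(value):
    port = int(value)
    if not 0 <= port <= 65535:
        raise ValueError(f"port out of range: {value!r}")
    return port

def _protocol(value):
    text = str(value).strip()
    if text.isdecimal():
        # Unknown numbers stay as their string form rather than being guessed.
        return PROTO_NAMES.get(int(text), text)
    return text.upper()

CONVERTERS = {
    "ip_src_addr": _addr, "ip_dst_addr": _addr,
    "ip_src_port": _port, "ip_dst_port": _port,
    "protocol": _protocol,
    "timestamp": int, "start_time": int, "end_time": int,
}

def normalize(raw, source_type, field_map=FIELD_MAP):
    """Rename and coerce one sensor record to the Metron field conventions."""
    out = {"source.type": source_type}
    for key, value in raw.items():
        name = field_map.get(key, key)  # unmapped fields pass through as-is
        convert = CONVERTERS.get(name)
        out[name] = convert(value) if convert else value
    if "timestamp" not in out:
        # The timestamp comes from the sensor; the parser must not invent one.
        raise ValueError("record has no sensor timestamp")
    return out

# Constructed sample record, not real sensor output.
SAMPLE = {"src": "10.0.0.5", "dst": "192.168.1.20", "sport": "49152",
          "dport": "443", "proto": 6, "ts": "1457045823000", "msg": "constructed"}
```

Failing closed on a malformed address, an out-of-range port, or a missing sensor timestamp keeps bad records out of downstream enrichment and correlation instead of letting them through with guessed values.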