Sensors log in many different formats. A Metron parser should normalize at least the following subset of fields to the Metron JSON field names and value types listed below:
| Description | Field Name | Field Value |
|---|---|---|
| Any field containing a source IP address | ip_src_addr | Dotted-quad octets (xxx.xxx.xxx.xxx) |
| Any field containing a destination IP address | ip_dst_addr | Dotted-quad octets (xxx.xxx.xxx.xxx) |
| Any field containing a source port | ip_src_port | Integer |
| Any field containing a destination port | ip_dst_port | Integer |
| Any field containing a protocol | protocol | Protocol name as an upper-case string; e.g. if the sensor reports protocol = 6, the value should be TCP |
| Timestamp | timestamp | Epoch timestamp (the timestamp comes from the sensor, not from the parser) |
| Message type | source.type | Sensor name, e.g. yaf, snort, bro |
| Start timestamp | start_time | Epoch timestamp |
| End timestamp | end_time | Epoch timestamp |
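The following is an added example, not code from the Metron project, showing how a parser could apply this convention to a raw sensor record: renaming fields, coercing ports to integers, translating a numeric protocol to its upper-case name, validating IPv4 octets, and passing the sensor's own epoch timestamp through. The field map, the protocol-number table and the sample record are all constructed for illustration.

```python
import ipaddress

# IANA protocol numbers mapped to the upper-case names the convention expects
# (assumed subset for illustration; extend as needed).
PROTOCOL_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP", 47: "GRE", 50: "ESP", 58: "ICMPV6"}

# Hypothetical per-sensor mapping: raw field name -> Metron field name.
SNORT_LIKE_MAP = {
    "src": "ip_src_addr", "dst": "ip_dst_addr",
    "sport": "ip_src_port", "dport": "ip_dst_port",
    "proto": "protocol", "ts": "timestamp",
}

def _ipv4(value):
    # Raises ipaddress.AddressValueError on anything that is not dotted-quad octets.
    return str(ipaddress.IPv4Address(str(value).strip()))

def _port(value):
    port = int(value)
    if not 0 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    return port

def _protocol(value):
    text = str(value).strip()
    if text.isdigit():
        number = int(text)
        if number not in PROTOCOL_NAMES:
            raise ValueError(f"unknown protocol number: {number}")
        return PROTOCOL_NAMES[number]
    return text.upper()          # already a name: normalize case only

def _epoch(value):
    return int(value)            # sensor-supplied epoch value, parser does not mint its own

CONVERTERS = {
    "ip_src_addr": _ipv4, "ip_dst_addr": _ipv4,
    "ip_src_port": _port, "ip_dst_port": _port,
    "protocol": _protocol,
    "timestamp": _epoch, "start_time": _epoch, "end_time": _epoch,
}

def normalize(raw, field_map, source_type):
    """Rename and coerce raw sensor fields to the Metron convention; other fields pass through."""
    out = {"source.type": source_type}
    for key, value in raw.items():
        name = field_map.get(key, key)
        convert = CONVERTERS.get(name)
        out[name] = convert(value) if convert else value
    return out

# Constructed sample record, not captured from a real sensor.
SAMPLE = {"src": "10.0.0.5", "dst": "192.168.1.20", "sport": "51234", "dport": "443",
          "proto": "6", "ts": "1700000000", "msg": "constructed alert"}

if __name__ == "__main__":
    print(normalize(SAMPLE, SNORT_LIKE_MAP, "snort"))
```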