
From rmerri...@apache.org
Subject [2/2] metron git commit: METRON-1464 Convert schemas to be compatible with Solr 5.5.2 (merrimanr) closes apache/metron#945
Date Thu, 08 Mar 2018 17:53:20 GMT
METRON-1464 Convert schemas to be compatible with Solr 5.5.2 (merrimanr) closes apache/metron#945


Project: http://git-wip-us.apache.org/repos/asf/metron/repo
Commit: http://git-wip-us.apache.org/repos/asf/metron/commit/a7a41a55
Tree: http://git-wip-us.apache.org/repos/asf/metron/tree/a7a41a55
Diff: http://git-wip-us.apache.org/repos/asf/metron/diff/a7a41a55

Branch: refs/heads/feature/METRON-1416-upgrade-solr
Commit: a7a41a55aa79b7fa3f64c51a4d968f011e8b11d1
Parents: 84cac7e
Author: merrimanr <merrimanr@gmail.com>
Authored: Thu Mar 8 11:52:42 2018 -0600
Committer: merrimanr <merrimanr@gmail.com>
Committed: Thu Mar 8 11:52:42 2018 -0600

----------------------------------------------------------------------
 .../docker/rpm-docker/SPECS/metron.spec         |  10 +-
 .../src/main/config/schema/bro/managed-schema   | 693 -------------------
 .../src/main/config/schema/bro/schema.xml       | 693 +++++++++++++++++++
 .../src/main/config/schema/error/managed-schema |  58 --
 .../src/main/config/schema/error/schema.xml     |  58 ++
 .../main/config/schema/metaalert/managed-schema |  41 --
 .../src/main/config/schema/metaalert/schema.xml |  41 ++
 .../src/main/config/schema/snort/managed-schema |  86 ---
 .../src/main/config/schema/snort/schema.xml     |  86 +++
 .../src/main/config/schema/yaf/managed-schema   |  92 ---
 .../src/main/config/schema/yaf/schema.xml       |  92 +++
 11 files changed, 975 insertions(+), 975 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/metron/blob/a7a41a55/metron-deployment/packaging/docker/rpm-docker/SPECS/metron.spec
----------------------------------------------------------------------
diff --git a/metron-deployment/packaging/docker/rpm-docker/SPECS/metron.spec b/metron-deployment/packaging/docker/rpm-docker/SPECS/metron.spec
index 5222efc..c7d37ed 100644
--- a/metron-deployment/packaging/docker/rpm-docker/SPECS/metron.spec
+++ b/metron-deployment/packaging/docker/rpm-docker/SPECS/metron.spec
@@ -232,15 +232,15 @@ This package installs the Metron Solr files
 %{metron_home}/bin/start_solr_topology.sh
 %{metron_home}/bin/stop_solr.sh
 %{metron_home}/config/solr.properties
-%{metron_home}/config/schema/bro/managed-schema
+%{metron_home}/config/schema/bro/schema.xml
 %{metron_home}/config/schema/bro/solrconfig.xml
-%{metron_home}/config/schema/error/managed-schema
+%{metron_home}/config/schema/error/schema.xml
 %{metron_home}/config/schema/error/solrconfig.xml
-%{metron_home}/config/schema/metaalert/managed-schema
+%{metron_home}/config/schema/metaalert/schema.xml
 %{metron_home}/config/schema/metaalert/solrconfig.xml
-%{metron_home}/config/schema/snort/managed-schema
+%{metron_home}/config/schema/snort/schema.xml
 %{metron_home}/config/schema/snort/solrconfig.xml
-%{metron_home}/config/schema/yaf/managed-schema
+%{metron_home}/config/schema/yaf/schema.xml
 %{metron_home}/config/schema/yaf/solrconfig.xml
 %attr(0644,root,root) %{metron_home}/lib/metron-solr-%{full_version}-uber.jar
 

http://git-wip-us.apache.org/repos/asf/metron/blob/a7a41a55/metron-platform/metron-solr/src/main/config/schema/bro/managed-schema
----------------------------------------------------------------------
diff --git a/metron-platform/metron-solr/src/main/config/schema/bro/managed-schema b/metron-platform/metron-solr/src/main/config/schema/bro/managed-schema
deleted file mode 100644
index b473395..0000000
--- a/metron-platform/metron-solr/src/main/config/schema/bro/managed-schema
+++ /dev/null
@@ -1,693 +0,0 @@
-<?xml version="1.0" encoding="UTF-8" ?>
-<!--
- Licensed to the Apache Software Foundation (ASF) under one or more
- contributor license agreements.  See the NOTICE file distributed with
- this work for additional information regarding copyright ownership.
- The ASF licenses this file to You under the Apache License, Version 2.0
- (the "License"); you may not use this file except in compliance with
- the License.  You may obtain a copy of the License at
-
-     http://www.apache.org/licenses/LICENSE-2.0
-
- Unless required by applicable law or agreed to in writing, software
- distributed under the License is distributed on an "AS IS" BASIS,
- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- See the License for the specific language governing permissions and
- limitations under the License.
--->
-<schema name="bro_doc" version="1.6">
-  <!--
-    WARNING
-
-    Because Metron inserts many distinct bro records into a single ElasticSearch index
-    by default, it encounters field collisions due to field name reuse across bro logs.
-
-    Be careful when modifying this file to not unintentionally affect other logs.
-    For instance, the "version" field exists in the HTTP, SSL, and SSH logs.  If you
-    were to only consider the SSH log, you would set the type to integer, but because
-    in the SSL and HTTP logs version is a string, we must set the type to keyword.
-   -->
-  <field name="_version_" type="plong" indexed="false" stored="false"/>
-  <field name="_root_" type="string" indexed="true" stored="false" docValues="false" />
-
-  <!--
-         * Metron-specific fields
-  -->
-  <field name="source.type" type="string" indexed="true" stored="true" />
-  <field name="timestamp" type="timestamp" indexed="true" stored="true" />
-  <field name="guid" type="string" indexed="true" stored="true" required="true" multiValued="false" />
-  <uniqueKey>guid</uniqueKey>
-
-  <!--
-         * Widely-used Bro fields (potentially renamed during Metron ingest)
-  -->
-  <field name="uid" type="string" indexed="true" stored="true" />
-  <field name="ip_src_addr" type="ip" indexed="true" stored="true" />
-  <field name="ip_src_port" type="pint" indexed="true" stored="true" />
-  <field name="ip_dst_addr" type="ip" indexed="true" stored="true" />
-  <field name="ip_dst_port" type="pint" indexed="true" stored="true" />
-
-  <!--
-         * HTTP log support
-         * https://www.bro.org/sphinx/scripts/base/protocols/http/main.bro.html#type-HTTP::Info
-         *
-         * Notable Fields
-         *   Field:     method
-         *   Notes:     Field exists in the HTTP and SIP logs
-         *
-         *   Field:     uri
-         *   Notes:     Field exists in the HTTP and SIP logs
-         *
-         *   Field:     password
-         *   Notes:     Field exists in the HTTP and FTP logs
-         *
-         *   Field:     capture_password
-         *   Notes:     Field exists in the HTTP and FTP logs
-         *
-         *   Field:     trans_depth
-         *   Notes:     Field exists in the HTTP, SMTP, and SIP logs
-         *
-         *   Field:     user_agent
-         *   Notes:     Field exists in the HTTP, SMTP, and SIP logs
-         *
-         *   Field:     version
-         *   Notes:     Field exists in the HTTP, SSL, and SSH logs
-         *
-         *   Field:     host
-         *   Notes:     Field exists in the HTTP, KnownCerts, and Software logs
-         *
-         *   Field:     username
-         *   Notes:     Field exists in the HTTP and RADIUS logs
-         *
-         *   Field:     status_code
-         *   Notes:     Field exists in the HTTP and SIP logs
-         *
-         *   Field:     status_msg
-         *   Notes:     Field exists in the HTTP and SIP logs
-         *
-         *   Field:     request_body_len
-         *   Notes:     Field exists in the HTTP and SIP logs
-         *
-         *   Field:     response_body_len
-         *   Notes:     Field exists in the HTTP and SIP logs
-  -->
-  <field name="trans_depth" type="pint" indexed="true" stored="true" />
-  <field name="method" type="string" indexed="true" stored="true" />
-  <field name="host" type="string" indexed="true" stored="true" />
-  <field name="uri" type="string" indexed="true" stored="true" />
-  <field name="referrer" type="string" indexed="true" stored="true" />
-  <field name="version" type="string" indexed="true" stored="true" />
-  <field name="user_agent" type="string" indexed="true" stored="true" />
-  <field name="request_body_len" type="plong" indexed="true" stored="true" />
-  <field name="response_body_len" type="plong" indexed="true" stored="true" />
-  <field name="status_code" type="pint" indexed="true" stored="true" />
-  <field name="status_msg" type="string" indexed="true" stored="true" />
-  <field name="info_code" type="pint" indexed="true" stored="true" />
-  <field name="info_msg" type="string" indexed="true" stored="true" />
-  <field name="tags" type="string" indexed="true" stored="true" multiValued="true" />
-  <field name="username" type="string" indexed="true" stored="true" />
-  <field name="password" type="string" indexed="true" stored="true" />
-  <field name="proxied" type="string" indexed="true" stored="true" />
-  <field name="orig_fuids" type="string" indexed="true" stored="true" multiValued="true"/>
-  <field name="orig_filenames" type="string" indexed="true" stored="true" />
-  <field name="orig_mime_types" type="string" indexed="true" stored="true" multiValued="true" />
-  <field name="resp_fuids" type="string" indexed="true" stored="true" multiValued="true" />
-  <field name="resp_filenames" type="string" indexed="true" stored="true" />
-  <field name="resp_mime_types" type="string" indexed="true" stored="true" multiValued="true" />
-
-  <!--
-         * DNS log support
-         * https://www.bro.org/sphinx/scripts/base/protocols/dns/main.bro.html#type-DNS::Info
-         *
-         * Notable Fields
-         *   Field:     proto
-         *   Notes:     Field exists in the DNS, Conn, DPD, and Notice logs
-         *
-         *   Field:     trans_id
-         *   Notes:     Field exists in the DNS and DHCP logs
-         *
-         *   Field:     rtt
-         *   Notes:     This field uses the "interval" type, which may need handled differently.
-         *              https://www.bro.org/sphinx-git/script-reference/types.html#type-interval
-  -->
-  <field name="proto" type="string" indexed="true" stored="true" />
-  <field name="trans_id" type="plong" indexed="true" stored="true" />
-  <field name="rtt" type="string" indexed="true" stored="true" />
-
-  <field name="query" type="string" indexed="true" stored="true" />
-  <field name="qclass" type="pint" indexed="true" stored="true" />
-  <field name="qclass_name" type="string" indexed="true" stored="true" />
-  <field name="qtype" type="pint" indexed="true" stored="true" />
-  <field name="qtype_name" type="string" indexed="true" stored="true" />
-  <field name="rcode" type="pint" indexed="true" stored="true" />
-  <field name="rcode_name" type="string" indexed="true" stored="true" />
-  <field name="AA" type="boolean" indexed="true" stored="true" />
-  <field name="TC" type="boolean" indexed="true" stored="true" />
-  <field name="RD" type="boolean" indexed="true" stored="true" />
-  <field name="RA" type="boolean" indexed="true" stored="true" />
-  <field name="Z" type="pint" indexed="true" stored="true" />
-  <field name="answers" type="string" indexed="true" stored="true" />
-  <field name="TTLs" type="string" indexed="true" stored="true" />
-  <field name="rejected" type="boolean" indexed="true" stored="true" />
-  <!--
-         * Conn log support
-         * https://www.bro.org/sphinx/scripts/base/protocols/conn/main.bro.html#type-Conn::Info
-         *
-         * Notable Fields
-         *   Field:     proto
-         *   Notes:     Field exists in the DNS, Conn, DPD, and Notice logs
-         *
-         *   Field:     duration
-         *   Notes:     Field exists in the Conn and Files logs
-         *
-         *   Field:     local_orig
-         *   Notes:     Field exists in the Conn and Files logs
-  -->
-  <field name="service" type="string" indexed="true" stored="true" />
-  <field name="duration" type="pfloat" indexed="true" stored="true" />
-  <field name="orig_bytes" type="plong" indexed="true" stored="true" />
-  <field name="resp_bytes" type="plong" indexed="true" stored="true" />
-  <field name="conn_state" type="string" indexed="true" stored="true" />
-  <field name="local_orig" type="boolean" indexed="true" stored="true" />
-
-  <field name="local_resp" type="string" indexed="true" stored="true" />
-  <field name="missed_bytes" type="plong" indexed="true" stored="true" />
-  <field name="history" type="string" indexed="true" stored="true" />
-  <field name="orig_pkts" type="plong" indexed="true" stored="true" />
-  <field name="orig_ip_bytes" type="plong" indexed="true" stored="true" />
-  <field name="resp_pkts" type="plong" indexed="true" stored="true" />
-  <field name="resp_ip_bytes" type="plong" indexed="true" stored="true" />
-  <field name="tunnel_parents" type="string" indexed="true" stored="true" />
-  <!--
-         * DPD log support
-         * https://www.bro.org/sphinx-git/scripts/base/frameworks/dpd/main.bro.html#type-DPD::Info
-         *
-         * Notable Fields
-         *   Field:     proto
-         *   Notes:     Field exists in the DNS, Conn, DPD, and Notice logs
-  -->
-  <field name="analyzer" type="string" indexed="true" stored="true" />
-  <field name="failure_reason" type="string" indexed="true" stored="true" />
-  <!--
-         * FTP log support
-         * https://www.bro.org/sphinx/scripts/base/protocols/ftp/info.bro.html#type-FTP::Info
-         *
-         * Notable Fields
-         *   Field:     password
-         *   Notes:     Field exists in the HTTP and FTP logs
-         *
-         *   Field:     capture_password
-         *   Notes:     Field exists in the HTTP and FTP logs
-         *
-         *   Field:     mime_type
-         *   Notes:     Field exists in the FTP and Files logs
-         *
-         *   Field:     fuid
-         *   Notes:     Field exists in the FTP, Files, and Notice logs
-   -->
-  <field name="user" type="string" indexed="true" stored="true" />
-  <field name="command" type="string" indexed="true" stored="true" />
-  <field name="arg" type="string" indexed="true" stored="true" />
-  <field name="mime_type" type="string" indexed="true" stored="true" />
-  <field name="file_size" type="plong" indexed="true" stored="true" />
-  <field name="reply_code" type="pint" indexed="true" stored="true" />
-  <field name="reply_msg" type="string" indexed="true" stored="true" />
-  <field name="data_channel.passive" type="boolean" indexed="true" stored="true" />
-  <field name="data_channel.orig_h" type="ip" indexed="true" stored="true" />
-  <field name="data_channel.resp_h" type="ip" indexed="true" stored="true" />
-  <field name="data_channel.resp_p" type="pint" indexed="true" stored="true" />
-  <field name="cwd" type="string" indexed="true" stored="true" />
-  <field name="passive" type="boolean" indexed="true" stored="true" />
-  <field name="fuid" type="string" indexed="true" stored="true" />
-  <!--
-         * Files log support
-         * https://www.bro.org/sphinx/scripts/base/frameworks/files/main.bro.html#type-Files::Info
-         *
-         * Notable Fields
-         *   Field:     tx_hosts
-         *   Notes:     Metron rewrites this to "ip_src_addr"
-         *
-         *   Field:     rx_hosts
-         *   Notes:     Metron rewrites this to "ip_dst_addr"
-         *
-         *   Field:     mime_type
-         *   Notes:     Field exists in the FTP and Files logs
-         *
-         *   Field:     duration
-         *   Notes:     Field exists in the Conn and Files logs
-         *
-         *   Field:     local_orig
-         *   Notes:     Field exists in the Conn and Files logs
-         *
-         *   Field:     fuid
-         *   Notes:     Field exists in the FTP, Files, and Notice logs
-  -->
-  <field name="conn_uids" type="string" indexed="true" stored="true" />
-  <field name="source" type="string" indexed="true" stored="true" />
-  <field name="depth" type="pint" indexed="true" stored="true" />
-  <field name="analyzers" type="string" indexed="true" stored="true" />
-  <field name="filename" type="string" indexed="true" stored="true" />
-  <field name="is_orig" type="boolean" indexed="true" stored="true" />
-  <field name="seen_bytes" type="plong" indexed="true" stored="true" />
-  <field name="total_bytes" type="plong" indexed="true" stored="true" />
-  <field name="missing_bytes" type="plong" indexed="true" stored="true" />
-  <field name="overflow_bytes" type="plong" indexed="true" stored="true" />
-  <field name="timedout" type="boolean" indexed="true" stored="true" />
-  <field name="parent_fuid" type="string" indexed="true" stored="true" />
-  <field name="md5" type="string" indexed="true" stored="true" />
-  <field name="sha1" type="string" indexed="true" stored="true" />
-  <field name="sha256" type="string" indexed="true" stored="true" />
-  <field name="extracted" type="string" indexed="true" stored="true" />
-  <field name="extracted_cutoff" type="boolean" indexed="true" stored="true" />
-  <field name="extracted_size" type="plong" indexed="true" stored="true" />
-
-  <!--
-         * Known::CertInfo log support
-         * https://www.bro.org/sphinx/scripts/policy/protocols/ssl/known-certs.bro.html#type-Known::CertsInfo
-         *
-         * Notable Fields
-         *   Field:     host
-         *   Notes:     Field exists in the HTTP, KnownCerts, and Software logs
-         *
-         *   Field:     subject
-         *   Notes:     Field exists in the KnownCerts, SMTP, SIP, and SSL logs
-  -->
-  <field name="port_num" type="pint" indexed="true" stored="true" />
-  <field name="subject" type="string" indexed="true" stored="true" />
-  <field name="issuer_subject" type="string" indexed="true" stored="true" />
-  <field name="serial" type="string" indexed="true" stored="true" />
-
-  <!--
-         * SMTP log support
-         * https://www.bro.org/sphinx/scripts/base/protocols/smtp/main.bro.html#type-SMTP::Info
-         *
-         * Notable Fields
-         *   Field:     trans_depth
-         *   Notes:     Field exists in the HTTP, SMTP, and SIP logs
-         *
-         *   Field:     date
-         *   Notes:     Field exists in the SMTP and SIP logs
-         *
-         *   Field:     subject
-         *   Notes:     Field exists in the KnownCerts, SMTP, SIP, and SSL logs
-         *
-         *   Field:     reply_to
-         *   Notes:     Field exists in the SMTP and SIP logs
-         *
-         *   Field:     user_agent
-         *   Notes:     Field exists in the HTTP, SMTP, and SIP logs
-  -->
-  <field name="helo" type="string" indexed="true" stored="true" />
-  <field name="mailfrom" type="string" indexed="true" stored="true" />
-  <field name="rcptto" type="string" indexed="true" stored="true" />
-  <field name="date" type="string" indexed="true" stored="true" />
-  <field name="from" type="string" indexed="true" stored="true" />
-  <field name="to" type="string" indexed="true" stored="true" />
-  <field name="cc" type="string" indexed="true" stored="true" />
-  <field name="reply_to" type="string" indexed="true" stored="true" />
-  <field name="msg_id" type="string" indexed="true" stored="true" />
-  <field name="in_reply_to" type="string" indexed="true" stored="true" />
-  <field name="x_originating_ip" type="ip" indexed="true" stored="true" />
-  <field name="first_received" type="string" indexed="true" stored="true" />
-  <field name="second_received" type="string" indexed="true" stored="true" />
-  <field name="last_reply" type="string" indexed="true" stored="true" />
-  <field name="path" type="string" indexed="true" stored="true" />
-  <field name="tls" type="boolean" indexed="true" stored="true" />
-  <field name="fuids" type="string" indexed="true" stored="true" />
-  <field name="is_webmail" type="boolean" indexed="true" stored="true" />
-
-  <!--
-         * SSL log support
-         * https://www.bro.org/sphinx/scripts/base/protocols/ssl/main.bro.html#type-SSL::Info
-         *
-         * Notable Fields
-         *   Field:     version
-         *   Notes:     Field exists in the HTTP, SSL, and SSH logs
-         *
-         *   Field:     subject
-         *   Notes:     Field exists in the KnownCerts, SMTP, SIP, and SSL logs
-  -->
-  <field name="cipher" type="string" indexed="true" stored="true" />
-  <field name="curve" type="string" indexed="true" stored="true" />
-  <field name="server_name" type="string" indexed="true" stored="true" />
-  <field name="resumed" type="boolean" indexed="true" stored="true" />
-  <field name="server_appdata" type="string" indexed="true" stored="true" />
-  <field name="client_appdata" type="boolean" indexed="true" stored="true" />
-  <field name="last_alert" type="string" indexed="true" stored="true" />
-  <field name="next_protocol" type="string" indexed="true" stored="true" />
-  <field name="established" type="boolean" indexed="true" stored="true" />
-  <field name="cert_chain_fuids" type="string" indexed="true" stored="true" />
-  <field name="client_cert_chain_fuids" type="string" indexed="true" stored="true" />
-  <field name="issuer" type="string" indexed="true" stored="true" />
-  <field name="client_subject" type="string" indexed="true" stored="true" />
-  <field name="client_issuer" type="string" indexed="true" stored="true" />
-  <field name="validation_status" type="string" indexed="true" stored="true" />
-  <!--
-         * Weird log support
-         * https://www.bro.org/sphinx/scripts/base/frameworks/notice/weird.bro.html#type-Weird::Info
-         *
-         * Notable Fields
-         *   Field:     peer
-         *   Notes:     Field exists in the Weird, CaptureLoss, and Stats logs
-         *
-         *   Field:     name
-         *   Notes:     Field exists in the Weird and LoadedScripts logs
-  -->
-  <field name="name" type="string" indexed="true" stored="true" />
-  <field name="addl" type="string" indexed="true" stored="true" />
-  <field name="notice" type="boolean" indexed="true" stored="true" />
-  <field name="peer" type="string" indexed="true" stored="true" />
-
-  <!--
-         * Notice log support
-         * https://www.bro.org/sphinx/scripts/base/frameworks/notice/main.bro.html#type-Notice::Info
-         *
-         * Notable Fields
-         *   Field:     fuid
-         *   Notes:     Field exists in the FTP, Files, and Notice logs
-         *
-         *   Field:     proto
-         *   Notes:     Field exists in the DNS, Conn, DPD, and Notice logs
-         *
-         *   Field:     remote_location:country_code
-         *   Notes:     Field exists in the Notice and SSH logs
-         *
-         *   Field:     remote_location:region
-         *   Notes:     Field exists in the Notice and SSH logs
-         *
-         *   Field:     remote_location:city
-         *   Notes:     Field exists in the Notice and SSH logs
-         *
-         *   Field:     remote_location:latitude
-         *   Notes:     Field exists in the Notice and SSH logs
-         *
-         *   Field:     remote_location:longitude
-         *   Notes:     Field exists in the Notice and SSH logs
-  -->
-  <field name="file_mime_type" type="string" indexed="true" stored="true" />
-  <field name="file_desc" type="string" indexed="true" stored="true" />
-  <field name="note" type="string" indexed="true" stored="true" />
-  <field name="msg" type="string" indexed="true" stored="true" />
-  <field name="sub" type="string" indexed="true" stored="true" />
-  <field name="src" type="ip" indexed="true" stored="true" />
-  <field name="dst" type="ip" indexed="true" stored="true" />
-  <field name="p" type="pint" indexed="true" stored="true" />
-  <field name="n" type="pint" indexed="true" stored="true" />
-  <field name="src_peer" type="ip" indexed="true" stored="true" />
-  <field name="peer_descr" type="string" indexed="true" stored="true" />
-  <field name="actions" type="string" indexed="true" stored="true" />
-  <field name="suppress_for" type="pdouble" indexed="true" stored="true" />
-  <field name="dropped" type="boolean" indexed="true" stored="true" />
-  <field name="remote_location.country_code" type="string" indexed="true" stored="true" />
-  <field name="remote_location.region" type="string" indexed="true" stored="true" />
-  <field name="remote_location.city" type="string" indexed="true" stored="true" />
-  <field name="remote_location.latitude" type="pdouble" indexed="true" stored="true" />
-  <field name="remote_location.longitude" type="pdouble" indexed="true" stored="true" />
-
-  <!--
-         * DHCP log support
-         * https://www.bro.org/sphinx/scripts/base/protocols/dhcp/main.bro.html#type-DHCP::Info
-         *
-         * Notable Fields
-         *   Field:     mac
-         *   Notes:     Field exists in the DHCP, RADIUS, and KnownDevices logs
-         *
-         *   Field:     trans_id
-         *   Notes:     Field exists in the DNS and DHCP logs
-  -->
-  <field name="mac" type="string" indexed="true" stored="true" />
-  <field name="assigned_ip" type="ip" indexed="true" stored="true" />
-  <field name="lease_time" type="pfloat" indexed="true" stored="true" />
-  <!--
-         * SSH log support
-         * https://www.bro.org/sphinx/scripts/base/protocols/ssh/main.bro.html#type-SSH::Info
-         *
-         * Notable Fields
-         *   Field:     version
-         *   Notes:     Field exists in the HTTP, SSL, and SSH logs
-         *
-         *   Field:     remote_location:country_code
-         *   Notes:     Field exists in the Notice and SSH logs
-         *
-         *   Field:     remote_location:region
-         *   Notes:     Field exists in the Notice and SSH logs
-         *
-         *   Field:     remote_location:city
-         *   Notes:     Field exists in the Notice and SSH logs
-         *
-         *   Field:     remote_location:latitude
-         *   Notes:     Field exists in the Notice and SSH logs
-         *
-         *   Field:     remote_location:longitude
-         *   Notes:     Field exists in the Notice and SSH logs
-  -->
-  <field name="auth_success" type="boolean" indexed="true" stored="true" />
-  <field name="auth_attempts" type="pint" indexed="true" stored="true" />
-  <field name="direction" type="string" indexed="true" stored="true" />
-  <field name="client" type="string" indexed="true" stored="true" />
-  <field name="server" type="string" indexed="true" stored="true" />
-  <field name="cipher_alg" type="string" indexed="true" stored="true" />
-  <field name="mac_alg" type="string" indexed="true" stored="true" />
-  <field name="compression_alg" type="string" indexed="true" stored="true" />
-  <field name="kex_alg" type="string" indexed="true" stored="true" />
-  <field name="host_key_alg" type="string" indexed="true" stored="true" />
-  <field name="host_key" type="string" indexed="true" stored="true" />
-
-  <!--
-         * Software log support
-         * https://www.bro.org/sphinx/scripts/base/frameworks/software/main.bro.html#type-Software::Info
-         *
-         * Notable Fields
-         *   Field:     host
-         *   Notes:     Field exists in the HTTP, KnownCerts, and Software logs
-  -->
-  <field name="host_p" type="pint" indexed="true" stored="true" />
-  <field name="software_type" type="string" indexed="true" stored="true" />
-  <field name="version.major" type="string" indexed="true" stored="true" />
-  <field name="version.minor" type="string" indexed="true" stored="true" />
-  <field name="version.minor2" type="string" indexed="true" stored="true" />
-  <field name="version.minor3" type="string" indexed="true" stored="true" />
-  <field name="version.addl" type="string" indexed="true" stored="true" />
-  <field name="unparsed_version" type="string" indexed="true" stored="true" />
-
-  <!--
-         * RADIUS log support
-         * https://www.bro.org/sphinx/scripts/base/protocols/radius/main.bro.html#type-RADIUS::Info
-         *
-         * Notable Fields
-         *   Field:     username
-         *   Notes:     Field exists in the HTTP and RADIUS logs
-         *
-         *   Field:     mac
-         *   Notes:     Field exists in the DHCP, RADIUS, and KnownDevices logs
-         *
-         *   Field:     ttl
-         *   Notes:     This field uses the "interval" type, which may need handled differently.
-         *              https://www.bro.org/sphinx-git/script-reference/types.html#type-interval
-  -->
-  <field name="framed_addr" type="ip" indexed="true" stored="true" />
-  <field name="remote_ip" type="ip" indexed="true" stored="true" />
-  <field name="connect_info" type="string" indexed="true" stored="true" />
-  <field name="result" type="string" indexed="true" stored="true" />
-  <field name="ttl" type="string" indexed="true" stored="true" />
-
-  <!--
-         * X509 log support
-         * https://www.bro.org/sphinx/scripts/base/files/x509/main.bro.html#type-X509::Info
-         *
-         * Notable Fields
-         *   Field:     id
-         *   Notes:     In other bro records, the id field is of type conn_id, so it is
-         *              expanded before being logged into 4 fields, all of which are addressed
-         *              under the "Widely-used Bro fields" section of this template.  In X509
-         *              logs, however, id is a keyword to identify the certificate file id.
-  -->
-  <field name="id" type="string" indexed="true" stored="true" />
-  <field name="certificate.version" type="pint" indexed="true" stored="true" />
-  <field name="certificate.serial" type="string" indexed="true" stored="true" />
-  <field name="certificate.subject" type="string" indexed="true" stored="true" />
-  <field name="certificate.issuer" type="string" indexed="true" stored="true" />
-  <field name="certificate.not_valid_before" type="string" indexed="true" stored="true" />
-  <field name="certificate.not_valid_after" type="string" indexed="true" stored="true" />
-  <field name="certificate.key_alg" type="string" indexed="true" stored="true" />
-  <field name="certificate.sig_alg" type="string" indexed="true" stored="true" />
-  <field name="certificate.key_type" type="string" indexed="true" stored="true" />
-  <field name="certificate.key_length" type="pint" indexed="true" stored="true" />
-  <field name="certificate.exponent" type="string" indexed="true" stored="true" />
-  <field name="certificate.curve" type="string" indexed="true" stored="true" />
-  <field name="san.dns" type="string" indexed="true" stored="true" />
-  <field name="san.uri" type="string" indexed="true" stored="true" />
-  <field name="san.email" type="string" indexed="true" stored="true" />
-  <field name="san.ip" type="string" indexed="true" stored="true" />
-  <field name="basic_constraints.ca" type="boolean" indexed="true" stored="true" />
-  <field name="basic_constraints.path_len" type="pint" indexed="true" stored="true" />
-
-  <!--
-         * Known::DevicesInfo log support
-         * https://www.bro.org/sphinx/scripts/policy/misc/known-devices.bro.html#type-Known::DevicesInfo
-         *
-         * Notable Fields
-         *   Field:     mac
-         *   Notes:     Field exists in the DHCP, RADIUS, and KnownDevices logs
-  -->
-  <field name="dhcp_host_name" type="string" indexed="true" stored="true" />
-  <!--
-         * RFB::Info log support
-         * https://www.bro.org/sphinx-git/scripts/base/protocols/rfb/main.bro.html#type-RFB::Info
-  -->
-  <field name="client_major_version" type="string" indexed="true" stored="true" />
-  <field name="client_minor_version" type="string" indexed="true" stored="true" />
-  <field name="server_major_version" type="string" indexed="true" stored="true" />
-  <field name="server_minor_version" type="string" indexed="true" stored="true" />
-  <field name="authentication_method" type="string" indexed="true" stored="true" />
-  <field name="auth" type="boolean" indexed="true" stored="true" />
-  <field name="share_flag" type="boolean" indexed="true" stored="true" />
-  <field name="desktop_name" type="string" indexed="true" stored="true" />
-  <field name="width" type="pint" indexed="true" stored="true" />
-  <field name="height" type="pint" indexed="true" stored="true" />
-
-  <!--
-         * Stats::Info log support
-         * https://www.bro.org/sphinx/scripts/policy/misc/stats.bro.html#type-Stats::Info
-         *
-         * Notable Fields
-         *   Field:     peer
-         *   Notes:     Field exists in the Weird, CaptureLoss, and Stats logs
-         *
-         *   Field:     pkt_lag
-         *   Notes:     This field uses the "interval" type, which may need handled differently.
-         *              https://www.bro.org/sphinx-git/script-reference/types.html#type-interval
-  -->
-  <field name="mem" type="pint" indexed="true" stored="true" />
-  <field name="pkts_proc" type="pint" indexed="true" stored="true" />
-  <field name="bytes_recv" type="pint" indexed="true" stored="true" />
-  <field name="pkts_dropped" type="pint" indexed="true" stored="true" />
-  <field name="pkts_link" type="pint" indexed="true" stored="true" />
-  <field name="pkt_lag" type="string" indexed="true" stored="true" />
-  <field name="events_proc" type="pint" indexed="true" stored="true" />
-  <field name="events_queued" type="pint" indexed="true" stored="true" />
-  <field name="active_tcp_conns" type="pint" indexed="true" stored="true" />
-  <field name="active_udp_conns" type="pint" indexed="true" stored="true" />
-  <field name="active_icmp_conns" type="pint" indexed="true" stored="true" />
-  <field name="tcp_conns" type="pint" indexed="true" stored="true" />
-  <field name="udp_conns" type="pint" indexed="true" stored="true" />
-  <field name="icmp_conns" type="pint" indexed="true" stored="true" />
-  <field name="timers" type="pint" indexed="true" stored="true" />
-  <field name="active_timers" type="pint" indexed="true" stored="true" />
-  <field name="files" type="pint" indexed="true" stored="true" />
-  <field name="active_files" type="pint" indexed="true" stored="true" />
-  <field name="dns_requests" type="pint" indexed="true" stored="true" />
-  <field name="active_dns_requests" type="pint" indexed="true" stored="true" />
-  <field name="reassem_tcp_size" type="pint" indexed="true" stored="true" />
-  <field name="reassem_file_size" type="pint" indexed="true" stored="true" />
-  <field name="reassem_frag_size" type="pint" indexed="true" stored="true" />
-  <field name="reassem_unknown_size" type="pint" indexed="true" stored="true" />
-
-  <!--
-         * CaptureLoss::Info log support
-         * https://www.bro.org/sphinx/scripts/policy/misc/capture-loss.bro.html#type-CaptureLoss::Info
-         *
-         * Notable Fields
-         *   Field:     ts_delta
-         *   Notes:     This field uses the "interval" type, which may need handled differently.
-         *              https://www.bro.org/sphinx-git/script-reference/types.html#type-interval
-         *
-         *   Field:     peer
-         *   Notes:     Field exists in the Weird, CaptureLoss, and Stats logs
-  -->
-  <field name="ts_delta" type="string" indexed="true" stored="true" />
-  <field name="gaps" type="pint" indexed="true" stored="true" />
-  <field name="acks" type="pint" indexed="true" stored="true" />
-  <field name="percent_lost" type="pdouble" indexed="true" stored="true" />
-
-  <!--
-         * Reporter::Info log support
-         * https://www.bro.org/sphinx/scripts/base/frameworks/reporter/main.bro.html#type-Reporter::Info
-  -->
-  <field name="level" type="string" indexed="true" stored="true" />
-  <field name="message" type="string" indexed="true" stored="true" />
-  <field name="location" type="string" indexed="true" stored="true" />
-
-  <!--
-         * SIP::Info log support
-         * https://www.bro.org/sphinx/scripts/base/protocols/sip/main.bro.html#type-SIP::Info
-         *
-         * Notable Fields
-         *   Field:     trans_depth
-         *   Notes:     Field exists in the HTTP, SMTP, and SIP logs
-         *
-         *   Field:     method
-         *   Notes:     Field exists in the HTTP and SIP logs
-         *
-         *   Field:     uri
-         *   Notes:     Field exists in the HTTP and SIP logs
-         *
-         *   Field:     date
-         *   Notes:     Field exists in the SMTP and SIP logs
-         *
-         *   Field:     reply_to
-         *   Notes:     Field exists in the SMTP and SIP logs
-         *
-         *   Field:     subject
-         *   Notes:     Field exists in the KnownCerts, SMTP, SIP, and SSL logs
-         *
-         *   Field:     user_agent
-         *   Notes:     Field exists in the HTTP, SMTP, and SIP logs
-         *
-         *   Field:     status_code
-         *   Notes:     Field exists in the HTTP and SIP logs
-         *
-         *   Field:     status_msg
-         *   Notes:     Field exists in the HTTP and SIP logs
-         *
-         *   Field:     request_body_len
-         *   Notes:     Field exists in the HTTP and SIP logs
-         *
-         *   Field:     response_body_len
-         *   Notes:     Field exists in the HTTP and SIP logs
-  -->
-  <field name="request_from" type="string" indexed="true" stored="true" />
-  <field name="request_to" type="string" indexed="true" stored="true" />
-  <field name="response_from" type="string" indexed="true" stored="true" />
-  <field name="response_to" type="string" indexed="true" stored="true" />
-  <field name="call_id" type="string" indexed="true" stored="true" />
-  <field name="seq" type="string" indexed="true" stored="true" />
-  <field name="request_path" type="string" indexed="true" stored="true" />
-  <field name="response_path" type="string" indexed="true" stored="true" />
-  <field name="warning" type="string" indexed="true" stored="true" />
-  <field name="content_type" type="string" indexed="true" stored="true" />
-
-  <!-- Geo Enrichment Fields -->
-  <dynamicField name="*.location_point" type="location" multiValued="false" docValues="true"/>
-  <dynamicField name="*.country" type="string" multiValued="false" docValues="true"/>
-  <dynamicField name="*.city" type="string" multiValued="false" docValues="true"/>
-  <dynamicField name="*.locID" type="string" multiValued="false" docValues="true"/>
-  <dynamicField name="*.dmaCode" type="string" multiValued="false" docValues="true"/>
-  <dynamicField name="*.postalCode" type="string" multiValued="false" docValues="true"/>
-  <dynamicField name="*.latitude" type="pfloat" multiValued="false" docValues="true"/>
-  <dynamicField name="*.longitude" type="pfloat" multiValued="false" docValues="true"/>
-
-  <!-- Performance Debugging Fields -->
-  <dynamicField name="*.ts" type="timestamp" multiValued="false" docValues="true"/>
-
-  <!-- Threat Intel Scoring Fields -->
-  <field name="is_alert" type="boolean" indexed="true" stored="true" />
-  <dynamicField name="*score" type="pfloat" multiValued="false" docValues="true"/>
-  <dynamicField name="*.reason" type="string" multiValued="false" docValues="true"/>
-  <dynamicField name="*.name" type="string" multiValued="false" docValues="true"/>
-
-  <!-- Catch all, if we don't know about it, it gets dropped. -->
-  <dynamicField name="*" type="ignored" multiValued="false" docValues="true"/>
-
-  <!-- Type Definitions -->
-  <fieldType name="string" stored="true" indexed="true" multiValued="false" class="solr.StrField" sortMissingLast="true" docValues="false"/>
-  <fieldType name="boolean" stored="true" indexed="true" multiValued="false" class="solr.BoolField" sortMissingLast="true" docValues="false"/>
-  <fieldType name="pint" stored="true" indexed="true" multiValued="false" class="solr.IntPointField" sortMissingLast="false" docValues="true"/>
-  <fieldType name="pfloat" stored="true" indexed="true" multiValued="false" class="solr.FloatPointField" sortMissingLast="false" docValues="true"/>
-  <fieldType name="plong" stored="true" indexed="true" multiValued="false" class="solr.LongPointField" sortMissingLast="false" docValues="true"/>
-  <fieldType name="pdouble" stored="true" indexed="true" multiValued="false" class="solr.DoublePointField" sortMissingLast="false" docValues="true"/>
-  <fieldType name="location" stored="true" indexed="true" multiValued="false" class="solr.LatLonPointSpatialField" sortMissingLast="false" docValues="true"/>
-  <fieldType name="ip" stored="true" indexed="true" multiValued="false" class="solr.StrField" sortMissingLast="true" docValues="false"/>
-  <fieldType name="timestamp" stored="true" indexed="true" multiValued="false" class="solr.LongPointField" sortMissingLast="false" docValues="true"/>
-  <fieldType name="ignored" stored="true" indexed="true" multiValued="true" class="solr.StrField" sortMissingLast="false" docValues="false"/>
-</schema>

http://git-wip-us.apache.org/repos/asf/metron/blob/a7a41a55/metron-platform/metron-solr/src/main/config/schema/bro/schema.xml
----------------------------------------------------------------------
diff --git a/metron-platform/metron-solr/src/main/config/schema/bro/schema.xml b/metron-platform/metron-solr/src/main/config/schema/bro/schema.xml
new file mode 100644
index 0000000..4ce8d6b
--- /dev/null
+++ b/metron-platform/metron-solr/src/main/config/schema/bro/schema.xml
@@ -0,0 +1,693 @@
+<?xml version="1.0" encoding="UTF-8" ?>
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements.  See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License.  You may obtain a copy of the License at
+
+     http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+<schema name="bro_doc" version="1.6">
+  <!--
+    WARNING
+
+    Because Metron inserts many distinct bro records into a single ElasticSearch index
+    by default, it encounters field collisions due to field name reuse across bro logs.
+
+    Be careful when modifying this file to not unintentionally affect other logs.
+    For instance, the "version" field exists in the HTTP, SSL, and SSH logs.  If you
+    were to only consider the SSH log, you would set the type to integer, but because
+    in the SSL and HTTP logs version is a string, we must set the type to keyword.
+   -->
+  <field name="_version_" type="plong" indexed="true" stored="true"/>
+  <field name="_root_" type="string" indexed="true" stored="false" docValues="false" />
+
+  <!--
+         * Metron-specific fields
+  -->
+  <field name="source.type" type="string" indexed="true" stored="true" />
+  <field name="timestamp" type="timestamp" indexed="true" stored="true" />
+  <field name="guid" type="string" indexed="true" stored="true" required="true" multiValued="false" />
+  <uniqueKey>guid</uniqueKey>
+
+  <!--
+         * Widely-used Bro fields (potentially renamed during Metron ingest)
+  -->
+  <field name="uid" type="string" indexed="true" stored="true" />
+  <field name="ip_src_addr" type="ip" indexed="true" stored="true" />
+  <field name="ip_src_port" type="pint" indexed="true" stored="true" />
+  <field name="ip_dst_addr" type="ip" indexed="true" stored="true" />
+  <field name="ip_dst_port" type="pint" indexed="true" stored="true" />
+
+  <!--
+         * HTTP log support
+         * https://www.bro.org/sphinx/scripts/base/protocols/http/main.bro.html#type-HTTP::Info
+         *
+         * Notable Fields
+         *   Field:     method
+         *   Notes:     Field exists in the HTTP and SIP logs
+         *
+         *   Field:     uri
+         *   Notes:     Field exists in the HTTP and SIP logs
+         *
+         *   Field:     password
+         *   Notes:     Field exists in the HTTP and FTP logs
+         *
+         *   Field:     capture_password
+         *   Notes:     Field exists in the HTTP and FTP logs
+         *
+         *   Field:     trans_depth
+         *   Notes:     Field exists in the HTTP, SMTP, and SIP logs
+         *
+         *   Field:     user_agent
+         *   Notes:     Field exists in the HTTP, SMTP, and SIP logs
+         *
+         *   Field:     version
+         *   Notes:     Field exists in the HTTP, SSL, and SSH logs
+         *
+         *   Field:     host
+         *   Notes:     Field exists in the HTTP, KnownCerts, and Software logs
+         *
+         *   Field:     username
+         *   Notes:     Field exists in the HTTP and RADIUS logs
+         *
+         *   Field:     status_code
+         *   Notes:     Field exists in the HTTP and SIP logs
+         *
+         *   Field:     status_msg
+         *   Notes:     Field exists in the HTTP and SIP logs
+         *
+         *   Field:     request_body_len
+         *   Notes:     Field exists in the HTTP and SIP logs
+         *
+         *   Field:     response_body_len
+         *   Notes:     Field exists in the HTTP and SIP logs
+  -->
+  <field name="trans_depth" type="pint" indexed="true" stored="true" />
+  <field name="method" type="string" indexed="true" stored="true" />
+  <field name="host" type="string" indexed="true" stored="true" />
+  <field name="uri" type="string" indexed="true" stored="true" />
+  <field name="referrer" type="string" indexed="true" stored="true" />
+  <field name="version" type="string" indexed="true" stored="true" />
+  <field name="user_agent" type="string" indexed="true" stored="true" />
+  <field name="request_body_len" type="plong" indexed="true" stored="true" />
+  <field name="response_body_len" type="plong" indexed="true" stored="true" />
+  <field name="status_code" type="pint" indexed="true" stored="true" />
+  <field name="status_msg" type="string" indexed="true" stored="true" />
+  <field name="info_code" type="pint" indexed="true" stored="true" />
+  <field name="info_msg" type="string" indexed="true" stored="true" />
+  <field name="tags" type="string" indexed="true" stored="true" multiValued="true" />
+  <field name="username" type="string" indexed="true" stored="true" />
+  <field name="password" type="string" indexed="true" stored="true" />
+  <field name="proxied" type="string" indexed="true" stored="true" />
+  <field name="orig_fuids" type="string" indexed="true" stored="true" multiValued="true"/>
+  <field name="orig_filenames" type="string" indexed="true" stored="true" />
+  <field name="orig_mime_types" type="string" indexed="true" stored="true" multiValued="true" />
+  <field name="resp_fuids" type="string" indexed="true" stored="true" multiValued="true" />
+  <field name="resp_filenames" type="string" indexed="true" stored="true" />
+  <field name="resp_mime_types" type="string" indexed="true" stored="true" multiValued="true" />
+
+  <!--
+         * DNS log support
+         * https://www.bro.org/sphinx/scripts/base/protocols/dns/main.bro.html#type-DNS::Info
+         *
+         * Notable Fields
+         *   Field:     proto
+         *   Notes:     Field exists in the DNS, Conn, DPD, and Notice logs
+         *
+         *   Field:     trans_id
+         *   Notes:     Field exists in the DNS and DHCP logs
+         *
+         *   Field:     rtt
+         *   Notes:     This field uses the "interval" type, which may need handled differently.
+         *              https://www.bro.org/sphinx-git/script-reference/types.html#type-interval
+  -->
+  <field name="proto" type="string" indexed="true" stored="true" />
+  <field name="trans_id" type="plong" indexed="true" stored="true" />
+  <field name="rtt" type="string" indexed="true" stored="true" />
+
+  <field name="query" type="string" indexed="true" stored="true" />
+  <field name="qclass" type="pint" indexed="true" stored="true" />
+  <field name="qclass_name" type="string" indexed="true" stored="true" />
+  <field name="qtype" type="pint" indexed="true" stored="true" />
+  <field name="qtype_name" type="string" indexed="true" stored="true" />
+  <field name="rcode" type="pint" indexed="true" stored="true" />
+  <field name="rcode_name" type="string" indexed="true" stored="true" />
+  <field name="AA" type="boolean" indexed="true" stored="true" />
+  <field name="TC" type="boolean" indexed="true" stored="true" />
+  <field name="RD" type="boolean" indexed="true" stored="true" />
+  <field name="RA" type="boolean" indexed="true" stored="true" />
+  <field name="Z" type="pint" indexed="true" stored="true" />
+  <field name="answers" type="string" indexed="true" stored="true" />
+  <field name="TTLs" type="string" indexed="true" stored="true" />
+  <field name="rejected" type="boolean" indexed="true" stored="true" />
+  <!--
+         * Conn log support
+         * https://www.bro.org/sphinx/scripts/base/protocols/conn/main.bro.html#type-Conn::Info
+         *
+         * Notable Fields
+         *   Field:     proto
+         *   Notes:     Field exists in the DNS, Conn, DPD, and Notice logs
+         *
+         *   Field:     duration
+         *   Notes:     Field exists in the Conn and Files logs
+         *
+         *   Field:     local_orig
+         *   Notes:     Field exists in the Conn and Files logs
+  -->
+  <field name="service" type="string" indexed="true" stored="true" />
+  <field name="duration" type="pfloat" indexed="true" stored="true" />
+  <field name="orig_bytes" type="plong" indexed="true" stored="true" />
+  <field name="resp_bytes" type="plong" indexed="true" stored="true" />
+  <field name="conn_state" type="string" indexed="true" stored="true" />
+  <field name="local_orig" type="boolean" indexed="true" stored="true" />
+
+  <field name="local_resp" type="string" indexed="true" stored="true" />
+  <field name="missed_bytes" type="plong" indexed="true" stored="true" />
+  <field name="history" type="string" indexed="true" stored="true" />
+  <field name="orig_pkts" type="plong" indexed="true" stored="true" />
+  <field name="orig_ip_bytes" type="plong" indexed="true" stored="true" />
+  <field name="resp_pkts" type="plong" indexed="true" stored="true" />
+  <field name="resp_ip_bytes" type="plong" indexed="true" stored="true" />
+  <field name="tunnel_parents" type="string" indexed="true" stored="true" />
+  <!--
+         * DPD log support
+         * https://www.bro.org/sphinx-git/scripts/base/frameworks/dpd/main.bro.html#type-DPD::Info
+         *
+         * Notable Fields
+         *   Field:     proto
+         *   Notes:     Field exists in the DNS, Conn, DPD, and Notice logs
+  -->
+  <field name="analyzer" type="string" indexed="true" stored="true" />
+  <field name="failure_reason" type="string" indexed="true" stored="true" />
+  <!--
+         * FTP log support
+         * https://www.bro.org/sphinx/scripts/base/protocols/ftp/info.bro.html#type-FTP::Info
+         *
+         * Notable Fields
+         *   Field:     password
+         *   Notes:     Field exists in the HTTP and FTP logs
+         *
+         *   Field:     capture_password
+         *   Notes:     Field exists in the HTTP and FTP logs
+         *
+         *   Field:     mime_type
+         *   Notes:     Field exists in the FTP and Files logs
+         *
+         *   Field:     fuid
+         *   Notes:     Field exists in the FTP, Files, and Notice logs
+   -->
+  <field name="user" type="string" indexed="true" stored="true" />
+  <field name="command" type="string" indexed="true" stored="true" />
+  <field name="arg" type="string" indexed="true" stored="true" />
+  <field name="mime_type" type="string" indexed="true" stored="true" />
+  <field name="file_size" type="plong" indexed="true" stored="true" />
+  <field name="reply_code" type="pint" indexed="true" stored="true" />
+  <field name="reply_msg" type="string" indexed="true" stored="true" />
+  <field name="data_channel.passive" type="boolean" indexed="true" stored="true" />
+  <field name="data_channel.orig_h" type="ip" indexed="true" stored="true" />
+  <field name="data_channel.resp_h" type="ip" indexed="true" stored="true" />
+  <field name="data_channel.resp_p" type="pint" indexed="true" stored="true" />
+  <field name="cwd" type="string" indexed="true" stored="true" />
+  <field name="passive" type="boolean" indexed="true" stored="true" />
+  <field name="fuid" type="string" indexed="true" stored="true" />
+  <!--
+         * Files log support
+         * https://www.bro.org/sphinx/scripts/base/frameworks/files/main.bro.html#type-Files::Info
+         *
+         * Notable Fields
+         *   Field:     tx_hosts
+         *   Notes:     Metron rewrites this to "ip_src_addr"
+         *
+         *   Field:     rx_hosts
+         *   Notes:     Metron rewrites this to "ip_dst_addr"
+         *
+         *   Field:     mime_type
+         *   Notes:     Field exists in the FTP and Files logs
+         *
+         *   Field:     duration
+         *   Notes:     Field exists in the Conn and Files logs
+         *
+         *   Field:     local_orig
+         *   Notes:     Field exists in the Conn and Files logs
+         *
+         *   Field:     fuid
+         *   Notes:     Field exists in the FTP, Files, and Notice logs
+  -->
+  <field name="conn_uids" type="string" indexed="true" stored="true" />
+  <field name="source" type="string" indexed="true" stored="true" />
+  <field name="depth" type="pint" indexed="true" stored="true" />
+  <field name="analyzers" type="string" indexed="true" stored="true" />
+  <field name="filename" type="string" indexed="true" stored="true" />
+  <field name="is_orig" type="boolean" indexed="true" stored="true" />
+  <field name="seen_bytes" type="plong" indexed="true" stored="true" />
+  <field name="total_bytes" type="plong" indexed="true" stored="true" />
+  <field name="missing_bytes" type="plong" indexed="true" stored="true" />
+  <field name="overflow_bytes" type="plong" indexed="true" stored="true" />
+  <field name="timedout" type="boolean" indexed="true" stored="true" />
+  <field name="parent_fuid" type="string" indexed="true" stored="true" />
+  <field name="md5" type="string" indexed="true" stored="true" />
+  <field name="sha1" type="string" indexed="true" stored="true" />
+  <field name="sha256" type="string" indexed="true" stored="true" />
+  <field name="extracted" type="string" indexed="true" stored="true" />
+  <field name="extracted_cutoff" type="boolean" indexed="true" stored="true" />
+  <field name="extracted_size" type="plong" indexed="true" stored="true" />
+
+  <!--
+         * Known::CertInfo log support
+         * https://www.bro.org/sphinx/scripts/policy/protocols/ssl/known-certs.bro.html#type-Known::CertsInfo
+         *
+         * Notable Fields
+         *   Field:     host
+         *   Notes:     Field exists in the HTTP, KnownCerts, and Software logs
+         *
+         *   Field:     subject
+         *   Notes:     Field exists in the KnownCerts, SMTP, SIP, and SSL logs
+  -->
+  <field name="port_num" type="pint" indexed="true" stored="true" />
+  <field name="subject" type="string" indexed="true" stored="true" />
+  <field name="issuer_subject" type="string" indexed="true" stored="true" />
+  <field name="serial" type="string" indexed="true" stored="true" />
+
+  <!--
+         * SMTP log support
+         * https://www.bro.org/sphinx/scripts/base/protocols/smtp/main.bro.html#type-SMTP::Info
+         *
+         * Notable Fields
+         *   Field:     trans_depth
+         *   Notes:     Field exists in the HTTP, SMTP, and SIP logs
+         *
+         *   Field:     date
+         *   Notes:     Field exists in the SMTP and SIP logs
+         *
+         *   Field:     subject
+         *   Notes:     Field exists in the KnownCerts, SMTP, SIP, and SSL logs
+         *
+         *   Field:     reply_to
+         *   Notes:     Field exists in the SMTP and SIP logs
+         *
+         *   Field:     user_agent
+         *   Notes:     Field exists in the HTTP, SMTP, and SIP logs
+  -->
+  <field name="helo" type="string" indexed="true" stored="true" />
+  <field name="mailfrom" type="string" indexed="true" stored="true" />
+  <field name="rcptto" type="string" indexed="true" stored="true" />
+  <field name="date" type="string" indexed="true" stored="true" />
+  <field name="from" type="string" indexed="true" stored="true" />
+  <field name="to" type="string" indexed="true" stored="true" />
+  <field name="cc" type="string" indexed="true" stored="true" />
+  <field name="reply_to" type="string" indexed="true" stored="true" />
+  <field name="msg_id" type="string" indexed="true" stored="true" />
+  <field name="in_reply_to" type="string" indexed="true" stored="true" />
+  <field name="x_originating_ip" type="ip" indexed="true" stored="true" />
+  <field name="first_received" type="string" indexed="true" stored="true" />
+  <field name="second_received" type="string" indexed="true" stored="true" />
+  <field name="last_reply" type="string" indexed="true" stored="true" />
+  <field name="path" type="string" indexed="true" stored="true" />
+  <field name="tls" type="boolean" indexed="true" stored="true" />
+  <field name="fuids" type="string" indexed="true" stored="true" />
+  <field name="is_webmail" type="boolean" indexed="true" stored="true" />
+
+  <!--
+         * SSL log support
+         * https://www.bro.org/sphinx/scripts/base/protocols/ssl/main.bro.html#type-SSL::Info
+         *
+         * Notable Fields
+         *   Field:     version
+         *   Notes:     Field exists in the HTTP, SSL, and SSH logs
+         *
+         *   Field:     subject
+         *   Notes:     Field exists in the KnownCerts, SMTP, SIP, and SSL logs
+  -->
+  <field name="cipher" type="string" indexed="true" stored="true" />
+  <field name="curve" type="string" indexed="true" stored="true" />
+  <field name="server_name" type="string" indexed="true" stored="true" />
+  <field name="resumed" type="boolean" indexed="true" stored="true" />
+  <field name="server_appdata" type="string" indexed="true" stored="true" />
+  <field name="client_appdata" type="boolean" indexed="true" stored="true" />
+  <field name="last_alert" type="string" indexed="true" stored="true" />
+  <field name="next_protocol" type="string" indexed="true" stored="true" />
+  <field name="established" type="boolean" indexed="true" stored="true" />
+  <field name="cert_chain_fuids" type="string" indexed="true" stored="true" />
+  <field name="client_cert_chain_fuids" type="string" indexed="true" stored="true" />
+  <field name="issuer" type="string" indexed="true" stored="true" />
+  <field name="client_subject" type="string" indexed="true" stored="true" />
+  <field name="client_issuer" type="string" indexed="true" stored="true" />
+  <field name="validation_status" type="string" indexed="true" stored="true" />
+  <!--
+         * Weird log support
+         * https://www.bro.org/sphinx/scripts/base/frameworks/notice/weird.bro.html#type-Weird::Info
+         *
+         * Notable Fields
+         *   Field:     peer
+         *   Notes:     Field exists in the Weird, CaptureLoss, and Stats logs
+         *
+         *   Field:     name
+         *   Notes:     Field exists in the Weird and LoadedScripts logs
+  -->
+  <field name="name" type="string" indexed="true" stored="true" />
+  <field name="addl" type="string" indexed="true" stored="true" />
+  <field name="notice" type="boolean" indexed="true" stored="true" />
+  <field name="peer" type="string" indexed="true" stored="true" />
+
+  <!--
+         * Notice log support
+         * https://www.bro.org/sphinx/scripts/base/frameworks/notice/main.bro.html#type-Notice::Info
+         *
+         * Notable Fields
+         *   Field:     fuid
+         *   Notes:     Field exists in the FTP, Files, and Notice logs
+         *
+         *   Field:     proto
+         *   Notes:     Field exists in the DNS, Conn, DPD, and Notice logs
+         *
+         *   Field:     remote_location:country_code
+         *   Notes:     Field exists in the Notice and SSH logs
+         *
+         *   Field:     remote_location:region
+         *   Notes:     Field exists in the Notice and SSH logs
+         *
+         *   Field:     remote_location:city
+         *   Notes:     Field exists in the Notice and SSH logs
+         *
+         *   Field:     remote_location:latitude
+         *   Notes:     Field exists in the Notice and SSH logs
+         *
+         *   Field:     remote_location:longitude
+         *   Notes:     Field exists in the Notice and SSH logs
+  -->
+  <field name="file_mime_type" type="string" indexed="true" stored="true" />
+  <field name="file_desc" type="string" indexed="true" stored="true" />
+  <field name="note" type="string" indexed="true" stored="true" />
+  <field name="msg" type="string" indexed="true" stored="true" />
+  <field name="sub" type="string" indexed="true" stored="true" />
+  <field name="src" type="ip" indexed="true" stored="true" />
+  <field name="dst" type="ip" indexed="true" stored="true" />
+  <field name="p" type="pint" indexed="true" stored="true" />
+  <field name="n" type="pint" indexed="true" stored="true" />
+  <field name="src_peer" type="ip" indexed="true" stored="true" />
+  <field name="peer_descr" type="string" indexed="true" stored="true" />
+  <field name="actions" type="string" indexed="true" stored="true" />
+  <field name="suppress_for" type="pdouble" indexed="true" stored="true" />
+  <field name="dropped" type="boolean" indexed="true" stored="true" />
+  <field name="remote_location.country_code" type="string" indexed="true" stored="true" />
+  <field name="remote_location.region" type="string" indexed="true" stored="true" />
+  <field name="remote_location.city" type="string" indexed="true" stored="true" />
+  <field name="remote_location.latitude" type="pdouble" indexed="true" stored="true" />
+  <field name="remote_location.longitude" type="pdouble" indexed="true" stored="true" />
+
+  <!--
+         * DHCP log support
+         * https://www.bro.org/sphinx/scripts/base/protocols/dhcp/main.bro.html#type-DHCP::Info
+         *
+         * Notable Fields
+         *   Field:     mac
+         *   Notes:     Field exists in the DHCP, RADIUS, and KnownDevices logs
+         *
+         *   Field:     trans_id
+         *   Notes:     Field exists in the DNS and DHCP logs
+  -->
+  <field name="mac" type="string" indexed="true" stored="true" />
+  <field name="assigned_ip" type="ip" indexed="true" stored="true" />
+  <field name="lease_time" type="pfloat" indexed="true" stored="true" />
+  <!--
+         * SSH log support
+         * https://www.bro.org/sphinx/scripts/base/protocols/ssh/main.bro.html#type-SSH::Info
+         *
+         * Notable Fields
+         *   Field:     version
+         *   Notes:     Field exists in the HTTP, SSL, and SSH logs
+         *
+         *   Field:     remote_location:country_code
+         *   Notes:     Field exists in the Notice and SSH logs
+         *
+         *   Field:     remote_location:region
+         *   Notes:     Field exists in the Notice and SSH logs
+         *
+         *   Field:     remote_location:city
+         *   Notes:     Field exists in the Notice and SSH logs
+         *
+         *   Field:     remote_location:latitude
+         *   Notes:     Field exists in the Notice and SSH logs
+         *
+         *   Field:     remote_location:longitude
+         *   Notes:     Field exists in the Notice and SSH logs
+  -->
+  <field name="auth_success" type="boolean" indexed="true" stored="true" />
+  <field name="auth_attempts" type="pint" indexed="true" stored="true" />
+  <field name="direction" type="string" indexed="true" stored="true" />
+  <field name="client" type="string" indexed="true" stored="true" />
+  <field name="server" type="string" indexed="true" stored="true" />
+  <field name="cipher_alg" type="string" indexed="true" stored="true" />
+  <field name="mac_alg" type="string" indexed="true" stored="true" />
+  <field name="compression_alg" type="string" indexed="true" stored="true" />
+  <field name="kex_alg" type="string" indexed="true" stored="true" />
+  <field name="host_key_alg" type="string" indexed="true" stored="true" />
+  <field name="host_key" type="string" indexed="true" stored="true" />
+
+  <!--
+         * Software log support
+         * https://www.bro.org/sphinx/scripts/base/frameworks/software/main.bro.html#type-Software::Info
+         *
+         * Notable Fields
+         *   Field:     host
+         *   Notes:     Field exists in the HTTP, KnownCerts, and Software logs
+  -->
+  <field name="host_p" type="pint" indexed="true" stored="true" />
+  <field name="software_type" type="string" indexed="true" stored="true" />
+  <field name="version.major" type="string" indexed="true" stored="true" />
+  <field name="version.minor" type="string" indexed="true" stored="true" />
+  <field name="version.minor2" type="string" indexed="true" stored="true" />
+  <field name="version.minor3" type="string" indexed="true" stored="true" />
+  <field name="version.addl" type="string" indexed="true" stored="true" />
+  <field name="unparsed_version" type="string" indexed="true" stored="true" />
+
+  <!--
+         * RADIUS log support
+         * https://www.bro.org/sphinx/scripts/base/protocols/radius/main.bro.html#type-RADIUS::Info
+         *
+         * Notable Fields
+         *   Field:     username
+         *   Notes:     Field exists in the HTTP and RADIUS logs
+         *
+         *   Field:     mac
+         *   Notes:     Field exists in the DHCP, RADIUS, and KnownDevices logs
+         *
+         *   Field:     ttl
+         *   Notes:     This field uses the "interval" type, which may need handled differently.
+         *              https://www.bro.org/sphinx-git/script-reference/types.html#type-interval
+  -->
+  <field name="framed_addr" type="ip" indexed="true" stored="true" />
+  <field name="remote_ip" type="ip" indexed="true" stored="true" />
+  <field name="connect_info" type="string" indexed="true" stored="true" />
+  <field name="result" type="string" indexed="true" stored="true" />
+  <field name="ttl" type="string" indexed="true" stored="true" />
+
+  <!--
+         * X509 log support
+         * https://www.bro.org/sphinx/scripts/base/files/x509/main.bro.html#type-X509::Info
+         *
+         * Notable Fields
+         *   Field:     id
+         *   Notes:     In other bro records, the id field is of type conn_id, so it is
+         *              expanded before being logged into 4 fields, all of which are addressed
+         *              under the "Widely-used Bro fields" section of this template.  In X509
+         *              logs, however, id is a keyword to identify the certificate file id.
+  -->
+  <field name="id" type="string" indexed="true" stored="true" />
+  <field name="certificate.version" type="pint" indexed="true" stored="true" />
+  <field name="certificate.serial" type="string" indexed="true" stored="true" />
+  <field name="certificate.subject" type="string" indexed="true" stored="true" />
+  <field name="certificate.issuer" type="string" indexed="true" stored="true" />
+  <field name="certificate.not_valid_before" type="string" indexed="true" stored="true" />
+  <field name="certificate.not_valid_after" type="string" indexed="true" stored="true" />
+  <field name="certificate.key_alg" type="string" indexed="true" stored="true" />
+  <field name="certificate.sig_alg" type="string" indexed="true" stored="true" />
+  <field name="certificate.key_type" type="string" indexed="true" stored="true" />
+  <field name="certificate.key_length" type="pint" indexed="true" stored="true" />
+  <field name="certificate.exponent" type="string" indexed="true" stored="true" />
+  <field name="certificate.curve" type="string" indexed="true" stored="true" />
+  <field name="san.dns" type="string" indexed="true" stored="true" />
+  <field name="san.uri" type="string" indexed="true" stored="true" />
+  <field name="san.email" type="string" indexed="true" stored="true" />
+  <field name="san.ip" type="string" indexed="true" stored="true" />
+  <field name="basic_constraints.ca" type="boolean" indexed="true" stored="true" />
+  <field name="basic_constraints.path_len" type="pint" indexed="true" stored="true" />
+
+  <!--
+         * Known::DevicesInfo log support
+         * https://www.bro.org/sphinx/scripts/policy/misc/known-devices.bro.html#type-Known::DevicesInfo
+         *
+         * Notable Fields
+         *   Field:     mac
+         *   Notes:     Field exists in the DHCP, RADIUS, and KnownDevices logs
+  -->
+  <field name="dhcp_host_name" type="string" indexed="true" stored="true" />
+  <!--
+         * RFB::Info log support
+         * https://www.bro.org/sphinx-git/scripts/base/protocols/rfb/main.bro.html#type-RFB::Info
+  -->
+  <field name="client_major_version" type="string" indexed="true" stored="true" />
+  <field name="client_minor_version" type="string" indexed="true" stored="true" />
+  <field name="server_major_version" type="string" indexed="true" stored="true" />
+  <field name="server_minor_version" type="string" indexed="true" stored="true" />
+  <field name="authentication_method" type="string" indexed="true" stored="true" />
+  <field name="auth" type="boolean" indexed="true" stored="true" />
+  <field name="share_flag" type="boolean" indexed="true" stored="true" />
+  <field name="desktop_name" type="string" indexed="true" stored="true" />
+  <field name="width" type="pint" indexed="true" stored="true" />
+  <field name="height" type="pint" indexed="true" stored="true" />
+
+  <!--
+         * Stats::Info log support
+         * https://www.bro.org/sphinx/scripts/policy/misc/stats.bro.html#type-Stats::Info
+         *
+         * Notable Fields
+         *   Field:     peer
+         *   Notes:     Field exists in the Weird, CaptureLoss, and Stats logs
+         *
+         *   Field:     pkt_lag
+         *   Notes:     This field uses the "interval" type, which may need handled differently.
+         *              https://www.bro.org/sphinx-git/script-reference/types.html#type-interval
+  -->
+  <field name="mem" type="pint" indexed="true" stored="true" />
+  <field name="pkts_proc" type="pint" indexed="true" stored="true" />
+  <field name="bytes_recv" type="pint" indexed="true" stored="true" />
+  <field name="pkts_dropped" type="pint" indexed="true" stored="true" />
+  <field name="pkts_link" type="pint" indexed="true" stored="true" />
+  <field name="pkt_lag" type="string" indexed="true" stored="true" />
+  <field name="events_proc" type="pint" indexed="true" stored="true" />
+  <field name="events_queued" type="pint" indexed="true" stored="true" />
+  <field name="active_tcp_conns" type="pint" indexed="true" stored="true" />
+  <field name="active_udp_conns" type="pint" indexed="true" stored="true" />
+  <field name="active_icmp_conns" type="pint" indexed="true" stored="true" />
+  <field name="tcp_conns" type="pint" indexed="true" stored="true" />
+  <field name="udp_conns" type="pint" indexed="true" stored="true" />
+  <field name="icmp_conns" type="pint" indexed="true" stored="true" />
+  <field name="timers" type="pint" indexed="true" stored="true" />
+  <field name="active_timers" type="pint" indexed="true" stored="true" />
+  <field name="files" type="pint" indexed="true" stored="true" />
+  <field name="active_files" type="pint" indexed="true" stored="true" />
+  <field name="dns_requests" type="pint" indexed="true" stored="true" />
+  <field name="active_dns_requests" type="pint" indexed="true" stored="true" />
+  <field name="reassem_tcp_size" type="pint" indexed="true" stored="true" />
+  <field name="reassem_file_size" type="pint" indexed="true" stored="true" />
+  <field name="reassem_frag_size" type="pint" indexed="true" stored="true" />
+  <field name="reassem_unknown_size" type="pint" indexed="true" stored="true" />
+
+  <!--
+         * CaptureLoss::Info log support
+         * https://www.bro.org/sphinx/scripts/policy/misc/capture-loss.bro.html#type-CaptureLoss::Info
+         *
+         * Notable Fields
+         *   Field:     ts_delta
+         *   Notes:     This field uses the "interval" type, which may need handled differently.
+         *              https://www.bro.org/sphinx-git/script-reference/types.html#type-interval
+         *
+         *   Field:     peer
+         *   Notes:     Field exists in the Weird, CaptureLoss, and Stats logs
+  -->
+  <field name="ts_delta" type="string" indexed="true" stored="true" />
+  <field name="gaps" type="pint" indexed="true" stored="true" />
+  <field name="acks" type="pint" indexed="true" stored="true" />
+  <field name="percent_lost" type="pdouble" indexed="true" stored="true" />
+
+  <!--
+         * Reporter::Info log support
+         * https://www.bro.org/sphinx/scripts/base/frameworks/reporter/main.bro.html#type-Reporter::Info
+  -->
+  <field name="level" type="string" indexed="true" stored="true" />
+  <field name="message" type="string" indexed="true" stored="true" />
+  <field name="location" type="string" indexed="true" stored="true" />
+
+  <!--
+         * SIP::Info log support
+         * https://www.bro.org/sphinx/scripts/base/protocols/sip/main.bro.html#type-SIP::Info
+         *
+         * Notable Fields
+         *   Field:     trans_depth
+         *   Notes:     Field exists in the HTTP, SMTP, and SIP logs
+         *
+         *   Field:     method
+         *   Notes:     Field exists in the HTTP and SIP logs
+         *
+         *   Field:     uri
+         *   Notes:     Field exists in the HTTP and SIP logs
+         *
+         *   Field:     date
+         *   Notes:     Field exists in the SMTP and SIP logs
+         *
+         *   Field:     reply_to
+         *   Notes:     Field exists in the SMTP and SIP logs
+         *
+         *   Field:     subject
+         *   Notes:     Field exists in the KnownCerts, SMTP, SIP, and SSL logs
+         *
+         *   Field:     user_agent
+         *   Notes:     Field exists in the HTTP, SMTP, and SIP logs
+         *
+         *   Field:     status_code
+         *   Notes:     Field exists in the HTTP and SIP logs
+         *
+         *   Field:     status_msg
+         *   Notes:     Field exists in the HTTP and SIP logs
+         *
+         *   Field:     request_body_len
+         *   Notes:     Field exists in the HTTP and SIP logs
+         *
+         *   Field:     response_body_len
+         *   Notes:     Field exists in the HTTP and SIP logs
+  -->
+  <field name="request_from" type="string" indexed="true" stored="true" />
+  <field name="request_to" type="string" indexed="true" stored="true" />
+  <field name="response_from" type="string" indexed="true" stored="true" />
+  <field name="response_to" type="string" indexed="true" stored="true" />
+  <field name="call_id" type="string" indexed="true" stored="true" />
+  <field name="seq" type="string" indexed="true" stored="true" />
+  <field name="request_path" type="string" indexed="true" stored="true" />
+  <field name="response_path" type="string" indexed="true" stored="true" />
+  <field name="warning" type="string" indexed="true" stored="true" />
+  <field name="content_type" type="string" indexed="true" stored="true" />
+
+  <!-- Geo Enrichment Fields -->
+  <dynamicField name="*.location_point" type="location" multiValued="false" docValues="false"/>
+  <dynamicField name="*.country" type="string" multiValued="false" docValues="true"/>
+  <dynamicField name="*.city" type="string" multiValued="false" docValues="true"/>
+  <dynamicField name="*.locID" type="string" multiValued="false" docValues="true"/>
+  <dynamicField name="*.dmaCode" type="string" multiValued="false" docValues="true"/>
+  <dynamicField name="*.postalCode" type="string" multiValued="false" docValues="true"/>
+  <dynamicField name="*.latitude" type="pfloat" multiValued="false" docValues="true"/>
+  <dynamicField name="*.longitude" type="pfloat" multiValued="false" docValues="true"/>
+
+  <!-- Performance Debugging Fields -->
+  <dynamicField name="*.ts" type="timestamp" multiValued="false" docValues="true"/>
+
+  <!-- Threat Intel Scoring Fields -->
+  <field name="is_alert" type="boolean" indexed="true" stored="true" />
+  <dynamicField name="*score" type="pfloat" multiValued="false" docValues="true"/>
+  <dynamicField name="*.reason" type="string" multiValued="false" docValues="true"/>
+  <dynamicField name="*.name" type="string" multiValued="false" docValues="true"/>
+
+  <!-- Catch all, if we don't know about it, it gets dropped. -->
+  <dynamicField name="*" type="ignored" multiValued="false" docValues="true"/>
+
+  <!-- Type Definitions -->
+  <fieldType name="string" stored="true" indexed="true" multiValued="false" class="solr.StrField" sortMissingLast="true" docValues="false"/>
+  <fieldType name="boolean" stored="true" indexed="true" multiValued="false" class="solr.BoolField" sortMissingLast="true" docValues="false"/>
+  <fieldType name="pint" stored="true" indexed="true" multiValued="false" class="solr.TrieIntField" sortMissingLast="false" docValues="true"/>
+  <fieldType name="pfloat" stored="true" indexed="true" multiValued="false" class="solr.TrieFloatField" sortMissingLast="false" docValues="true"/>
+  <fieldType name="plong" stored="true" indexed="true" multiValued="false" class="solr.TrieLongField" sortMissingLast="false" docValues="true"/>
+  <fieldType name="pdouble" stored="true" indexed="true" multiValued="false" class="solr.TrieDoubleField" sortMissingLast="false" docValues="true"/>
+  <fieldType name="location" class="solr.LatLonType" subFieldSuffix="_coordinate"/>
+  <fieldType name="ip" stored="true" indexed="true" multiValued="false" class="solr.StrField" sortMissingLast="true" docValues="false"/>
+  <fieldType name="timestamp" stored="true" indexed="true" multiValued="false" class="solr.TrieLongField" sortMissingLast="false" docValues="true"/>
+  <fieldType name="ignored" stored="true" indexed="true" multiValued="true" class="solr.StrField" sortMissingLast="false" docValues="false"/>
+</schema>

http://git-wip-us.apache.org/repos/asf/metron/blob/a7a41a55/metron-platform/metron-solr/src/main/config/schema/error/managed-schema
----------------------------------------------------------------------
diff --git a/metron-platform/metron-solr/src/main/config/schema/error/managed-schema b/metron-platform/metron-solr/src/main/config/schema/error/managed-schema
deleted file mode 100644
index 0ed9a38..0000000
--- a/metron-platform/metron-solr/src/main/config/schema/error/managed-schema
+++ /dev/null
@@ -1,58 +0,0 @@
-<?xml version="1.0" encoding="UTF-8" ?>
-<!--
- Licensed to the Apache Software Foundation (ASF) under one or more
- contributor license agreements.  See the NOTICE file distributed with
- this work for additional information regarding copyright ownership.
- The ASF licenses this file to You under the Apache License, Version 2.0
- (the "License"); you may not use this file except in compliance with
- the License.  You may obtain a copy of the License at
-
-     http://www.apache.org/licenses/LICENSE-2.0
-
- Unless required by applicable law or agreed to in writing, software
- distributed under the License is distributed on an "AS IS" BASIS,
- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- See the License for the specific language governing permissions and
- limitations under the License.
--->
-<schema name="error_doc" version="1.6">
-  <field name="_version_" type="plong" indexed="false" stored="false"/>
-  <field name="_root_" type="string" indexed="true" stored="false" docValues="false" />
-
-  <!-- The Exception Details-->
-  <field name="exception" type="string" indexed="true" stored="true" />
-  <field name="hostname" type="string" indexed="true" stored="true" />
-  <field name="stack" type="string" indexed="true" stored="true" />
-
-  <!-- The timestamp of when it happened -->
-  <field name="timestamp" type="timestamp" indexed="true" stored="true" />
-
-  <!-- The message in string form (this may be garbage if the message is a bytes rather than text -->
-  <field name="message" type="string" indexed="true" stored="true" />
-  <field name="raw_message" type="string" indexed="true" stored="true" />
-  <field name="raw_message_bytes" type="bytes" indexed="true" stored="true" />
-  <field name="error_fields" type="string" indexed="true" stored="true" />
-  <field name="error_hash" type="string" indexed="true" stored="true" />
-  <field name="failed_sensor_type" type="string" indexed="true" stored="true" />
-  <field name="error_type" type="string" indexed="true" stored="true" />
-
-  <!-- The GUID for the error -->
-  <field name="guid" type="string" indexed="true" stored="true" required="true" multiValued="false" />
-  <uniqueKey>guid</uniqueKey>
-
-  <!-- Catch all, if we don't know about it, it gets dropped. -->
-  <dynamicField name="*" type="ignored" multiValued="false" docValues="true"/>
-
-
-  <fieldType name="string" stored="true" indexed="true" multiValued="false" class="solr.StrField" sortMissingLast="true" docValues="false"/>
-  <fieldType name="boolean" stored="true" indexed="true" multiValued="false" class="solr.BoolField" sortMissingLast="true" docValues="false"/>
-  <fieldType name="pint" stored="true" indexed="true" multiValued="false" class="solr.IntPointField" sortMissingLast="false" docValues="true"/>
-  <fieldType name="pfloat" stored="true" indexed="true" multiValued="false" class="solr.FloatPointField" sortMissingLast="false" docValues="true"/>
-  <fieldType name="plong" stored="true" indexed="true" multiValued="false" class="solr.LongPointField" sortMissingLast="false" docValues="true"/>
-  <fieldType name="pdouble" stored="true" indexed="true" multiValued="false" class="solr.DoublePointField" sortMissingLast="false" docValues="true"/>
-  <fieldType name="bytes" stored="true" indexed="true" multiValued="false" class="solr.BinaryField" sortMissingLast="false"/>
-  <fieldType name="location" stored="true" indexed="true" multiValued="false" class="solr.LatLonPointSpatialField" sortMissingLast="false" docValues="true"/>
-  <fieldType name="ip" stored="true" indexed="true" multiValued="false" class="solr.StrField" sortMissingLast="true" docValues="false"/>
-  <fieldType name="timestamp" stored="true" indexed="true" multiValued="false" class="solr.LongPointField" sortMissingLast="false" docValues="true"/>
-  <fieldType name="ignored" stored="true" indexed="true" multiValued="true" class="solr.StrField" sortMissingLast="false" docValues="false"/>
-</schema>

http://git-wip-us.apache.org/repos/asf/metron/blob/a7a41a55/metron-platform/metron-solr/src/main/config/schema/error/schema.xml
----------------------------------------------------------------------
diff --git a/metron-platform/metron-solr/src/main/config/schema/error/schema.xml b/metron-platform/metron-solr/src/main/config/schema/error/schema.xml
new file mode 100644
index 0000000..5f9f9a3
--- /dev/null
+++ b/metron-platform/metron-solr/src/main/config/schema/error/schema.xml
@@ -0,0 +1,58 @@
+<?xml version="1.0" encoding="UTF-8" ?>
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements.  See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License.  You may obtain a copy of the License at
+
+     http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+<schema name="error_doc" version="1.6">
+  <field name="_version_" type="plong" indexed="true" stored="true"/>
+  <field name="_root_" type="string" indexed="true" stored="false" docValues="false" />
+
+  <!-- The Exception Details-->
+  <field name="exception" type="string" indexed="true" stored="true" />
+  <field name="hostname" type="string" indexed="true" stored="true" />
+  <field name="stack" type="string" indexed="true" stored="true" />
+
+  <!-- The timestamp of when it happened -->
+  <field name="timestamp" type="timestamp" indexed="true" stored="true" />
+
+  <!-- The message in string form (this may be garbage if the message is a bytes rather than text -->
+  <field name="message" type="string" indexed="true" stored="true" />
+  <field name="raw_message" type="string" indexed="false" stored="true" />
+  <field name="raw_message_bytes" type="bytes" indexed="false" stored="true" />
+  <field name="error_fields" type="string" indexed="true" stored="true" />
+  <field name="error_hash" type="string" indexed="true" stored="true" />
+  <field name="failed_sensor_type" type="string" indexed="true" stored="true" />
+  <field name="error_type" type="string" indexed="true" stored="true" />
+
+  <!-- The GUID for the error -->
+  <field name="guid" type="string" indexed="true" stored="true" required="true" multiValued="false" />
+  <uniqueKey>guid</uniqueKey>
+
+  <!-- Catch all, if we don't know about it, it gets dropped. -->
+  <dynamicField name="*" type="ignored" multiValued="false" docValues="true"/>
+
+
+  <fieldType name="string" stored="true" indexed="true" multiValued="false" class="solr.StrField" sortMissingLast="true" docValues="false"/>
+  <fieldType name="boolean" stored="true" indexed="true" multiValued="false" class="solr.BoolField" sortMissingLast="true" docValues="false"/>
+  <fieldType name="pint" stored="true" indexed="true" multiValued="false" class="solr.TrieIntField" sortMissingLast="false" docValues="true"/>
+  <fieldType name="pfloat" stored="true" indexed="true" multiValued="false" class="solr.TrieFloatField" sortMissingLast="false" docValues="true"/>
+  <fieldType name="plong" stored="true" indexed="true" multiValued="false" class="solr.TrieLongField" sortMissingLast="false" docValues="true"/>
+  <fieldType name="pdouble" stored="true" indexed="true" multiValued="false" class="solr.TrieDoubleField" sortMissingLast="false" docValues="true"/>
+  <fieldType name="bytes" stored="true" indexed="true" multiValued="false" class="solr.BinaryField" sortMissingLast="false"/>
+  <fieldType name="location" class="solr.LatLonType" subFieldSuffix="_coordinate"/>
+  <fieldType name="ip" stored="true" indexed="true" multiValued="false" class="solr.StrField" sortMissingLast="true" docValues="false"/>
+  <fieldType name="timestamp" stored="true" indexed="true" multiValued="false" class="solr.TrieLongField" sortMissingLast="false" docValues="true"/>
+  <fieldType name="ignored" stored="true" indexed="true" multiValued="true" class="solr.StrField" sortMissingLast="false" docValues="false"/>
+</schema>
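Review bot: The catch-all comment on the `*` dynamicField says unknown fields get dropped, but the `ignored` type it points at is declared `stored="true" indexed="true"`, and the dynamicField itself adds `docValues="true"`, so every unrecognised key in an error record is in fact stored, indexed and given docValues. For an error collection, whose documents carry whatever fields a failed message happened to contain, that lets untrusted input grow the field set without bound, and the comment misleads anyone reading the schema; either the comment or the type should change. If dropping really is the intent, `<fieldType name="ignored" stored="false" indexed="false" multiValued="true" class="solr.StrField"/>` together with `<dynamicField name="*" type="ignored" multiValued="true"/>` does that (the bro schema earlier in this commit has the same pattern). Separately, `stack` and `message` are still indexed StrFields while `raw_message` was switched to `indexed="false"`; a full stack trace can plausibly exceed the single-term size Lucene accepts, so `stack` is likely worth the same treatment.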

