Many logs do not contain every available field in each entry. For example, in Zeek's DNS log one of the fields is called "rcode", the response code returned by the server. A corresponding field, rcode_name, gives the label for that code, such as NOERROR (0) or NXDOMAIN, "no such domain" (3).
However, some log entries carry no rcode (or rcode_name) field at all. One way of handling that is to delete the entry with a transform filter such as RemoveEntryIfDoesntExist. Another is to patch the entry with an identifying field, such as RCODE_NOT_FOUND, or to add the rcode field with a special value (e.g., -1).
Either approach allows more complete error handling in the logs, since downstream consumers can then rely on the field being present or the entry being absent.
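The two strategies above, as an added example that is not part of the original text and not Zeek's own code: Zeek dns.log entries in JSON form, a filter that drops entries lacking rcode, and a patch that fills in a sentinel value plus an RCODE_NOT_FOUND marker. The sample entries are constructed, not real captures, and the sentinel value -1 is the one suggested in the text.

```python
import json
from collections import Counter

# Constructed sample dns.log lines in Zeek's JSON output format (not real traffic).
# Zeek omits unset fields entirely, so the third entry has no rcode/rcode_name.
SAMPLE_LOG = """\
{"ts":1.0,"uid":"C1","id.orig_h":"10.0.0.5","query":"example.com","rcode":0,"rcode_name":"NOERROR"}
{"ts":2.0,"uid":"C2","id.orig_h":"10.0.0.6","query":"nope.invalid","rcode":3,"rcode_name":"NXDOMAIN"}
{"ts":3.0,"uid":"C3","id.orig_h":"10.0.0.7","query":"unanswered.test"}
"""

RCODE_MISSING = -1  # special value for "no response code seen", as in the text


def parse_zeek_json(text):
    """Parse one JSON object per line; blank lines are skipped."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def remove_if_missing(entries, field="rcode"):
    """Strategy 1: drop entries that lack the field (RemoveEntryIfDoesntExist behaviour)."""
    return [e for e in entries if field in e]


def patch_missing_rcode(entries, sentinel=RCODE_MISSING):
    """Strategy 2: keep every entry; fill rcode/rcode_name and flag the patch.

    Entries are copied so the caller's original list is left untouched.
    """
    patched = []
    for e in entries:
        e = dict(e)
        if "rcode" not in e:
            e["rcode"] = sentinel
            e["rcode_name"] = "RCODE_NOT_FOUND"
            e["RCODE_NOT_FOUND"] = True  # identifying field from the text
        patched.append(e)
    return patched


def count_by_rcode_name(entries):
    """Summarise responses by label; only safe once every entry has rcode_name."""
    return Counter(e["rcode_name"] for e in entries)


if __name__ == "__main__":
    entries = parse_zeek_json(SAMPLE_LOG)
    print("kept after remove filter:", len(remove_if_missing(entries)))
    print("counts after patching:", count_by_rcode_name(patch_missing_rcode(entries)))
```

With the remove filter the unanswered query disappears from the counts entirely; with the patch it shows up under RCODE_NOT_FOUND, which is usually the more useful signal when investigating timeouts or blocked resolvers.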