I'm new to Logstash and I can't figure out some simple questions.
I need to add DNS info taken from a local DNS server to manage lookups for internal IPs.
My local DNS server has an IP, for example 10.1.0.20.
I need to read source.ip and destination.ip and add new information with DNS data.
The official docs say:
```
filter {
  dns {
    reverse => [ "source_host", "field_with_address" ]
    resolve => [ "field_with_fqdn" ]
    action => "replace"
  }
}
```
But it's not clear where I have to put my data.
I want an output like:
```
"source" =>
  {
    ...
    "address" : "192.168.1.29",
    "dns_info" : "Desktop123"
    ...
  }
...
```
Unfortunately, the DNS filter tries to resolve the address or name in place instead of adding a field, so you need to jump through hoops. Assuming you have a doc with a source.ip field...
```
filter {
  mutate {
    copy => { "[source][ip]" => "[source][fqdn]" }
  }
  dns {
    reverse => "[source][fqdn]"
    action => "replace"
    add_field => { "[@metadata][dns_source]" => "success" }
  }
  if ![@metadata][dns_source] {
    mutate { remove_field => "[source][fqdn]" }
  }
}
```
It's ugly, but I don't know of a better way to do this given there is no target setting for the DNS filter plugin.
I think this answers the crux of your question; other things, like specifying a nameserver or setting cache times, are well covered in the official docs.
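The same copy-then-reverse-resolve pattern, as an added example that is not part of the answer above, extended to cover both source.ip and destination.ip (which the question asks about) and pointed at the asker's internal resolver 10.1.0.20. Instead of the `[@metadata]` success flag, it detects a failed lookup by comparing the scratch field to the original IP, since `action => "replace"` only overwrites the field when the lookup succeeds. The target name `hostname`, the timeout, retry and cache values are assumptions, not values from the post; the option names (`nameserver`, `timeout`, `max_retries`, `hit_cache_*`, `failed_cache_*`) are the dns filter's documented settings.

```logstash
# Added example (not from the original post). Assumes events carry
# [source][ip] and [destination][ip]; the "hostname" target field name and
# all numeric values below are assumptions to be tuned for your pipeline.
filter {
  # The dns filter rewrites fields in place, so copy each IP into a scratch
  # field first and resolve the copy.
  mutate {
    copy => {
      "[source][ip]"      => "[source][hostname]"
      "[destination][ip]" => "[destination][hostname]"
    }
  }

  # One dns block per address so the outcome of one lookup is independent
  # of the other. Caching hits and misses keeps a noisy internal network
  # from turning every event into a DNS round trip.
  dns {
    reverse           => [ "[source][hostname]" ]
    action            => "replace"
    nameserver        => [ "10.1.0.20" ]   # internal resolver from the question
    timeout           => 0.5               # seconds (assumed)
    max_retries       => 1                 # (assumed)
    hit_cache_size    => 4096
    hit_cache_ttl     => 300               # seconds
    failed_cache_size => 4096
    failed_cache_ttl  => 60                # seconds
  }
  dns {
    reverse           => [ "[destination][hostname]" ]
    action            => "replace"
    nameserver        => [ "10.1.0.20" ]
    timeout           => 0.5
    max_retries       => 1
    hit_cache_size    => 4096
    hit_cache_ttl     => 300
    failed_cache_size => 4096
    failed_cache_ttl  => 60
  }

  # If the scratch field still equals the IP, the reverse lookup failed
  # (replace only happens on success). Drop it so downstream consumers
  # never mistake an address literal for a hostname.
  if [source][hostname] == [source][ip] {
    mutate { remove_field => [ "[source][hostname]" ] }
  }
  if [destination][hostname] == [destination][ip] {
    mutate { remove_field => [ "[destination][hostname]" ] }
  }
}
```

With this in place an event whose `[source][ip]` resolves ends up with both `[source][ip]` and `[source][hostname]`, while one that does not resolve keeps only the IP, matching the shape the question asked for. The comparison check also works when a single dns block reverses several fields at once, because each scratch field is judged on its own rather than by one shared flag.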