Hi all,
I'm trying to apply reverse DNS lookup to the logs received from my Sophos firewall using the "DNS" processor of filebeat, but so far I didn't have any luck with that using the Sophos fleet-managed integration.
My current setup is a two-node ES cluster, with one of them being both Kibana and Fleet Server. The fleet server integration also has the Sophos integration to receive the logs from the Syslog configured on the firewall. I know this is far from ideal but since it is a small proof-of-concept for a home lab, it does the job.
I noticed that the processor fails because it tries to run before the logs are sent to Elasticsearch, which performs the parsing with the ingest node pipelines that adds the fields that I want to run the processor on.
I tried modifying the ingest node pipeline of Sophos to add the processor after the parsing, but there is no "DNS" processor among the Elasticsearch processors, so I guess it is only available as a Beats processor.
One solution I can think of now is to set up a Logstash node that receives the logs from the Fleet Server and apply it there, but that requires using a standalone agent instead of a fleet-managed one.
The other solution is to use directly filebeat integration of Sophos, but I would like to get it working from fleet.
Is there any way to apply the processors after the Elasticsearch ingest node pipelines? Or is there any processor on Elasticsearch (maybe enrich?) that I could apply to perform the DNS query?
Thank you in advance for your time.