Can we compare two strings with logstash or elastic search?

Hi Folks,

Here is my use case; I have BIND logs being parsed thus extracting queries domain; however I am collecting DNS queries from end users as well using sysmon. So my query is

Since I have BIND server sitting in front of Windows DNS server at present I am not able to see the actual user IP address who has generated the original query.
Hence wanted to know if I can write a lookup rule like;

if BIND logs www.google.com AND SYSMON log www.google.com
Then add_field original_IP?

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.