Convert site name to IP address in Logstash


(Mark Nuttall) #1

I am parsing Apache log files and, instead of IP addresses, it mostly contains things like ec2-54-200-236-252.us-west-2.compute.amazonaws.com. I have tried the DNS filter to no avail. I'd like to have the IP address so I can use it with geoip. If I ping the "name", I get the IP address. Any ideas on if Logstash supports this or if there is a 3rd party plugin for it? I have googled a bunch and have come up empty.


(Mark Walkom) #2

A reverse DNS filter didn't work?


(Mark Nuttall) #3

Not for me. Not that I could tell. Maybe I just didn't have the config right. I've tried different things to include just passing the name via the stdin input. Below is an example of one of the things I tried. I get no error and nothing is added to the output.

    input { stdin { } }

    filter {
      mutate {
        strip => "message"
      }
      dns {
        reverse => [ "source_host", "message" ]
      }
    }

    output {
      stdout { codec => rubydebug }
    }


(Mark Walkom) #4

Stripping message means doing any subsequent filters on that won't work!

Also I think you should be using the resolve filter rather than reverse, cause we aren't doing a reverse lookup (I missed that earlier).
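
A forward-lookup pipeline for the case discussed in this thread, as an added example that is not part of any post above. The field names `clientip` and `client_addr` and the cache and timeout values are assumptions.

```conf
# Added example, not from the thread. Assumes ECS compatibility is disabled,
# so %{COMBINEDAPACHELOG} puts the logged client host in "clientip".
input { stdin { } }

filter {
  grok {
    match => { "message" => "%{COMBINEDAPACHELOG}" }
  }

  # Work on a copy so the name that Apache logged is preserved as evidence.
  mutate {
    copy => { "clientip" => "client_addr" }
  }

  # resolve = forward lookup (name -> address); reverse = PTR lookup and
  # expects the field to already hold an IP address.
  # action defaults to "append", which turns the field into [name, ip];
  # "replace" leaves a single value that geoip can read.
  dns {
    resolve => [ "client_addr" ]
    action => "replace"
    timeout => 2
    hit_cache_size => 10000
    hit_cache_ttl => 300
    failed_cache_size => 1000
    failed_cache_ttl => 60
  }

  # If the lookup failed, client_addr still holds the name: skip geoip then.
  if [client_addr] =~ /^\d{1,3}(\.\d{1,3}){3}$/ {
    geoip {
      source => "client_addr"
      target => "geoip"
    }
  } else {
    mutate { add_tag => [ "client_addr_unresolved" ] }
  }
}

output { stdout { codec => rubydebug } }
```

The name in the Apache log comes from a PTR record controlled by whoever owns the address block, so the address it resolves to is not guaranteed to be the client's. Setting `HostnameLookups Off` in Apache logs the IP address directly and avoids the lookup.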


(Mark Nuttall) #5

I am using strip to remove the /r just in case that was causing issues with my test. FYI - message still shows up in the output.

I had tried using resolve to no avail. As I said, that config file is just an example of the things I tried (and tried ..... :frowning:)

