I'm new to Logstash and I've been using Winlogbeat to get log events, and I wanted to do a DNS lookup on the Workstation field.
While trying the dns filter I encountered a strange bug.
My pipeline configuration is as follows:
input {
  stdin {
    codec => json
  }
}
filter {
  json {
    source => "message"
  }
  if [_source][type] == "wineventlog" {
    dns {
      reverse => ["[_source][event_data][Workstation]"]
      action => replace
      add_tag => ["dns_lookup"]
      add_field => { "[_source][event_data][ip_addr]" => "%{[_source][event_data[Workstation]}" }
    }
  }
}
output {
  stdout {
    codec => rubydebug
  }
}
In case the [_source][type] field is set to wineventlog, I should have a tag added.
It works with the following JSON:
{"_source": {"type": "wineventlog", "event_data" : { "workstation" : "www.google.fr" } } }
Output:
{
       "@version" => "1",
     "@timestamp" => 2018-08-21T09:36:14.396Z,
           "host" => "localhost.localdomain",
           "tags" => [
        [0] "dns_lookup"
    ],
     "event_data" => {
        "ip_addr" => "%{[_source][event_data[Workstation]}"
    },
        "_source" => {
              "type" => "wineventlog",
        "event_data" => {
            "workstation" => "www.google.fr"
        }
    }
}
But not with the one I'm supposed to handle (notice the case of the Workstation field):
{"_source": {"type": "wineventlog", "event_data" : { "Workstation" : "www.google.fr" } } }
Output:
{
      "@version" => "1",
    "@timestamp" => 2018-08-21T09:50:00.006Z,
          "host" => "localhost.localdomain",
       "_source" => {
              "type" => "wineventlog",
        "event_data" => {
            "Workstation" => "www.google.fr"
        }
    }
}
What am I doing wrong?
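For comparison, here is a pipeline that performs the lookup the question is after (hostname to IP address) and populates ip_addr. This is an added example, not the configuration from the question. It relies on three points about the Logstash dns filter and field references: `reverse` is a reverse lookup (IP address to hostname) and does not act on a value such as "www.google.fr", whereas `resolve` is the forward lookup (hostname to IP address); field references are case-sensitive, so `[event_data][workstation]` and `[event_data][Workstation]` are different fields (in the lowercase input above the filter's target field does not exist at all, so no lookup was attempted); and the `%{...}` reference in the original add_field is missing a `]` after event_data, which is why it appears in the output as a literal string. The json filter is omitted because the stdin json codec already decodes the line. The cache sizes are illustrative values, not recommendations.

```conf
input {
  stdin {
    codec => json
  }
}
filter {
  if [_source][type] == "wineventlog" {
    # Field references are case-sensitive: [Workstation] and [workstation]
    # are different fields. Copy the hostname into ip_addr first so the
    # original Workstation value survives the lookup.
    mutate {
      copy => { "[_source][event_data][Workstation]" => "[_source][event_data][ip_addr]" }
    }
    # `resolve` is a forward lookup (hostname -> IP address).
    # `reverse` is IP address -> hostname and will not act on a hostname.
    dns {
      resolve => ["[_source][event_data][ip_addr]"]
      # replace the hostname in ip_addr with the address it resolves to
      action => "replace"
      # add_tag is applied only when the lookup succeeds, so the tag
      # doubles as a success marker; on failure ip_addr keeps the hostname
      add_tag => ["dns_lookup"]
      # Cache answers so every event does not trigger a live DNS query
      # (illustrative sizes; tune to the event rate).
      hit_cache_size => 4096
      failed_cache_size => 1024
    }
  }
}
output {
  stdout {
    codec => rubydebug
  }
}
```

Two caveats when running this against real Windows event logs: the Workstation value in logon events is usually a short NetBIOS computer name rather than an FQDN, so whether it resolves depends on the resolver and search domain of the Logstash host, and any string an attacker can get into that field becomes a DNS query issued from the Logstash host, so a failed or unexpected lookup should be treated as a signal rather than an error.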