DNS filter couldn't perform reverse lookup

ladakalina · May 3, 2020, 9:59am

Hello everyone!
I have a problem with DNS filter in Logstash.
Source data: I use logstash to parse ulogd logs from my router (based on Open-wrt). The last problem I faced it's problem with perform reverse lookup IP-address.

1) Elastic version:
curl -XGET 'localhost:9200'
{
"name" : "*****",
"cluster_name" : "elasticsearch",
"cluster_uuid" : "XnrCNwIbT4yLpg5wnpDHFA",
"version" : {
"number" : "7.6.2",
"build_flavor" : "default",
"build_type" : "deb",
"build_hash" : "ef48eb35cf30adf4db14086e8aabd07ef6fb113f",
"build_date" : "2020-03-26T06:34:37.794943Z",
"build_snapshot" : false,
"lucene_version" : "8.4.0",
"minimum_wire_compatibility_version" : "6.8.0",
"minimum_index_compatibility_version" : "6.0.0-beta1"
},
"tagline" : "You Know, for Search"
}

2) Logstash config:

input {
udp {
port => 5014
type => syslog
}
}
filter {
grok {
match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:[%{POSINT:syslog_pid}])?: %{GREEDYDATA:sys$
}
grok {
match => { "syslog_message" => "[%{DATA:status}] %{DATA:outbound.direction}: SRC=%{IP:outbound.src_ip} DST=%{IP:outbound.dst_ip} PROTO=%{WORD:outbound.protocol$
}
geoip {
source => "outbound.dst_ip"
target => "outboundgeoip"
add_field => [ "[outboundgeoip][coord]", "%{[outboundgeoip][longitude]}" ]
add_field => [ "[outboundgeoip][coord]", "%{[outboundgeoip][latitude]}" ]
}
geoip {
source => "inbound.src_ip"
target => "inboundgeoip"
add_field => [ "[inboundgeoip][coord]", "%{[inboundgeoip][longitude]}" ]
add_field => [ "[inboundgeoip][coord]", "%{[inboundgeoip][latitude]}" ]
}
mutate {
convert => [ "[outboundgeoip][coord]", "float" ]
convert => [ "[inboundgeoip][coord]", "float" ]
}
dns {
reverse => [ "[outbound][dst_ip]" ]
nameserver => [ "8.8.8.8" ]
action => "append"
add_tag => [ "dns_successful_lookup" ]
}
}
output {
elasticsearch {
hosts => ["http://localhost:9200"]
index => "syslog-%{+YYYY.MM.dd}"
}
}

3) Problem with result:

logstash[2856]: [2020-05-03T09:36:10,889][WARN ][logstash.filters.dns ][main] DNS filter could not perform reverse lookup on missing field {:field=>"[outbound][dst_ip]"}

I have outbound.dst_ip with IP-address without dns-name. It's problem with all logs.
I ask for your help or advice to solve this problem.

ptamba · May 3, 2020, 10:59am

as the log suggested, it couldn’t find the field [oubound][dst_ip]. change the field in your dns filter into outbound.dst_ip instead or assign value to the [outbound].[dst_ip]

Badger · May 3, 2020, 2:13pm

A field can have a period in its name, in which case logstash would call it

[outbound.dst_ip]

or a field can be an object that contains another field, in which case logstash would call it

[outbound][dst_ip]

You are mixing the two.

ladakalina · May 4, 2020, 6:00pm

Really. The problem was the wrong field name. Thanks.

Correct log:

dns {
  reverse => [ "outbound.dst_ip" ]
  nameserver => [ "8.8.8.8" ]
  action => "append"
  add_tag => [ "dns_successful_lookup" ]
}

system · June 1, 2020, 6:00pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.