Hello everyone!
I have a problem with the DNS filter in Logstash.
Source data: I use Logstash to parse ulogd logs from my router (based on OpenWrt). The latest problem I am facing is performing reverse lookups on IP addresses.
1) Elasticsearch version:
# Query the root endpoint of the local Elasticsearch node for its version banner.
curl --request GET 'localhost:9200'
{
"name" : "*****",
"cluster_name" : "elasticsearch",
"cluster_uuid" : "XnrCNwIbT4yLpg5wnpDHFA",
"version" : {
"number" : "7.6.2",
"build_flavor" : "default",
"build_type" : "deb",
"build_hash" : "ef48eb35cf30adf4db14086e8aabd07ef6fb113f",
"build_date" : "2020-03-26T06:34:37.794943Z",
"build_snapshot" : false,
"lucene_version" : "8.4.0",
"minimum_wire_compatibility_version" : "6.8.0",
"minimum_index_compatibility_version" : "6.0.0-beta1"
},
"tagline" : "You Know, for Search"
}
2) Logstash config:
input {
  # Syslog events sent by the router over plain UDP, tagged with type "syslog".
  # Security note: UDP syslog carries no authentication and the source address
  # is trivially spoofable, and this listener accepts datagrams from anywhere.
  # Restrict port 5014 at the host firewall to the router's address (and/or
  # bind with host => "...") so arbitrary hosts cannot inject log events.
  udp {
    type => "syslog"
    port => 5014
  }
}
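filter {
  # Parse the syslog envelope into timestamp / host / program / pid / message.
  # NOTE(review): this line is cut off at the trailing "$" in the paste
  # (terminal truncation), and the brackets around the PID look unescaped --
  # the stock pattern is \[%{POSINT:syslog_pid}\]. Confirm the backslashes
  # were not stripped when the config was copied into the post.
  grok {
    match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:[%{POSINT:syslog_pid}])?: %{GREEDYDATA:sys$
  }
  # Parse the ulogd payload. Field names such as outbound.dst_ip are stored by
  # grok as flat top-level fields whose names contain a dot, NOT as a nested
  # [outbound][dst_ip] object -- keep that in mind for every later reference.
  # NOTE(review): also truncated at "$" in the paste, and the brackets around
  # %{DATA:status} look unescaped (see note above).
  grok {
    match => { "syslog_message" => "[%{DATA:status}] %{DATA:outbound.direction}: SRC=%{IP:outbound.src_ip} DST=%{IP:outbound.dst_ip} PROTO=%{WORD:outbound.protocol$
  }
  # GeoIP for the outbound destination. Adding the same field twice makes
  # Logstash turn it into an array, giving [longitude, latitude] -- the order
  # a geo_point array mapping expects.
  geoip {
    source => "outbound.dst_ip"
    target => "outboundgeoip"
    add_field => [ "[outboundgeoip][coord]", "%{[outboundgeoip][longitude]}" ]
    add_field => [ "[outboundgeoip][coord]", "%{[outboundgeoip][latitude]}" ]
  }
  # Same for the inbound source. NOTE(review): the grok patterns visible above
  # only define outbound.* fields; confirm something upstream (or the cut-off
  # part of the pattern) actually produces inbound.src_ip, otherwise this
  # filter never has anything to look up.
  geoip {
    source => "inbound.src_ip"
    target => "inboundgeoip"
    add_field => [ "[inboundgeoip][coord]", "%{[inboundgeoip][longitude]}" ]
    add_field => [ "[inboundgeoip][coord]", "%{[inboundgeoip][latitude]}" ]
  }
  # The interpolated coordinates are strings; convert each array element to float.
  mutate {
    convert => [ "[outboundgeoip][coord]", "float" ]
    convert => [ "[inboundgeoip][coord]", "float" ]
  }
  # Reverse-resolve the destination address and append the PTR name to the
  # field (the field becomes an array [ip, hostname]).
  #
  # FIX: the original used reverse => [ "[outbound][dst_ip]" ], a nested-field
  # reference that grok never creates (the geoip filter above correctly reads
  # the flat "outbound.dst_ip"). That mismatch is exactly the
  # "could not perform reverse lookup on missing field" warning on every event.
  #
  # Security / operational caveats:
  #  - A PTR record is set by whoever controls the reverse zone for that IP, so
  #    the returned hostname is informational only -- do not use it as a
  #    trusted identity or as a detection key on its own.
  #  - Every destination IP your router talks to is sent to 8.8.8.8; that leaks
  #    your traffic metadata to a third party. Consider a local/internal
  #    resolver instead.
  #  - The lookup is synchronous: a slow or unreachable resolver stalls the
  #    pipeline. The dns filter's timeout / hit_cache_size / hit_cache_ttl /
  #    failed_cache_size / failed_cache_ttl options are worth setting once the
  #    lookup works.
  #  - If you would rather keep outbound.dst_ip as a plain IP, copy it to a
  #    second field with mutate first and run the reverse lookup on that copy
  #    with action => "replace".
  dns {
    reverse => [ "outbound.dst_ip" ]
    nameserver => [ "8.8.8.8" ]
    action => "append"
    add_tag => [ "dns_successful_lookup" ]
  }
}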
output {
  # Write every event to a daily index on the local node.
  # Security note: plain HTTP with no credentials is only acceptable because the
  # cluster is reached on localhost; add https plus user/password (or api_key)
  # before pointing this at a remote cluster.
  elasticsearch {
    index => "syslog-%{+YYYY.MM.dd}"
    hosts => [ "http://localhost:9200" ]
  }
}
3) The problem with the result:
logstash[2856]: [2020-05-03T09:36:10,889][WARN ][logstash.filters.dns ][main] DNS filter could not perform reverse lookup on missing field {:field=>"[outbound][dst_ip]"}
The outbound.dst_ip field contains the IP address, but no DNS name is added, and this happens for every event. Note that the warning names the nested reference `[outbound][dst_ip]`, while the field my grok pattern creates (and the geoip filter reads) is the flat `outbound.dst_ip`.
I would appreciate any help or advice on solving this problem.