Dns Indexing Problem

harrunisk · February 18, 2018, 11:41am

Hi all.
I am trying to do this example. Packetbeat can capture traffic but there is indexing problem about dns. I have already installed elasticsearch, kibana, x-pack, packetbeat and logstash. I haven't configured logstash because we are not using it in this example. I have installed ingest processor as well. I don't have any authentication problem.
curl localhost:9200/packetbeat-*/_refresh -u elastic:changeme
{"_shards":{"total":30,"successful":15,"failed":0}}

curl localhost:9200/packetbeat-*/_count -u elastic:changeme
{"count":1477,"_shards":{"total":15,"successful":15,"skipped":0,"failed":0}}
Above answer means that packetbeat can capture traffic and sends to Elasticsearch.

curl localhost:9200/packetbeat-*/dns/_count -u elastic:changeme
{"count":0,"_shards":{"total":15,"successful":15,"skipped":0,"failed":0}}
I don't have any dns index.

My packetbeat.yml

packetbeat.interfaces.device: enp3s0
packetbeat.protocols.dns:
ports: [53]
include_authorities: true
include_additionals: true
name: test
output.elasticsearch:
hosts: ["localhost:9200"]
protocol: "https"
username: "elastic"
password: "changeme"
pipeline: "extract_subdomain"
logging.selectors: ["*"]

Thank you for your helps in advance.

Christian_Dahlqvist · February 18, 2018, 12:37pm

Which version of Elasticsearch and Packetbeat are you using?

harrunisk · February 18, 2018, 1:33pm

packetbeat version 6.2.1 (amd64), libbeat 6.2.1

Elastic search
{
"name" : "jKGZwsu",
"cluster_name" : "elasticsearch",
"cluster_uuid" : "Q0VREhc1SpKye_PG4ssm8w",
"version" : {
"number" : "6.2.0",
"build_hash" : "37cdac1",
"build_date" : "2018-02-01T17:31:12.527918Z",
"build_snapshot" : false,
"lucene_version" : "7.2.1",
"minimum_wire_compatibility_version" : "5.6.0",
"minimum_index_compatibility_version" : "5.0.0"
},
"tagline" : "You Know, for Search"
}

Christian_Dahlqvist · February 18, 2018, 1:47pm

In Elasticsearch 6.x, only a single type is allowed per index. Packetbeat therefore indexes all documents as type doc and instead use a field called type to distinguish between different types of traffic. In your last count query you are looking for documents with the document type dns, which is why you're not getting any hits. Instead try something like this:

curl -XGET 'localhost:9200/packetbeat-*/_count?pretty' -u elastic:changeme -H 'Content-Type: application/json' -d'
{
    "query" : {
        "term" : { "type" : "dns" }
    }
}'

harrunisk · February 18, 2018, 2:19pm

{
  "count" : 691,
  "_shards" : {
    "total" : 5,
    "successful" : 5,
    "skipped" : 0,
    "failed" : 0
  }
}
    {
  "count" : 691,
  "_shards" : {
    "total" : 5,
    "successful" : 5,
    "skipped" : 0,
    "failed" : 0
  }
}

thanks for your help

system · March 18, 2018, 2:19pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
[ES5.1.2] Help with Detecting DNS Tunnels with PacketBeat+Watcher Beats packetbeat	9	1784	April 8, 2017
Packetbeat-DNS index and template correction Beats packetbeat	7	2586	June 22, 2016
Detect DNS tunneling Beats packetbeat	15	2992	July 5, 2017
DNS Lookup from packetbeat Elasticsearch	3	422	July 15, 2018
Packetbeat appears to be adding DNS packets that were not really sent Beats packetbeat	2	591	July 6, 2020

Dns Indexing Problem

Related topics