DNS log parsing and display in Kibana

I think there is an error in the way that Packetbeat (7.8) parses DNS logs, and/or the way that Kibana displays them.
If I have a host 1.1.1.1 that sends a dns request for microsoft.com to the DNS server 2.2.2.2, and packetbeat is running on 3.3.3.3 (hostname Sensor) with a span port that sees the DNS request.
When packetbeat parses the DNS packet, it populates the host.name ECS field with the name of the machine that is running the packetbeat instance. When this gets displayed by Kibana, the display processor uses the field host.name to populate the display such that it reads:
Sensor asked for microsoft.com with question type A blah blah blah and further on it displays source and destination, and these are correctly shown as 1.1.1.1 and 2.2.2.2 respectively.
What I would have expected is:
1.1.1.1 asked for microsoft.com with question type A
Is this an issue with Packetbeat not filling in the host.name field correctly, or Kibana not visualising the request properly?

Ross

Packetbeat always populates host.name with the name of the host it's running on. You can update your configuration to drop this field. You can apply the config from this change https://github.com/elastic/beats/pull/20309.

tags: [forwarded]

processors:
  - # Add forwarded to tags when processing data from a network tap or mirror.
    if.contains.tags: forwarded
    then:
      - drop_fields:
          fields: [host]
    else:
      - add_host_metadata: ~
  - add_cloud_metadata: ~
  - add_docker_metadata: ~
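To make the effect of that conditional processor chain concrete, here is an added Python example that is not part of this thread and not Beats code. It simulates the `forwarded` branch on two constructed events shaped like trimmed Packetbeat DNS documents, and renders the one-line summary the way the question describes Kibana doing it (host.name when present, otherwise source.ip). The `add_host_metadata` step is reduced to setting host.name from a hostname you pass in; the real processor adds more host.* fields.

```python
import copy
from typing import Any, Dict

# Constructed sample events (not captured data), trimmed to the fields this
# thread discusses. The first mimics a request seen on the span port and tagged
# "forwarded"; the second is a query made by the sensor host itself.
TAPPED_EVENT: Dict[str, Any] = {
    "tags": ["forwarded"],
    "host": {"name": "Sensor"},
    "source": {"ip": "1.1.1.1"},
    "destination": {"ip": "2.2.2.2"},
    "dns": {"question": {"name": "microsoft.com", "type": "A"}},
}

LOCAL_EVENT: Dict[str, Any] = {
    "tags": [],
    "source": {"ip": "3.3.3.3"},
    "destination": {"ip": "2.2.2.2"},
    "dns": {"question": {"name": "example.org", "type": "AAAA"}},
}


def apply_processors(event: Dict[str, Any], sensor_hostname: str) -> Dict[str, Any]:
    """Mirror the processor chain from the answer above.

    if tags contain "forwarded": drop_fields: [host]
    else:                         add_host_metadata (simplified to host.name)
    The input event is not modified.
    """
    ev = copy.deepcopy(event)
    if "forwarded" in ev.get("tags", []):
        ev.pop("host", None)  # drop_fields: fields: [host]
    else:
        # add_host_metadata: ~  (only host.name is set in this simulation)
        ev.setdefault("host", {})["name"] = sensor_hostname
    return ev


def summarize(event: Dict[str, Any]) -> str:
    """Render the summary line the way the question describes Kibana doing it:
    host.name is used when present, otherwise the source IP of the query."""
    who = event.get("host", {}).get("name") or event["source"]["ip"]
    question = event["dns"]["question"]
    return f"{who} asked for {question['name']} with question type {question['type']}"


if __name__ == "__main__":
    # Before the processors run, the tapped request is attributed to the sensor.
    print(summarize(TAPPED_EVENT))
    # After dropping host.*, it is attributed to the client that actually asked.
    print(summarize(apply_processors(TAPPED_EVENT, "Sensor")))
    # A query from the sensor itself keeps host.name, which is correct there.
    print(summarize(apply_processors(LOCAL_EVENT, "Sensor")))
```

Running it prints the misleading "Sensor asked for microsoft.com ..." line first, then "1.1.1.1 asked for microsoft.com with question type A" once host.* has been dropped, while the sensor's own query is still attributed to Sensor. If you export a real document from Kibana as JSON and feed it to `apply_processors`, the absence of the `host` key after the call is the check that the tag-based condition is matching your tapped traffic.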

Perfect, thanks
