I have just set up Elasticsearch with Kibana and I am currently sending Packetbeat data from one of my servers directly to Elasticsearch with a plain Packetbeat config, not using Logstash.
The data is being shown perfectly and I can see the source IP and destination port information that I need, but I would like to do a DNS lookup on the IP address so I can see the hostnames, to make the dashboard I am trying to build more user friendly / management ready.
Is this possible using just Packetbeat and Elasticsearch, or do I need to send the data through Logstash to have the DNS processed?
You would need to send events to Logstash and then use the DNS filter to do this, but it's possible.
What is curious is that for socket data provided by the Metricbeat system module there is the option to do reverse lookups:

```yaml
socket:
  reverse_lookup:
    enabled: true
    success_ttl: 900s
    failure_ttl: 900s
```
That this is available in Metricbeat and not Packetbeat is just another of the inconsistencies in Beats.
I would definitely recommend sending the Beats data to Logstash to be transformed into a more usable form and further enriched (alternatively you could send it to Kafka and write Streams API apps to fix the data). Doing so will allow you to extract a lot more value from the data than is possible with the out-of-the-box schema.
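Putting the two replies together (Logstash with the DNS filter, plus the cached reverse lookups that the Metricbeat config above gets for free), here is a Logstash pipeline that receives Packetbeat events, keeps the original addresses, and adds reverse-resolved hostnames alongside them. This is an added example, not code from the thread or from the Beats/Logstash projects; the ECS-style field names `[source][ip]` / `[destination][ip]`, the listener port, the nameserver address, the cache sizes and the index name are assumptions to adjust for your Packetbeat version (older Packetbeat releases use flat fields such as `ip` and `client_ip`).

```logstash
input {
  beats {
    port => 5044    # assumed listener port; point packetbeat's output.logstash at it
  }
}

filter {
  # The dns filter overwrites the field it resolves, so resolve a copy
  # and leave the numeric address in place for the existing dashboard.
  mutate {
    copy => {
      "[source][ip]"      => "[source][hostname]"
      "[destination][ip]" => "[destination][hostname]"
    }
  }

  dns {
    reverse => [ "[source][hostname]", "[destination][hostname]" ]
    action  => "replace"             # on success the copy becomes the PTR name;
                                     # on failure it still holds the IP address

    nameserver  => [ "192.0.2.53" ]  # assumed resolver; omit to use the host resolver
    timeout     => 0.5               # seconds; lookups block the pipeline, so keep it short
    max_retries => 1

    # Cache both hits and misses, the equivalent of Metricbeat's
    # success_ttl / failure_ttl, so a chatty address is looked up once.
    hit_cache_size    => 10000
    hit_cache_ttl     => 900         # seconds
    failed_cache_size => 10000
    failed_cache_ttl  => 900         # seconds

    tag_on_timeout => [ "_dns_reverse_timeout" ]
  }
}

output {
  elasticsearch {
    hosts => [ "http://localhost:9200" ]        # assumed
    index => "packetbeat-%{+YYYY.MM.dd}"        # assumed; match what the dashboard reads
  }
}
```

Two things worth checking before relying on this: the dns filter is synchronous, so an unreachable or slow resolver shows up as pipeline backpressure rather than as an error (the `timeout`, `max_retries` and the failed-lookup cache are what keep that bounded), and because `action => "replace"` leaves the copied field untouched when there is no PTR record, the hostname fields fall back to the raw address instead of going empty. Later Beats releases also ship a `dns` processor (`type: reverse` with a `fields:` map from the IP field to the hostname field, plus `success_cache` / `failure_cache` settings) that does the same lookup inside the Beat, which removes the Logstash hop if that is the only transformation you need.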