iukea (jordan), August 12, 2019, 3:43pm (#1)
Hello,
I am running Logstash 6.8.
I am taking all src_ip addresses and doing a reverse DNS lookup through the DNS plugin in Logstash.
Logstash YML:
    if [src_ip] {
      # copy the IP into the field that the dns filter will overwrite
      mutate {
        add_field => { "DNS_Name" => "%{src_ip}" }
      }
      # PTR lookup; the field keeps the raw IP when the lookup fails
      dns {
        reverse => ["DNS_Name"]
        action  => "replace"
      }
    }
Is there any way, if the IP address does not resolve back to a hostname, for that field "DNS_Name" to be blank?
For example, dropping the DNS_Name field for 31.184.249.177 because it is not resolving to anything.
Badger, August 12, 2019, 3:47pm (#2)
Compare the src_ip and DNS_Name fields and mutate the DNS_Name if it is equal to the src_ip?
iukea (jordan), August 12, 2019, 4:18pm (#3)
Could you give me an example of that? I am getting my butt handed to me by Logstash.
Badger, August 12, 2019, 4:23pm (#4)
The comparison would just be

    if [src_ip] == [DNS_Name] {

If you want to delete the field then

    mutate { remove_field => [ "DNS_Name" ] }

or if you want it to be an empty string

    mutate { replace => { "DNS_Name" => "" } }
iukea (jordan), August 12, 2019, 4:45pm (#5)
mmmmm
Changed the yml to:

    if [src_ip] == [DNS_Name] {
      mutate {
        add_field => { "DNS_Name" => "%{src_ip}" }
      }
      mutate { replace => { "DNS_Name" => "" } }
      dns {
        reverse => ["DNS_Name"]
        action  => "replace"
      }
    }
Now I think I broke it.
Now it is just blanking out the DNS_Name even when it can be resolved.
Badger, August 12, 2019, 5:31pm (#6)
    # run the lookup first ...
    dns {
      reverse => ["DNS_Name"]
      action  => "replace"
    }
    # ... then check whether it changed anything
    if [src_ip] == [DNS_Name] {
      mutate { replace => { "DNS_Name" => "" } }
    }
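The ordering Badger lands on, written out as a complete pipeline. This is an added example, not code from the original thread or from Elastic: the `stdin`/`stdout` plugins, the file name `rdns.conf` and the cache and timeout values are assumptions chosen for testing; the field names `src_ip` and `DNS_Name` are the ones used in the thread. It relies on one behaviour the thread demonstrates, that the dns filter leaves the target field unchanged when the reverse lookup fails, so "field still equals the source IP" is the failure signal.

```logstash
# Added example (not the original poster's config). Logstash 6.x pipeline:
# reverse-resolve src_ip into DNS_Name and blank DNS_Name when no PTR exists.
input {
  # Test events are fed as JSON lines on stdin, e.g. {"src_ip":"31.184.249.177"}
  stdin { codec => json }
}

filter {
  if [src_ip] {
    # Seed the target field with the raw IP; the dns filter overwrites it in place.
    mutate { add_field => { "DNS_Name" => "%{src_ip}" } }

    # PTR lookup. action => "replace" swaps the IP for the hostname on success;
    # on failure or timeout the field is left untouched (still the IP).
    # Cache settings are assumed values: they stop a burst of events from the
    # same source hammering the resolver, and failed_cache keeps a dead IP from
    # being retried on every event.
    dns {
      reverse           => ["DNS_Name"]
      action            => "replace"
      timeout           => 2        # seconds per attempt (assumed value)
      max_retries       => 1
      hit_cache_size    => 4096
      hit_cache_ttl     => 900      # seconds (assumed value)
      failed_cache_size => 4096
      failed_cache_ttl  => 900      # seconds (assumed value)
    }

    # Lookup failed: the field is still the source IP. Blank it; use
    # mutate { remove_field => ["DNS_Name"] } instead to drop it entirely.
    if [DNS_Name] == [src_ip] {
      mutate { replace => { "DNS_Name" => "" } }
    }
  }
}

output {
  stdout { codec => rubydebug }
}
```

Run it with `bin/logstash -f rdns.conf` and paste a JSON line per event; an IP with a PTR record prints its hostname in `DNS_Name`, an IP without one prints `DNS_Name => ""`. Two points worth keeping in mind when this feeds a SIEM: the comparison must come after the `dns` block, because before the lookup `DNS_Name` always equals `src_ip` and the blanking would fire on every event (which is what the earlier attempt in this thread did); and the PTR name is set by whoever controls the reverse zone for that address block, so treat `DNS_Name` as an enrichment hint for analysts, not as an identity to base allow or drop decisions on.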
system, September 9, 2019, 7:02pm (#8): This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.