Filebeat haproxy with dns processor

elasticforme · May 11, 2022, 7:43pm

I have succssfully send haproxy log to Elasticsearch using filebeat.
next step I am trying to do is to change destination.ip and source.ip to name

but I don't think I am using dns processor correctly. I am not getting this source.hostname field.
I do get source.ip field. dns servers are correct. I can resolve the IP to name from prompt on same machine.

what am I doing wrong?

here is my haproxy.yml file

- module: haproxy
  # All logs
  log:
    enabled: true

    # Set which input to use between syslog (default) or file.
    var.input: "file"

    # Set custom paths for the log files. If left empty,
    # Filebeat will choose the paths depending on your OS.
    var.paths: ["/var/log/haproxy-traffic.log"]

  processors:
  - dns:
      type: reverse
       fields:
          source.ip: source.hostname
       nameservers: ['10.59.240.246', '10.167.17.40']
       timeout: 5000ms
       tag_on_failure: [_dns_reverse_lookup_failed]

legoguy1000 · May 12, 2022, 12:30am

What version of filebeat? I'm pretty sure the source.ip field doesn't exist yet as most of the processing exists within the Elasticsearch ingest pipelines, not filebeat.

elasticforme · May 12, 2022, 3:58pm

Version 7.17.1
yes source.ip exist I can see it in discover.

legoguy1000 · May 12, 2022, 4:20pm

Yes but its being created in Elasticsearch, after leaving filebeat so the filebeat processor won't work.

elasticforme · May 12, 2022, 8:47pm

no it is not being created in Elasticsearch.

this is part of the metric that haproxy log has
and I want to convert or add source.name as source.ip is coming from log file.

legoguy1000 · May 12, 2022, 9:04pm

You misunderstand, the log from HAProxy isn't parsed into individual fields until it reaches Elasticsearch. Here is the grok processor in the ingest pipeline that does it, beats/pipeline.yml at v7.17.1 · elastic/beats · GitHub. source.ip isn't created until beats/pipeline.yml at v7.17.1 · elastic/beats · GitHub. When u add the processor to filebeat it fails because source.ip field doesn't exist yet.

elasticforme · May 16, 2022, 1:04pm

ohhh now i see what you mean.

elasticforme · May 16, 2022, 6:02pm

how do I convert that yml file to ingest pipeline?

is there a simple command that convert whole thing?

https://github.com/elastic/beats/blob/v7.17.1/filebeat/module/haproxy/log/ingest/pipeline.yml#L7

legoguy1000 · May 17, 2022, 12:03pm

What do u mean? When u enable the module and run the setup command, it gets loaded into Elasticsearch for you.

elasticforme · May 17, 2022, 12:56pm

yes I found it. Thanks

system · June 14, 2022, 2:57pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Haproxy + TCP + Provided Grok expressions do not match field value Beats filebeat	1	403	February 22, 2023
Change index name within filebeats module file Beats filebeat	2	189	July 21, 2023
How to use processors in filebeat HAproxy's module? Beats filebeat	8	2998	February 23, 2020
Filebeat: DNS lookup error for ip Beats	2	6111	April 27, 2017
Haproxy module with master version Beats filebeat	3	976	October 11, 2018

Filebeat haproxy with dns processor

Related Topics