Filebeat Reverse DNS

Hi there,

Can anyone tell what I'm doing wrong with this configuration?

processors:
- dns:
    type: reverse
    action: replace
    fields:
      source.ip: source.ip
      destination.ip: destination.ip

Keep receiving _dns_reverse_lookup_failed

Tks

Could you run Filebeat with the -d "*" command-line flag or after setting logging.level: debug in your filebeat.yml? Then please post the Filebeat log lines around the error you're seeing. Maybe they will give us some hints as to what's happening.

Thanks,

Shaunak

@shaunak, the debug log follows:

Jul 09 17:10:00 srvflow filebeat[16856]: 2020-07-09T17:09:51.208-0300        DEBUG        [processor.dns]        dns/dns.go:85        DNS processor failed: reverse lookup of source.ip value '192.168.1.57' failed: dns: nameserver XX.XX.XX.X:53 returned NXDOMAIN (from failure cache)        {"instance_id": 1}
Jul 09 17:10:00 srvflow filebeat[16856]: 2020-07-09T17:09:51.208-0300        DEBUG        [processors]        processing/processors.go:187        Publish event: {
Jul 09 17:10:00 srvflow filebeat[16856]: "@timestamp": "2020-07-09T20:07:30.000Z",
Jul 09 17:10:00 srvflow filebeat[16856]: "@metadata": {
Jul 09 17:10:00 srvflow filebeat[16856]: "beat": "filebeat",
Jul 09 17:10:00 srvflow filebeat[16856]: "type": "_doc",
Jul 09 17:10:00 srvflow filebeat[16856]: "version": "7.8.0",
Jul 09 17:10:00 srvflow filebeat[16856]: "pipeline": "filebeat-7.8.0-netflow-log-pipeline"
Jul 09 17:10:00 srvflow filebeat[16856]: },
Jul 09 17:10:00 srvflow filebeat[16856]: "related": {
Jul 09 17:10:00 srvflow filebeat[16856]: "ip": [
Jul 09 17:10:00 srvflow filebeat[16856]: "192.168.1.57",
Jul 09 17:10:00 srvflow filebeat[16856]: "192.168.1.14"
Jul 09 17:10:00 srvflow filebeat[16856]: ]
Jul 09 17:10:00 srvflow filebeat[16856]: },
Jul 09 17:10:00 srvflow filebeat[16856]: "netflow": {
Jul 09 17:10:00 srvflow filebeat[16856]: "source_transport_port": 53375,
Jul 09 17:10:00 srvflow filebeat[16856]: "icmp_type_ipv4": 0,
Jul 09 17:10:00 srvflow filebeat[16856]: "responder_packets": 1,
Jul 09 17:10:00 srvflow filebeat[16856]: "egress_interface": 3,
Jul 09 17:10:00 srvflow filebeat[16856]: "flow_start_milliseconds": "2020-07-09T20:07:30.129Z",
Jul 09 17:10:00 srvflow filebeat[16856]: "type": "netflow_flow",
Jul 09 17:10:00 srvflow filebeat[16856]: "fw_ext_event": 2022,
Jul 09 17:10:00 srvflow filebeat[16856]: "exporter": {
Jul 09 17:10:00 srvflow filebeat[16856]: "uptime_millis": 2421721986,
Jul 09 17:10:00 srvflow filebeat[16856]: "address": "192.168.1.52:48693",
Jul 09 17:10:00 srvflow filebeat[16856]: "source_id": 0,
Jul 09 17:10:00 srvflow filebeat[16856]: "version": 9,
Jul 09 17:10:00 srvflow filebeat[16856]: "timestamp": "2020-07-09T20:07:30.000Z"
Jul 09 17:10:00 srvflow filebeat[16856]: },
Jul 09 17:10:00 srvflow filebeat[16856]: "post_napt_source_transport_port": 53375,
Jul 09 17:10:00 srvflow filebeat[16856]: "icmp_code_ipv4": 0,
Jul 09 17:10:00 srvflow filebeat[16856]: "firewall_event": 5,
Jul 09 17:10:00 srvflow filebeat[16856]: "ingress_interface": 39,
Jul 09 17:10:00 srvflow filebeat[16856]: "protocol_identifier": 17,
Jul 09 17:10:00 srvflow filebeat[16856]: "observation_time_milliseconds": "2020-07-09T20:07:30.139Z",
Jul 09 17:10:00 srvflow filebeat[16856]: "post_nat_destination_ipv4_address": "192.168.200.14",
Jul 09 17:10:00 srvflow filebeat[16856]: "initiator_packets": 0,
Jul 09 17:10:00 srvflow filebeat[16856]: "post_napt_destination_transport_port": 53,
Jul 09 17:10:00 srvflow filebeat[16856]: "responder_octets": 436,
Jul 09 17:10:00 srvflow filebeat[16856]: "source_ipv4_address": "192.168.1.57",
Jul 09 17:10:00 srvflow filebeat[16856]: "destination_ipv4_address": "192.168.1.14",
Jul 09 17:10:00 srvflow filebeat[16856]: "post_nat_source_ipv4_address": "192.168.1.57",
Jul 09 17:10:00 srvflow filebeat[16856]: "flow_id": 1429137171,
Jul 09 17:10:00 srvflow filebeat[16856]: "destination_transport_port": 53,
Jul 09 17:10:00 srvflow filebeat[16856]: "initiator_octets": 0
Jul 09 17:10:00 srvflow filebeat[16856]: },
Jul 09 17:10:00 srvflow filebeat[16856]: "input": {
Jul 09 17:10:00 srvflow filebeat[16856]: "type": "netflow"
Jul 09 17:10:00 srvflow filebeat[16856]: },
Jul 09 17:10:00 srvflow filebeat[16856]: "network": {
Jul 09 17:10:00 srvflow filebeat[16856]: "transport": "udp",
Jul 09 17:10:00 srvflow filebeat[16856]: "iana_number": 17,
Jul 09 17:10:00 srvflow filebeat[16856]: "bytes": 436,
Jul 09 17:10:00 srvflow filebeat[16856]: "packets": 1,
Jul 09 17:10:00 srvflow filebeat[16856]: "direction": "unknown",
Jul 09 17:10:00 srvflow filebeat[16856]: "community_id": "1:wGhBmj/vcEvlmkt4p4ottjBxeBw="
Jul 09 17:10:00 srvflow filebeat[16856]: },
Jul 09 17:10:00 srvflow filebeat[16856]: "event": {
Jul 09 17:10:00 srvflow filebeat[16856]: "kind": "event",
Jul 09 17:10:00 srvflow filebeat[16856]: "category": [
Jul 09 17:10:00 srvflow filebeat[16856]: "network_traffic",
Jul 09 17:10:00 srvflow filebeat[16856]: "network"
Jul 09 17:10:00 srvflow filebeat[16856]: ],
Jul 09 17:10:00 srvflow filebeat[16856]: "action": "netflow_flow",
Jul 09 17:10:00 srvflow filebeat[16856]: "type": [
Jul 09 17:10:00 srvflow filebeat[16856]: "connection"
Jul 09 17:10:00 srvflow filebeat[16856]: ],
Jul 09 17:10:00 srvflow filebeat[16856]: "module": "netflow",
Jul 09 17:10:00 srvflow filebeat[16856]: "dataset": "netflow.log",
Jul 09 17:10:00 srvflow filebeat[16856]: "created": "2020-07-09T20:07:30.000Z"
Jul 09 17:10:00 srvflow filebeat[16856]: },
Jul 09 17:10:00 srvflow filebeat[16856]: "flow": {
Jul 09 17:10:00 srvflow filebeat[16856]: "id": "KFYkViA4Yw4",
Jul 09 17:10:00 srvflow filebeat[16856]: "locality": "private"
Jul 09 17:10:00 srvflow filebeat[16856]: },
Jul 09 17:10:00 srvflow filebeat[16856]: "host": {
Jul 09 17:10:00 srvflow filebeat[16856]: "name": "srvflow"
Jul 09 17:10:00 srvflow filebeat[16856]: },
Jul 09 17:10:00 srvflow filebeat[16856]: "agent": {
Jul 09 17:10:00 srvflow filebeat[16856]: "version": "7.8.0",
Jul 09 17:10:00 srvflow filebeat[16856]: "hostname": "srvflow",
Jul 09 17:10:00 srvflow filebeat[16856]: "ephemeral_id": "45b4267a-190a-41ac-8e86-73b463d37d6c",
Jul 09 17:10:00 srvflow filebeat[16856]: "id": "1e79a616-61ab-4a3c-ab7a-006b522cecd9",
Jul 09 17:10:00 srvflow filebeat[16856]: "name": "srvflow",
Jul 09 17:10:00 srvflow filebeat[16856]: "type": "filebeat"
Jul 09 17:10:00 srvflow filebeat[16856]: },
Jul 09 17:10:00 srvflow filebeat[16856]: "source": {
Jul 09 17:10:00 srvflow filebeat[16856]: "packets": 0,
Jul 09 17:10:00 srvflow filebeat[16856]: "ip": "192.168.1.57",
Jul 09 17:10:00 srvflow filebeat[16856]: "locality": "private",
Jul 09 17:10:00 srvflow filebeat[16856]: "port": 53375,
Jul 09 17:10:00 srvflow filebeat[16856]: "bytes": 0
Jul 09 17:10:00 srvflow filebeat[16856]: },
Jul 09 17:10:00 srvflow filebeat[16856]: "destination": {
Jul 09 17:10:00 srvflow filebeat[16856]: "locality": "private",
Jul 09 17:10:00 srvflow filebeat[16856]: "port": 53,
Jul 09 17:10:00 srvflow filebeat[16856]: "bytes": 436,
Jul 09 17:10:00 srvflow filebeat[16856]: "packets": 1,
Jul 09 17:10:00 srvflow filebeat[16856]: "ip": "192.168.1.14"
Jul 09 17:10:00 srvflow filebeat[16856]: },
Jul 09 17:10:00 srvflow filebeat[16856]: "observer": {
Jul 09 17:10:00 srvflow filebeat[16856]: "ip": "192.168.1.13"
Jul 09 17:10:00 srvflow filebeat[16856]: },
Jul 09 17:10:00 srvflow filebeat[16856]: "fileset": {
Jul 09 17:10:00 srvflow filebeat[16856]: "name": "log"
Jul 09 17:10:00 srvflow filebeat[16856]: },
Jul 09 17:10:00 srvflow filebeat[16856]: "service": {
Jul 09 17:10:00 srvflow filebeat[16856]: "type": "netflow"
Jul 09 17:10:00 srvflow filebeat[16856]: },
Jul 09 17:10:00 srvflow filebeat[16856]: "ecs": {
Jul 09 17:10:00 srvflow filebeat[16856]: "version": "1.5.0"
Jul 09 17:10:00 srvflow filebeat[16856]: },
Jul 09 17:10:00 srvflow filebeat[16856]: "tags": [
Jul 09 17:10:00 srvflow filebeat[16856]: "_dns_reverse_lookup_failed"
Jul 09 17:10:00 srvflow filebeat[16856]: ]
Jul 09 17:10:00 srvflow filebeat[16856]: }

Results of reverse DNS on the same server using dig:

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-16.P2.el7_8.6 <<>> -x 192.168.1.57
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9144
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;57.1.168.192.in-addr.arpa.   IN      PTR

;; ANSWER SECTION:
57.1.168.192.in-addr.arpa. 1200 IN    PTR     srvnet.contoso.com.

;; Query time: 1 msec
;; SERVER: 10.55.43.6#53(10.55.43.6)
;; WHEN: Fri Jul 10 08:45:54 -03 2020
;; MSG SIZE  rcvd: 98

Thanks for the attention.
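The processor's debug line above names the nameserver it queried and says the NXDOMAIN came "(from failure cache)", while dig obtained a PTR record from 10.55.43.6 the following morning. Two things are worth checking before touching the config: whether the processor is asking the same server dig asked (the dns processor's nameservers option pins this explicitly; without it the processor takes the servers from /etc/resolv.conf), and whether a negative answer is being replayed from the processor's failure cache (failure_cache.ttl). The Go program below is an added example, not code from this thread or from Filebeat itself: it builds the PTR query name exactly as dig shows it in the QUESTION SECTION and sends the query to one explicit nameserver with the same transport and timeout knobs the processor exposes, so the result can be compared line-for-line with the processor's log. The nameserver address, transport and timeout are assumptions passed on the command line; ptrName also handles IPv6 (ip6.arpa), which goes beyond the IPv4 case in the thread.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net"
	"os"
	"strings"
	"time"
)

// ptrName builds the reverse-lookup query name for an IPv4 or IPv6 address,
// the same name dig -x prints in its QUESTION SECTION
// (e.g. 192.168.1.57 -> "57.1.168.192.in-addr.arpa.").
func ptrName(ipText string) (string, error) {
	ip := net.ParseIP(ipText)
	if ip == nil {
		return "", fmt.Errorf("not an IP address: %q", ipText)
	}
	if v4 := ip.To4(); v4 != nil {
		return fmt.Sprintf("%d.%d.%d.%d.in-addr.arpa.", v4[3], v4[2], v4[1], v4[0]), nil
	}
	// IPv6 (RFC 3596): one hex nibble per label, least-significant nibble first.
	var b strings.Builder
	for i := len(ip) - 1; i >= 0; i-- {
		fmt.Fprintf(&b, "%x.%x.", ip[i]&0x0f, ip[i]>>4)
	}
	b.WriteString("ip6.arpa.")
	return b.String(), nil
}

// reverseLookup sends a PTR query for ipText to one explicit nameserver
// ("host:port", an assumption supplied by the caller) over transport "udp" or
// "tcp" with a timeout, bypassing /etc/resolv.conf. This mirrors the
// nameservers, transport and timeout options of the Filebeat dns processor.
func reverseLookup(ipText, nameserver, transport string, timeout time.Duration) ([]string, error) {
	if _, err := ptrName(ipText); err != nil {
		return nil, err
	}
	r := &net.Resolver{
		PreferGo: true, // use Go's resolver so the Dial func below is honoured
		Dial: func(ctx context.Context, _, _ string) (net.Conn, error) {
			d := net.Dialer{Timeout: timeout}
			// A TCP conn (not a PacketConn) makes the resolver use TCP framing.
			return d.DialContext(ctx, transport, nameserver)
		},
	}
	ctx, cancel := context.WithTimeout(context.Background(), timeout)
	defer cancel()
	names, err := r.LookupAddr(ctx, ipText)
	if err != nil {
		var dnsErr *net.DNSError
		if errors.As(err, &dnsErr) && dnsErr.IsNotFound {
			// Same condition the processor reports as NXDOMAIN.
			return nil, fmt.Errorf("NXDOMAIN: %s has no PTR record at %s", ipText, nameserver)
		}
		return nil, err
	}
	return names, nil
}

func main() {
	if len(os.Args) != 3 {
		fmt.Fprintln(os.Stderr, "usage: revdns <ip> <nameserver:port>   e.g. revdns 192.168.1.57 10.55.43.6:53")
		os.Exit(2)
	}
	q, err := ptrName(os.Args[1])
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(2)
	}
	fmt.Printf("querying %s for %s\n", os.Args[2], q)
	// 500ms is the dns processor's default timeout; udp its default transport.
	names, err := reverseLookup(os.Args[1], os.Args[2], "udp", 500*time.Millisecond)
	if err != nil {
		fmt.Fprintln(os.Stderr, "lookup failed:", err)
		os.Exit(1)
	}
	for _, n := range names {
		fmt.Println("PTR", n)
	}
}
```

Run it against the server named in the processor's debug line and against the one dig used, e.g. `go run revdns.go 192.168.1.57 10.55.43.6:53`. An NXDOMAIN from the server the processor logged means the record is genuinely missing from the processor's point of view, so the fix is on the DNS side; a PTR answer here while the processor keeps tagging _dns_reverse_lookup_failed points at a cached negative result (wait out or shorten failure_cache.ttl, or restart Filebeat) or at the processor using a different resolver than dig, which the nameservers option settles.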
