Hi, amazing Elasticsearch community!
English is my second language and I apologize in advance)))
I have a problem with a filter in the Logstash "netflow.conf" file.
I collect the NetFlow data from my network devices, and I want to have the DNS names of the src and dst hosts. I found that this can be done with the Logstash plugins "filter-dns" and "filter-mutate". I installed these plugins and now I have these versions:
```
localhost:/usr/share/logstash/bin# ./logstash-plugin list --verbose logstash-filter-dns
logstash-filter-dns (3.0.10)
localhost:/usr/share/logstash/bin# ./logstash-plugin list --verbose logstash-filter-mutate
logstash-filter-mutate (3.3.2)
```
I wrote the file netflow.conf and it looks like this:
```
input {
  udp {
    port => 9996
    type => "netflow"
    codec => netflow {
      versions => [5,9,10]
    }
  }
}

filter {
  if [netflow][dst_addr] {
    # copy the destination IP into a new field that the dns filter will overwrite
    mutate {
      add_field => { "[netflow][dst_hostname]" => "%{[netflow][dst_addr]}" }
    }
    # reverse-resolve the copied IP in place; "my dns server" is a placeholder
    dns {
      reverse => [ "[netflow][dst_hostname]" ]
      action => "replace"
      nameserver => [ "my dns server" ]
      hit_cache_size => 4096
      hit_cache_ttl => 900
      failed_cache_size => 512
      failed_cache_ttl => 900
    }
  }
}

output {
  if [type] == "netflow" {
    elasticsearch {
      hosts => ["http://localhost:9200"]
      index => "netflow-%{+YYYY.MM.dd}"
    }
  }
}
```
But this configuration doesn't work((((
I checked that I have a normal server response time:
```
# curl -w '\nlookup time:\t%{time_namelookup}\n' -o /dev/null -s http://www.google.com
lookup time: 0.028513
```
In the log file I don't have any problems with filters.dns:
```
# cat /var/log/logstash/logstash-plain.log | grep filters.dns
#
```
Please, somebody help me!
P.S. NetFlow is working perfectly.
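To make the behaviour of the mutate + dns filter pair easier to reason about, here is an added example (not code from the post or from the Logstash project) that models the same enrichment step in Python: copy `dst_addr` into `dst_hostname`, reverse-resolve it in place, and keep a bounded positive cache and a bounded negative cache with the same sizes and TTLs as the configuration above. The resolver is injected and the PTR records are constructed sample data, so nothing touches a real DNS server; the assumption that a failed lookup leaves the IP address in the field is mine.

```python
"""Reverse-DNS enrichment with hit/failed caching, modelled on the pipeline above.

Added example: the resolver is a constructed lookup table, so no DNS traffic
is generated. FakeClock lets the TTL logic be exercised deterministically.
"""
import time
from collections import OrderedDict
from typing import Callable, Dict, Optional, Tuple

# Same cache parameters as the dns filter in the netflow.conf above.
HIT_CACHE_SIZE = 4096
HIT_CACHE_TTL = 900      # seconds a successful lookup is reused
FAILED_CACHE_SIZE = 512
FAILED_CACHE_TTL = 900   # seconds a failed lookup is not retried


class TtlCache:
    """Bounded LRU cache whose entries expire after a fixed TTL."""

    def __init__(self, size: int, ttl: float, clock: Callable[[], float] = time.monotonic):
        self.size, self.ttl, self.clock = size, ttl, clock
        self._items: "OrderedDict[str, Tuple[float, Optional[str]]]" = OrderedDict()

    def get(self, key: str) -> Optional[Tuple[Optional[str]]]:
        entry = self._items.get(key)
        if entry is None:
            return None
        expires, value = entry
        if self.clock() >= expires:          # expired: drop and report a miss
            del self._items[key]
            return None
        self._items.move_to_end(key)         # refresh LRU position
        return (value,)                      # wrapped so a cached None is still a hit

    def put(self, key: str, value: Optional[str]) -> None:
        self._items[key] = (self.clock() + self.ttl, value)
        self._items.move_to_end(key)
        while len(self._items) > self.size:  # evict least recently used
            self._items.popitem(last=False)


class ReverseDnsEnricher:
    """Equivalent of `mutate add_field` followed by `dns reverse/replace`."""

    def __init__(self, resolver: Callable[[str], str], clock: Callable[[], float] = time.monotonic):
        self.resolver = resolver             # ip -> hostname, raises LookupError on failure
        self.hits = TtlCache(HIT_CACHE_SIZE, HIT_CACHE_TTL, clock)
        self.failures = TtlCache(FAILED_CACHE_SIZE, FAILED_CACHE_TTL, clock)
        self.lookups = 0                     # real resolver calls, useful for monitoring

    def reverse(self, ip: str) -> Optional[str]:
        cached = self.hits.get(ip)
        if cached:
            return cached[0]
        if self.failures.get(ip):            # known-bad address: skip the live query
            return None
        self.lookups += 1
        try:
            name = self.resolver(ip)
        except LookupError:
            self.failures.put(ip, None)
            return None
        self.hits.put(ip, name)
        return name

    def enrich(self, event: Dict) -> Dict:
        nf = event.get("netflow")
        if not nf or not nf.get("dst_addr"):  # mirrors `if [netflow][dst_addr]`
            return event
        dst = nf["dst_addr"]
        nf["dst_hostname"] = dst             # mutate add_field copies the IP
        name = self.reverse(dst)             # dns reverse, action => "replace"
        if name is not None:
            nf["dst_hostname"] = name        # on failure the IP stays (assumption)
        return event


class FakeClock:
    """Manually advanced clock so TTL expiry can be demonstrated offline."""

    def __init__(self) -> None:
        self.t = 0.0

    def __call__(self) -> float:
        return self.t


# Constructed PTR data (documentation-range addresses, hypothetical names).
SAMPLE_PTR = {"192.0.2.10": "web.example.test", "192.0.2.20": "db.example.test"}


def sample_resolver(ip: str) -> str:
    try:
        return SAMPLE_PTR[ip]
    except KeyError:
        raise LookupError(ip)


if __name__ == "__main__":
    enricher = ReverseDnsEnricher(sample_resolver, FakeClock())
    for addr in ("192.0.2.10", "198.51.100.7", "192.0.2.10", "198.51.100.7"):
        out = enricher.enrich({"netflow": {"dst_addr": addr}})
        print(out["netflow"], "live lookups so far:", enricher.lookups)
```

The negative cache is the part worth watching on a NetFlow pipeline: most flows go to addresses that have no PTR record, and without `failed_cache_*` every one of them would trigger a live query and the filter would stall on resolver timeouts long before it reported an error, which is why a clean log does not rule out a slow dns filter. Counting live lookups (as `lookups` does here) against event rate is a quick way to tell whether the caches are actually being hit.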