I'm wondering how to configure a Logstash pipeline that will handle my DNS logs. From those logs, there are lots of logs I don't want to see because I know they are legitimate.
So I would like to have Logstash look into the Top One Million file (Cisco Popularity List) and drop all domains that match this file.
The file is pretty huge, and I would like it to be very performant. Our DNS is sending more than 1k events per second, so it needs to be very powerful.
Does someone have an idea how to configure this with Logstash?
I would reorder the columns so that the domain name comes first, then use a translate filter to do the lookup, and drop {} the event if it gets a match.
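A pipeline fragment that implements the approach above, added here as an illustration and not taken from the thread; the field name `[dns][question][name]`, the file paths and the refresh interval are assumptions to adapt to your own setup:

```conf
# Build the dictionary once with the domain in the first column, since
# translate expects "key,value" (assumed input file: the top-1m.csv from
# the Cisco Umbrella zip, whose lines look like "1,google.com"):
#   awk -F, '{print $2","$1}' top-1m.csv > /etc/logstash/top-1m-by-domain.csv

filter {
  # Normalise the queried name so it matches the list's format:
  # lowercase and without the trailing dot some DNS loggers keep.
  mutate {
    lowercase => [ "[dns][question][name]" ]
    gsub      => [ "[dns][question][name]", "\.$", "" ]
  }

  # Exact hash lookup of the query name; on a hit the rank is written to
  # [dns][popularity_rank], on a miss the field is left unset.
  # (Newer versions of the plugin name these options source/target.)
  translate {
    field            => "[dns][question][name]"
    destination      => "[dns][popularity_rank]"
    dictionary_path  => "/etc/logstash/top-1m-by-domain.csv"
    refresh_interval => 86400
    exact            => true
  }

  # Only events whose domain is in the list get a rank, so only they are dropped.
  if [dns][popularity_rank] {
    drop { }
  }
}
```

Note that the lookup is exact, so `cdn.example.com` is not matched by an `example.com` entry unless it is itself in the list; also, anything dropped here is gone for detection and forensics, so consider keeping the rank and filtering at query time instead of dropping if storage allows.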
It is working fine. The question I have: do you think that dictionary file, which contains 1M lines, can slow down my Logstash servers? So far, we only added the secondary DNS server and everything is responding just fine, but when I add the primary DNS server, this one has 3-4 times more requests per second.
Thank you again for your help. I was looking at something different before you suggested the translate plugin. I thought there were other plugins that can read CSV files.
The dictionary that translate uses is basically a Ruby hash, and the performance of that should not significantly decline as the number of entries increases.