How to match IP address to hostname (dns filter)

lilyyy · August 31, 2020, 4:58pm

Hi all,
I'm trying to match the IP address to hostname.
Data is json file and it is originally pcap file.

I used dns filter in logstash.conf file.

 mutate {
  add_field => { "src_hostname" => "%{[layers][ip][ip_ip_src]}" }
  add_field => { "dst_hostname" => "%{[layers][ip][ip_ip_dst]}" }
  }
 dns {
  reverse => [ "src_hostname","dst_hostname" ]
  action => "replace"
  add_tag => [ "dns_lookup" ]
   }

As a result, fields(src_hostname, dst_hostname) are created but the values are just ip address.

How can I match the IP address to host name?

Thanks.

kavierkoo · September 21, 2020, 4:00pm

Hi,

I have the same issue too,
after using nslookup to find dhcp/dns server,
I managed to solve mine by specifying nameserver.

 mutate {
     add_field => { "Hostname" => "%{Client}" }
 }

dns {
  nameserver => {
       address => ["10.0.0.3"]
     }     
   reverse => [ "Hostname" ]
   action => "replace"
}

Hope this helps your issue.

Badger · September 21, 2020, 4:26pm

A dns filter will return as soon as an element in the array fails to resolve. An issue about that has been open for years. That means that if src_hostname fails to resolve (perhaps because it is a reserved address) it will never attempt to resolve dst_hostname.

If you split the dns filter into two dns filters does dst_hostname resolve?

system · October 19, 2020, 4:26pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.