How to match IP address to hostname (dns filter)

lilyyy · August 31, 2020, 4:53pm

Hi all,
I'm trying to match the IP address to hostname.
Data is json file and it is originally pcap file.

I used dns filter in logstash.conf file.

 mutate {
  add_field => { "src_hostname" => "%{[layers][ip][ip_ip_src]}" }
  add_field => { "dst_hostname" => "%{[layers][ip][ip_ip_dst]}" }
  }
 dns {
  reverse => [ "src_hostname","dst_hostname" ]
  action => "replace"
  add_tag => [ "dns_lookup" ]
   }

As a result, fields(src_hostname, dst_hostname) are created but the values are just ip address.

How can I match the IP address to host name?

Thanks.

kavierkoo · September 21, 2020, 4:00pm

Hi,

I have the same issue too,
after using nslookup to find dhcp/dns server,
I managed to solve mine by specifying nameserver.

 mutate {
     add_field => { "Hostname" => "%{Client}" }
 }

dns {
  nameserver => {
       address => ["10.0.0.3"]
     }     
   reverse => [ "Hostname" ]
   action => "replace"
}

Hope this helps your issue.

Badger · September 21, 2020, 4:26pm

A dns filter will return as soon as an element in the array fails to resolve. An issue about that has been open for years. That means that if src_hostname fails to resolve (perhaps because it is a reserved address) it will never attempt to resolve dst_hostname.

If you split the dns filter into two dns filters does dst_hostname resolve?

system · October 19, 2020, 4:26pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Having problem in reverse mapping of hostname to ip address using DNS filter Logstash	3	1258	September 18, 2017
How to match IP address to hostname without dns [Solved] Logstash	6	18965	July 6, 2017
DNS filter not working Logstash	5	5696	April 28, 2017
DNS filter couldn't perform reverse lookup Logstash	4	1133	June 1, 2020
Logstash IP to Hostname Logstash	3	5443	August 10, 2017

How to match IP address to hostname (dns filter)

Related Topics