Thanks yuphing, I've not used dnsmasq before. It worked perfectly, but I'm having a little issue with my config of the dns filter, specifically this bit:

```
reverse => [ "source_host", "field_with_address" ]
```
so my config reads:

```
filter {
  if [type] == "syslog" {
    dns {
      add_field => { "hostname" => "" }
      reverse   => [ "hostname", "host" ]
      add_tag   => [ "dns_lookup" ]
    }
  }
}
```
which results in:

```
    "message"        => "<189>cli[12801]: [cli.NOTICE]: user admin: CLI exiting\n",
    "@version"       => "1",
    "@timestamp"     => "2015-06-19T15:14:12.482Z",
    "type"           => "syslog",
    "host"           => "172.20.0.161",
    "tags"           => [
        [0] "_grokparsefailure_sysloginput"
    ],
    "priority"       => 0,
    "severity"       => 0,
    "facility"       => 0,
    "facility_label" => "kernel",
    "severity_label" => "Emergency"
```
but if I change it to

```
reverse => [ "host" ]
```

then it works perfectly, albeit not how I want...
```
{
    "message"        => "<189>cli[12944]: [cli.NOTICE]: user admin: CLI exiting\n",
    "@version"       => "1",
    "@timestamp"     => "2015-06-19T15:19:45.124Z",
    "type"           => "syslog",
    "host"           => [
        [0] "172.20.0.161",
        [1] "IB1"
    ],
    "tags"           => [
        [0] "_grokparsefailure_sysloginput",
        [1] "dns_lookup"
    ],
    "priority"       => 0,
    "severity"       => 0,
    "facility"       => 0,
    "facility_label" => "kernel",
    "severity_label" => "Emergency",
    "hostname"       => ""
}
```
I can't see where I'm going wrong.
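As an added example (not the poster's config), one way to get the reverse-lookup result into a separate `hostname` field while keeping `host` as the raw source IP: in the dns filter, `add_field` and `add_tag` are only applied after every configured lookup has succeeded, and a field that is missing or not an IP address aborts the filter, so the field must be created beforehand by a `mutate` filter and then resolved in place with `action => "replace"`. Field names follow the post; the `mutate`, `action` and `%{host}` sprintf usage are standard Logstash options.

```conf
filter {
  if [type] == "syslog" {
    # Copy the source IP into the field that should end up holding the name.
    # Doing this with add_field inside dns {} runs too late: that add_field is
    # applied only after all lookups succeed, so "hostname" does not exist yet
    # when the reverse lookup runs, and the missing field aborts the filter
    # (hence no "hostname" value and no "dns_lookup" tag in the first output).
    mutate {
      add_field => { "hostname" => "%{host}" }
    }

    # Reverse-resolve "hostname" in place. The default action is "append",
    # which is what turned "host" into an [ip, name] array in the second
    # output; "replace" overwrites the field with the resolved name instead,
    # while "host" keeps the original address for later correlation.
    dns {
      reverse => [ "hostname" ]
      action  => "replace"
      add_tag => [ "dns_lookup" ]
    }
  }
}
```

With the event shown in the post, `host` stays `172.20.0.161` and `hostname` becomes `IB1`; if the lookup fails, `hostname` keeps the IP and the `dns_lookup` tag is not added.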