Hello All,
I set up an ELK Stack with the latest version of Logstash (6.2.2) on Ubuntu 17.10. The setup went OK; I have netflow records in my Kibana dashboard and almost everything seems to be working properly. The only issue I am stumped on is making the DNS filter work to resolve 1 field in my netflow data. It seems the fields from mutate just never appear anywhere in Kibana. Any help would be greatly appreciated, as I have been working on this the last week trying so many solutions. Thank you!
netflow.conf in /etc/logstash/conf.d directory
input {
  udp {
    port => 9991
    codec => netflow
  }
}

filter {
  mutate {
    add_field => { "dst_host" => "%{[netflow][dst_addr]}" }
  }
  dns {
    # DNS Filter
    reverse => [ "dst_host" ]
    action => "replace"
    nameserver => [ "10.0.100.8" ]
    hit_cache_size => 4096
    hit_cache_ttl => 900
    failed_cache_size => 512
    failed_cache_ttl => 900
  }
}

output {
  elasticsearch {
    hosts => [ "localhost:9200" ]
  }
}
logstash.yml
modules:
  - name: netflow
    var.input.udp.port: 9991
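Added here as a debugging example (it is not the poster's config and not code from the Logstash project): a stand-alone pipeline that replays one constructed NetFlow-like event and prints the resulting event to stdout, so whether dst_host is created and reverse-resolved can be checked without Kibana in the loop. It assumes the field layout the netflow codec emits for v5/v9 records (ipv4_dst_addr rather than dst_addr) and keeps the poster's resolver address; the sample event and its values are constructed.

```conf
# Added debug pipeline, not the poster's netflow.conf.
# Run with: bin/logstash -f dns-debug.conf (keep it out of conf.d)
input {
  generator {
    count => 1
    # Constructed sample in the layout the netflow codec produces for
    # v5/v9 flows; the codec names the field ipv4_dst_addr, not dst_addr.
    message => '{"netflow":{"version":5,"ipv4_src_addr":"10.0.100.20","ipv4_dst_addr":"10.0.100.8","l4_dst_port":53}}'
    codec => json
  }
}

filter {
  # Only copy the address when the source field really exists. If it does
  # not, a sprintf reference leaves the literal text "%{[netflow][...]}" in
  # dst_host and the reverse lookup has nothing valid to resolve.
  if [netflow][ipv4_dst_addr] {
    mutate {
      copy => { "[netflow][ipv4_dst_addr]" => "dst_host" }
    }
    dns {
      reverse => [ "dst_host" ]
      action => "replace"
      # Resolver from the post; assumed to hold PTR records for 10.0.100.0/24.
      nameserver => [ "10.0.100.8" ]
      hit_cache_size => 4096
      hit_cache_ttl => 900
      failed_cache_size => 512
      failed_cache_ttl => 900
    }
  } else {
    # Tag instead of silently producing an unusable dst_host value.
    mutate { add_tag => [ "netflow_missing_dst_addr" ] }
  }
}

output {
  # rubydebug prints every field on the event. With a working PTR record
  # dst_host shows the hostname; if the lookup fails it keeps the raw IP.
  stdout { codec => rubydebug }
}
```

If the field shows up here but not in Kibana, refresh the index pattern's field list so the new dst_host field is picked up. Note also that the netflow module in logstash.yml and the conf.d udp input both use UDP 9991, and only one listener can hold that port if both pipelines are started.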