Good afternoon,
I am working on a Logstash filter and am in need of assistance.
Basically, I have two indexes; one is a list of known malware domains (domainlist) and the other is an index of DNS queries fed by Packetbeat.
As the DNS logs hit Logstash I want LS to query ES and see if the query matches any domains listed in the "domainlist" index. If it does, I want it to add the tag "malware".
Here is what I have so far. Right now, this filter simply adds the tag to all "dns" types. How do I say "if the ES query returns true, add the tag ..."?
if [type] == "dns" {
  elasticsearch {
    hosts => "elasticsearch:9200"
    index => "domainlist"
    # Lucene query string; %{resource} is substituted from the event
    query => "domain:%{resource}"
    add_tag => ["malware","malwaredomainlist.com"]
  }
}
Thanks in advance!
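An explicit form of the "did ES return a match" check asked for above, added here as an example; it is not the poster's configuration and not taken from the Logstash docs. It assumes Packetbeat stores the queried name in `[dns][question][name]` (substitute whatever field the events actually carry, e.g. the poster's `resource`), and that the `domainlist` index keeps each entry in a `domain` field mapped as `keyword` (`not_analyzed` on older ES) so the lookup is an exact match rather than a tokenised one:

```logstash
# Added example, not the original poster's configuration.
# Assumptions: Packetbeat puts the queried name in [dns][question][name];
# the "domainlist" index stores each blocked name in a keyword field "domain".
filter {
  if [type] == "dns" {
    elasticsearch {
      hosts => ["elasticsearch:9200"]
      index => "domainlist"
      # Single-quoted so the inner double quotes survive without escape
      # support; quoting the value keeps names with "-" or ":" as one term.
      query => 'domain:"%{[dns][question][name]}"'
      # Copy the hit's "domain" field into the event. When the query returns
      # no hit, nothing is copied and matched_domain stays absent.
      fields => { "domain" => "matched_domain" }
      # Distinguish "lookup failed" from "domain is clean".
      tag_on_failure => ["_domainlist_lookup_failure"]
    }
    # Tag only events where a list entry was actually copied in.
    if [matched_domain] {
      mutate { add_tag => ["malware", "malwaredomainlist.com"] }
    }
  }
}
```

The conditional after the `elasticsearch` block is the check the question asks for: `fields` only copies a value when the query found a hit, so testing for `matched_domain` tags exactly the events whose queried name exists in `domainlist`. If events arrive carrying `_domainlist_lookup_failure` instead, the cluster or index was unreachable and the event should be treated as unchecked, not as clean. If the list is stored lowercase, run `mutate { lowercase => ["[dns][question][name]"] }` before the lookup so case differences do not hide a match.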