Logstash Filter - Possibility to exec shell commands?


(Horst Birne) #1

Hi guys,

I wanted to ask quickly if it is possible in Logstash to execute a shell/bash command in the processing line of an event.

Background:

We wanted to add a field to our events where an IP address gets matched to the corresponding DNS name.
So far I used the "Resolv.getname" Ruby function to solve that problem; unfortunately this only performs a lookup in the reverse lookup zone of the DNS server - if there is no PTR entry, this will not return the hostname.

While this is working for many of the IP addresses, a big bunch of them don't have a PTR entry at the DNS server, so what's required is a forward lookup to still get the hostname of the device.

Looking at Google, I didn't find any Ruby gems that provide such a function, but I found a shell command, "nmblookup -A", that would do the job quite well.

Can I somehow implement this in Logstash to use this command at the time an event gets processed?

Thanks


(Magnus Bäck) #2

While this is working for many of the IP addresses, a big bunch of them don't have a PTR entry at the DNS server, so what's required is a forward lookup to still get the hostname of the device.

A forward lookup of an IP address? What do you mean? Does your IP address field sometimes contain a hostname? Or you want NetBIOS lookups rather than DNS lookups?


(Horst Birne) #3

I'm sorry if I didn't ask a clear question - yes, what the shell command does is perform a NetBIOS lookup.

The IP address field only contains IP addresses.


(Magnus Bäck) #4

Apart from writing a custom plugin you can probably use a ruby filter that runs nmblookup and scrapes the result.


(Horst Birne) #5

Because I didn't find a NetBIOS Ruby gem, I decided to use the following code:

filter {
  ruby {
    code => "
      require 'shellwords'
      ip = event['src']
      begin
        # Backticks run the command in a shell; nmblookup is backgrounded and killed
        # after 0.1 s so a silent host cannot stall the pipeline. The field value is
        # shell-escaped so that only a plain argument ever reaches the shell.
        event['hostname'] = `nmblookup -A #{Shellwords.escape(ip.to_s)} & WPID=$!; sleep 0.1 && kill $WPID > /dev/null 2>&1`
      rescue => ex
        event['hostname'] = 'unknown'
      end
    "
  }
}

The backticks just tell Ruby to exec the given command in a shell; the command itself runs a NetBIOS name lookup against the given IP.

Maybe this could help other guys.
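A more robust version of the lookup the filter above performs, added here as an example and not code from the thread: the field value is validated as an IPv4 address, nmblookup is started without a shell and with a hard timeout, and the host name is scraped from its output instead of storing the whole dump. The output format is assumed to be the one Samba's nmblookup prints, and SAMPLE_OUTPUT is a constructed sample, not a real capture.

```ruby
require 'ipaddr'
require 'timeout'

# Run argv directly (no shell), capture stdout, and SIGKILL the child after
# `timeout` seconds. Returns the output, or nil when the command was killed.
def run_with_timeout(argv, timeout)
  r, w = IO.pipe
  pid = Process.spawn(*argv, out: w, err: File::NULL, in: File::NULL)
  w.close
  out = Timeout.timeout(timeout) { r.read }
  Process.wait(pid)
  out
rescue Timeout::Error
  begin
    Process.kill('KILL', pid)
  rescue Errno::ESRCH
    # child exited between the timeout and the kill; nothing to do
  end
  Process.wait(pid)
  nil
ensure
  [r, w].each { |io| io.close if io && !io.closed? }
end

# Scrape the machine name from `nmblookup -A` output: the unique <00> record
# (no <GROUP> flag) is the host name; the <GROUP> <00> record is the workgroup.
def parse_nmblookup(output)
  output.to_s.each_line do |line|
    m = line.match(/\A\s*(\S+)\s+<00>\s+-\s+(<GROUP>)?/)
    return m[1] if m && !m[2]
  end
  nil
end

# Resolve an IPv4 address to its NetBIOS name, or 'unknown' on any failure. The
# value is validated and passed as its own argv element, so it never reaches a shell.
def netbios_name(ip, timeout: 2)
  raise ArgumentError, 'empty address' if ip.to_s.empty?
  addr = IPAddr.new(ip.to_s)                  # IPAddr errors subclass ArgumentError
  raise ArgumentError, 'IPv4 only' unless addr.ipv4?
  parse_nmblookup(run_with_timeout(['nmblookup', '-A', addr.to_s], timeout)) || 'unknown'
rescue ArgumentError, Errno::ENOENT           # bad address, or no nmblookup binary
  'unknown'
end

# Constructed sample of `nmblookup -A` output (not captured from a real host).
SAMPLE_OUTPUT = "Looking up status of 10.0.0.5\n" \
  "\tWORKGROUP       <00> - <GROUP> B <ACTIVE> \n" \
  "\tMYHOST          <00> -         B <ACTIVE> \n" \
  "\tMAC Address = 00-00-00-00-00-00\n"
```

In a Logstash ruby filter the three definitions would go in the filter's init option and the code option would call netbios_name on the source field (assumed to be event['src'] as in the thread).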
