Hello. I have now hit this issue for the second time: the DNS filter plugin hangs Logstash (the logstash service stays active, but it processes nothing until it is restarted).
The Logstash log contains many errors like
[ERROR][logstash.filters.dns ] DNS: timeout on resolving the hostname.
and one final error, after which the pipeline stops processing (the trace shows the lookup timeout firing while inside the plugin's LRU cache `getset` call):
[ERROR][logstash.pipeline ] _dot_3_dot_0.gems.logstash_minus_filter_minus_dns_minus_3_dot_0_dot_9.lib.logstash.filters.dns.block in retriable_request(/usr/share/logstash/vendor/bundle/jruby/2.3.0/gems/logstash-filter-dns-3.0.9/lib/logstash/filters/dns.rb:255)", "org.jruby.ext.timeout.Timeout.yieldWithTimeout(org/jruby/ext/timeout/Timeout.java:177)", "org.jruby.ext.timeout.Timeout.timeout(org/jruby/ext/timeout/Timeout.java:117)", "org.jruby.ext.timeout.Timeout$INVOKER$s$timeout.call(org/jruby/ext/timeout/Timeout$INVOKER$s$timeout.gen)", "usr.share.logstash.vendor.bundle.jruby.$2_dot_3_dot_0.gems.logstash_minus_filter_minus_dns_minus_3_dot_0_dot_9.lib.logstash.filters.dns.invokeOther4:timeout(usr/share/logstash/vendor/bundle/jruby/$2_dot_3_dot_0/gems/logstash_minus_filter_minus_dns_minus_3_dot_0_dot_9/lib/logstash/filters//usr/share/logstash/vendor/bundle/jruby/2.3.0/gems/logstash-filter-dns-3.0.9/lib/logstash/filters/dns.rb:254)", "usr.share.logstash.vendor.bundle.jruby.$2_dot_3_dot_0.gems.logstash_minus_filter_minus_dns_minus_3_dot_0_dot_9.lib.logstash.filters.dns.retriable_request(/usr/share/logstash/vendor/bundle/jruby/2.3.0/gems/logstash-filter-dns-3.0.9/lib/logstash/filters/dns.rb:254)", "usr.share.logstash.vendor.bundle.jruby.$2_dot_3_dot_0.gems.logstash_minus_filter_minus_dns_minus_3_dot_0_dot_9.lib.logstash.filters.dns.invokeOther2:retriable_request(usr/share/logstash/vendor/bundle/jruby/$2_dot_3_dot_0/gems/logstash_minus_filter_minus_dns_minus_3_dot_0_dot_9/lib/logstash/filters//usr/share/logstash/vendor/bundle/jruby/2.3.0/gems/logstash-filter-dns-3.0.9/lib/logstash/filters/dns.rb:276)", "usr.share.logstash.vendor.bundle.jruby.$2_dot_3_dot_0.gems.logstash_minus_filter_minus_dns_minus_3_dot_0_dot_9.lib.logstash.filters.dns.retriable_getaddress(/usr/share/logstash/vendor/bundle/jruby/2.3.0/gems/logstash-filter-dns-3.0.9/lib/logstash/filters/dns.rb:276)", 
"usr.share.logstash.vendor.bundle.jruby.$2_dot_3_dot_0.gems.logstash_minus_filter_minus_dns_minus_3_dot_0_dot_9.lib.logstash.filters.dns.invokeOther0:retriable_getaddress(usr/share/logstash/vendor/bundle/jruby/$2_dot_3_dot_0/gems/logstash_minus_filter_minus_dns_minus_3_dot_0_dot_9/lib/logstash/filters//usr/share/logstash/vendor/bundle/jruby/2.3.0/gems/logstash-filter-dns-3.0.9/lib/logstash/filters/dns.rb:145)", "usr.share.logstash.vendor.bundle.jruby.$2_dot_3_dot_0.gems.logstash_minus_filter_minus_dns_minus_3_dot_0_dot_9.lib.logstash.filters.dns.block in resolve(/usr/share/logstash/vendor/bundle/jruby/2.3.0/gems/logstash-filter-dns-3.0.9/lib/logstash/filters/dns.rb:145)", "usr.share.logstash.vendor.bundle.jruby.$2_dot_3_dot_0.gems.lru_redux_minus_1_dot_1_dot_0.lib.lru_redux.ttl.cache.getset(/usr/share/logstash/vendor/bundle/jruby/2.3.0/gems/lru_redux-1.1.0/lib/lru_redux/ttl/cache.rb:52)",..........}
My logstash config:
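filter {
  if [fields][log_file_type] == "dnslogs" {
    # Columns of the DNS server's query log. requested_domain_name is whatever
    # the client asked for, i.e. attacker-controlled data when the client is
    # compromised -- every lookup below that uses it must treat it as untrusted.
    csv {
      columns => ["dns_request_time", "source_ip", "requested_domain_name", "dns_server"]
    }

    mutate {
      # Drop stray commas left in the IP column by the export.
      gsub => ["source_ip", ",", ""]
      # Strip the trailing dot of a fully-qualified name. The original pattern
      # ".$" matched ANY final character (an unescaped "." is a regex wildcard),
      # so "example.com" became "example.co" before the local/blacklist checks
      # ran. "[.]$" matches a literal dot only.
      gsub => ["requested_domain_name", "[.]$", ""]
      # The commented-out quote-stripping gsubs used the literal """, which is
      # not a valid string; if quotes really need removing, use an escaped
      # quote character (e.g. '"') instead.
    }

    # Copy the client IP into a field the reverse lookup will overwrite.
    # If source_ip is absent the literal text "%{source_ip}" is copied and the
    # reverse lookup fails on it (cached for failed_cache_ttl seconds).
    mutate {
      add_field => { "source_hostname" => "%{source_ip}" }
    }

    date {
      match  => ["dns_request_time", "M/d/yyyy h:mm:ss a"]
      target => "@timestamp"
    }

    # Default: treat every query as external unless a rule below says otherwise.
    mutate {
      add_field => { "local" => "false" }
    }

    grok {
      patterns_dir => ["/etc/logstash/patterns"]
      match        => ["requested_domain_name", "%{HOST:domain}"]
    }

    tld {
      source => "domain"
      target => "target"
    }

    # Internal namespaces (redacted as XXXX), ".local" names and single-label
    # names are marked local and skipped by the external lookups below.
    if [requested_domain_name] =~ /(?i).*\.XXXX$/
       or [requested_domain_name] =~ /(?i)^XXXX\.ru$/
       or [requested_domain_name] =~ /(?i).*\.XXXX\.ru$/
       or [requested_domain_name] =~ /(?i).*\.XXXX-XXXX\.ru$/
       or [requested_domain_name] =~ /(?i).*\.XXXX-XXXX\.ru$/
       or [requested_domain_name] =~ /(?i).*\.XXXXXXXX\.ru$/
       or [requested_domain_name] =~ /(?i).+\.local$/
       or [requested_domain_name] =~ /(?i)^\w+$/ {
      mutate { replace => { "local" => "true" } }
    }

    # Reverse-resolve the client IP (internal addresses only, so low risk).
    # Each lookup is synchronous on the pipeline worker: a slow or unreachable
    # resolver stalls event processing for up to `timeout` seconds per event
    # until the failed cache kicks in.
    dns {
      failed_cache_size => "2000"
      failed_cache_ttl  => "600"
      hit_cache_size    => "2000"
      hit_cache_ttl     => "600"
      max_retries       => "0"
      nameserver        => ["192.168.64.253"]
      reverse           => ["source_hostname"]
      action            => "replace"
      # Leaving timeout unset means the plugin default applies (0.5 s in the
      # plugin versions I know -- confirm for 3.0.9). The posted trace shows the
      # Timeout firing from retriable_request while inside lru_redux's
      # ttl/cache.rb getset, i.e. while the hit cache is being updated; if the
      # interrupt lands while the cache holds its lock, later workers can block
      # on it forever, which matches "service up, nothing processed". Check the
      # plugin changelog for a release that moves the timeout out of the cache
      # path before tuning this value.
      #timeout => 1
    }

    if [local] != 'true' {
      mutate {
        add_field => { "target_host"     => "%{requested_domain_name}" }
        add_field => { "maliciousIP"     => "false" }
        add_field => { "maliciousDomain" => "false" }
      }

      # Forward-resolve the queried (untrusted) name from the Logstash host.
      # Security caveat: this sends a fresh query for every attacker-chosen
      # name to 192.168.64.253 and, via recursion, to the attacker's own
      # authoritative server -- it reveals that the name is being analysed and
      # lets a deliberately slow server hold a pipeline worker for `timeout`
      # seconds per distinct name. Consider answering this from the DNS
      # server's own response log / passive DNS instead of live lookups.
      # On failure `target_host` keeps the domain name, so the maliciousIP
      # translate below then matches a name against an IP list (harmless, but
      # it yields no hit).
      dns {
        failed_cache_size => "2000"
        failed_cache_ttl  => "600"
        hit_cache_size    => "2000"
        hit_cache_ttl     => "600"
        max_retries       => "0"
        nameserver        => ["192.168.64.253"]
        resolve           => ["target_host"]
        action            => "replace"
        # Same consideration as the reverse lookup above.
        #timeout => 0.7
      }

      # Blacklist lookups: resolved IP against an IP list, queried name against
      # a domain list. Both dictionaries are YAML files loaded from disk; keep
      # them writable only by the account that maintains the feeds.
      translate {
        field           => "[target_host]"
        destination     => "maliciousIP"
        dictionary_path => '/etc/logstash/conf.d/ipblacklists/alien.yaml'
      }
      translate {
        field           => "[requested_domain_name]"
        destination     => "maliciousDomain"
        dictionary_path => '/etc/logstash/conf.d/domainblacklists/malwaredomains.yaml'
      }
    }
  }
}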
What is wrong? Logstash 6.2.3 with logstash-filter-dns 3.0.9 (per the trace above).