I currently push packetbeat logs from hosts directly to elasticsearch with a geo-pipeline. I want to migrate this compute load to a dedicated logstash pipeline. Stack is running at 7.7.1.
I need help with:
Geo-Pipeline configuration using the MaxMind GeoIP DB.
DNS configuration assistance, as I am getting PTR hits on my recursive DNS servers and there are no resolutions. Example:
Hi, thank you for the reply. I am trying to get hostnames (if published) of IP addresses that the endpoint is trying to connect to, so a reverse DNS lookup. The parameter for the same would be "resolve", and hence I reckon my configuration is correct? Instead of using my own DNS server (unbound), I am changing the IP to 9.9.9.9. Let's see if that fixes the PTR issue.
I changed the configuration but I am still seeing PTR record requests such as 45.247.250.180.in-addr.arpa.
It should be doing a reverse lookup, and for the IP there is no hostname defined. I am not suspecting my DNS server and the way it handles PTR requests. Also, is the appending of .in-addr.arpa correct?
You could try asking your DNS server for PTR records of the said IP (using nslookup or dig) and compare the DNS server's answer with the result you get from Logstash, though I doubt it will be different provided the config is correct.
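An added example pipeline (not posted in this thread) covering both the GeoIP step and the reverse-DNS step discussed above; it assumes ECS-style packetbeat fields (`[source][ip]`, `[destination][ip]`), a GeoLite2-City database at the hypothetical path /etc/logstash/GeoLite2-City.mmdb, and the 9.9.9.9 resolver mentioned above. In the Logstash dns filter, `reverse` performs PTR lookups (IP to hostname) while `resolve` performs forward lookups (hostname to IP), and a query for 45.247.250.180.in-addr.arpa is exactly what a reverse lookup of 180.250.247.45 sends; an empty answer means no PTR record is published, and the filter leaves the field as the IP.

```logstash
input {
  beats { port => 5044 }
}

filter {
  # GeoIP enrichment. Private/RFC1918 addresses are not in the database and
  # would only produce _geoip_lookup_failure tags, so skip them.
  if [source][ip] and [source][ip] !~ /^(10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.)/ {
    geoip {
      source   => "[source][ip]"
      target   => "[source][geo]"
      database => "/etc/logstash/GeoLite2-City.mmdb"   # assumed path
    }
  }
  if [destination][ip] and [destination][ip] !~ /^(10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.)/ {
    geoip {
      source   => "[destination][ip]"
      target   => "[destination][geo]"
      database => "/etc/logstash/GeoLite2-City.mmdb"   # assumed path
    }
  }

  # Reverse (PTR) lookup of the destination address. The dns filter overwrites
  # the field it resolves when action => "replace", so copy the IP into a
  # separate field first and keep [destination][ip] intact.
  if [destination][ip] {
    mutate { copy => { "[destination][ip]" => "[destination][domain]" } }
    dns {
      reverse           => ["[destination][domain]"]   # PTR: IP -> hostname
      action            => "replace"
      nameserver        => ["9.9.9.9"]
      # Caches keep repeated lookups of the same IP from hammering the resolver;
      # failed_cache_* also remembers addresses that have no PTR record.
      hit_cache_size    => 4096
      hit_cache_ttl     => 900
      failed_cache_size => 4096
      failed_cache_ttl  => 300
      timeout           => 0.5
    }
  }
}

output {
  elasticsearch {
    hosts => ["http://localhost:9200"]
    index => "packetbeat-%{+YYYY.MM.dd}"
  }
}
```

To confirm what the resolver itself returns for an address, run `dig -x 180.250.247.45 @9.9.9.9`; if that answer is empty, Logstash will not populate `[destination][domain]` either and the IP stays in place.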