Name in place of IP

Is there a way I can convert all IPs that are getting registered into Elasticsearch to names?

I am just using the regular Packetbeat configuration and outputting straight to Elasticsearch.

output.elasticsearch:
  # Array of hosts to connect to.
  hosts: ["elktst10:9200"]

Hi @elasticforme,

You can configure the same in the formats below, and the host should be reachable.

Examples:

output.elasticsearch:
  hosts: ["https://localhost:9200"]

output.elasticsearch:
  hosts: ["localhost"]

output.elasticsearch:
  hosts: ["http://localhost:9200"]

Please do let me know in case of any query in this regard.

Regards,
Harsh Bajaj

Sorry Harsh, I didn't put my question properly.
All the data I get from Packetbeat has IP addresses.
I would like to convert those to names and then put them in Elasticsearch.

Is that possible?

You cannot directly replace IP addresses with names because fields like source.ip and destination.ip can only contain IP addresses due to how they have been defined in Elasticsearch.

You could use source.domain and destination.domain to hold the names. Then you can optionally delete the IP fields.

How do you want to map the IPs to names? Like is this data coming from a reverse DNS lookup? Or a static table?

I was just wondering if there is any DNS filter which can convert this IP to a name.

For example, each event will have source.id and destination.id,
and I can do a lookup for that IP and save that name.
Replacement is not required, but it can create source.host and destination.host.

I saw this filter in the documentation but couldn't make any sense of how to use it.

filter {
  dns {
    reverse => [ "source_host", "field_with_address" ]
    resolve => [ "field_with_fqdn" ]
    action => "replace"
  }
}

Is that telling me that when I run Packetbeat I have to send the data to Logstash rather than Elasticsearch and do this processing there?

Beats have some built-in processors that you can use. Specifically for this use case there is a dns processor that does reverse lookups.

processors:
- dns:
    type: reverse
    fields:
      source.ip: source.domain
      destination.ip: destination.domain
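A fuller version of that processor block, added here as an example and not taken from the thread or from the Beats documentation. It keeps the IP fields (so the ip-typed mappings the earlier reply mentions stay valid), caches lookups, and tags events whose reverse lookup fails; the nameserver addresses are constructed placeholders from the RFC 5737 documentation ranges.

```yaml
# packetbeat.yml fragment (added example, not from the thread).
# Reverse-resolves source.ip / destination.ip into source.domain /
# destination.domain while leaving the IP fields untouched.
processors:
  - dns:
      type: reverse
      # append: only fill the target field when it is empty; use replace
      # to overwrite a domain Packetbeat already populated.
      action: append
      fields:
        source.ip: source.domain
        destination.ip: destination.domain
      # Send PTR queries to your own resolvers (constructed placeholder IPs)
      # rather than an external one, so traffic metadata is not leaked.
      nameservers: ["192.0.2.53", "198.51.100.53"]
      timeout: 500ms
      # Cache both hits and misses so a busy capture host does not issue
      # one PTR query per flow.
      success_cache:
        capacity.initial: 1000
        capacity.max: 10000
        min_ttl: 1m
      failure_cache:
        capacity.initial: 1000
        capacity.max: 10000
        ttl: 1m
      # A failed lookup leaves the event otherwise intact and adds this tag,
      # so unresolved addresses are easy to filter for in Kibana.
      tag_on_failure: [_dns_reverse_lookup_failed]
```

If you really do want names only, a drop_fields processor placed after this one can remove source.ip and destination.ip, as the earlier reply suggested.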
