Packetbeat reverse DNS lookup not working properly

Hi,

Following is the Packetbeat configuration for reverse DNS lookup:

processors:
  - dns:
      type: reverse
      action: append
      fields:
        server.ip: server.hostname
        client.ip: client.hostname
      success_cache:
        capacity.initial: 1000
        capacity.max: 10000
      failure_cache:
        capacity.initial: 1000
        capacity.max: 10000
        ttl: 1m
      nameservers: ['ip_addres']
      timeout: 500ms
      tag_on_failure: [_dns_reverse_lookup_failed]

But I have no clarity on what I should mention in the fields below:

server.ip: server.hostname
client.ip: client.hostname

I have been referring to the following document for this, but it is not giving me clarity.
https://www.elastic.co/guide/en/beats/filebeat/master/processor-dns.html

Can you please format your configuration using the </> button so it's easier to tell how it is indented?

Which version of Packetbeat are you using?

The dns processor with type: reverse (currently the only supported type) will take a field whose value is an IP and perform a reverse DNS query to obtain the domain that resolves to that IP.

The fields mapping here will take each source IP field (server.ip and client.ip in this example) and resolve each IP storing the resulting domain in the mapped field (server.hostname and client.hostname, respectively).

When you say it doesn't work, do you mean that the hostname fields are not being created, or are you getting an error?
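
The field mapping described in the reply above, modelled as an added Python example (not Beats code and not part of the original thread). It assumes events are flat dictionaries with dotted keys, uses constructed PTR data in place of a real nameserver, and simplifies the caches to a success map plus a failure map with a one-minute TTL.

```python
# Illustrative model of the dns processor's "fields" mapping; not Beats code.
import time

# Constructed PTR data standing in for the configured nameserver.
PTR_RECORDS = {"192.0.2.10": "web01.example.test",
               "198.51.100.7": "laptop7.example.test"}
# source field (holds an IP) -> target field (receives the resolved name)
FIELDS = {"server.ip": "server.hostname", "client.ip": "client.hostname"}
FAILURE_TAG = "_dns_reverse_lookup_failed"


class ReverseDns:
    def __init__(self, resolver, failure_ttl=60.0):
        self.resolver = resolver          # callable: ip -> hostname or None
        self.failure_ttl = failure_ttl    # mirrors failure_cache ttl: 1m
        self.success, self.failure = {}, {}
        self.queries = 0                  # lookups that reached the resolver

    def lookup(self, ip, now=None):
        now = time.monotonic() if now is None else now
        if ip in self.success:
            return self.success[ip]
        if ip in self.failure and now - self.failure[ip] < self.failure_ttl:
            return None                   # cached failure, no new query
        self.queries += 1
        name = self.resolver(ip)
        if name is None:
            self.failure[ip] = now
        else:
            self.success[ip] = name
        return name

    def process(self, event, fields=FIELDS, now=None):
        for src, dst in fields.items():
            ip = event.get(src)
            if ip is None:
                continue                  # source field absent: nothing to do
            name = self.lookup(ip, now)
            if name is None:              # models tag_on_failure
                tags = event.setdefault("tags", [])
                if FAILURE_TAG not in tags:
                    tags.append(FAILURE_TAG)
            elif dst in event:            # models action: append
                old = event[dst]
                event[dst] = (old if isinstance(old, list) else [old]) + [name]
            else:
                event[dst] = name
        return event
```

In this model, an event with no server.hostname or client.hostname after processing and a _dns_reverse_lookup_failed tag means the lookup ran but returned nothing; hostname fields missing without the tag means the source IP field was never present.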
