Hi all, I am struggling to get the correct information into Elasticsearch. I am using a BIND DNS server running Packetbeat, with direct output to Logstash, and from there to Elasticsearch and Kibana. The two fields that are causing some challenge are dns.additionals and dns.authorities; the output looks as follows, respectively:
dns.additionals {
    "class": "512",
    "data": "",
    "name": "",
    "ttl": 32768,
    "type": "OPT"
}
dns.answers {
    "class": "IN",
    "data": "23.214.151.174",
    "name": "e1706.g.akamaiedge.net",
    "ttl": 19,
    "type": "A"
}
So it looks like there is a field that is not split; however, I am not sure where the challenge is, in the Logstash filter or in the Elasticsearch index template. Here is the configuration for Logstash:
filter {
  # Only events tagged type "syslog" enter this branch; everything else
  # (including the Packetbeat DNS documents) passes through unchanged.
  if [type] == "syslog" {
    grok {
      # The PID is optional and sits in literal square brackets, which must be
      # escaped in the pattern (the forum stripped the backslashes).
      match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
      add_field => {
        "received_at"   => "%{@timestamp}"
        "received_from" => "%{host}"
      }
    }
    # Decode the syslog priority into facility/severity fields.
    syslog_pri { }
    # Replace @timestamp with the timestamp carried in the syslog line.
    date {
      match => [ "syslog_timestamp", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ]
    }
  }
}
Any assistance will be truly appreciated.
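The filter above only touches events whose type is "syslog", so a Packetbeat DNS document reaches Elasticsearch exactly as Packetbeat emitted it, with dns.answers, dns.authorities and dns.additionals as arrays of objects. Elasticsearch indexes such an array as one multi-valued field per key (dns.answers.data, dns.answers.name, ...), which is why Kibana shows the section as a single unsplit object and the pairing between name, data and ttl inside each record is lost. The following Python is an added example, not code from the original post or from Packetbeat; it builds a constructed event in the field layout shown in the post (the dns.question, client_ip and ip fields are assumed for illustration), reproduces the flattening, shows the per-record split that a Logstash split filter on [dns][answers] would perform, and decodes the OPT pseudo-record in dns.additionals (per RFC 6891 the CLASS field of an OPT record carries the UDP payload size and the TTL field packs extended RCODE, EDNS version and the DO bit, which is what the "512" class and 32768 ttl in the post encode):

```python
import copy
import json

# Constructed sample event in the shape of a Packetbeat DNS document.  The
# field names inside dns.answers / dns.additionals match the post; the
# dns.question, client_ip and ip fields are assumptions for illustration.
SAMPLE_EVENT = json.loads("""
{
  "@timestamp": "2016-01-01T00:00:00.000Z",
  "type": "dns",
  "client_ip": "10.0.0.5",
  "ip": "10.0.0.53",
  "dns": {
    "question": {"name": "www.example.com", "type": "A", "class": "IN"},
    "answers": [
      {"name": "www.example.com", "type": "CNAME", "class": "IN",
       "ttl": 300, "data": "e1706.g.akamaiedge.net"},
      {"name": "e1706.g.akamaiedge.net", "type": "A", "class": "IN",
       "ttl": 19, "data": "23.214.151.174"}
    ],
    "authorities": [],
    "additionals": [
      {"name": "", "type": "OPT", "class": "512", "ttl": 32768, "data": ""}
    ]
  }
}
""")


def flatten(value, path="", out=None):
    """Flatten a document into {dotted.path: [scalars]} the way Elasticsearch
    stores an object field: nested objects extend the path, and an array of
    objects becomes one multi-valued field per key.  The association between
    name/data/ttl inside each array element is not preserved, which is the
    unsplit view described in the post."""
    if out is None:
        out = {}
    if isinstance(value, dict):
        for key, child in value.items():
            flatten(child, f"{path}.{key}" if path else key, out)
    elif isinstance(value, list):
        for item in value:
            flatten(item, path, out)
    else:
        out.setdefault(path, []).append(value)
    return out


def split_section(event, section):
    """Return one copy of the event per element of dns.<section>, with that
    element promoted to a single object.  This is what a Logstash split filter
    on [dns][<section>] would emit, and it keeps each record's fields paired."""
    records = (event.get("dns") or {}).get(section) or []
    result = []
    for record in records:
        clone = copy.deepcopy(event)
        clone["dns"][section] = record
        result.append(clone)
    return result


def edns_options(event):
    """Decode the OPT pseudo-record from dns.additionals, if present.
    RFC 6891: CLASS = requestor's UDP payload size; TTL = extended RCODE
    (bits 24-31) | EDNS version (bits 16-23) | DO bit (bit 15) | Z (bits 0-14).
    Returns None when the response carries no OPT record."""
    for record in (event.get("dns") or {}).get("additionals") or []:
        if record.get("type") != "OPT":
            continue
        ttl = int(record.get("ttl", 0))
        return {
            "udp_payload_size": int(record.get("class", 0)),
            "extended_rcode": (ttl >> 24) & 0xFF,
            "version": (ttl >> 16) & 0xFF,
            "dnssec_ok": bool((ttl >> 15) & 1),
        }
    return None


if __name__ == "__main__":
    # What Elasticsearch ends up with for the answers section.
    print(json.dumps(flatten(SAMPLE_EVENT), indent=2))
    # One document per answer, pairing intact.
    for doc in split_section(SAMPLE_EVENT, "answers"):
        print(json.dumps(doc["dns"]["answers"]))
    print(edns_options(SAMPLE_EVENT))
```

Running the script prints the flattened multi-valued fields, then one answer object per line, then the decoded EDNS0 options (512-byte payload, version 0, DNSSEC OK set) for the constructed event. An empty section such as dns.authorities contributes no flattened keys at all, so its absence in Kibana is expected rather than a parsing failure.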