Packetbeat logs filter DNS array fields


(Hans) #1

Hi All, I requested assistance in the Packetbeat forum initially; however, I was referred to the Logstash section for assistance. Here is the link for additional information if required on the prior discussion:

What I am doing is running Packetbeat on the BIND DNS server; the logs are then run through Logstash, followed by Elasticsearch and Kibana respectively. The two array fields that are causing some challenge are dns.additionals and dns.authorities. The output looks as follows respectively:
dns.additionals {
"class": "512",
"data": "",
"name": "",
"ttl": 32768,
"type": "OPT"
}
dns.answers {
"class": "IN",
"data": "23.214.151.174",
"name": "e1706.g.akamaiedge.net",
"ttl": 19,
"type": "A"
}

It looks like all the information between the [] brackets is not filtered into separate fields, e.g. [{"class":"512","data":"","name":"","ttl":32768,"type":"OPT"}]. In some of the responses there is also more than one answer. Is it possible to tag these items, e.g.
currently:
dns.additionals {
"class": "512",
"data": "",
"name": "",
"ttl": 32768,
"type": "OPT"
}

desired:
dns.additionals.class 512
dns.additionals.data
dns.additionals.name
dns.additionals.ttl 32768
dns.additionals.type OPT

Another example for the answer:
dns.answers {
"class": "IN",
"data": "217.69.139.201",
"name": "mail.ru",
"ttl": 47,
"type": "A"
},
{
"class": "IN",
"data": "94.100.180.200",
"name": "mail.ru",
"ttl": 47,
"type": "A"
},
{
"class": "IN",
"data": "94.100.180.202",
"name": "mail.ru",
"ttl": 47,
"type": "A"
},
{
"class": "IN",
"data": "217.69.139.202",
"name": "mail.ru",
"ttl": 47,
"type": "A"
}

So the same approach as above, however with the information in separate fields, and to also be able to tag the dns.answers.data 217.69.139.201 with geoip information for each answer.


(Hans) #2

Can Logstash filters handle the array fields, or should this be done elsewhere?
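Logstash can do this with the split filter: it emits one event per array element, after which [dns][answers] is a single object whose keys ([dns][answers][data], [dns][answers][type], ...) are individually addressable and can be enriched one answer at a time. The following pipeline fragment is an added example, not code from anyone in this thread; the [dns][answers][geoip] target name and the restriction to A/AAAA records are my assumptions.

```logstash
filter {
  # Only act when Packetbeat actually populated the answers array
  # (queries without an answer section would otherwise raise a split error).
  if [dns][answers] {
    # One event per resource record: the array [{...},{...}] becomes
    # four events for the mail.ru example, each with a single [dns][answers] object.
    split {
      field => "[dns][answers]"
    }

    # Only A and AAAA records carry an IP address in "data";
    # CNAME/NS/OPT records would make the geoip lookup fail.
    if [dns][answers][type] in ["A", "AAAA"] {
      geoip {
        source => "[dns][answers][data]"
        # Assumed target so each answer keeps its own geo data next to it.
        target => "[dns][answers][geoip]"
      }
    }
  }
}
```

Splitting a second array (dns.additionals or dns.authorities) in the same pipeline multiplies events by the product of the array lengths, so apply split only to the array you need enriched per element.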


#3

Hi Hans, did you ever find a solution to this? We are facing the exact same issue.
Thanks
G