Hi Guys,
Somehow my packetbeat plugin is not working which is installed on my DNS server and is forced to capture DNS packets
How Can I troubleshoot further?
packetbeat.interfaces.device: eth0
packetbeat.flows:
Set network flow timeout. Flow is killed if no packet is received before being
timed out.
timeout: 30s
Configure reporting period. If set to -1, only killed flows will be reported
period: 10s
packetbeat.protocols.dns:
Configure the ports where to listen for DNS traffic. You can disable
the DNS protocol by commenting out the list of ports.
ports: [53]
packetbeat.sh -e -d "publish"
2017/10/01 01:48:35.597573 beat.go:297: INFO Home path: [/usr/share/packetbeat] Config path: [/etc/packetbeat] Data path: [/var/lib/packetbeat] Logs path: [/var/log/packetbeat]
2017/10/01 01:48:35.597617 beat.go:192: INFO Setup Beat: packetbeat; Version: 5.6.2
2017/10/01 01:48:35.597698 logstash.go:90: INFO Max Retries set to: 3
2017/10/01 01:48:35.597760 outputs.go:108: INFO Activated logstash as output plugin.
2017/10/01 01:48:35.597774 publish.go:243: DBG Create output worker
2017/10/01 01:48:35.597832 publish.go:285: DBG No output is defined to store the topology. The server fields might not be filled.
2017/10/01 01:48:35.597860 publish.go:300: INFO Publisher name: PrimaryDNS
2017/10/01 01:48:35.598332 async.go:63: INFO Flush Interval set to: 1s
2017/10/01 01:48:35.598364 async.go:64: INFO Max Bulk Size set to: 2048
2017/10/01 01:48:35.598383 async.go:72: DBG create bulk processing worker (interval=1s, bulk size=2048)
2017/10/01 01:48:35.598507 procs.go:79: INFO Process matching disabled
2017/10/01 01:48:35.598649 protos.go:89: INFO registered protocol plugin: thrift
2017/10/01 01:48:35.598663 protos.go:89: INFO registered protocol plugin: amqp
2017/10/01 01:48:35.598670 protos.go:89: INFO registered protocol plugin: cassandra
2017/10/01 01:48:35.598675 protos.go:89: INFO registered protocol plugin: memcache
2017/10/01 01:48:35.598681 protos.go:89: INFO registered protocol plugin: mongodb
2017/10/01 01:48:35.598687 protos.go:89: INFO registered protocol plugin: mysql
2017/10/01 01:48:35.598693 protos.go:89: INFO registered protocol plugin: pgsql
2017/10/01 01:48:35.598698 protos.go:89: INFO registered protocol plugin: redis
2017/10/01 01:48:35.598704 protos.go:89: INFO registered protocol plugin: dns
2017/10/01 01:48:35.598710 protos.go:89: INFO registered protocol plugin: http
2017/10/01 01:48:35.598715 protos.go:89: INFO registered protocol plugin: nfs
2017/10/01 01:48:35.601734 beat.go:233: INFO packetbeat start running.
2017/10/01 01:48:35.617639 metrics.go:23: INFO Metrics logging every 30s
2017/10/01 01:48:36.195021 publish.go:191: DBG normalize address for: {"@timestamp":"2017-10-01T01:48:36.193Z","bytes_in":50,"bytes_out":117,"dns":{"additionals_count":0,"answers_count":0,"authorities":[{"class":"IN","data":"nsa.online.net.","expire":604800,"minimum":14400,"name":"poneytelecom.eu.","refresh":14400,"retry":3600,"rname":"dnsmaster.te-dns.net.","serial":2016031701,"ttl":"36","type":"SOA"}],"authorities_count":1,"flags":{"authentic_data":false,"authoritative":false,"checking_disabled":false,"recursion_available":true,"recursion_desired":true,"truncated_response":false},"id":11933,"op_code":"QUERY","question":{"class":"IN","etld_plus_one":"poneytelecom.eu.","name":"62-210-11-50.rev.poneytelecom.eu.","type":"A"},"response_code":"NXDOMAIN"},"dst":{"IP":"172.16.3.15","Port":53,"Name":"","Cmdline":"","Proc":""},"method":"QUERY","query":"class IN, type A, 62-210-11-50.rev.poneytelecom.eu.","resource":"62-210-11-50.rev.poneytelecom.eu.","responsetime":0,"src":{"IP":"172.16.3.10","Port":46623,"Name":"","Cmdline":"","Proc":""},"status":"Error","transport":"udp","type":"dns"}
2017/10/01 01:48:36.195041 publish.go:195: DBG has src: true
2017/10/01 01:48:36.195057 publish.go:219: DBG has dst: true
2017/10/01 01:48:36.195218 client.go:214: DBG Publish: {
"@timestamp": "2017-10-01T01:48:36.193Z",
"beat": {
"hostname": "dns.xxxxx.com",
"name": "PrimaryDNS",
"version": "5.6.2"
},
"bytes_in": 50,
"bytes_out": 117,
"client_ip": "172.16.3.10",
"client_port": 46623,
"client_proc": "",
"client_server": "",
"direction": "in",
"dns": {
"additionals_count": 0,
"answers_count": 0,
"authorities": [
{
"class": "IN",
"data": "nsa.online.net.",
"expire": 604800,
"minimum": 14400,
"name": "poneytelecom.eu.",
"refresh": 14400,
"retry": 3600,
"rname": "dnsmaster.te-dns.net.",
"serial": 2016031701,
"ttl": "36",
"type": "SOA"
}
],
"authorities_count": 1,
"flags": {
"authentic_data": false,
"authoritative": false,
"checking_disabled": false,
"recursion_available": true,
"recursion_desired": true,
"truncated_response": false
},
"id": 11933,
"op_code": "QUERY",
"question": {
"class": "IN",
"etld_plus_one": "poneytelecom.eu.",
"name": "62-210-11-50.rev.poneytelecom.eu.",
"type": "A"
},
"response_code": "NXDOMAIN"
},
"ip": "172.16.3.15",
"method": "QUERY",
"port": 53,
"proc": "",
"query": "class IN, type A, 62-210-11-50.rev.poneytelecom.eu.",
"resource": "62-210-11-50.rev.poneytelecom.eu.",
"responsetime": 0,
"server": "",
"status": "Error",
"tags": [
"PrimaryDNS",
"DNS"
],
"transport": "udp",
"type": "dns"
}