Hey
filebeat version 8.0.1
I'm suspecting a problem with using multiple namespaces for the DNS processor.
My config looks like this (with dummy ip addresses, and I was testing with a low ttl in failure_cache):
- dns:
type: reverse
fields:
log.source.ip: log.source.hostname
failure_cache:
ttl: 2s
nameservers: ['1.2.3.4', '5.6.7.8']
timeout: 200ms
tag_on_failure: [_dns_reverse_lookup_failed]
My log shows that the config is parsed:
Jun 08 15:29:06 xxx filebeat[2323040]: {"log.level":"debug","@timestamp":"2022-06-08T15:29:06.680+0200","log.logger":"processor.dns","log.origin":{"file.name":"dns/dns.go","file.line":67},"message"
:"DNS processor config: {CacheConfig:{SuccessCache:{TTL:0s MinTTL:1m0s InitialCapacity:1000 MaxCapacity:10000} FailureCache:{TTL:2s MinTTL:1m0s InitialCapacity:1000 MaxCapacity:10000}} Nameservers:[1.2.3.4 5.6.7.8] Timeout:200ms Type:reverse Action:append TagOnFailure:[_dns_reverse_lookup_failed] Fields:{\"log\":{\"source\":{\"ip\":\"log.source.hostname\"}}} Transport:udp reverseFlat:map[log.source.ip:log.source.hostname]}","s
ervice.name":"filebeat","instance_id":1,"ecs.version":"1.6.0"}
Then the log shows multiple lines like this:
Jun 08 15:50:20 xxxx filebeat[2323040]: {"log.level":"debug","@timestamp":"2022-06-08T15:50:20.275+0200","log.logger":"processor.dns","log.origin":{"file.name":"dns/dns.go","file.line":85},"message"
:"DNS processor failed: reverse lookup of log.source.ip value '5.66.77.88' failed: dns: nameserver 1.2.3.4:53 returned SERVFAIL","service.name":"filebeat","instance_id":1,"ecs.version":"1.6.0"}
So it is only testing the first of the two nameservers from the config file.
Any ideas here? According to the documentation it should go through the list of nameservers if the first one fails.