Dear Craig, thanks for your response.
I have an Elastic Stack (ELK) server running 7.7.0 and two Linux boxes running Packetbeat and Filebeat 7.7.0.
The server and the Beats hosts are on the same network segment, with no NAT and nothing else in between. From the Beats host I query 4.4.4.4 (a public resolver; note that 4.4.4.4 is a Level 3/Lumen address, not Google's — Google's public resolvers are 8.8.8.8 and 8.8.4.4), and in tcpdump I can see the packets going out to 4.4.4.4:53. I get no response from 4.4.4.4 because the firewall blocks it, but the Linux box with Packetbeat does attempt the lookup, so I expect the DNS Internet activity detection rule to fire. Packetbeat still records the attempt — as `status: "Error"` with `error.message: "No response to this query was received"` and `network.direction: "outbound"` — because it captures the outgoing query packet itself, so a blocked query should still be visible to the rule.
When I run the below query against the packetbeat index:
GET /packetbeat-7.7.0/_search
{
"query": { "match_all": {} },
"sort": [
{ "destination.ip": "asc" }
]
}
What I get back is the document below: near the top of `_source` I see `server.ip: "4.4.4.4"` (the public resolver) rather than `destination.ip`, so I'm confused — although the `destination` object with `ip: "4.4.4.4"` does appear at the very end of `_source`, and the `sort` value `"4.4.4.4"` confirms `destination.ip` is populated and indexed, since that is the field the query sorts on. Can you help again please? Regards!
"hits" : [
{
"_index" : "packetbeat-7.7.0-2020.05.14-000001",
"_type" : "_doc",
"_id" : "QizsnnIBuVNl7NxaIPft",
"_score" : null,
"_source" : {
"@timestamp" : "2020-06-10T15:49:48.959Z",
"server" : {
"ip" : "4.4.4.4",
"port" : 53
},
"query" : "class IN, type A, www.sintys.gob.ar",
"source" : {
"ip" : "172.31.28.7",
"port" : 46490,
"bytes" : 35
},
"status" : "Error",
"event" : {
"start" : "2020-06-10T15:49:48.959Z",
"kind" : "event",
"category" : "network_traffic",
"dataset" : "dns"
},
"type" : "dns",
"client" : {
"ip" : "172.31.28.7",
"port" : 46490,
"bytes" : 35
},
"resource" : "www.sintys.gob.ar",
"dns" : {
"op_code" : "QUERY",
"header_flags" : [
"RD"
],
"type" : "query",
"flags" : {
"recursion_desired" : true,
"recursion_available" : false,
"authentic_data" : false,
"checking_disabled" : false,
"authoritative" : false,
"truncated_response" : false
},
"response_code" : "NOERROR",
"id" : 53781,
"additionals_count" : 0,
"question" : {
"class" : "IN",
"etld_plus_one" : "sintys.gob.ar",
"registered_domain" : "sintys.gob.ar",
"top_level_domain" : "gob.ar",
"subdomain" : "www",
"name" : "www.sintys.gob.ar",
"type" : "A"
},
"authorities_count" : 0,
"answers_count" : 0
},
"host" : {
"containerized" : false,
"ip" : [
"172.31.28.7"
],
"mac" : [
"00:50:56:b2:97:b1"
],
"hostname" : "MITLTOCS-Agent02",
"architecture" : "x86_64",
"name" : "MITLTOCS-Agent02",
"os" : {
"name" : "Debian GNU/Linux",
"kernel" : "4.9.0-3-amd64",
"codename" : "stretch",
"platform" : "debian",
"version" : "9 (stretch)",
"family" : "debian"
},
"id" : "1436e041f70b4887887077ee84a0bae1"
},
"network" : {
"direction" : "outbound",
"community_id" : "1:PpSYmtSvRXwFbj45QauJiIpR63E=",
"bytes" : 35,
"type" : "ipv4",
"transport" : "udp",
"protocol" : "dns"
},
"agent" : {
"version" : "7.7.0",
"type" : "packetbeat",
"ephemeral_id" : "bfa97b80-78d2-4810-9b30-9ab964af614f",
"hostname" : "MITLTOCS-Agent02",
"id" : "649569ab-b23d-487d-af4b-50654252e501"
},
"ecs" : {
"version" : "1.5.0"
},
"error" : {
"message" : "No response to this query was received"
},
"method" : "QUERY",
"destination" : {
"port" : 53,
"ip" : "4.4.4.4"
}
},
"sort" : [
"4.4.4.4"
]
},