Hi elastic community,
I've been discussing this issue with support for a little while however they've advised this may be a bug that could need looking into so I've been referred here.
We have some routers running both a squid proxy and the Elastic agent. I have them enrolled and they're logging as expected.
I've recently added the Squid Logs integration (Technical preview) to collect squid logs for me. For the time being I have only the TCP listener enabled with our squid servers configured to continue logging as normal, but also spit the logs out over TCP to this listener. This is also working which is a great start.
I noticed there's no PTR lookups for the source and destination hosts in these logs, so I tried adding this processor to the squid integration under its TCP listener's advanced options:
(Note: Cannot include "processors:" at the top level otherwise the integration fails to save, this appears to get slipped right in the middle with other processors in the elastic agent's configuration.)
- dns:
type: reverse
fields:
source.ip: source.hostname
timeout: 500ms
tag_on_failure: ['_dns_ptr_source_ip_failed']
While this custom processor does make an appearance in the state.yml on the Elastic Agent of both routers under this policy the agent seems to entirely ignore the processor.
The new field doesn't get created and there isn't any tag for the failure of that lookup either. The field source.ip exists for processing but no source.hostname field gets created in the above example.
I've also tried specifying our nameserver ip as well and a few other combinations to no change in behavior (And the host can do PTR lookups to those addresses itself with dig ok).
The integration seems to ignore this processor I've tried to add.
Any ideas?
Best regards,
Jared