Supplement vlan.id to DNS data

I am sending all DNS traffic to logstash. Is it possible to add vlan data (especially the vlan.id) to this output?
This is my packetbeat.yml:

# =============================== Network device ===============================
packetbeat.interfaces.device: any
packetbeat.interfaces.type: af_packet

packetbeat.interfaces.internal_networks:
  - private

# =========================== Transaction protocols ============================
packetbeat.protocols:
- type: dns
  ports: [53]

# ================================== General ===================================
name: <servername>

tags: [forwarded]


# ================================== Outputs ===================================

# ------------------------------ Logstash Output -------------------------------
output.logstash:
  # The Logstash hosts
  hosts: ["<dip>:<dport>"]

# ================================= Processors =================================
processors:
  - # Add forwarded to tags when processing data from a network tap or mirror.
    if.contains.tags: forwarded
    then:
      - drop_fields:
          fields: [host]
    else:
      - add_host_metadata: ~
  - add_cloud_metadata: ~
  - add_docker_metadata: ~
  - detect_mime_type:
      field: http.request.body.content
      target: http.request.mime_type
  - detect_mime_type:
      field: http.response.body.content
      target: http.response.mime_type

btw, is it possible to define more than one device on which packetbeat listens (without using 'any')?

It does not report the VLAN ID for decoded protocol data like DNS. It should be possible to add this since it can see the 802.1Q header (although I found this one old issue that might be the reason why it was never added: Packetbeat: af_packet doesn't report VLAN ID · Issue #12794 · elastic/beats · GitHub).

I recommend opening a request on GitHub to add this feature. We have the network.vlan.id field in Elastic Common Schema to hold this data.
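As an added illustration, not code from this thread or from Packetbeat, this is what decoding the 802.1Q tag stack mentioned above looks like when the result is mapped onto the ECS network.vlan.id field. The frames are constructed samples; the MAC addresses and the choice to report the outermost tag of a QinQ stack are assumptions.

```python
import struct

ETH_P_8021Q = 0x8100   # 802.1Q single tag
ETH_P_8021AD = 0x88A8  # 802.1ad (QinQ) outer tag


def parse_vlan_tags(frame: bytes):
    """Walk the 802.1Q/802.1ad tags after the two MAC addresses.

    Returns (vlan_ids, inner_ethertype, payload_offset); vlan_ids runs
    outer-to-inner and is empty for an untagged frame.
    """
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    offset = 12                     # skip dst MAC + src MAC
    vlan_ids = []
    while True:
        (ethertype,) = struct.unpack_from("!H", frame, offset)
        offset += 2
        if ethertype not in (ETH_P_8021Q, ETH_P_8021AD):
            return vlan_ids, ethertype, offset
        if len(frame) < offset + 4:
            raise ValueError("truncated VLAN tag")
        (tci,) = struct.unpack_from("!H", frame, offset)
        vlan_ids.append(tci & 0x0FFF)  # VID is the low 12 bits; PCP/DEI sit above
        offset += 2


def ecs_vlan_fields(frame: bytes) -> dict:
    """ECS fields to merge into the DNS event; empty for untagged traffic."""
    vlan_ids, _, _ = parse_vlan_tags(frame)
    if not vlan_ids:
        return {}
    # ECS stores network.vlan.id as a keyword, hence the string. For a
    # QinQ stack this reports the outermost (service) tag; assumption.
    return {"network.vlan.id": str(vlan_ids[0])}


# Constructed frames: fixed MACs, a VLAN tag stack, then an IPv4 EtherType
# and a stand-in for the IPv4/UDP/DNS bytes that are not parsed here.
_MACS = bytes.fromhex("ffffffffffff") + bytes.fromhex("0242ac110002")
_BODY = struct.pack("!H", 0x0800) + b"\x45\x00" + b"\x00" * 18
SAMPLE_UNTAGGED = _MACS + _BODY
# PCP=5 (0xA000) | VID 100 (0x0064): masking matters, or the PCP leaks into the ID.
SAMPLE_TAGGED = _MACS + struct.pack("!HH", ETH_P_8021Q, 0xA064) + _BODY
SAMPLE_QINQ = (_MACS + struct.pack("!HH", ETH_P_8021AD, 0x00C8)
               + struct.pack("!HH", ETH_P_8021Q, 0x0064) + _BODY)
```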

Thank you, Andrew. I followed your advice and opened Provide vlan.id in decoded protocols · Issue #34932 · elastic/beats · GitHub.
