We are currently leveraging SysMon DNS logs and would like to have the capability to search/aggregrate on the types from the dns.answers that WinLogBeat ships to Elastic.
Currently, the dns.answers field contains:
{
"data": "elasticsearch.trainingrocket.com",
"type": "CNAME"
},
{
"data": "d1bzcgvkzhwrpe.cloudfront.net",
"type": "CNAME"
},
{
"data": "13.227.45.18",
"type": "A"
},
{
"data": "13.227.45.48",
"type": "A"
},
{
"data": "13.227.45.74",
"type": "A"
},
{
"data": "13.227.45.36",
"type": "A"
}
It would be great if this was parsed similarly to the dns.resolved_ip field to show something like:
dns.resolved.type or dns.answers.type to contain:
CNAME, A
It doesn't seem that this is the case as noted on github (https://github.com/elastic/beats/pull/12960): winlog.event_data.QueryResults -> dns.answers.data , dns.answers.type
This is following the Elastic Common Schema which does not have a field specifically for the CNAME values like it does for IPs in dns.resolved_ip. So this is the expected output.
I think having at least "dns.answers.data" : "dualstack.r2.shared.global.fastly.net, 151.101.150.217" and "dns.answers.type" : "CNAME, A" would at least allow us to do a pretty efficient search.
Perhaps this might be a mapping issue to give us searchable types/data?
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant
logo are trademarks of the
Apache Software Foundation
in the United States and/or other countries.
