Trying to add a field with the ip address of the host

I'm sure this is in the docs, and/or here somewhere, but the closest I have been able to find was a thread here from Oct. 2015 with a link to a doc with info that doesn't work on the current version.

I want to add a field to all log entries that will contain the IP Address of the host (where the log originated). I'm thinking a mutate at the bottom of my filter block. Something like

mutate {
   add_field => { "host_ip" => "%{someVar}" }
}

However, I can't seem to find that "someVar" variable.

I thought about setting to debug, and looking at the data coming in to the filter block, but if I did find the IP in some field/variable (e.g. %{host}) I couldn't necessarily assume it will always be the IP Address (e.g. %{host}).

I would appreciate any help with this specifically, or a point to someplace that lists all the %{data} available in each scope (input, filter, output).

Thanks

The host field typically contains the name of the host where the event originated, but that depends on what kinds of inputs you have. If that field is always set to a sane value you can use a dns filter to transform it into an IP address. IIRC the dns filter always modifies fields in place, in which case you'll want to copy the host field into e.g. hostip and perform a DNS lookup on that field.

I would appreciate any help with this specifically, or a point to someplace that lists all the %{data} available in each scope (input, filter, output).

The inputs you have configured define which fields are available to your filters. The tail end of your last filter is connected to each of your outputs (assuming no conditionals that limit which filters and outputs apply to each message).
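As an added illustration (not a config from this thread), here is a filter block implementing the copy-then-resolve approach described in the reply above. It reuses the %{host} interpolation from the original post and the hostip field name from the reply; the IPv4 regex guard is an assumption added so a host field that already carries an address (as syslog inputs usually produce) is not handed to the dns filter.

```logstash
filter {
  # Work on a copy so the original host field (the shipper's hostname)
  # survives unchanged whatever the lookup does.
  mutate {
    add_field => { "hostip" => "%{host}" }
  }

  # Only resolve values that are not already an IPv4 address.
  if [hostip] !~ /^\d{1,3}(\.\d{1,3}){3}$/ {
    dns {
      # "replace" overwrites hostip in place with the resolved address;
      # the default "append" would turn the field into [hostname, ip].
      resolve => [ "hostip" ]
      action  => "replace"
    }
  }
}
```

If a hostname has no DNS record the dns filter leaves hostip holding the hostname rather than an address, so anything downstream that treats hostip as an IP should check the value first. Note also that the result is a forward lookup of a name the shipper reported about itself, not the address the connection actually came from, so for attribution purposes the peer address recorded by the input is the more trustworthy source where it is available.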

Thank you.

It looks like, using winlogbeat and filebeat, the hostname is sent, and not all of them have a DNS record to do a lookup on.

The solution that I've come up with is to add a tag with the IP at the WinLogBeat/FileBeat side, and then add a tag %{host} in the filter block for syslog inputs. It's not clean, but the result is every record has a tag containing the IP Address of the originating host.
