Viewing hostname instead of ip

JohnM · July 5, 2019, 7:05am

LOGSTASH 7.2
ES 7.2

I am receiving simple Linux syslog.

In logstash node input filter, I have;
mutate {
add_field => { "syslog_host" => "%{host}" }
}
dns {
reverse => [ "host" ]
action => "replace"
}
but in Kibana host field is always ip address, and syslog_host filed added is also ip address.
How can you replace with hostname?

nslookup won't show reverse dns for our internal servers so that is why it doesn't resolve I guess.
All syslog message field have hostname so is there any ways to retrieve a hostname and show on Kibana field?

Thanks for your help in advance.

Badger · July 5, 2019, 3:42pm

The dns filter comes after the mutate, so even if the lookup worked it would not affect the value of [syslog_host].

If you want help parsing the hostname out of the message field then you need to show us what the message field looks like.

JohnM · July 8, 2019, 10:55pm

Thanks Badger for your reply.
the message field is something like this.

<78>Jul 9 08:52:01 pbx1003 crontab[16499]: (asterisk) LIST (asterisk)

I want to retrieve hostname pbx1003 out of the message field.

Thanks in advance.

Badger · July 8, 2019, 11:08pm

I would start with something like

    dissect { mapping => { "message" => "<%{pri}>%{[@metadata][ts]} %{+[@metadata][ts]} %{+[@metadata][ts]} %{hostname} %{}[%{pid}]:" } }
    date { match => [ "[@metadata][ts]", "MMM dd HH:mm:ss" ] }

JohnM · July 9, 2019, 2:14am

Thanks Badger,
It works great.

system · August 6, 2019, 2:29am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.