Can't make DNS resolver work

[ljorg]

Hi,

I'm working on a filter for pfSense and would like to put the reverse resolved DNS name for the destination IP in a separate field. I've got it working partly, but not the way I want it to.

This works, but appends the resolved name to the dest_ip field which is not pretty:

Code: Select all

# dest_ip comes from a grok filter of the %{IP:dest_ip} type
dns {
  reverse => [ "dest_ip" ]
}

This doesn't work:

Code: Select all

dns {
  add_field => [ "dest_fqdn", "%{dest_ip}" ]
  reverse => [ "dest_fqdn" ]
  action => [ "replace" ]
}

In the last example, the dest_fqdn field always contains an IP adress and never gets resolved.

The "action" parameter is mentioned in different syntax around the web. I've tried the following:

Code: Select all

action => "replace"
action => [ "replace" ]

I've also tried omitting it. Doesn't change anything.

Am I missing something?


Lars

[scottwilkerson]

I believe you need to do the add field in your grok filter, then do the dns

Code: Select all

dns {
  reverse => [ "dest_fqdn" ]
  action => [ "replace" ]
}

[ljorg]

I believe you need to do the add field in your grok filter, then do the dns

Oh, sorry, I tried that too (out of desperation, I guess). Same result. It seems the type of the field changes when I do the add_field.


Lars

[scottwilkerson]

We are going to have to setup some test, on this as the type of the field shouldn't be configured before it hits elasticsearch, however if your index has that already determined to be an IP, you may need to wait until the next day or change to use a different field name