Nagios Support Forum

Posted: **Thu Jan 29, 2015 4:06 am**

Hi,

I'm working on a filter for pfSense and would like to put the reverse resolved DNS name for the destination IP in a separate field. I've got it working partly, but not the way I want it to.

This works, but appends the resolved name to the dest_ip field which is not pretty:

Code: Select all

# dest_ip comes from a grok filter of the %{IP:dest_ip} type
dns {
  reverse => [ "dest_ip" ]
}

This doesn't work:

Code: Select all

dns {
  add_field => [ "dest_fqdn", "%{dest_ip}" ]
  reverse => [ "dest_fqdn" ]
  action => [ "replace" ]
}

In the last example, the dest_fqdn field always contains an IP adress and never gets resolved.

The "action" parameter is mentioned in different syntax around the web. I've tried the following:

Code: Select all

action => "replace"
action => [ "replace" ]

I've also tried omitting it. Doesn't change anything.

Am I missing something?

Lars

Posted: **Thu Jan 29, 2015 2:20 pm**

I believe you need to do the add field in your grok filter, then do the dns

Code: Select all

dns {
  reverse => [ "dest_fqdn" ]
  action => [ "replace" ]
}

Posted: **Fri Jan 30, 2015 3:25 am**

scottwilkerson wrote:I believe you need to do the add field in your grok filter, then do the dns

Oh, sorry, I tried that too (out of desperation, I guess). Same result. It seems the type of the field changes when I do the add_field.

Lars

Posted: **Fri Jan 30, 2015 3:16 pm**

We are going to have to setup some test, on this as the type of the field shouldn't be configured before it hits elasticsearch, however if your index has that already determined to be an IP, you may need to wait until the next day or change to use a different field name

Nagios Support Forum

Can't make DNS resolver work

Can't make DNS resolver work

Re: Can't make DNS resolver work

Re: Can't make DNS resolver work

Re: Can't make DNS resolver work