TechQA.

logstash dns filter miss

2k views Asked by At

I am using logstash 1.5 in my ELK stack environment. with the following filter configuration:

filter {
   mutate {
      add_filed => { "src_ip" => "%{src}" }
      add_filed => { "dst_ip" => "%{dst}" }
   }
   dns {
      reverse => [ "src", "dst" ]
      action => "replace"
   }
}

I have 2 problems:

  • The filter is missing or skip the dns reverse proccess on many logs - I mean each log that going in the filter process or that both dst and src fields reverse or not at all and remain with the ip ( when i test with nslookup all the ip fields has names in the dns).
  • I dont know how and why but some of my logs has multiple values and i get the following error:

DNS: skipping reverse, can't deal with multiple values, :field=>"src" , :value=>["10.0.0.1","20.0.0.2"], : level=> warn

It looks like my (ELK) logstash cant handle with a lot of logs and resolve them fast enough. also its looks that he create array keys of multiple value from different logs.

any idea? maybe you guys encounter this problem?

dns logstash logstash-configuration elastic-stack
Original Q&A
1

There are 1 answers

0
Brad Hein On

I noticed a typo in your configuration - add_filed should be add_field

Related Questions in DNS

Related Questions in LOGSTASH

Related Questions in LOGSTASH-CONFIGURATION

Related Questions in ELASTIC-STACK

Popular Questions

Popular Tags

javascript python java c# php android html jquery c++ css ios sql mysql r reactjs node.js arrays c asp.net json python-3.x ruby-on-rails .net sql-server swift django angular objective-c pandas excel

Trending Questions