Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Feature - Resolve DNS Enrichment (Forward Lookup) #11416

Closed
morro91 opened this issue Mar 24, 2019 · 9 comments · Fixed by #36394
Closed

Feature - Resolve DNS Enrichment (Forward Lookup) #11416

morro91 opened this issue Mar 24, 2019 · 9 comments · Fixed by #36394

Comments

@morro91
Copy link

morro91 commented Mar 24, 2019

It would be great if WinlogBeat's DNS processor could resolve IP addresses given a hostname (Forward Lookup).

Especially useful in Windows world, caching would be necessary.

An extension to #7770, similar to Logstash's DNS filter (https://www.elastic.co/guide/en/logstash/current/plugins-filters-dns.html).

To add 'resolve' to Winlogbeat (and/or others) to DNS processor.

@andrewkroh
Copy link
Member

Do you have a specific use case you could provide?

@morro91
Copy link
Author

morro91 commented Mar 25, 2019

The main use case is Windows Event Forwarding, and then putting Winlogbeat on the collector device. As the collector has logs of X machines, it would be good to enrich with the IP address as the log only has computer_name.

@jsoriano jsoriano added Team:Integrations Label for the Integrations team Team:SIEM labels Apr 15, 2020
@elasticmachine
Copy link
Collaborator

Pinging @elastic/integrations (Team:Integrations)

@elasticmachine
Copy link
Collaborator

Pinging @elastic/siem (Team:SIEM)

@elasticmachine
Copy link
Collaborator

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

@BenB196
Copy link

BenB196 commented Feb 23, 2022

I'd like to add another use case here, it is slightly more of an edge case, but still a valid one I believe.

If, I am using an integration/module, which pulls/collects data from a remote point, but this remote point also pulls data from somewhere to get the data, then the "host" information is actually the middle point. In theory, if the actual data contains the final target, then you can get the name of the target and set it correctly in the event, but you can't get the IP of the target, which makes things somewhat difficult.

Example:

For SNMP monitoring, Elastic doesn't really have a good solution, but Prometheus does with the snmp_exporter. So, a weird solution is to use the SNMP exporter to handle then SNMP stuff, then use the Metricbeat Prometheus collector module, to scrape the SNMP exporter to collect the data.

This has a few weird side effects though.

  1. To be able to use the SNMP exporter, the "host" isn't actually the host you want to scrape metrics from, instead it is the SNMP exporter (example: localhost:9116)
    • The "real" host is stored as a URL query parameter called target.
    • So, a request looks like: http://localhost:9116/snmp?module=<your_snmp_module>&target=host.example.com
  2. The above causes a few different issues:
    1. host field information gets set to either the Prometheus SNMP exporter (if both Metricbeat and SNMP Exporter are part of the same Kubernetes pod or host) or doesn't get set at all.
    2. prometheus.labels.instance just shows up as localhost:9116 as technically that is the "host"/"target"
    3. The real information is contained in the field service.address (http://localhost:9116/snmp?module=<your_snmp_module>&target=host.example.com)

You can somewhat work around this issue, by using processors that:

  1. Drop host:
- drop_fields:
    fields:
      - "host"
    ignore_missing: true
  1. Set host.name correctly:
- dissect:
    tokenizer: "%{}/snmp?module=%{}&target=%{host.name}"
    field: "service.address"
    target_prefix: ''
    overwrite_keys: true
    trim_values: 'all'
  1. Set host.hostname correctly:
- copy_fields:
    fields:
      - from: host.name
        to: host.hostname

But, you can never set host.ip correctly, as there is no way to perform a forward lookup on host.name

@botelastic
Copy link

botelastic bot commented Feb 23, 2023

Hi!
We just realized that we haven't looked into this issue in a while. We're sorry!

We're labeling this issue as Stale to make it hit our filters and make sure we get back to it as soon as possible. In the meantime, it'd be extremely helpful if you could take a look at it as well and confirm its relevance. A simple comment with a nice emoji will be enough :+1.
Thank you for your contribution!

@botelastic botelastic bot added the Stalled label Feb 23, 2023
@BenB196
Copy link

BenB196 commented May 15, 2023

still useful

@botelastic botelastic bot removed the Stalled label May 15, 2023
andrewkroh added a commit to andrewkroh/beats that referenced this issue Aug 22, 2023
The dns processor previously supported only reverse DNS lookups.
This adds support for performing A, AAAA, and TXT record queries.

The response.ptr.histogram metric was renamed to request_duration.histogram.
This naming allows the metric to represent the duration of the DNS request
for all query types.

Closes elastic#11416
andrewkroh added a commit to andrewkroh/beats that referenced this issue Aug 22, 2023
The dns processor previously supported only reverse DNS lookups.
This adds support for performing A, AAAA, and TXT record queries.

The response.ptr.histogram metric was renamed to request_duration.histogram.
This naming allows the metric to represent the duration of the DNS request
for all query types.

Closes elastic#11416
@andrewkroh
Copy link
Member

andrewkroh added a commit to andrewkroh/beats that referenced this issue Aug 22, 2023
The dns processor previously supported only reverse DNS lookups.
This adds support for performing A, AAAA, and TXT record queries.

The response.ptr.histogram metric was renamed to request_duration.histogram.
This naming allows the metric to represent the duration of the DNS request
for all query types.

Closes elastic#11416
andrewkroh added a commit that referenced this issue Aug 25, 2023
The dns processor previously supported only reverse DNS lookups.
This adds support for performing A, AAAA, and TXT record queries.

The response.ptr.histogram metric was renamed to request_duration.histogram.
This naming allows the metric to represent the duration of the DNS request
for all query types.

Some refactoring was done to unexport types/functions that should have been
internal only.

Closes #11416

Co-authored-by: Dan Kortschak <90160302+efd6@users.noreply.github.com>
Scholar-Li pushed a commit to Scholar-Li/beats that referenced this issue Feb 5, 2024
The dns processor previously supported only reverse DNS lookups.
This adds support for performing A, AAAA, and TXT record queries.

The response.ptr.histogram metric was renamed to request_duration.histogram.
This naming allows the metric to represent the duration of the DNS request
for all query types.

Some refactoring was done to unexport types/functions that should have been
internal only.

Closes elastic#11416

Co-authored-by: Dan Kortschak <90160302+efd6@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging a pull request may close this issue.

6 participants