-
Notifications
You must be signed in to change notification settings - Fork 4.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Feature - Resolve DNS Enrichment (Forward Lookup) #11416
Comments
Do you have a specific use case you could provide? |
The main use case is Windows Event Forwarding, and then putting Winlogbeat on the collector device. As the collector has logs of X machines, it would be good to enrich with the IP address as the log only has computer_name. |
Pinging @elastic/integrations (Team:Integrations) |
Pinging @elastic/siem (Team:SIEM) |
Pinging @elastic/security-external-integrations (Team:Security-External Integrations) |
I'd like to add another use case here, it is slightly more of an edge case, but still a valid one I believe. If, I am using an integration/module, which pulls/collects data from a remote point, but this remote point also pulls data from somewhere to get the data, then the "host" information is actually the middle point. In theory, if the actual data contains the final target, then you can get the name of the target and set it correctly in the event, but you can't get the IP of the target, which makes things somewhat difficult. Example: For SNMP monitoring, Elastic doesn't really have a good solution, but Prometheus does with the snmp_exporter. So, a weird solution is to use the SNMP exporter to handle then SNMP stuff, then use the Metricbeat Prometheus collector module, to scrape the SNMP exporter to collect the data. This has a few weird side effects though.
You can somewhat work around this issue, by using processors that:
- drop_fields:
fields:
- "host"
ignore_missing: true
- dissect:
tokenizer: "%{}/snmp?module=%{}&target=%{host.name}"
field: "service.address"
target_prefix: ''
overwrite_keys: true
trim_values: 'all'
- copy_fields:
fields:
- from: host.name
to: host.hostname But, you can never set |
Hi! We're labeling this issue as |
still useful |
The dns processor previously supported only reverse DNS lookups. This adds support for performing A, AAAA, and TXT record queries. The response.ptr.histogram metric was renamed to request_duration.histogram. This naming allows the metric to represent the duration of the DNS request for all query types. Closes elastic#11416
The dns processor previously supported only reverse DNS lookups. This adds support for performing A, AAAA, and TXT record queries. The response.ptr.histogram metric was renamed to request_duration.histogram. This naming allows the metric to represent the duration of the DNS request for all query types. Closes elastic#11416
The dns processor previously supported only reverse DNS lookups. This adds support for performing A, AAAA, and TXT record queries. The response.ptr.histogram metric was renamed to request_duration.histogram. This naming allows the metric to represent the duration of the DNS request for all query types. Closes elastic#11416
The dns processor previously supported only reverse DNS lookups. This adds support for performing A, AAAA, and TXT record queries. The response.ptr.histogram metric was renamed to request_duration.histogram. This naming allows the metric to represent the duration of the DNS request for all query types. Some refactoring was done to unexport types/functions that should have been internal only. Closes #11416 Co-authored-by: Dan Kortschak <90160302+efd6@users.noreply.github.com>
The dns processor previously supported only reverse DNS lookups. This adds support for performing A, AAAA, and TXT record queries. The response.ptr.histogram metric was renamed to request_duration.histogram. This naming allows the metric to represent the duration of the DNS request for all query types. Some refactoring was done to unexport types/functions that should have been internal only. Closes elastic#11416 Co-authored-by: Dan Kortschak <90160302+efd6@users.noreply.github.com>
It would be great if WinlogBeat's DNS processor could resolve IP addresses given a hostname (Forward Lookup).
Especially useful in Windows world, caching would be necessary.
An extension to #7770, similar to Logstash's DNS filter (https://www.elastic.co/guide/en/logstash/current/plugins-filters-dns.html).
To add 'resolve' to Winlogbeat (and/or others) to DNS processor.
The text was updated successfully, but these errors were encountered: