DNS Filter
This filter resolves IP addresses or host names found in fields of your choosing.
The DNS filter performs a lookup (either a forward A/CNAME record lookup or a reverse PTR record lookup) on the fields listed in the "reverse" and "resolve" arrays.
The config should look like this:
filter {
  dns {
    type => 'type'
    reverse => [ "@source_host", "field_with_address" ]
    resolve => [ "field_with_fqdn" ]
    action => "replace"
  }
}
Caveats: at the moment, there's no way to tune the lookup timeout with the 'resolv' core library. It does seem to be fixed here:
http://redmine.ruby-lang.org/issues/5100
but that fix isn't currently in JRuby.
filter {
  dns {
    action => ... # ["append", "replace"] (optional)
    add_field => ... # hash (optional), default: {}
    add_tag => ... # array (optional), default: []
    resolve => ... # array (optional)
    reverse => ... # array (optional)
    tags => ... # array (optional), default: []
    type => ... # string (optional), default: ""
  }
}
action
Determine what to do with a successful lookup: append the result to, or replace, the values in the fields listed under "reverse" and "resolve".
add_field
If this filter is successful, add any arbitrary fields to this event. Example:
filter {
  myfilter {
    add_field => [ "sample", "Hello world, from %{@source}" ]
  }
}
On success, myfilter will add the field 'sample' with the value above, with the %{@source} piece replaced by the value of that field from the event.
add_tag
If this filter is successful, add arbitrary tags to the event. Tags can be dynamic and include parts of the event using the %{field} syntax. Example:
filter {
  myfilter {
    add_tag => [ "foo_%{somefield}" ]
  }
}
If the event has field "somefield" == "hello", this filter, on success, would add the tag "foo_hello".
resolve
Forward resolve (host name to address) one or more fields.
reverse
Reverse resolve (address to host name) one or more fields.
tags
Only handle events that carry all of these tags. Note that if you also specify a type, the event must match that type as well. Optional.
type
The type to act on. If a type is given, this filter will only act on events with the same type. See any input plugin's "type" attribute for more. Optional.
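To make the "reverse", "resolve" and "action" settings concrete, here is an added Ruby example (not the Logstash plugin's own code) that applies the same semantics to a plain Hash event. The resolver is injected so the example runs offline with a constructed stub; the DnsFilterExample and StubResolver names, the documentation-range addresses, and the per-lookup Timeout wrapper (a workaround for the timeout caveat above, not something the page's 'resolv' library offers) are all assumptions.

```ruby
require 'resolv'
require 'timeout'

# Emulates the dns filter: reverse (PTR) and resolve (A/CNAME) lookups on the
# named fields, with action "replace" or "append". Pass Resolv::DNS.new as the
# resolver for real lookups; a stub is used below so the example runs offline.
class DnsFilterExample
  def initialize(reverse: [], resolve: [], action: "replace",
                 resolver: Resolv::DNS.new, timeout: 2)
    @reverse, @resolve, @action = reverse, resolve, action
    @resolver, @timeout = resolver, timeout
  end

  # Returns the event with resolved fields updated. A lookup that fails or
  # times out leaves that field untouched (assumed to mirror the filter's
  # silent skip), so one bad name never stalls or corrupts the event.
  def filter(event)
    @reverse.each { |f| apply(event, f) { |v| @resolver.getname(v).to_s } }
    @resolve.each { |f| apply(event, f) { |v| @resolver.getaddress(v).to_s } }
    event
  end

  private

  def apply(event, field)
    return unless event.key?(field)
    result = Timeout.timeout(@timeout) { yield(event[field]) }
    # "append" turns the field into an array [original, resolved];
    # "replace" overwrites the original value.
    event[field] = @action == "append" ? Array(event[field]) + [result] : result
  rescue Resolv::ResolvError, Timeout::Error
    # lookup failed: keep the original value
  end
end

# Constructed offline stand-in for Resolv::DNS with a fixed, made-up mapping.
class StubResolver
  FORWARD = { "www.example.com" => "198.51.100.7" }
  REVERSE = { "192.0.2.10" => "host.example.net" }
  def getaddress(name) = FORWARD.fetch(name) { raise Resolv::ResolvError, "no A for #{name}" }
  def getname(addr)    = REVERSE.fetch(addr)  { raise Resolv::ResolvError, "no PTR for #{addr}" }
end

# Constructed sample event: one reverse field, one forward field, one unresolvable name.
def run_example(action = "append", resolver = StubResolver.new)
  event = { "@source_host" => "192.0.2.10", "field_with_fqdn" => "www.example.com",
            "bad" => "nope.invalid" }
  DnsFilterExample.new(reverse: ["@source_host"], resolve: ["field_with_fqdn", "bad"],
                       action: action, resolver: resolver).filter(event)
end
```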