DNS fields
DNS-specific event fields.

dns.id
type: long
The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response.

dns.op_code
example: QUERY
The DNS operation code that specifies the kind of query in the message. This value is set by the originator of a query and copied into the response.

dns.flags.authoritative
type: boolean
A DNS flag specifying that the responding server is an authority for the domain name used in the question.

dns.flags.recursion_available
type: boolean
A DNS flag specifying whether recursive query support is available in the name server.

dns.flags.recursion_desired
type: boolean
A DNS flag specifying that the client directs the server to pursue a query recursively. Recursive query support is optional.

dns.flags.authentic_data
type: boolean
A DNS flag specifying that the recursive server considers the response authentic.

dns.flags.checking_disabled
type: boolean
A DNS flag specifying that the client disables the server signature validation of the query.

dns.flags.truncated_response
type: boolean
A DNS flag specifying that only the first 512 bytes of the reply were returned.

dns.response_code
example: NOERROR
The DNS status code.

dns.question.name
example: www.google.com.
The domain name being queried. If the name field contains non-printable characters (below 32 or above 126), then those characters are represented as escaped base 10 integers (\DDD). Backslashes and quotes are escaped. Tabs, carriage returns, and line feeds are converted to \t, \r, and \n respectively.
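The escaping rule for dns.question.name, as an added example in Go that is not Packetbeat's own code: an encoder that applies the rule exactly as stated above, and a decoder that recovers the raw label bytes from an exported value and rejects malformed escapes rather than guessing, which matters when an analyst compares exported names against wire-format captures. The function names, the lookup tables and the sample names used in the test are assumptions.

```go
package main

import (
	"fmt"
	"strings"
)

// escapeDNSName applies the dns.question.name encoding: tab, CR, LF, backslash
// and quote get a named escape; other bytes below 32 or above 126 become \DDD.
var named = map[byte]string{'\t': `\t`, '\r': `\r`, '\n': `\n`, '\\': `\\`, '"': `\"`}
func escapeDNSName(raw []byte) string {
	var b strings.Builder
	for _, c := range raw {
		switch {
		case named[c] != "":
			b.WriteString(named[c])
		case c < 32 || c > 126:
			fmt.Fprintf(&b, `\%03d`, c)
		default:
			b.WriteByte(c)
		}
	}
	return b.String()
}

// unescapeDNSName recovers the raw bytes from an exported value and rejects a
// dangling backslash or a bad \DDD (non-digit, or above 255) outright.
var unnamed = map[byte]byte{'t': '\t', 'r': '\r', 'n': '\n', '\\': '\\', '"': '"'}
func unescapeDNSName(s string) ([]byte, error) {
	out := make([]byte, 0, len(s))
	for i := 0; i < len(s); i++ {
		if s[i] != '\\' {
			out = append(out, s[i])
			continue
		}
		if i++; i < len(s) && unnamed[s[i]] != 0 {
			out = append(out, unnamed[s[i]])
			continue
		}
		n := -1 // stays -1 unless exactly three decimal digits follow
		if i+2 < len(s) && strings.Trim(s[i:i+3], "0123456789") == "" {
			n = int(s[i]-'0')*100 + int(s[i+1]-'0')*10 + int(s[i+2]-'0')
		}
		if n < 0 || n > 255 {
			return nil, fmt.Errorf("malformed escape at offset %d in %q", i-1, s)
		}
		out, i = append(out, byte(n)), i+2 // consume the three digits
	}
	return out, nil
}
```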

dns.question.type
example: AAAA
The type of records being queried.

dns.question.class
example: IN
The class of records being queried.

dns.question.etld_plus_one
example: amazon.co.uk.
The effective top-level domain (eTLD) plus one more label. For example, the eTLD+1 for "foo.bar.golang.org." is "golang.org.". The data for determining the eTLD comes from an embedded copy of the data from http://publicsuffix.org.

dns.answers
type: object
An array containing a dictionary about each answer section returned by the server.

dns.answers_count
type: long
The number of resource records contained in the dns.answers field.

dns.answers.name
example: example.com.
The domain name to which this resource record pertains.

dns.answers.type
example: MX
The type of data contained in this resource record.

dns.answers.class
example: IN
The class of DNS data contained in this resource record.

dns.answers.ttl
type: long
The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached.

dns.answers.data
The data describing the resource. The meaning of this data depends on the type and class of the resource record.

dns.authorities
type: object
An array containing a dictionary for each authority section from the answer.

dns.authorities_count
type: long
The number of resource records contained in the dns.authorities field. The dns.authorities field may or may not be included depending on the configuration of Packetbeat.

dns.authorities.name
example: example.com.
The domain name to which this resource record pertains.

dns.authorities.type
example: NS
The type of data contained in this resource record.

dns.authorities.class
example: IN
The class of DNS data contained in this resource record.

dns.additionals
type: object
An array containing a dictionary for each additional section from the answer.

dns.additionals_count
type: long
The number of resource records contained in the dns.additionals field. The dns.additionals field may or may not be included depending on the configuration of Packetbeat.

dns.additionals.name
example: example.com.
The domain name to which this resource record pertains.

dns.additionals.type
example: NS
The type of data contained in this resource record.

dns.additionals.class
example: IN
The class of DNS data contained in this resource record.

dns.additionals.ttl
type: long
The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached.

dns.additionals.data
The data describing the resource. The meaning of this data depends on the type and class of the resource record.

dns.opt.version
example: 0
The EDNS version.

dns.opt.do
type: boolean
If set, the transaction uses DNSSEC.

dns.opt.ext_rcode
example: BADVERS
Extended response code field.

dns.opt.udp_size
type: long
Requestor’s UDP payload size (in bytes).