Dns filter plugin
editDns filter plugin
edit- Plugin version: v3.2.0
- Released on: 2023-01-26
- Changelog
For other versions, see the Versioned plugin docs.
Getting help
editFor questions about the plugin, open a topic in the Discuss forums. For bugs or feature requests, open an issue in Github. For the list of Elastic supported plugins, please consult the Elastic Support Matrix.
Description
editThe DNS filter performs a lookup (either an A record/CNAME record lookup
or a reverse lookup at the PTR record) on records specified under the
reverse
arrays or respectively under the resolve
arrays.
The config should look like this:
filter { dns { reverse => [ "source_host", "field_with_address" ] resolve => [ "field_with_fqdn" ] action => "replace" } }
This filter, like all filters, only processes 1 event at a time, so the use of this plugin can significantly slow down your pipeline’s throughput if you have a high latency network. By way of example, if each DNS lookup takes 2 milliseconds, the maximum throughput you can achieve with a single filter worker is 500 events per second (1000 milliseconds / 2 milliseconds).
Dns Filter Configuration Options
editThis plugin supports the following configuration options plus the Common options described later.
Setting | Input type | Required |
---|---|---|
string, one of |
No |
|
No |
||
No |
||
No |
||
No |
||
No |
||
No |
||
No |
||
No |
||
No |
||
No |
||
No |
Also see Common options for a list of options supported by all filter plugins.
action
edit-
Value can be any of:
append
,replace
-
Default value is
"append"
Determine what action to do: append or replace the values in the fields
specified under reverse
and resolve
.
failed_cache_size
edit- Value type is number
-
Default value is
0
(cache disabled)
cache size for failed requests
failed_cache_ttl
edit- Value type is number
-
Default value is
5
how long to cache failed requests (in seconds)
hit_cache_size
edit- Value type is number
-
Default value is
0
(cache disabled)
set the size of cache for successful requests
hit_cache_ttl
edit- Value type is number
-
Default value is
60
how long to cache successful requests (in seconds)
hostsfile
edit- Value type is array
- There is no default value for this setting.
Use custom hosts file(s). For example: ["/var/db/my_custom_hosts"]
max_retries
edit- Value type is number
-
Default value is
2
number of times to retry a failed resolve/reverse
nameserver
edit-
Value type is hash, and is composed of:
-
a required
address
key, whose value is either a string or an array, representing one or more nameserver ip addresses -
an optional
search
key, whose value is either a string or an array, representing between one and six search domains (e.g., with search domaincom
, a query forexample
will match DNS entries forexample.com
) -
an optional
ndots
key, used in conjunction withsearch
, whose value is a number, representing the minimum number of dots in a domain name being resolved that will prevent the search domains from being used (default1
; this option is rarely needed)
-
a required
- For backward-compatibility, values of string and array are also accepted, representing one or more nameserver ip addresses without search domains.
- There is no default value for this setting.
Use custom nameserver(s). For example:
filter { dns { nameserver => { address => ["8.8.8.8", "8.8.4.4"] search => ["internal.net"] } } }
If nameserver
is not specified then /etc/resolv.conf
will be read to
configure the resolver using the nameserver
, domain
,
search
and ndots
directives in /etc/resolv.conf
.
resolve
edit- Value type is array
- There is no default value for this setting.
Forward resolve one or more fields.
reverse
edit- Value type is array
- There is no default value for this setting.
Reverse resolve one or more fields.
Common options
editThese configuration options are supported by all filter plugins:
Setting | Input type | Required |
---|---|---|
No |
||
No |
||
No |
||
No |
||
No |
||
No |
||
No |
add_field
edit- Value type is hash
-
Default value is
{}
If this filter is successful, add any arbitrary fields to this event.
Field names can be dynamic and include parts of the event using the %{field}
.
Example:
filter { dns { add_field => { "foo_%{somefield}" => "Hello world, from %{host}" } } }
# You can also add multiple fields at once: filter { dns { add_field => { "foo_%{somefield}" => "Hello world, from %{host}" "new_field" => "new_static_value" } } }
If the event has field "somefield" == "hello"
this filter, on success,
would add field foo_hello
if it is present, with the
value above and the %{host}
piece replaced with that value from the
event. The second example would also add a hardcoded field.
add_tag
edit- Value type is array
-
Default value is
[]
If this filter is successful, add arbitrary tags to the event.
Tags can be dynamic and include parts of the event using the %{field}
syntax.
Example:
filter { dns { add_tag => [ "foo_%{somefield}" ] } }
# You can also add multiple tags at once: filter { dns { add_tag => [ "foo_%{somefield}", "taggedy_tag"] } }
If the event has field "somefield" == "hello"
this filter, on success,
would add a tag foo_hello
(and the second example would of course add a taggedy_tag
tag).
enable_metric
edit- Value type is boolean
-
Default value is
true
Disable or enable metric logging for this specific plugin instance. By default we record all the metrics we can, but you can disable metrics collection for a specific plugin.
id
edit- Value type is string
- There is no default value for this setting.
Add a unique ID
to the plugin configuration. If no ID is specified, Logstash will generate one.
It is strongly recommended to set this ID in your configuration. This is particularly useful
when you have two or more plugins of the same type, for example, if you have 2 dns filters.
Adding a named ID in this case will help in monitoring Logstash when using the monitoring APIs.
filter { dns { id => "ABC" } }
Variable substitution in the id
field only supports environment variables
and does not support the use of values from the secret store.
periodic_flush
edit- Value type is boolean
-
Default value is
false
Call the filter flush method at regular interval. Optional.
remove_field
edit- Value type is array
-
Default value is
[]
If this filter is successful, remove arbitrary fields from this event. Fields names can be dynamic and include parts of the event using the %{field} Example:
filter { dns { remove_field => [ "foo_%{somefield}" ] } }
# You can also remove multiple fields at once: filter { dns { remove_field => [ "foo_%{somefield}", "my_extraneous_field" ] } }
If the event has field "somefield" == "hello"
this filter, on success,
would remove the field with name foo_hello
if it is present. The second
example would remove an additional, non-dynamic field.
remove_tag
edit- Value type is array
-
Default value is
[]
If this filter is successful, remove arbitrary tags from the event.
Tags can be dynamic and include parts of the event using the %{field}
syntax.
Example:
filter { dns { remove_tag => [ "foo_%{somefield}" ] } }
# You can also remove multiple tags at once: filter { dns { remove_tag => [ "foo_%{somefield}", "sad_unwanted_tag"] } }
If the event has field "somefield" == "hello"
this filter, on success,
would remove the tag foo_hello
if it is present. The second example
would remove a sad, unwanted tag as well.