I am missing a key piece in getting Windows DNS logs ingested into ElasticSearch: Filebeat is picking up the logs and pushing them to Logstash, but the fields are not mapping and no filtering is applying.
The piece I can't figure out is how does Logstash have a clue how to differentiate between the log sources? Am I supposed to set a tag in filebeat, or is there some other method?
If I am seeing the provided Logstash config correctly, it appears that 6301_dns_windows is looking for the "dns" type, but how does one specify this?
I am a novice at this and any help would be greatly appreciated in utilizing the work provided. Thank you for everything!
--
Follow Security Onion on Twitter!
https://twitter.com/securityonion
---
You received this message because you are subscribed to the Google Groups "security-onion" group.
To unsubscribe from this group and stop receiving emails from it, send an email to security-onion+unsubscribe@googlegroups.com.
To post to this group, send email to security-onion@googlegroups.com.
Visit this group at https://groups.google.com/group/security-onion.
For more options, visit https://groups.google.com/d/optout.
Indeed, I have already done that but ingestion has not changed. The filter is looking for: if [type] == "dns" and "bro" not in [tags]
Is the intention to use type instead of tags? I am just looking into the intent and how to get this done through filebeat. document_type in the config does not work.
On Friday, June 1, 2018 at 7:54:08 AM UTC-4, Wes wrote:
> Hi Daniel,
>
> You can set a tag in the Filebeat config, as described here:
>
> https://www.elastic.co/guide/en/beats/filebeat/current/configuration-general-options.html#_literal_tags_literal_2
>
> Thanks,
> Wes
>
> On Thu, May 31, 2018 at 9:41 PM, Daniel Sullivan <dan.sul...@gmail.com> wrote:
> Hello everyone,
>
> I am missing a key piece in getting Windows DNS logs ingested into ElasticSearch: Filebeat is picking up the logs and pushing them to Logstash, but the fields are not mapping and no filtering is applying.
>
> The piece I can't figure out is how does Logstash have a clue how to differentiate between the log sources? Am I supposed to set a tag in filebeat, or is there some other method?
>
> If I am seeing the provided Logstash config correctly, it appears that 6301_dns_windows is looking for the "dns" type, but how does one specify this?
>
> I am a novice at this and any help would be greatly appreciated in utilizing the work provided. Thank you for everything!
>
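An added example, not from this thread and not Security Onion's own configuration, of the Filebeat settings that make the quoted Logstash condition `if [type] == "dns" and "bro" not in [tags]` true for the Windows DNS events. The DNS debug log path and the Logstash host are placeholders; the `filebeat.inputs` key is the Filebeat 6.3+ name (older 6.x releases call it `filebeat.prospectors`).

```yaml
# filebeat.yml (example; assumed paths and hosts)
filebeat.inputs:
  - type: log
    enabled: true
    paths:
      # Placeholder: wherever the DNS server's debug log was configured to be written
      - 'C:\Windows\System32\dns\dns.log'
    # Custom fields are added to every event from this input. With
    # fields_under_root enabled they land at the top level of the event,
    # so Logstash sees [type] == "dns" rather than [fields][type].
    fields:
      type: dns
    fields_under_root: true
    # Optional: tags are appended to the event's tags array. Anything other
    # than "bro" is fine here, since the filter only excludes Bro-tagged events.
    tags: ["windows", "dns"]

output.logstash:
  # Placeholder host/port for the Logstash beats input
  hosts: ["logstash.example.internal:5044"]
```

The condition in the Security Onion filter tests a top-level `type` field, which is why `document_type` (no longer honoured by the Filebeat 6 line) and a bare `tags` entry on their own do not trigger it. Without `fields_under_root: true` the value would arrive as `fields.type` and the `[type] == "dns"` comparison would still fail; the quickest check is to look at a raw document in Kibana (or send one event to a `stdout { codec => rubydebug }` output in a test pipeline) and confirm that `type` appears at the root of the event before expecting the DNS grok patterns to apply.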