Hostname resolution on internal network.

Darryl Mackay

Sep 17, 2021, 11:27:56 PM9/17/21
to SELKS
Hi all,

Is it possible to get SELKS to do hostname resolution on the internal network, for it to display in Evebox, Kibana etc?

Thank you in advance for your help.

Alexander Nedelchev

Sep 20, 2021, 5:49:32 AM9/20/21
to SELKS
Hi,
You can set up your own local DNS server, add names for your local network to it, and set up Logstash to do the DNS lookup.

Alexander Nedelchev

Sep 20, 2021, 5:49:55 AM9/20/21
to SELKS
quoting OP:

Hi all,

For the benefit of everybody here, I got the hostname resolution to work. Here are the steps:

1.) Install the logstash-filter-dns plugin:

/usr/share/logstash/bin/logstash-plugin install logstash-filter-dns

2.) Edit the /etc/logstash/conf.d/logstash.conf file:

filter {
  # Reverse-resolve (PTR lookup) both address fields of each EVE event.
  # "replace" overwrites the IP in the field with the resolved name.
  dns {
    reverse => [ "src_ip", "dest_ip" ]
    action => "replace"
  }
}

Add this after (or maybe before) the current filter section and save the file with the new filters included.

3.) Restart Logstash:

service logstash restart

Give it a while and the FQDNs appear in both EveBox and Kibana.

Thank you.