
Function to DNS resolve field content

Open henrikjohansen opened this issue 9 years ago • 11 comments

I could really use a DNS resolver function for our rule processing, something like:

let name = resolve_field(to_string($message.ip_field));
set_field("dns_name", name);

... would be awesome :)

henrikjohansen avatar May 04 '16 20:05 henrikjohansen

We'll fold this into a more generic lookup table plugin, that will provide UI, configurable caches and multiple backends for external lookup functions like these. Once that repository exists, I'll link it to here.

kroepke avatar May 17 '16 15:05 kroepke

This would be great, have been looking for something like this for a while now.

LikeARock47 avatar Oct 13 '16 22:10 LikeARock47

Want to add some more use cases:

  • if you log your access points' syslog, lookup from MAC to IP and/or DNS
  • do reverse lookup on IP
  • lookup owner/contact information for MAC/IP

This should be the next big feature, as security people will benefit from it: if IDS systems feed into Graylog, you might want to look up the CMDB to get the known contact for the hardware.

jalogisch avatar Dec 30 '16 09:12 jalogisch

@jalogisch Correct - we're currently moving all message processing away from Graylog for this exact reason (and #151). We need to interact with lots of external systems to do enrichment, tagging, lookups, API calls, command execution, etc., and Graylog is unfortunately not capable of those operations ATM. Once processing is done, the subset of data that needs to be searchable goes to Graylog.

In reality, I would like to see pipeline processors offer more stream processing oriented capabilities :)

We also need more than just "stuff this into Elastic", but output management is a major pain-point in the current invocation of graylog-server.

henrikjohansen avatar Dec 30 '16 11:12 henrikjohansen

Hi, I'm trying to use the plugin on graylog 2.2.1 but unfortunately it doesn't seem to work. Are there any news about the development?

Androider03 avatar Feb 23 '17 16:02 Androider03

@Androider03

Please do not hijack this thread about a new feature. Processing Pipelines are shipped with Graylog, and this issue is only about one function that should be available.

We are using GitHub issues for tracking bugs, but this doesn't look like one. Please post this issue to our discussion forum or join the #graylog channel on freenode IRC.

Thank you!

jalogisch avatar Feb 24 '17 08:02 jalogisch

Any updates on this? I'm new to Graylog and doing a lookup on an external data source is something we need to do. Even if it's as simple as running a script on the machine, or hitting a simple REST API, I could work with that. Not sure how others are currently handling this, but seems like a great addition.

rosspeoples avatar May 17 '17 18:05 rosspeoples

This is introduced in the current release; this commit introduces them, and that will be part of Graylog 2.3.

Please watch the release section of the graylog blog for details.

jalogisch avatar May 24 '17 12:05 jalogisch

The DNS-HTTP service you would want to run could be this one: https://github.com/skx/dns-api.org. I removed --host 127.0.0.1 from the Docker entrypoint, then commented out all throttling in bin/dns-api.

Configure Graylog accordingly (screenshot not included):

If set correctly, you can then run (for example) RFC1918 / RFC4193 strings through the data adapters for human-readable logs. So for any extractors set up to search for IP or IP6, you'd get the name, not the IP address.


In the end, you can do a global stream search on say, _exists_:src_ipaddr_or_resolvd_hostname

wfleurant avatar Nov 24 '17 23:11 wfleurant
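A pipeline rule that consumes such a lookup table, added here as an example (it is not code from this thread or from the Graylog project). It assumes a lookup table named dns-reverse whose data adapter queries the dns-api service above, and a source field named src_ip; it only resolves RFC1918 addresses, as in the comment, and keeps the raw IP when the resolver returns nothing.

```graylog
rule "reverse-resolve private source IPs via lookup table"
when
  // only act on messages that carry the (assumed) extracted source IP field
  has_field("src_ip") &&
  (
    // restrict lookups to RFC1918 ranges so internal-only resolver data
    // is never consulted for arbitrary external addresses
    cidr_match("10.0.0.0/8", to_ip($message.src_ip)) ||
    cidr_match("172.16.0.0/12", to_ip($message.src_ip)) ||
    cidr_match("192.168.0.0/16", to_ip($message.src_ip))
  )
then
  let ip = to_string($message.src_ip);
  // "dns-reverse" is the assumed lookup table name; the third argument is the
  // default returned when the adapter has no entry, so the field always holds
  // either a hostname or the original IP and searches never lose the address
  let name = lookup_value("dns-reverse", ip, ip);
  // same field name the comment above searches for with _exists_:
  set_field("src_ipaddr_or_resolvd_hostname", name);
end
```

The original src_ip field is left untouched, so alerts and dashboards keyed on the address keep working alongside the resolved name.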

@wfleurant So I will get back the hostname if there is one with this script? How can I install the dns-api.org? Sorry for the question, I'm new to this all. Thanks

rphlwnk avatar Dec 13 '17 08:12 rphlwnk

@empfangsfehler Kind of an old question, but maybe you're still looking... if you can, run it as a Docker container:

https://hub.docker.com/r/piesecurity/dns-api/

etlweather avatar Jan 29 '18 00:01 etlweather