Graylog DNS Plugin

(Sascha Henke) #1

Hi all,

Maybe I'm missing something, but I don’t know how to get the DNS resolver plugin working.
Got it from here:

The plugin file is placed in the right folder, the server is restarted. I can see it in the log file as loaded:

2018-08-07T09:30:01.503+02:00 INFO  [CmdLineTool] Loaded plugin: DnsResolverFilter 1.2.0 [org.graylog.plugin.filter.dns.DnsResolverFilterPlugin]

What should I do next to see results?
Is it something with the format of the message? I had a look in the source files but wasn’t sure what’s wrong.

(Jan Doberstein) #2

The readme reveals:

This message filter plugin can be used to do DNS lookups for the source field in Graylog messages.

It will just try the above - if possible. No configuration needed/possible.

(Sascha Henke) #3

Since the term “source” is used in different ways throughout the docs I found, I thought I could use this plugin for reverse lookup of the src_ip and dst_ip.

(Jan Doberstein) #4

You would need to use a lookup table for that - but the current release does not include the DNS resolver. You would need to write your own lookup adapter.