How to make PTR query using function?


(Blason) #1

Hi Team,

I am collecting BIND logs and being parsed properly. However wanted to seek your ideas if below can be achieved using graylog pipelines?

among the bind logs one of the field I am collecting is client who is querying which is coming as IP addresses. If I can do a PTR or ping -a to that host I get the hostname that way it is pretty easy to identify hence wondering if function or pipeline can be written to achieve the same?

23-Nov-2018 08:09:47.429 client 192.168.5.103#56341 (000info.com): query: 000info.com IN A +E (192.168.5.43)

C:\Users\neo>ping -a 192.168.5.103

Pinging DESKTOP-TUSS$$F [192.168.5.103] with 32 bytes of data:


#2

I wrote a simple www server with perl. The server receives http queries (that graylog HTTP data adapter can send), makes a reverse dns query with the IP address found in the query and replies with a json reply. Works nicely, but of course it is a hack.

If I understand correctly, version 2.5.0 will support DNS queries natively (https://github.com/Graylog2/graylog2-server/pull/5274).


(Jan Doberstein) #3

@blason the upcoming 2.5 will have DNS Lookup Table as @jtkarvo already pointed out.


(system) #4

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.