I need a help with debugging pipeline, can someone please help? My scenario is like below I have 2 DNS servers one is acting as a sinkhole [192.168.10.10] and other is AD.192.168.10.20]
User query to AD and those queries are forwarded to a sinkhole server.
192.168.10.10 logs are being ingested using logstash while on AD I have installed packetbeat and ingesting DNS logs. AD logs are in Adlog streams while sinkhole logs are in sinkhole stream.
However, I need to find the original client IP address which is there in AD logs. Now my pipeline is
- Set the Pipeline on sinkhole logs
- Query for domains are being queried
- if the match is found see the same field from AD DNS logs
- If matched return packetbeat_client_ip
Somehow this is not working.
5d680f460e5df238446a93fb -> AD Stream ID
rule "Find Original Client IP" when has_field("qdomain") then let orig_ip = slookup("5d680f460e5df238446a93fb","quried_domain","packetbeat_dns_question_name", ["packetbeat_client_ip"], "120", "desc"); set_field("packetbeat_client_ip", to_ip(orig_ip)); end
Can someone pls help?