Hi team,
I need help with debugging a pipeline, can someone please help? My scenario is as below: I have 2 DNS servers, one is acting as a sinkhole [192.168.10.10] and the other is AD [192.168.10.20].
Users query the AD and those queries are forwarded to the sinkhole server.
192.168.10.10 logs are being ingested using Logstash, while on the AD I have installed Packetbeat and am ingesting DNS logs. AD logs are in the Adlog stream while sinkhole logs are in the sinkhole stream.
However, I need to find the original client IP address, which is there in the AD logs. Now my pipeline is:
- Set the Pipeline on sinkhole logs
- Query for the domains being queried
- If a match is found, look up the same field in the AD DNS logs
- If matched return packetbeat_client_ip
Somehow this is not working.
5d680f460e5df238446a93fb -> AD Stream ID

rule "Find Original Client IP"
when
  // only run on sinkhole messages that carry a queried domain
  has_field("qdomain")
then
  // look up the AD stream (by ID) for a DNS question matching the domain field
  // on this message, return packetbeat_client_ip, search the last 120 seconds,
  // newest first (note: the condition above tests "qdomain", the lookup uses "quried_domain")
  let orig_ip = slookup("5d680f460e5df238446a93fb", "quried_domain", "packetbeat_dns_question_name", ["packetbeat_client_ip"], "120", "desc");
  // copy the original client IP onto the sinkhole message
  set_field("packetbeat_client_ip", to_ip(orig_ip));
end

Can someone please help?
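The correlation the rule above is trying to do (match a sinkhole query to the most recent AD DNS query for the same name within 120 seconds and take its client IP), written out as a stand-alone Python example; this is added for illustration and is not the poster's rule or Graylog code, and the field names, timestamps and IPs in the sample events are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample events (not from the original post): Packetbeat DNS
# records from the AD server and one field set from the sinkhole stream.
AD_DNS = [
    {"@timestamp": "2019-09-01T10:00:00", "packetbeat_client_ip": "10.1.1.5",
     "packetbeat_dns_question_name": "bad.example"},
    {"@timestamp": "2019-09-01T10:00:02", "packetbeat_client_ip": "10.1.1.9",
     "packetbeat_dns_question_name": "bad.example"},
    {"@timestamp": "2019-09-01T10:05:00", "packetbeat_client_ip": "10.1.1.7",
     "packetbeat_dns_question_name": "good.example"},
]


def _ts(s):
    return datetime.fromisoformat(s)


def _norm(name):
    # DNS names may differ only by case or a trailing dot between the two logs
    return name.lower().rstrip(".")


def find_client_ip(sinkhole_event, ad_events=AD_DNS, window_seconds=120):
    """Return the client IP of the newest AD DNS query for the same name in the
    window_seconds before the sinkhole event, or None if nothing matches.
    Mirrors the slookup(..., "120", "desc") intent: time-bounded, newest first."""
    qname = sinkhole_event.get("qdomain")
    if not qname:
        return None
    ts = _ts(sinkhole_event["@timestamp"])
    earliest = ts - timedelta(seconds=window_seconds)
    candidates = [
        e for e in ad_events
        if _norm(e["packetbeat_dns_question_name"]) == _norm(qname)
        and earliest <= _ts(e["@timestamp"]) <= ts
    ]
    if not candidates:
        return None
    # "desc" ordering: take the most recent matching AD query
    newest = max(candidates, key=lambda e: _ts(e["@timestamp"]))
    return newest["packetbeat_client_ip"]


if __name__ == "__main__":
    hit = {"@timestamp": "2019-09-01T10:00:03", "qdomain": "BAD.example."}
    print(find_client_ip(hit))  # 10.1.1.9
```

Note that when several clients query the same name inside the window, the newest-first choice returns only one of them; shrinking the window or also matching on the forwarded query's timestamp reduces that ambiguity.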