NSlookup from beats of windows event viewer

I am trying to deploy Graylog in order to replace Netwrix as a logon/logoff/failure data collector. Using a windows server as PDC that authenticate users.

I noticed that in many entries, the workstation name is BLANK, but there is a valid ip address. So i would like to set workstation name (when empty) as the result of “nslookup ipaddress”. I am not sure how to do it : in winlogbeat? (i use sidecar). Or pipelines ?


Using graylog 5.2.4 with open search and mongodb. Sidecar/winlogbeats for collecting logs from windows servers.

Already tried to look for a solution online but i could not manage to solve it.
Thanks in advance.

So most likely what you want to do is create a reverse DNS lookup table, and then query that lookup table from a pipeline rule to get the DNS address.

Thanks Joel,
I thought was possible to “dinamically” do the dns lookup in some way.
You suggest to create a DNS lookup table? And then query this table with a pipeline rule… ok, i am new to this things … can you recommend me a guide where to do it ?

This is the official docs on. Resting the lookup table and also talks a bit about how to use the lookup function in a pipeline. Lookup Tables

Ok thanks, so i managed to solve it using the “Extract lookup value” in the pipeline stage rule that uses the lookup table/data adapter i created , that must be type “Reverse lookup (PTR)”, and where i can specify the DNS servers ip.

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.