DNS Enricher

DNS Enricher enriches event with information loaded from DNS server(s), such as hostnames.

Example

Declaration

  ---
  define:
    name: DNSEnricher
    type: enricher/dns
    dns_server: 8.8.8.8,5.5.4.8  # optional

  attributes:

    device.ip:
      hostname: host.hostname

    source.ip:
      hostname:
        - host.hostname
        - source.hostname

Input

{
    "source.ip": "142.251.37.110",
}

Output

{
    "source.ip": "142.251.37.110", 
    "host.hostname": "prg03s13-in-f14.1e100.net",
    "source.hostname": "prg03s13-in-f14.1e100.net"
}

Section `define`

This section defines the name and the type of the enricher, which in the case of DNS Enricher is always enricher/dns.

Item `name`

Shorter human-readable name of this declaration.

Item `type`

The type of this declaration, must be enricher/dns.

Item `dns_server`

The list of DNS servers to ask for information, separated by comma ,.

Section `attributes`

Specify dictionary with attribues to load the IP address or other DNS-lookup information from.

Each attribute should be followed by another dictionary with the list of keys to extract from the DNS server.

Then the value of every key is either string with the name of the event attribute to store the looked up value in, or a list, if the value should be inserted into more than one event attribute.

DNS Enricher

Example

Declaration

Input

Output

Section define

Item name

Item type

Item dns_server

Section attributes

Section `define`

Item `name`

Item `type`

Item `dns_server`

Section `attributes`