[Filebeat] Update CoreDNS pipelines for ECS DNS #13505
Conversation
andrewkroh
force-pushed
the
feature/coredns-ecs-conversion
branch
from
42b0544
to
e3c6446
Compare
This sets the ECS DNS fields. It does not remove the coredns.* fields to avoid introducing a breaking change. Relates elastic#13320
andrewkroh
force-pushed
the
feature/coredns-ecs-conversion
branch
from
e3c6446
to
23e65a1
Compare
|
Pinging @elastic/siem |
andrewkroh
changed the title
|
There one unrelated failure on Jenkins/Linux/libbeat:
|
| - set: | ||
| if: ctx.dns?.question?.name != null | ||
| field: coredns.query.name | ||
| value: '{{dns.question.name}}' |
There was a problem hiding this comment.
Can we also add the registered_domain processor, to set dns.question.registered_domain?
There was a problem hiding this comment.
It will take some refactoring because all of the processing is happening in Ingest Node with this pipeline. To use the Beat's registered_domain I'll need to move some of the dissecting to Beats.
There was a problem hiding this comment.
Ah, with all the YAML, I hadn't actually noticed that this was an ingest pipeline :-)
Let's call this out of scope for now, then?
| ], | ||
| "dns.id": "6966", | ||
| "dns.question.class": "IN", | ||
| "dns.question.name": "httpbin.org.", |
There was a problem hiding this comment.
Could you remove the trailing dot from domain lookups?
This sets the ECS DNS fields. It does not remove the coredns.* fields to avoid introducing
a breaking change.
Relates #13320