DNS Processor for Ingest Pipelines #91624

Open
MakoWish opened this issue Nov 16, 2022 · 3 comments
Labels
:Data Management/Ingest Node Execution or management of Ingest Pipelines including GeoIP >enhancement Team:Data Management Meta label for data/management team

Comments

@MakoWish

Description

TL;DR - There needs to be a DNS processor for Ingest Pipelines.

We have been using Elastic as a SIEM for nearly four years, and we have now spent the last ~15 months rolling it out as a Data Lake and Infrastructure Monitoring tool for the rest of our company. Over the years, we have come to rely quite heavily on Logstash for parsing and enrichment of all data being ingested (including Beats); nothing is written directly to Elasticsearch. The key enrichment aspects we rely on are Geo Location, DNS lookups, and appending to the related.* fields.

Now that Elastic Agent has been around for a while, I have been playing around with it on a few test devices as a centrally managed alternative to Beats agents; mainly Winlogbeat which is currently deployed to 5,000+ devices. Winlogbeat has always parsed each event at the agent (creating the ECS fields source.ip, user.name, etc.), so this allowed our Logstash enrichment on these ECS fields to work perfectly. Now that Elastic Agent uses Filebeat for Windows Event Logs, the parsing does not occur until hitting Ingest Pipelines at Elasticsearch. This unfortunately means the enrichment we have always done in Logstash is not possible.

I recently realized each Integration's Ingest Pipelines also run an *@custom pipeline after the pre-built pipeline runs. I thought this may be our way to translate our Logstash pipelines to Ingest Pipelines and start using Elastic Agent with the same enrichment we have always done. I am unfortunately finding there is no DNS processor for Ingest Pipelines, and like I mentioned before, this is one thing we have come to rely on quite heavily.

I would like to request a DNS processor be created for Ingest Pipelines. The lack of a DNS processor for Ingest Pipelines is preventing us from using Elastic Agent.

Eric
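To make concrete what the enrichment step above has to do (reverse lookup of the ECS source/destination IPs, append to related.ip and related.hosts, tolerate lookups that fail), here is an added example written for this page; it is not Elastic's code, not the Logstash dns filter, and not a proposal for the processor's API. It follows the Logstash filter's general behaviour as an assumption (reverse lookup with separate hit and miss caches) and constructs its own PTR table and sample Windows-logon events so it runs offline; the choice to write the resolved name into source.domain / destination.domain is also an assumption, though those are real ECS fields.

```python
"""Reverse-DNS enrichment of ECS events, in the spirit of the Logstash `dns`
filter and of the ingest processor this issue asks for. Added example, not
Elastic code: event shape follows ECS (source.ip, destination.ip, source.domain,
related.ip, related.hosts); the PTR table, sample events and the decision to
fill <prefix>.domain are constructed assumptions for illustration."""
import copy
import ipaddress
import socket
import time
from typing import Any, Callable, Dict, Optional, Sequence, Tuple

Resolver = Callable[[str], Optional[str]]

# Constructed PTR table so the example runs offline; use system_resolver for real lookups.
FAKE_PTR: Dict[str, str] = {
    "10.0.0.5": "dc01.corp.example",
    "10.0.0.7": "fileserver.corp.example",
}


def fake_resolver(ip: str) -> Optional[str]:
    return FAKE_PTR.get(ip)


def system_resolver(ip: str) -> Optional[str]:
    """PTR lookup via the OS resolver; a miss or timeout yields None, never an exception."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:  # socket.herror / socket.gaierror are OSError subclasses
        return None


def _get(event: Dict[str, Any], path: str) -> Any:
    node: Any = event
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def _parent(event: Dict[str, Any], path: str) -> Tuple[Dict[str, Any], str]:
    parts = path.split(".")
    node = event
    for part in parts[:-1]:
        node = node.setdefault(part, {})
    return node, parts[-1]


def _set_if_absent(event: Dict[str, Any], path: str, value: str) -> None:
    node, leaf = _parent(event, path)
    node.setdefault(leaf, value)


def _append_unique(event: Dict[str, Any], path: str, value: str) -> None:
    """Behaves like the ingest `append` processor with allow_duplicates=false."""
    node, leaf = _parent(event, path)
    current = node.get(leaf)
    if current is None:
        node[leaf] = [value]
    elif isinstance(current, list):
        if value not in current:
            current.append(value)
    elif current != value:
        node[leaf] = [current, value]


class ReverseDnsEnricher:
    """Resolves the IPs in `fields`, fills <prefix>.domain, appends related.ip / related.hosts."""

    def __init__(self, resolver: Resolver, fields: Sequence[str] = ("source.ip", "destination.ip"),
                 hit_ttl: float = 300.0, miss_ttl: float = 60.0,
                 clock: Callable[[], float] = time.monotonic):
        self.resolver, self.fields, self.clock = resolver, fields, clock
        self.hit_ttl, self.miss_ttl = hit_ttl, miss_ttl
        self._cache: Dict[str, Tuple[Optional[str], float]] = {}
        self.lookups = 0  # resolver calls actually issued, for tests and metrics

    @staticmethod
    def _resolvable(value: Any) -> Optional[str]:
        """Normalised IP worth resolving, or None for non-IPs, loopback, multicast, link-local."""
        if not isinstance(value, str):
            return None
        try:
            addr = ipaddress.ip_address(value)
        except ValueError:
            return None
        if addr.is_unspecified or addr.is_loopback or addr.is_multicast or addr.is_link_local:
            return None
        return str(addr)

    def _lookup(self, ip: str) -> Optional[str]:
        now = self.clock()
        cached = self._cache.get(ip)
        if cached is not None and cached[1] > now:
            return cached[0]
        self.lookups += 1
        name = self.resolver(ip)
        # Misses are cached too (shorter TTL), so a burst of events from an
        # unresolvable IP does not become a burst of resolver queries.
        self._cache[ip] = (name, now + (self.hit_ttl if name else self.miss_ttl))
        return name

    def enrich(self, event: Dict[str, Any]) -> Dict[str, Any]:
        for field in self.fields:
            ip = self._resolvable(_get(event, field))
            if ip is None:
                continue
            _append_unique(event, "related.ip", ip)
            name = self._lookup(ip)
            if name is None:
                continue  # a failed lookup must not fail the event
            _set_if_absent(event, field.rsplit(".", 1)[0] + ".domain", name)
            _append_unique(event, "related.hosts", name)
        return event


# Constructed sample events shaped like parsed Windows logons (ECS fields only).
SAMPLE_EVENTS = [
    {"event": {"code": "4624"}, "source": {"ip": "10.0.0.5"}, "user": {"name": "jdoe"}},
    {"source": {"ip": "10.0.0.9"}, "destination": {"ip": "10.0.0.7"}},  # 10.0.0.9 has no PTR
    {"source": {"ip": "127.0.0.1"}},  # loopback: skipped, no related.* written
    {"source": {"ip": "not-an-ip"}},  # unparsed value: skipped
]


def run_sample(resolver: Resolver = fake_resolver):
    enricher = ReverseDnsEnricher(resolver)
    return [enricher.enrich(copy.deepcopy(e)) for e in SAMPLE_EVENTS], enricher


if __name__ == "__main__":
    for ev in run_sample()[0]:
        print(ev)
```

Two points a practitioner would want from a real processor are visible here: addresses that can never resolve usefully (loopback, multicast, link-local) are skipped before any query is sent, and negative answers are cached with their own TTL so noisy sources do not hammer the resolver. Swap `fake_resolver` for `system_resolver` to run it against real PTR records.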

@MakoWish MakoWish added >enhancement needs:triage Requires assignment of a team area label labels Nov 16, 2022
@DJRickyB DJRickyB added :Data Management/Ingest Node Execution or management of Ingest Pipelines including GeoIP and removed needs:triage Requires assignment of a team area label labels Nov 21, 2022
@elasticsearchmachine

Pinging @elastic/es-data-management (Team:Data Management)

@elasticsearchmachine elasticsearchmachine added the Team:Data Management Meta label for data/management team label Nov 21, 2022
@MakoWish

MakoWish commented Jan 25, 2024

Got quite a few other customers that seem to want this, but no love from the Elastic side even after bringing it up with our CSMs. Was talking to @jamiehynds, and he pointed me to a similar issue he opened on the Integrations side: #2532

@tylerperk tylerperk self-assigned this Jan 29, 2024
@Erikg346

+1
Any update?
