Logstash Configuration for dnstap
Now let's configure Logstash to grab the data in dnstap.json logged by dnstap-receiver. View the Logstash Configuration for TD section of this document for more details on Logstash and config files.
Access the machine where your Logstash instance is installed. Note: For this demo, Elastic Stack was installed on Ubuntu 18.04.
Open a terminal.
Navigate to where your Logstash configuration (.conf) files are located. In this demonstrative environment, these files are located in /etc/logstash/conf.d. Input the following command to navigate to the correct directory:
cd /etc/logstash/conf.d
Create a new file called dnstap-nios.conf:
sudo touch dnstap-nios.conf
Open the file with gedit for editing:
sudo gedit dnstap-nios.conf
Copy and paste the following into the file. Save and close the file when finished.
input {
  file {
    path => "/var/log/dnstap/*"
    codec => "json"
    mode => "tail"
    sincedb_path => "/dev/null"
  }
}
output {
  elasticsearch {
    hosts => ["localhost:9200"]
    index => "dnstap-nios"
  }
}
Note that we are grabbing everything in the /var/log/dnstap directory we created earlier. Because dnstap-receiver is set to append every dnstap message to the dnstap.json file, we set the mode to tail.
Navigate to your home directory for Logstash. For this demo, this is /usr/share/logstash. Input the following command to navigate to the correct directory:
cd /usr/share/logstash
Run Logstash with your new configuration:
sudo bin/logstash -f /etc/logstash/conf.d/dnstap-nios.conf
Allow several minutes of processing. The console will inform you if there are any syntax errors with your config file.
Alternatively, you can simply restart the Logstash service, but the console will not warn you of any errors with your config file:
sudo systemctl restart logstash
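As an added example (not part of the original walkthrough), here is a hardened variant of the pipeline above: it keeps a persistent sincedb so a Logstash restart resumes from the last read offset instead of forgetting it, and it routes any line the json codec could not decode (Logstash tags such events with _jsonparsefailure) into a separate index so malformed dnstap output is visible rather than silently mixed into dnstap-nios. The sincedb path and the dnstap-nios-parsefail index name are assumptions chosen for this example.

```conf
input {
  file {
    path => "/var/log/dnstap/*"
    codec => "json"
    mode => "tail"
    # Assumed path: must be writable by the user Logstash runs as.
    # Persisting the offset here (instead of /dev/null) means a restart
    # continues from where the previous run stopped.
    sincedb_path => "/var/lib/logstash/dnstap-nios.sincedb"
  }
}

filter {
  # The json codec adds this tag when a line is not valid JSON
  # (for example a partially written or truncated record).
  if "_jsonparsefailure" in [tags] {
    mutate {
      add_field => { "[@metadata][target_index]" => "dnstap-nios-parsefail" }
    }
  } else {
    mutate {
      add_field => { "[@metadata][target_index]" => "dnstap-nios" }
    }
  }
}

output {
  elasticsearch {
    hosts => ["localhost:9200"]
    # @metadata fields are not indexed, so only the chosen index name is used.
    index => "%{[@metadata][target_index]}"
  }
}
```

Run it through bin/logstash --config.test_and_exit -f <file> first to catch syntax errors before restarting the service.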