DNS Enrichment

Overview

NetObserv Flow can be configured to resolve IP addresses to hostnames. The following settings allow this feature to be tuned to the needs of your environment.

Configurations

EF_PROCESSOR_ENRICH_IPADDR_DNS_ENABLE

This setting enables DNS reverse lookups of IP addresses found in the received flow records. Disabling this feature will also disable looking up hostnames defined in the file referenced here: EF_PROCESSOR_ENRICH_IPADDR_DNS_USERDEF_PATH.

Valid Values
- true, false
Default
- false

EF_PROCESSOR_ENRICH_IPADDR_DNS_NAMESERVER_IP

The default behavior of the collector is to use the operating system's configured name resolution to resolve IP addresses to hostnames. Optionally, a nameserver can be specified in this setting, which will be used instead.

If configured, this setting MUST contain a valid IP address.

Default
- empty

EF_PROCESSOR_ENRICH_IPADDR_DNS_NAMESERVER_TIMEOUT

If EF_PROCESSOR_ENRICH_IPADDR_DNS_NAMESERVER_IP contains a valid IP address, this setting contains the timeout period, in milliseconds, for queries to the name server.

Default
- 3000 (milliseconds)

EF_PROCESSOR_ENRICH_IPADDR_DNS_RESOLVE_PRIVATE

If DNS resolution is enabled (EF_PROCESSOR_ENRICH_IPADDR_DNS_ENABLE is true) this option specifies whether private IP addresses will be resolved to hostnames.

Valid Values
- true, false
Default
- true

EF_PROCESSOR_ENRICH_IPADDR_DNS_RESOLVE_PUBLIC

If DNS resolution is enabled (EF_PROCESSOR_ENRICH_IPADDR_DNS_ENABLE is true) this option specifies whether public IP addresses will be resolved to hostnames.

Valid Values
- true, false
Default
- true

EF_PROCESSOR_ENRICH_IPADDR_DNS_USERDEF_PATH

This setting specifies the path to the file containing user-defined hostname mappings. The feature is enabled if a path is configured, otherwise it is disabled. If there is a conflict between the hostname returned by a DNS query and what is defined in this file, this file wins.

An example of the format of this file is:

'192.0.2.1': 'host1'
'192.0.2.2': 'host2'

Default
- ''
Recommended
- /etc/elastiflow/hostname/user_defined.yml

EF_PROCESSOR_ENRICH_IPADDR_DNS_USERDEF_REFRESH_RATE

The file specified in EF_PROCESSOR_ENRICH_IPADDR_DNS_USERDEF_PATH can be loaded automatically to refresh values without restarting the collector. This value specifies the refresh interval, in minutes, that the file will be reloaded. The value of 0 disables refreshing of the values.

Default
- 15

EF_PROCESSOR_ENRICH_IPADDR_DNS_INCLEXCL_PATH

For more control of when enrichment is applied, IP addresses can be included or excluded from hostname enrichment by Autonomous System or CIDR. This setting specifies the path to this file.

For more details on the format of this file and the behavior of the include/exclude functionality, refer to: Scoping Enrichment with Include/Exclude

Default
- ''
Recommended
- /etc/elastiflow/hostname/incl_excl.yml

EF_PROCESSOR_ENRICH_IPADDR_DNS_INCLEXCL_REFRESH_RATE

The file specified in EF_PROCESSOR_ENRICH_IPADDR_DNS_INCLEXCL_PATH can be loaded automatically to refresh values without restarting the collector. This value specifies the refresh interval, in minutes, that the file will be reloaded. The value of 0 disables refreshing of the values.

Default
- 15

PreviousMaxmind GeoIP2 and GeoLite2 NextUser-Defined Metadata (UDM) for Addresses

Last updated 4 months ago

Was this helpful?

Good night

hashtagOverview

hashtagConfigurations

hashtagEF_PROCESSOR_ENRICH_IPADDR_DNS_ENABLE

hashtagEF_PROCESSOR_ENRICH_IPADDR_DNS_NAMESERVER_IP

hashtagEF_PROCESSOR_ENRICH_IPADDR_DNS_NAMESERVER_TIMEOUT

hashtagEF_PROCESSOR_ENRICH_IPADDR_DNS_RESOLVE_PRIVATE

hashtagEF_PROCESSOR_ENRICH_IPADDR_DNS_RESOLVE_PUBLIC

hashtagEF_PROCESSOR_ENRICH_IPADDR_DNS_USERDEF_PATH

hashtagEF_PROCESSOR_ENRICH_IPADDR_DNS_USERDEF_REFRESH_RATE

hashtagEF_PROCESSOR_ENRICH_IPADDR_DNS_INCLEXCL_PATH

hashtagEF_PROCESSOR_ENRICH_IPADDR_DNS_INCLEXCL_REFRESH_RATE