Closed: punisherVX closed this issue 5 years ago
This is fixable by using the DATA grok regex pattern rather than the HOSTNAME. See this for more explanation on the patterns used by grok.
This will only be done on the dns-cloud as we are already seeing underscores in domains in a few customers that are running the SFN4.0 alpha.
This will NOT be changed in content or EDL based parsers because we never see this as a problem. Probably because nobody is looking for it and it doesn't wind up in either the content or the EDLs.
This was fixed by changing the grok patterns in the logstash gtp.conf file. It is fixed in v3.5.
When logstash encounters a THREAT DNS event, it should put the domain name in the SFN.domainname field in the ES threat* index. However, if the event DNS lookup is to a domain with underscores (_) in it, it does not create that field and SFN code throws an error.
Example domain that broke it: _adsp._domainkey.ecopromconsalting.ru
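The following is an added example, not code from SafeNetworking or from the gtp.conf pipeline, that reproduces the behaviour described in this issue outside of Logstash. It uses a tiny grok-style expander with the HOSTNAME and DATA definitions shipped in Logstash's grok-patterns file, and runs two constructed, simplified comma-delimited log fragments (not real PAN-OS THREAT lines) through a `%{HOSTNAME:domainname}` pattern and a `%{DATA:domainname}` pattern. The field name `domainname` mirrors SFN.domainname from the issue; the surrounding `,dns-query,` context is an assumption made to keep the fragment short.

```ruby
# Added example (not SafeNetworking or Logstash code): a minimal grok-style
# expander using the HOSTNAME and DATA definitions from Logstash's
# grok-patterns file, applied to constructed comma-delimited fragments.
PATTERNS = {
  # HOSTNAME labels must start with an alphanumeric; '_' is never allowed.
  "HOSTNAME" => '\b(?:[0-9A-Za-z][0-9A-Za-z-]{0,62})(?:\.(?:[0-9A-Za-z][0-9A-Za-z-]{0,62}))*(\.?|\b)',
  # DATA is a lazy "anything", so it relies on the delimiter that follows it.
  "DATA"     => '.*?',
}.freeze

# Expand every %{NAME:field} reference into a Ruby named capture and compile.
def compile_grok(expr)
  regex_src = expr.gsub(/%\{(\w+):(\w+)\}/) do
    "(?<#{Regexp.last_match(2)}>#{PATTERNS.fetch(Regexp.last_match(1))})"
  end
  Regexp.new(regex_src)
end

# Returns the captured fields as a Hash, or nil when the pattern does not
# match (the case in which Logstash would add the _grokparsefailure tag and
# the domainname field would never be created).
def grok(expr, line)
  m = compile_grok(expr).match(line)
  return nil unless m
  m.names.each_with_object({}) { |name, fields| fields[name] = m[name] }
end

# Constructed sample fragments; the underscore domain is the one from the issue.
LINE_PLAIN      = "THREAT,spyware,dns-query,www.example.com,sinkhole"
LINE_UNDERSCORE = "THREAT,spyware,dns-query,_adsp._domainkey.ecopromconsalting.ru,sinkhole"

# Assumed grok expressions: the pre-fix form using HOSTNAME and the fixed form using DATA.
OLD_GROK = ',dns-query,%{HOSTNAME:domainname},'
NEW_GROK = ',dns-query,%{DATA:domainname},'

if __FILE__ == $PROGRAM_NAME
  [OLD_GROK, NEW_GROK].each do |expr|
    [LINE_PLAIN, LINE_UNDERSCORE].each do |line|
      puts "#{expr} on #{line.split(',')[3]} => #{grok(expr, line).inspect}"
    end
  end
end
```

With the HOSTNAME pattern the underscore domain yields no match at all, so the field is simply absent, which is what downstream SFN code tripped over; with DATA both domains are captured in full. The trade-off, which the comments above accept for the dns-cloud parser, is that `.*?` validates nothing and only stops at the next literal in the pattern, so it should always be followed by a fixed delimiter such as the comma used here.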