ipv6 dns does not work

[briner]

Hello,
My logstash indexers are running on double stacked (ipv4, ipv6). My resolv.conf is configured with ipv6 nameservers.

I must tell an ipv4 nameserver to have "dns" filter working. Worst with ipv6 nameserver, I did not read any problem from the logs !

[guyboertje]

@briner - please provide more details.
For all general issues, please provide the following details for fast resolution:

• Version:
• Operating System:
• Config File (if you have sensitive info, please remove it):
• Sample Data:
• Steps to Reproduce:

[briner]

• version:

dpkg -l logstash
  # ii  logstash                      1:2.3.2-1           all                 An extensible logging pipeline

• operating system:

uname -a
  # Linux lunielkidx02 3.16.0-4-amd64 #1 SMP Debian 3.16.7-ckt20-1+deb8u4 (2016-02-29) x86_64 GNU/Linux

cat /etc/issue
  # Debian GNU/Linux 8 \n \l

lsb_release -a
  # No LSB modules are available.
  # Distributor ID: Debian
  # Description:    Debian GNU/Linux 8.2 (jessie)
  # Release:    8.2
  # Codename:   jessie

• config file:

cat filter_it_network.conf 
  # filter {
  #   if [unige_group] == "IT-network" or [type] == "it-network" {
  #     mutate{
  #       add_field => {"hostname" => "%{host}"}
  #     }
  #     dns {
  # #      nameserver => "2001:620:600:4::6"
  #       nameserver => "129.194.4.32"
  #       reverse => [ "hostname" ]
  #       action => replace
  #      }
  #     grok {
  #       match => { "message" => "%{SYSLOG5424PRI}%{NUMBER:log_sequence#}: %{SYSLOG5424SD}: %{CISCOTIMESTAMP:log_date}: %%{CISCO_REASON:facility}-%{INT:severity_level}-%{CISCO_REASON:facility_mnemonic}: %{GREEDYDATA:message}" }
  #       tag_on_failure => []
  #    }
  #    grok {
  #      match => { "message" => "%{SYSLOG5424PRI}%{NUMBER:log_sequence#}: %{SYSLOG5424SD}: %{CISCOTIMESTAMP:log_date}: %%{CISCO_REASON:facility}-%{CISCO_REASON:facility_sub}-%{INT:severity_level}-%{CISCO_REASON:facility_mnemonic}: %{GREEDYDATA:message}" }
  #    }
  #     mutate {
  #       gsub => [
  #         "severity_level", "0", "0 - Emergency",
  #         "severity_level", "1", "1 - Alert",
  #         "severity_level", "2", "2 - Critical",
  #         "severity_level", "3", "3 - Error",
  #         "severity_level", "4", "4 - Warning",
  #         "severity_level", "5", "5 - Notification",
  #         "severity_level", "6", "6 - Informational"
  #       ]
  #     }
  #   }
  # }

• json data

{
  "_index": "it-network-2016.05.30",
  "_type": "it-network",
  "_id": "AVUAutos-0iqUshyi21U",
  "_score": 1,
  "_source": {
    "message": [
      "<188>19495: [syslog@9 s_id =\"sw-dufour-e1:514\"]: May 30 10:14:52: %C4K_HWPORTMAN-4-BLOCKEDTXQUEUE: Blocked transmit queue HwTxQId4 on Switch Phyport Gi3/20, count=57503",
      "Blocked transmit queue HwTxQId4 on Switch Phyport Gi3/20, count=57503"
    ],
    "@version": "1",
    "@timestamp": "2016-05-30T08:14:53.143Z",
    "type": "it-network",
    "host": "10.12.224.51",
    "tags": [
      "_grokparsefailure_sysloginput",
      "_grokparsefailure"
    ],
    "priority": 0,
    "severity": 0,
    "facility": 0,
    "facility_label": "kernel",
    "severity_label": "Emergency",
    "hostname": "10.12.224.51",
    "syslog5424_pri": "188",
    "log_sequence": "19495",
    "log_date": "May 30 10:14:52",
    "severity_level": "4 - Warning",
    "facility_mnemonic": "BLOCKEDTXQUEUE",
    "from_indexer": "lunielkidx01"
  },
  "fields": {
    "@timestamp": [
      1464596093143
    ]
  }
}

• steps to reproduce
  • change the nameserver entry with the ipv4 entry