Address review comments

Use event.original
Remove Z flag
Add registered_domain
Ensure destination.port is a long

x-pack/filebeat/module/zeek/dns/config/dns.yml

@@ -9,9 +9,9 @@ tags: {{.tags}}
 processors:
   - rename:
       fields:
-        - {from: message, to: log.original}
+        - {from: message, to: event.original}
   - decode_json_fields:
-      fields: [log.original]
+      fields: [event.original]
       target: zeek.dns
   - script:
       lang: javascript
@@ -34,10 +34,6 @@ processors:
             if (flag === true) {
                 evt.AppendTo("dns.header_flags", "RA");
             }
-            flag = evt.Get("zeek.dns.Z");
-            if (flag === true) {
-                evt.AppendTo("dns.header_flags", "Z");
-            }
         }
 
         function addDnsQuestionClass(evt) {
@@ -104,7 +100,7 @@ processors:
         - {from: zeek.dns.id.orig_h, to: source.address}
         - {from: zeek.dns.id.orig_p, to: source.port, type: long}
         - {from: zeek.dns.id.resp_h, to: destination.address}
-        - {from: zeek.dns.id.resp_p, to: destination.port}
+        - {from: zeek.dns.id.resp_p, to: destination.port, type: long}
         - {from: zeek.dns.uid, to: zeek.session_id}
         - {from: zeek.dns.proto, to: network.transport}
   - convert:
@@ -120,6 +116,11 @@ processors:
         - {from: zeek.dns.query, to: dns.question.name}
         - {from: zeek.dns.qtype_name, to: dns.question.type}
         - {from: zeek.dns.rcode_name, to: dns.response_code}
+  - registered_domain:
+      ignore_missing: true
+      ignore_failure: true
+      field: dns.question.name
+      target_field: dns.question.registered_domain
 {{ if .community_id }}
   - community_id: ~
 {{ end }}

x-pack/filebeat/module/zeek/dns/test/dns-json.log-expected.json

@@ -25,16 +25,17 @@
         "dns.id": 15209,
         "dns.question.class": "IN",
         "dns.question.name": "dd625ffb4fc54735b281862aa1cd6cd4.us-west1.gcp.cloud.es.io",
+        "dns.question.registered_domain": "es.io",
         "dns.question.type": "A",
         "dns.response_code": "NOERROR",
         "event.dataset": "zeek.dns",
         "event.duration": 76967000,
         "event.id": "CAcJw21BbVedgFnYH3",
         "event.module": "zeek",
+        "event.original": "{\"ts\":1547188415.857497,\"uid\":\"CAcJw21BbVedgFnYH3\",\"id.orig_h\":\"192.168.86.167\",\"id.orig_p\":38339,\"id.resp_h\":\"192.168.86.1\",\"id.resp_p\":53,\"proto\":\"udp\",\"trans_id\":15209,\"rtt\":0.076967,\"query\":\"dd625ffb4fc54735b281862aa1cd6cd4.us-west1.gcp.cloud.es.io\",\"qclass\":1,\"qclass_name\":\"C_INTERNET\",\"qtype\":1,\"qtype_name\":\"A\",\"rcode\":0,\"rcode_name\":\"NOERROR\",\"AA\":false,\"TC\":false,\"RD\":true,\"RA\":true,\"Z\":0,\"answers\":[\"proxy-production-us-west1.gcp.cloud.es.io\",\"proxy-production-us-west1-v1-009.gcp.cloud.es.io\",\"35.199.178.4\"],\"TTLs\":[119.0,119.0,59.0],\"rejected\":false}",
         "fileset.name": "dns",
         "input.type": "log",
         "log.offset": 0,
-        "log.original": "{\"ts\":1547188415.857497,\"uid\":\"CAcJw21BbVedgFnYH3\",\"id.orig_h\":\"192.168.86.167\",\"id.orig_p\":38339,\"id.resp_h\":\"192.168.86.1\",\"id.resp_p\":53,\"proto\":\"udp\",\"trans_id\":15209,\"rtt\":0.076967,\"query\":\"dd625ffb4fc54735b281862aa1cd6cd4.us-west1.gcp.cloud.es.io\",\"qclass\":1,\"qclass_name\":\"C_INTERNET\",\"qtype\":1,\"qtype_name\":\"A\",\"rcode\":0,\"rcode_name\":\"NOERROR\",\"AA\":false,\"TC\":false,\"RD\":true,\"RA\":true,\"Z\":0,\"answers\":[\"proxy-production-us-west1.gcp.cloud.es.io\",\"proxy-production-us-west1-v1-009.gcp.cloud.es.io\",\"35.199.178.4\"],\"TTLs\":[119.0,119.0,59.0],\"rejected\":false}",
         "network.community_id": "1:Z26DBGVYoBKQ1FT6qfPaAqBnJik=",
         "network.transport": "udp",
         "service.type": "zeek",