Hi there - we have set up a custom log ingestion pipeline for our DNS server running BIND. We already had an existing Fleet agent running on that server, so we opted to add a custom pipeline with a grok for BIND 9 logs. I am wondering if anyone has found a good way to resolve the time format of BIND 9 logs (DD-MMM-YYYY HH:MM:SS.MS) into ISO 8601. I am also looking for help mapping the DNS fields into ECS; some are obvious but others are not.
Here is a copy of our current grok:
%{DATA:event.created}\s+%{WORD:meta.type}:\s*%{WORD:meta.log_level}: client @0x%{DATA:client.object_identifier}\s*%{IP:client.ip}#%{POSINT:client.port:int}\s*\(%{DATA:dns.question.name}\): view %{WORD:query_info.query_view}: %{WORD:dns.type}: %{DATA:query_info.query_name} %{WORD:dns.answers.class} %{WORD:dns.question.type} %{DATA:query_info.RD_Flag} \(%{IP:query_info.responding_server_ip}\)
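The two open questions in the post (turning the BIND 9 timestamp into ISO 8601 and mapping the query-log fields onto ECS) are shown below in a standalone Python script. This is an added example, not code from the original post or from Elastic; it mirrors the grok above with an equivalent regular expression so the field mapping can be checked offline. The sample log line is constructed, the timestamp is assumed to be UTC (BIND logs local time without a zone, so adjust to the server's zone), the `bind.view` field is a custom field and not part of ECS, and the trailing address in parentheses is mapped to `server.ip` as an assumption. In an ingest pipeline the same timestamp conversion is done with a `date` processor using the Java-style format `dd-MMM-yyyy HH:mm:ss.SSS`, which is what the `strptime` format below corresponds to.

```python
import re
from datetime import datetime, timezone

# Constructed BIND 9 query-log line (not taken from a real server).
SAMPLE_LINE = (
    "19-Oct-2023 14:23:01.123 queries: info: client @0x7f3a2c0b8d10 "
    "192.0.2.10#51234 (www.example.com): view internal: query: "
    "www.example.com IN A +E(0)K (198.51.100.5)"
)

# Regex equivalent of the grok in the post; parentheses are escaped because
# they are literal characters in the log, not regex groups.
BIND_QUERY_RE = re.compile(
    r"^(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{1,3}) "
    r"(?P<category>\w+): (?P<level>\w+): client @0x(?P<obj>[0-9a-fA-F]+) "
    r"(?P<ip>[^#\s]+)#(?P<port>\d+) \((?P<qname>[^)]+)\): view (?P<view>\w+): "
    r"query: (?P<name>\S+) (?P<qclass>\w+) (?P<qtype>\w+) (?P<flags>\S+) "
    r"\((?P<server>[^)]+)\)$"
)

# BIND 9 timestamp layout: DD-MMM-YYYY HH:MM:SS.mmm (English month abbreviation).
BIND_TS_FORMAT = "%d-%b-%Y %H:%M:%S.%f"


def bind_timestamp_to_iso8601(value: str) -> str:
    """Convert '19-Oct-2023 14:23:01.123' to an ISO 8601 string.

    Assumption: the log time is UTC. For a server logging local time,
    replace timezone.utc with the server's zone.
    """
    parsed = datetime.strptime(value, BIND_TS_FORMAT).replace(tzinfo=timezone.utc)
    return parsed.isoformat(timespec="milliseconds")


def bind_flags_to_ecs_header_flags(flags: str) -> list:
    """Map BIND's query flag string (e.g. '+E(0)K') to ECS dns.header_flags.

    BIND documents: leading '+' = recursion desired, 'D' = DO bit set,
    'C' = CD bit set. Other markers (S, E(n), T, V, K) have no ECS flag.
    """
    out = []
    if flags.startswith("+"):
        out.append("RD")
    if "D" in flags:
        out.append("DO")
    if "C" in flags:
        out.append("CD")
    return out


def parse_bind_query_log(line: str) -> dict:
    """Parse one BIND 9 query-log line into an ECS-shaped nested dict."""
    m = BIND_QUERY_RE.match(line)
    if not m:
        raise ValueError("line does not match the BIND 9 query-log layout")
    g = m.groupdict()
    return {
        "@timestamp": bind_timestamp_to_iso8601(g["ts"]),
        "event": {"created": bind_timestamp_to_iso8601(g["ts"]),
                  "category": ["network"], "type": ["protocol"]},
        "log": {"level": g["level"], "logger": g["category"]},
        "client": {"ip": g["ip"], "port": int(g["port"])},   # ECS client.port is an integer
        "server": {"ip": g["server"]},                        # assumption: local address query arrived on
        "dns": {
            "type": "query",
            "question": {"name": g["name"], "class": g["qclass"], "type": g["qtype"]},
            "header_flags": bind_flags_to_ecs_header_flags(g["flags"]),
        },
        "bind": {"view": g["view"], "client_object": g["obj"]},  # custom, non-ECS fields
    }


if __name__ == "__main__":
    import json
    print(json.dumps(parse_bind_query_log(SAMPLE_LINE), indent=2))
```

Running the script prints the ECS document for the constructed line; `dns.question.*` and `client.*` are the fields the grok in the post already has names for, while `dns.header_flags` and `@timestamp` are the ones that need the extra conversion step.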