DNS sinkhole Logstash config file filter


(R) #1

Hi Guys,

I have pfSense 2.3 and have configured the DNS resolver, or sinkhole, on it. In short, I have zone files; when a query is matched, that request will be sinkholed. This procedure is absolutely fine. Now I need to collect those logs and present a nice dashboard, but before that I need to build a Logstash config file.

Can someone please help me with a Logstash config file for the logs below? I am completely clueless here.

Here are the DNS resolver logs.

Time Process PID Message
Sep 3 19:41:58 named 33194 queries: info: client @0x803066200 192.168.5.103#62054 (cisco.com): view cleandns: query: cisco.com IN A +E(0)K (192.168.5.25)
Sep 3 19:41:45 named 33194 queries: info: client @0x80306d000 192.168.5.103#62977 (gmail.com): view cleandns: query: gmail.com IN MX +E(0)K (192.168.5.25)
Sep 3 19:21:17 named 33194 queries: info: client @0x80306d000 192.168.5.103#59761 (zzzha.com): view cleandns: query: zzzha.com IN A +E(0)K (192.168.5.25)
Sep 3 19:19:17 named 33194 queries: info: client @0x80306d000 192.168.5.103#59564 (zzztech.com): view cleandns: query: zzztech.com IN AAAA + (192.168.5.25)
Sep 3 19:19:17 named 33194 queries: info: client @0x80306d000 192.168.5.103#59563 (zzztech.com): view cleandns: query: zzztech.com IN A + (192.168.5.25)
Sep 3 19:19:17 named 33194 queries: info: client @0x80306d000 192.168.5.103#59562 (zzztech.com): view cleandns: query: zzztech.com IN AAAA + (192.168.5.25)
Sep 3 19:19:16 named 33194 queries: info: client @0x803066200 192.168.5.103#59561 (zzztech.com): view cleandns: query: zzztech.com IN A + (192.168.5.25)


(Magnus Bäck) #2

What's the expected result of parsing these logs?


(R) #3

Well, for the time being I would like to collect the domain names which are queried and then the client who is querying, that is, the IP address just before the #, like 192.168.5.103#59562.

So I need to know here

Domains
Type, i.e. A, MX, AAAA
Client IP

In these logs zzzha.com is a malicious domain queried by 192.168.5.103.


(Magnus Bäck) #4

Have you looked into the grok filter? If you're not familiar with grok expressions (which are essentially regular expressions) you can use the grok constructor web site.
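As an added example that is not part of this thread, here is a grok pattern for the named query lines above together with an equivalent Python regex, so the fields R asked for (domain, record type, client IP) can be checked offline before they go into a Logstash filter. The sinkhole domain list is a constructed placeholder containing only the domain the thread calls malicious.

```python
import re

# Constructed sample: three of the query lines posted in the thread.
SAMPLE_LOGS = """\
Sep 3 19:41:58 named 33194 queries: info: client @0x803066200 192.168.5.103#62054 (cisco.com): view cleandns: query: cisco.com IN A +E(0)K (192.168.5.25)
Sep 3 19:21:17 named 33194 queries: info: client @0x80306d000 192.168.5.103#59761 (zzzha.com): view cleandns: query: zzzha.com IN A +E(0)K (192.168.5.25)
Sep 3 19:19:17 named 33194 queries: info: client @0x80306d000 192.168.5.103#59564 (zzztech.com): view cleandns: query: zzztech.com IN AAAA + (192.168.5.25)
"""

# Grok pattern for Logstash, e.g. grok { match => { "message" => GROK_PATTERN } }.
GROK_PATTERN = (
    r"%{SYSLOGTIMESTAMP:timestamp} %{WORD:process} %{INT:pid} queries: info: "
    r"client @%{BASE16NUM:ptr} %{IP:client_ip}#%{INT:client_port} \(%{HOSTNAME:domain}\): "
    r"view %{WORD:view}: query: %{HOSTNAME:query} IN %{WORD:qtype} %{NOTSPACE:flags} \(%{IP:server_ip}\)"
)

# Equivalent Python regex; the day may be space-padded as in real syslog ("Sep  3").
LINE_RE = re.compile(
    r"^(?P<timestamp>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<process>\w+) (?P<pid>\d+) "
    r"queries: info: client @(?P<ptr>0x[0-9a-fA-F]+) (?P<client_ip>\d{1,3}(?:\.\d{1,3}){3})#(?P<client_port>\d+) "
    r"\((?P<domain>[^)]+)\): view (?P<view>\w+): query: (?P<query>\S+) IN (?P<qtype>\w+) (?P<flags>\S+) "
    r"\((?P<server_ip>\d{1,3}(?:\.\d{1,3}){3})\)$"
)

# Constructed placeholder list; the thread names zzzha.com as the malicious domain.
SINKHOLED = {"zzzha.com"}


def parse_line(line):
    """Return a dict of fields for one query line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["pid"] = int(rec["pid"])
    rec["client_port"] = int(rec["client_port"])
    rec["sinkholed"] = rec["query"].lower().rstrip(".") in SINKHOLED
    return rec


def parse_log(text):
    """Parse every matching line; unparseable lines are dropped."""
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def sinkhole_hits(records):
    """(client_ip, domain, qtype) for queries that hit the sinkhole list."""
    return [(r["client_ip"], r["query"], r["qtype"]) for r in records if r["sinkholed"]]


if __name__ == "__main__":
    for r in parse_log(SAMPLE_LOGS):
        print(r["timestamp"], r["client_ip"], r["query"], r["qtype"], r["flags"], r["sinkholed"])
```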


(system) #5

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.