DNS sinkhole logstash config file filter

Hi Guys,

I have pfSense 2.3 and have configured the DNS resolver or sinkhole on it. In short, I have zone files; when a query matches, that request is sinkholed. This procedure works absolutely fine. Now I need to collect those logs and present a nice dashboard, but before that I need to build a Logstash config file.

Can someone please help me with a Logstash config file for the logs below? I am completely clueless here.

Here are the DNS resolver logs.

Time Process PID Message
Sep 3 19:41:58 named 33194 queries: info: client @0x803066200 192.168.5.103#62054 (cisco.com): view cleandns: query: cisco.com IN A +E(0)K (192.168.5.25)
Sep 3 19:41:45 named 33194 queries: info: client @0x80306d000 192.168.5.103#62977 (gmail.com): view cleandns: query: gmail.com IN MX +E(0)K (192.168.5.25)
Sep 3 19:21:17 named 33194 queries: info: client @0x80306d000 192.168.5.103#59761 (zzzha.com): view cleandns: query: zzzha.com IN A +E(0)K (192.168.5.25)
Sep 3 19:19:17 named 33194 queries: info: client @0x80306d000 192.168.5.103#59564 (zzztech.com): view cleandns: query: zzztech.com IN AAAA + (192.168.5.25)
Sep 3 19:19:17 named 33194 queries: info: client @0x80306d000 192.168.5.103#59563 (zzztech.com): view cleandns: query: zzztech.com IN A + (192.168.5.25)
Sep 3 19:19:17 named 33194 queries: info: client @0x80306d000 192.168.5.103#59562 (zzztech.com): view cleandns: query: zzztech.com IN AAAA + (192.168.5.25)
Sep 3 19:19:16 named 33194 queries: info: client @0x803066200 192.168.5.103#59561 (zzztech.com): view cleandns: query: zzztech.com IN A + (192.168.5.25)

What's the expected result of parsing these logs?

Well, for the time being I would like to collect the domain names which are queried and the client who is querying, that is the IP address just before the # as in 192.168.5.103#59562.

So I need to know here:

Domains
Type, i.e. A, MX, AAAA
Client IP

In these logs zzzha.com is a malicious domain queried by 192.168.5.103.

Have you looked into the grok filter? If you're not familiar with grok expressions (which are essentially regular expressions) you can use the grok constructor web site.
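A grok pattern for the BIND query-log lines quoted above, as an added example and not something posted in the thread: the Python below expands the pattern with simplified stand-ins for Logstash's built-in patterns so it can be checked offline against the sample lines, and BIND_QUERY is the string to put in the grok filter's match option. It assumes the lines reach Logstash in the format shown; the syslog prefix is optional so the pattern also matches if only the BIND message body arrives.

```python
import re

# Simplified stand-ins for the Logstash built-in grok patterns referenced
# below (the real definitions ship with Logstash in grok-patterns); enough
# to expand the pattern here and check it offline.
GROK_PATTERNS = {
    "MONTH": r"\b(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)\b",
    "MONTHDAY": r"(?:0[1-9]|[12][0-9]|3[01]|[1-9])",
    "TIME": r"(?:[01]?\d|2[0-3]):[0-5]\d:[0-5]\d",
    "SYSLOGTIMESTAMP": r"%{MONTH} +%{MONTHDAY} %{TIME}",
    "INT": r"[+-]?\d+",
    "WORD": r"\b\w+\b",
    "NOTSPACE": r"\S+",
    "BASE16NUM": r"(?:0x)?[0-9A-Fa-f]+",
    "IP": r"(?:\d{1,3}\.){3}\d{1,3}",
    "HOSTNAME": r"\b[0-9A-Za-z][0-9A-Za-z-]{0,62}(?:\.[0-9A-Za-z][0-9A-Za-z-]{0,62})*\.?",
}

# The pattern for the grok filter, e.g.  grok { match => { "message" => BIND_QUERY } }
# The syslog prefix (timestamp, process, pid) is optional so the same pattern also
# matches when only the BIND message body reaches Logstash (assumed format as quoted).
BIND_QUERY = (
    r"^(?:%{SYSLOGTIMESTAMP:timestamp} %{WORD:process} %{INT:pid} )?"
    r"queries: info: client @%{BASE16NUM:client_ptr} %{IP:client_ip}#%{INT:client_port} "
    r"\(%{HOSTNAME:query_name}\): view %{WORD:view}: query: "
    r"%{HOSTNAME:domain} IN %{WORD:query_type} %{NOTSPACE:flags} \(%{IP:resolver_ip}\)$"
)

def grok_to_regex(pattern):
    """Expand %{NAME} and %{NAME:field} references (recursively) into a Python regex."""
    def expand(m):
        body = grok_to_regex(GROK_PATTERNS[m.group(1)])
        return f"(?P<{m.group(2)}>{body})" if m.group(2) else f"(?:{body})"
    return re.sub(r"%\{(\w+)(?::(\w+))?\}", expand, pattern)

BIND_QUERY_RE = re.compile(grok_to_regex(BIND_QUERY))

def parse_query_log(line):
    """Return the grok fields as a dict, or None when the line does not match (a _grokparsefailure)."""
    m = BIND_QUERY_RE.search(line)
    return m.groupdict() if m else None

if __name__ == "__main__":
    # Two lines quoted from the thread, one per flag style.
    for line in (
        "Sep 3 19:21:17 named 33194 queries: info: client @0x80306d000 192.168.5.103#59761 (zzzha.com): view cleandns: query: zzzha.com IN A +E(0)K (192.168.5.25)",
        "Sep 3 19:19:17 named 33194 queries: info: client @0x80306d000 192.168.5.103#59564 (zzztech.com): view cleandns: query: zzztech.com IN AAAA + (192.168.5.25)",
    ):
        f = parse_query_log(line)
        print(f["client_ip"], f["domain"], f["query_type"], f["flags"])
```

The client_ip, domain and query_type fields are the three values asked for in the thread; a line that does not match gets the usual _grokparsefailure tag in Logstash, which is worth watching on a dashboard since a sinkhole log you silently fail to parse is a blind spot.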
