DNS Sinkhole Grok filter, need your help


(R) #1

Hi Guys,

I have a DNS sinkhole built on pfSense and it's logging DNS resolver logs. Can someone please help me with grok filters for the logs below so that I can start building good dashboards from them? Since this is a sinkhole, I need to find out the source IP addresses that visited the malware domains or were sinkholed, which domains were contacted, and other logs.

Here are the logs:

Jul 27 23:19:04 labdnsdefend named[77540]: queries: info: client @0x849893a00 172.16.3.15#15049 (mirrors.tuna.tsinghua.edu.cn): view cleandns: query: mirrors.tuna.tsinghua.edu.cn IN A +E(0)D (172.16.3.44)
Jul 27 23:19:04 labdnsdefend named[77540]: general: warning: checkhints: view cleandns: b.root-servers.net/AAAA (2001:500:200::b) missing from hints
Jul 27 23:19:04 labdnsdefend named[77540]: general: warning: checkhints: view cleandns: b.root-servers.net/AAAA (2001:500:84::b) extra record in hints
Jul 27 23:19:10 labdnsdefend named[77540]: queries: info: client @0x804436c00 172.16.3.15#47087 (71.6.7.6.in-addr.arpa): view cleandns: query: 71.6.7.6.in-addr.arpa IN PTR +E(0)D (172.16.3.44)
Jul 27 23:19:10 labdnsdefend named[77540]: general: warning: checkhints: view cleandns: b.root-servers.net/AAAA (2001:500:200::b) missing from hints
Jul 27 23:19:10 labdnsdefend named[77540]: general: warning: checkhints: view cleandns: b.root-servers.net/AAAA (2001:500:84::b) extra record in hints
Jul 27 23:19:11 labdnsdefend named[77540]: queries: info: client @0x805839e00 172.16.3.15#14917 (thehackernews.com): view cleandns: query: thehackernews.com IN A +E(0)D (172.16.3.44)

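An added example, not from the thread or from the Logstash project, showing how the BIND query-log lines above break into fields and how a sinkhole dashboard can then be fed. The Logstash grok patterns in the header comment are a suggestion written against the posted lines only; the Python below implements the same field layout so it can be checked offline. The `@0x...` client pointer and the `view NAME:` element are made optional so the pattern also covers BIND builds or configs that omit them. The query log alone does not record whether a name was rewritten, so the example joins the parsed queries against a sinkhole zone list; `bad.example`, the client `172.16.3.99` and the one extra log line for it are constructed for the illustration.

```python
"""Parse BIND 9 query-log lines as written by the pfSense resolver in the thread,
producing the same flat fields a Logstash grok filter would, then report which
client IPs asked for names under the sinkhole zones.

Suggested grok equivalents (Logstash), matching the field names used below:
  QUERY:   %{SYSLOGTIMESTAMP:timestamp} %{SYSLOGHOST:hostname} named\[%{POSINT:pid}\]: queries: info: client (?:@%{BASE16NUM:client_ptr} )?%{IP:client_ip}#%{POSINT:client_port} \(%{NOTSPACE:qname_echo}\): (?:view %{WORD:view}: )?query: %{NOTSPACE:query_name} %{WORD:query_class} %{WORD:query_type} %{NOTSPACE:query_flags} \(%{IP:server_ip}\)
  GENERAL: %{SYSLOGTIMESTAMP:timestamp} %{SYSLOGHOST:hostname} named\[%{POSINT:pid}\]: %{WORD:category}: %{WORD:severity}: %{GREEDYDATA:message}
"""
import re
from collections import Counter, defaultdict

# Syslog prefix shared by every named[] line: "Jul 27 23:19:04 labdnsdefend named[77540]: "
SYSLOG_PREFIX = (
    r"^(?P<timestamp>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<hostname>\S+) named\[(?P<pid>\d+)\]: "
)

# Query-log body. The client pointer (BIND 9.11+) and "view NAME:" are optional.
QUERY_BODY = (
    r"queries: info: client (?:@0x(?P<client_ptr>[0-9a-f]+) )?"
    r"(?P<client_ip>[0-9a-fA-F.:]+)#(?P<client_port>\d+) "
    r"\((?P<qname_echo>[^\s()]+)\): (?:view (?P<view>[^\s:]+): )?query: "
    r"(?P<query_name>\S+) (?P<query_class>\S+) (?P<query_type>\S+) "
    r"(?P<query_flags>\S+) \((?P<server_ip>[0-9a-fA-F.:]+)\)$"
)

# Any other named[] line, e.g. the "general: warning: checkhints" noise in the thread.
GENERAL_BODY = r"(?P<category>[\w-]+): (?P<severity>\w+): (?P<message>.*)$"

QUERY_RE = re.compile(SYSLOG_PREFIX + QUERY_BODY)
GENERAL_RE = re.compile(SYSLOG_PREFIX + GENERAL_BODY)


def decode_flags(flags):
    """Expand the BIND query flag string (e.g. "+E(0)D") into named booleans."""
    edns = re.search(r"E\((\d+)\)", flags)
    return {
        "recursion_desired": flags.startswith("+"),  # "+" RD set, "-" RD clear
        "edns_version": int(edns.group(1)) if edns else None,
        "dnssec_ok": "D" in flags,                    # DO bit
        "tcp": "T" in flags,                          # query arrived over TCP
        "checking_disabled": "C" in flags,            # CD bit
        "signed": "S" in flags,                       # TSIG/SIG(0)-signed query
    }


def parse_line(line):
    """Return a flat event dict with grok-style field names, or None for non-named lines."""
    m = QUERY_RE.match(line)
    if m:
        event = m.groupdict()
        event["event_kind"] = "query"
        event["pid"] = int(event["pid"])
        event["client_port"] = int(event["client_port"])
        # Normalise the name so the sinkhole join is case- and trailing-dot-insensitive.
        event["query_name"] = event["query_name"].rstrip(".").lower()
        event.update(decode_flags(event["query_flags"]))
        return event
    m = GENERAL_RE.match(line)
    if m:
        event = m.groupdict()
        event["event_kind"] = "general"
        event["pid"] = int(event["pid"])
        return event
    return None


def is_under(name, zone):
    """True if name equals zone or is a label-aligned subdomain of it."""
    return name == zone or name.endswith("." + zone)


def sinkhole_hits(lines, sinkhole_zones):
    """Map client_ip -> {sinkholed name: count}. The query log does not say whether a
    name was rewritten, so the join against the sinkhole zone list happens here."""
    zones = [z.rstrip(".").lower() for z in sinkhole_zones]
    hits = defaultdict(Counter)
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["event_kind"] != "query":
            continue
        if any(is_under(ev["query_name"], z) for z in zones):
            hits[ev["client_ip"]][ev["query_name"]] += 1
    return {ip: dict(c) for ip, c in hits.items()}


# Sample input: lines posted in the thread, plus one constructed line (last entry,
# client 172.16.3.99 asking for beacon.bad.example) so the sinkhole join has a hit.
SAMPLE_LINES = [
    "Jul 27 23:19:04 labdnsdefend named[77540]: queries: info: client @0x849893a00 172.16.3.15#15049 (mirrors.tuna.tsinghua.edu.cn): view cleandns: query: mirrors.tuna.tsinghua.edu.cn IN A +E(0)D (172.16.3.44)",
    "Jul 27 23:19:04 labdnsdefend named[77540]: general: warning: checkhints: view cleandns: b.root-servers.net/AAAA (2001:500:200::b) missing from hints",
    "Jul 27 23:19:10 labdnsdefend named[77540]: queries: info: client @0x804436c00 172.16.3.15#47087 (71.6.7.6.in-addr.arpa): view cleandns: query: 71.6.7.6.in-addr.arpa IN PTR +E(0)D (172.16.3.44)",
    "Jul 27 23:19:11 labdnsdefend named[77540]: queries: info: client @0x805839e00 172.16.3.15#14917 (thehackernews.com): view cleandns: query: thehackernews.com IN A +E(0)D (172.16.3.44)",
    "Jul 27 23:19:12 labdnsdefend named[77540]: queries: info: client @0x805839e00 172.16.3.99#51000 (beacon.bad.example): view cleandns: query: beacon.bad.example IN A +E(0)D (172.16.3.44)",
]

# Constructed sinkhole zone list standing in for the real blocklist the sinkhole serves.
SINKHOLE_ZONES = ["bad.example"]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        ev = parse_line(line)
        print(ev["event_kind"], ev.get("client_ip", "-"), ev.get("query_name", ev.get("message")))
    print(sinkhole_hits(SAMPLE_LINES, SINKHOLE_ZONES))
```

Keeping the `general:` lines as their own event kind rather than dropping them matters for a sinkhole box: the `checkhints` warnings are harmless, but the same category carries resolver errors you want to see on the dashboard, and in Logstash the equivalent is to try the query pattern first and fall through to the general one instead of tagging `_grokparsefailure`.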

(system) #2

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.