Formatting Windows DNS logs


(Dave Foster) #1

I'm successfully using filebeat to ship DNS debug logs from our Windows DC servers to ELK. I've finally figured out turning off 'analyzed' on the domain name field so that the name isn't broken into chunks (i.e. Microsoft.com became 'microsoft' and 'com'). Now I'm at a stage where I need to format the name to remove the numbers in the name:

(7)outlook(9)office365(3)com(0)

Can anyone help me with this? If you need any logs just let me know...thx


(Andrew Kroh) #2

I think you could use the Logstash mutate filter's gsub to remove the numbers. Here's an untested example (it may need some escaping).

filter {
  mutate {
    gsub => [
      "domain_name_field", "(\d+)", "."
    ]
  }
}

(Dave Foster) #3

First off.... a huge thank you. I'm no coder, so the simplest things seem difficult..haha. Here is what I did as well as the results:

filter {
  mutate {
    gsub => [
      "dns_query_name", "(\d+)", "."
    ]
  }
}
filter {
  mutate {
    gsub => [
      "dns_query_name", "\(", ""
    ]
  }
}
filter {
  mutate {
    gsub => [
      "dns_query_name", "\)", ""
    ]
  }
}

Probably really unorthodox but it removed the brackets :) I'm guessing I can probably do all the formatting on one line?

So something like:

(3)www(6)office(4)live(3)com(0)

became:

.www.office.live.com.

I do see some strange entries with too many dots, but this is a huge improvement. THANK YOU

Dave


(Andrew Kroh) #4

I think I understand what you need a little better now.

filter {
  mutate {
    gsub => [
      # Remove leading (n)
      "dns_query_name", "^\(\d+\)", "",
      # Remove trailing (n)
      "dns_query_name", "\(\d+\)$", "",
      # Replace inner (n)
      "dns_query_name", "\(\d+\)", "."
    ]
  }
}

That should change

(3)www(6)office(4)live(3)com(0)

to

www.office.live.com

If you need a custom analyzer for DNS names to make them searchable (i.e. search live.com and get back matching sub-domains like www.office.live.com) then you can adapt this index template to your needs. You would need to change the index name and modify the mappings section to apply the analyzer to your dns_query_name field.
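
A plain-Ruby reproduction of both gsub pipelines from this thread, added here as an example and not part of the original posts. Logstash's mutate/gsub is Ruby's String#gsub underneath, so the same patterns behave the same way; the "(0)" root-name input and the length-prefix consistency check are assumptions of mine, not something the thread shows.

```ruby
# Dave's first attempt (#3): strip every digit run, then both brackets.
# Any digit inside a label (office365) is also replaced, which is where the
# "too many dots" entries come from.
def naive_format(name)
  name.gsub(/(\d+)/, '.').gsub(/\(/, '').gsub(/\)/, '')
end

# Andrew's version (#4), in the same order as the Logstash config: drop the
# leading (n), drop the trailing (n), turn the inner (n) tokens into dots.
# Digits that are part of a label are left alone.
def format_dns_name(name)
  name.gsub(/^\(\d+\)/, '')
      .gsub(/\(\d+\)$/, '')
      .gsub(/\(\d+\)/, '.')
end

# In the Windows DNS debug log each (n) is the length of the label that
# follows it. Checking that is a cheap sanity test before the field is
# trusted: a mismatch means the line was truncated or is not a plain
# length-prefixed name at all.
def length_prefixes_consistent?(name)
  tokens = name.scan(/\((\d+)\)([^(]*)/)
  return false if tokens.empty?
  # every byte of the input must be accounted for by the matched tokens
  return false unless tokens.map { |len, label| "(#{len})#{label}" }.join == name
  tokens.all? { |len, label| len.to_i == label.length }
end

# Constructed sample input: the two names quoted in the thread plus the
# root name, which the anchored pattern reduces to an empty string.
SAMPLE_NAMES = [
  '(3)www(6)office(4)live(3)com(0)',
  '(7)outlook(9)office365(3)com(0)',
  '(0)'
].freeze

if __FILE__ == $PROGRAM_NAME
  SAMPLE_NAMES.each do |n|
    puts "#{n.ljust(34)} naive=#{naive_format(n).inspect.ljust(26)} " \
         "fixed=#{format_dns_name(n).inspect} " \
         "consistent=#{length_prefixes_consistent?(n)}"
  end
end
```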


(Dave Foster) #5

This worked perfectly. It cleaned up all the mess from the way I was trying to do it :) I may try making it searchable in the future. For now, this is all I need. Thx for your help :)

Dave
