Grok Pattern DNS Querys send via syslogd

A.Klos · January 8, 2018, 11:42am

Hi,

we have a DNS server and send all dns queries to logstash / elastic.

The message line seems to be like this:

<30>Jan 8 12:32:35 10.243.XX.XX named[21826]: queries: client 10.243.YY.YY#43789 (111.236.ZZ.ZZ.in-addr.arpa): query: 111.236.ZZ.ZZ.in-addr.arpa IN PTR + (10.243.ZZ.ZZ)

<30>Jan 8 13:19:27 10.243.XX.XX named[21826]: queries: client 10.32.YY.YY#61494 (corppki.mydomain.dom): query: corppki.mydomain.dom IN A +ED (10.243.XX.XX)

I would split to:

dns server
query client
query destination

I also would put 12:32:35 in timestamp.

I found following link:

but I don't know how to implement it.

Any Idea?

Regards

murlin99 · January 8, 2018, 8:35pm

This could easily be done with a custom grok filter. This document should help with that.

https://www.elastic.co/guide/en/logstash/current/plugins-filters-grok.html

--Bryan Vest

system · February 5, 2018, 8:35pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.