Hi,
we have a DNS server and send all dns queries to logstash / elastic.
The message line seems to be like this:
<30>Jan 8 12:32:35 10.243.XX.XX named[21826]: queries: client 10.243.YY.YY#43789 (111.236.ZZ.ZZ.in-addr.arpa): query: 111.236.ZZ.ZZ.in-addr.arpa IN PTR + (10.243.ZZ.ZZ)
<30>Jan 8 13:19:27 10.243.XX.XX named[21826]: queries: client 10.32.YY.YY#61494 (corppki.mydomain.dom): query: corppki.mydomain.dom IN A +ED (10.243.XX.XX)
I would split to:
- dns server
- query client
- query destination
I also would put 12:32:35 in timestamp.
I found following link:
but I don't know how to implement it.
Any Idea?
Regards