How to split DNS request and retrive the domain

mikygee · August 15, 2017, 8:38am

Hello,

I've got a configuration that seems to work fine

filter {
  if [program] == "named" {
    grok {
        break_on_match => true
        patterns_dir => "/etc/logstash/conf.d/patterns"
        match => [ "message", "%{BIND9}" ]
        tag_on_failure => ["named_parsing_failed"]
        remove_tag => ["_grokparsefailure"]
        add_tag => ["DNS"]
    }
  }
}
---
BIND9 client (%{IPV4:dns_client_ip})#(%{NONNEGINT:dns_uuid})?.*query: (%{HOSTNAME:dns_dest}) (%{WORD:dns_type}) (%{WORD:dns_record})?.*\((%{IPV4:dns_server})\)

But ! retrieve the field dns_dest = play.google.com and I would like to isolate the domain google.com
I'd prefer not to touch the grok pattern and keep dns_dest, and using it thereafter to extract the domain.

How should I do that ?

Thank you

mikygee · August 17, 2017, 11:46am

I've tried to insert a new grok stanza but it doesn't work. In my test I just try to extract the tld field

filter {
  if [program] == "named" {
    grok {
        break_on_match => true
        patterns_dir => "/etc/logstash/conf.d/patterns"
        match => [ "message", "%{BIND9}" ]

    grok {
      match => [ "dns_record", ".*\.%{WORD:tld}$" ]
    }

        tag_on_failure => ["named_parsing_failed"]
        remove_tag => ["_grokparsefailure"]
        add_tag => ["DNS"]
    }
  }
}

Should I use grok ? or kv ?

system · September 14, 2017, 11:47am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Split field in elastic Logstash	7	284	July 15, 2021
Extract domain with grok Logstash	2	752	January 13, 2022
Grok patterns for BIND DNS server Logstash	5	4715	July 6, 2017
Split FQDN Logstash	3	899	March 9, 2021
Split grok pattern Logstash	3	2827	July 6, 2017

How to split DNS request and retrive the domain

Related topics