How to split DNS request and retrive the domain

mikygee · August 15, 2017, 8:38am

Hello,

I've got a configuration that seems to work fine

filter {
  if [program] == "named" {
    grok {
        break_on_match => true
        patterns_dir => "/etc/logstash/conf.d/patterns"
        match => [ "message", "%{BIND9}" ]
        tag_on_failure => ["named_parsing_failed"]
        remove_tag => ["_grokparsefailure"]
        add_tag => ["DNS"]
    }
  }
}
---
BIND9 client (%{IPV4:dns_client_ip})#(%{NONNEGINT:dns_uuid})?.*query: (%{HOSTNAME:dns_dest}) (%{WORD:dns_type}) (%{WORD:dns_record})?.*\((%{IPV4:dns_server})\)

But ! retrieve the field dns_dest = play.google.com and I would like to isolate the domain google.com
I'd prefer not to touch the grok pattern and keep dns_dest, and using it thereafter to extract the domain.

How should I do that ?

Thank you

mikygee · August 17, 2017, 11:46am

I've tried to insert a new grok stanza but it doesn't work. In my test I just try to extract the tld field

filter {
  if [program] == "named" {
    grok {
        break_on_match => true
        patterns_dir => "/etc/logstash/conf.d/patterns"
        match => [ "message", "%{BIND9}" ]

    grok {
      match => [ "dns_record", ".*\.%{WORD:tld}$" ]
    }

        tag_on_failure => ["named_parsing_failed"]
        remove_tag => ["_grokparsefailure"]
        add_tag => ["DNS"]
    }
  }
}

Should I use grok ? or kv ?

system · September 14, 2017, 11:47am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.