Hi Guys,
I am bit stuck up in parsing BIND DNS logs and need help since something is wrong and patterns are not being matched.
Here is the log
27-Nov-2017 18:57:19.747 client 10.1.1.10#53338 (ericweb.co.za): query: ericweb.co.za IN A +E (10.1.1.33)
and here are my parsers
(?%{MONTHDAY}-%{MONTH}-%{YEAR} %{TIME}) client %{IPORHOST:clientip}#%{NUMBER:port}: query: (?[a-z0-9-]+.[a-z0-9-]+\S+) IN %{WORD:recType} + (%{IPORHOST:DNSIP})
Can someone please help?
It looks like you've forgotten to match " (ericweb.co.za)" between the port number and "query: ".
Hmm..have facing challenges and need help with. I am not able to map DAYMONTH which is beginning at the line. And then brackets at the end for IP addresses.
client 10.1.1.10#53338 (ericweb.co.za): query: ericweb.co.za IN A (10.1.1.33)
client %{IPV4:clientip}#%{POSINT:clientport} (%{GREEDYDATA:query}): query: %{GREEDYDATA:Target} IN %{GREEDYDATA:querytype} (%{IPV4:src_ip}) --> This does not match
And with this
client 10.1.1.10#53338 (ericweb.co.za): query: ericweb.co.za IN A 10.1.1.33
It matches perfectly -->
client %{IPV4:clientip}#%{POSINT:clientport} (%{GREEDYDATA:query}): query: %{GREEDYDATA:Target} IN %{GREEDYDATA:querytype} (%{IPV4:src_ip})
Any clue how do I match dates & those brackets?
OK Able to resolve my second issue with this
client %{IPV4:clientip}#%{POSINT:clientport} (%{GREEDYDATA:query}): query: %{GREEDYDATA:Target} IN %{GREEDYDATA:querytype} ((%{IPV4:src_ip}))
Now the only issue is with date
I guess even that worked
%{MONTHDAY}-%{MONTH}-%{YEAR} %{TIME} client %{IPV4:clientip}#%{POSINT:clientport} (%{GREEDYDATA:query}): query: %{GREEDYDATA:Target} IN %{GREEDYDATA:querytype} ((%{IPV4:src_ip}))
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.