Parsing DNS Logs from GCP Cloud

Elastic Stack Logstash
1

Is there a parser for the DNS logs in Logstash? I've noticed some of my logs are not being parsed, the ones with multiple lines. This shows up as a single field. How can I parse it?

jsonPayload.rdata	google.com.	299	IN	a	172.217.214.113
                    google.com.	299	IN	a	172.217.214.101
                    google.com.	299	IN	a	172.217.214.138
                    google.com.	299	IN	a	172.217.214.100
                    google.com.	299	IN	a	172.217.214.102
                    google.com.	299	IN	a	172.217.214.139
2

If you receive that as a single event and want to extract the 6 entries then you can do it using ruby and scan. See here for an example.

3

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.