Hi All,
I have a question about parsing logs from a DNS server.
Sample of DNS logs:
message: 3. 11. 2019 12:33:14 0958 PACKET 000000C97B8371C0 UDP Snd 192.168.5.202 4cbf Q [0000 NOERROR] SOA (4)mell(2)com(0)
GROK:
%{MS_DNS_DATE:date}\s+%{TIME:time}\s+%{DATA:thread_id}\s+%{WORD:record_type}\s+%{BASE16NUM:packet_id}\s+%{WORD:dns_protocol}\s+%{WORD:dns_direction}\s+%{IP:dns_ip}\s+%{BASE16NUM:xid}\s+%{DATA:response}\s+%{WORD:dns_query_type}\s+\[%{BASE16NUM:hex_flags}\s+%{WORD:rcode_name}\]\s+%{WORD:query_type_name}\s+%{GREEDYDATA:dns_domain}
It was successfully parsed. I am using \s+ to catch one or more spaces. I don't understand why the following message is parsed wrong.
2. 11. 2019 19:31:12 A08 Note: got GQCS failure on a dead socket context status=995, socket=532, pcon=000000C9772D4180, state=-1, IP=0.0.0.0
%{MS_DNS_DATE:date}\s+%{TIME:time}\s+%{DATA:thread_id}\s+%{WORD:record_type}\s+%{GREEDYDATA:description}
Result of this is:
{
"date": "2. 11. 2019",
"thread_id": "A08 Note:",
"description": "GQCS failure on a dead socket context status=995, socket=532, pcon=000000C9772D4180, state=-1, IP=0.0.0.0",
"time": "19:31:12",
"record_type": "got"
}
There is a space between A08 and Note:, so it should parse it into the fields:
thread_id: A08
record_type: Note:
Thanks
Jan