Unstructured DNS logs to grok or dissect

bternyak · October 19, 2018, 9:41am

Hy guys!

I would approciate it if somebody could help me in this problem!
I have DNS server logs, here is how it look:

Oct 19 10:34:39 10.9.0.1 named[24799]: 19-Oct-2018 10:34:39.456 client 193.224.130.162#35702 (50.208.85.209.bl.spamcop.net): query: 50.208.85.209.bl.spamcop.net IN TXT +ED (193.225.151.67)
Oct 19 10:34:39 10.9.0.1 named[24799]: 19-Oct-2018 10:34:39.456 queries: info: client 193.224.130.162#35702 (50.208.85.209.bl.spamcop.net): query: 50.208.85.209.bl.spamcop.net IN TXT +ED (193.225.151.67)
Oct 19 10:34:39 10.9.0.1 named[24799]: 19-Oct-2018 10:34:39.456 client 193.224.130.162#44752 (70.129.224.193.bl.spamcop.net): query: 70.129.224.193.bl.spamcop.net IN TXT +ED (193.225.151.67)
Oct 19 10:34:39 10.9.0.1 named[24799]: 19-Oct-2018 10:34:39.456 queries: info: client 193.224.130.162#44752 (70.129.224.193.bl.spamcop.net): query: 70.129.224.193.bl.spamcop.net IN TXT +ED (193.225.151.67)
Oct 19 10:34:39 10.9.0.1 named[24799]: 19-Oct-2018 10:34:39.459 client 193.224.130.162#18366 (1.128.224.193.list.dnswl.org): query: 1.128.224.193.list.dnswl.org IN A +ED (193.225.151.67)
Oct 19 10:34:39 10.9.0.1 named[24799]: 19-Oct-2018 10:34:39.459 queries: info: client 193.224.130.162#18366 (1.128.224.193.list.dnswl.org): query: 1.128.224.193.list.dnswl.org IN A +ED (193.225.151.67)
Oct 19 10:34:40 10.9.0.1 named[24799]: 19-Oct-2018 10:34:40.238 client 10.9.0.7#58542 (in.appcenter.ms): query: in.appcenter.ms IN A + (10.9.0.1)
Oct 19 10:34:40 10.9.0.1 named[24799]: 19-Oct-2018 10:34:40.238 queries: info: client 10.9.0.7#58542 (in.appcenter.ms): query: in.appcenter.ms IN A + (10.9.0.1)

and because all the lines is not similar to each other, I'm not sure how to handle it with grok or dissect..
What i'm interesting in: The date, The server IP (10.9.0.1), The client IP, and what kind of URL was needed for the client.

Thanks for reading and you help!

Makra · October 19, 2018, 12:45pm

All log lines that you have mentioned will fall in the following pattern, you can further refine it from the performance point of view by removing the GREEDYDATA part from it.

%{MONTH:month} %{MONTHDAY:month_day} %{HOUR:hour}\:%{MINUTE:min}\:%{SECOND:sec} %{IPORHOST:Server_IP} %{GREEDYDATA} client %{IPORHOST:Client_IP}\#%{GREEDYDATA} query: %{GREEDYDATA:URL}

bternyak · October 19, 2018, 1:10pm

Thank you so much for your help Makra!!

system · November 16, 2018, 1:10pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
How to parse DNS log Logstash	1	840	July 26, 2017
DNS Sinkhole Grok filter,need your help Logstash	1	759	September 8, 2017
BIND DNS Pattern Logstash	9	6255	July 6, 2017
My bind9 dns logs dont look like your dns logs, is it filebeat? logstash? Logstash	1	369	July 3, 2019
Grok Pattern DNS Querys send via syslogd Logstash	2	1593	February 5, 2018

Unstructured DNS logs to grok or dissect

Related topics