Hi guys!
I would appreciate it if somebody could help me with this problem!
I have DNS server logs; here is how they look:
Oct 19 10:34:39 10.9.0.1 named[24799]: 19-Oct-2018 10:34:39.456 client 193.224.130.162#35702 (50.208.85.209.bl.spamcop.net): query: 50.208.85.209.bl.spamcop.net IN TXT +ED (193.225.151.67)
Oct 19 10:34:39 10.9.0.1 named[24799]: 19-Oct-2018 10:34:39.456 queries: info: client 193.224.130.162#35702 (50.208.85.209.bl.spamcop.net): query: 50.208.85.209.bl.spamcop.net IN TXT +ED (193.225.151.67)
Oct 19 10:34:39 10.9.0.1 named[24799]: 19-Oct-2018 10:34:39.456 client 193.224.130.162#44752 (70.129.224.193.bl.spamcop.net): query: 70.129.224.193.bl.spamcop.net IN TXT +ED (193.225.151.67)
Oct 19 10:34:39 10.9.0.1 named[24799]: 19-Oct-2018 10:34:39.456 queries: info: client 193.224.130.162#44752 (70.129.224.193.bl.spamcop.net): query: 70.129.224.193.bl.spamcop.net IN TXT +ED (193.225.151.67)
Oct 19 10:34:39 10.9.0.1 named[24799]: 19-Oct-2018 10:34:39.459 client 193.224.130.162#18366 (1.128.224.193.list.dnswl.org): query: 1.128.224.193.list.dnswl.org IN A +ED (193.225.151.67)
Oct 19 10:34:39 10.9.0.1 named[24799]: 19-Oct-2018 10:34:39.459 queries: info: client 193.224.130.162#18366 (1.128.224.193.list.dnswl.org): query: 1.128.224.193.list.dnswl.org IN A +ED (193.225.151.67)
Oct 19 10:34:40 10.9.0.1 named[24799]: 19-Oct-2018 10:34:40.238 client 10.9.0.7#58542 (in.appcenter.ms): query: in.appcenter.ms IN A + (10.9.0.1)
Oct 19 10:34:40 10.9.0.1 named[24799]: 19-Oct-2018 10:34:40.238 queries: info: client 10.9.0.7#58542 (in.appcenter.ms): query: in.appcenter.ms IN A + (10.9.0.1)
and because the lines are not all similar to each other, I'm not sure how to handle them with grok or dissect.
What I'm interested in: the date, the server IP (10.9.0.1), the client IP, and what kind of URL the client needed.
Thanks for reading and for your help!
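As an added example (not from the poster or from Logstash), here is a Python parser for the two line variants shown above: one regex covers both by making the `queries: info:` prefix an optional group, which is the same trick a grok pattern needs, and it extracts the date, server IP, client IP and queried name. The sample lines and field names are assumptions constructed from the shape of the post's lines; the dedupe step assumes the bare and `queries: info:` lines are the same event logged to two channels.

```python
import re
from datetime import datetime

# Constructed sample (same shape as the post): BIND logs each query twice,
# once bare and once with the "queries: info:" category/severity prefix.
SAMPLE_LINES = [
    "Oct 19 10:34:39 10.9.0.1 named[24799]: 19-Oct-2018 10:34:39.456 client 193.224.130.162#35702 "
    "(50.208.85.209.bl.spamcop.net): query: 50.208.85.209.bl.spamcop.net IN TXT +ED (193.225.151.67)",
    "Oct 19 10:34:39 10.9.0.1 named[24799]: 19-Oct-2018 10:34:39.456 queries: info: client 193.224.130.162#35702 "
    "(50.208.85.209.bl.spamcop.net): query: 50.208.85.209.bl.spamcop.net IN TXT +ED (193.225.151.67)",
    "Oct 19 10:34:40 10.9.0.1 named[24799]: 19-Oct-2018 10:34:40.238 client 10.9.0.7#58542 "
    "(in.appcenter.ms): query: in.appcenter.ms IN A + (10.9.0.1)",
]

# One pattern for both variants: the category/severity prefix is an optional group.
BIND_QUERY = re.compile(
    r"^(?P<syslog_ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<server_ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"named\[(?P<pid>\d+)\]: "
    r"(?P<bind_ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"(?:(?P<category>\w+): (?P<severity>\w+): )?"  # absent on the bare variant
    r"client (?P<client_ip>[0-9a-fA-F.:]+)#(?P<client_port>\d+) "
    r"\((?P<qname>[^)]*)\): query: (?P<query>\S+) "
    r"(?P<qclass>\S+) (?P<qtype>\S+) (?P<flags>\S+) "
    r"\((?P<dst_ip>[0-9a-fA-F.:]+)\)$"
)

def parse_bind_query(line):
    # Returns a dict of named fields, or None for a line that is not a query record.
    m = BIND_QUERY.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    # Use the BIND timestamp (it carries the year and milliseconds) as the event time.
    ts = datetime.strptime(rec["bind_ts"], "%d-%b-%Y %H:%M:%S.%f")
    rec["timestamp"] = ts.isoformat(timespec="milliseconds")
    rec["client_port"] = int(rec["client_port"])
    return rec

def dedupe_queries(lines):
    # Parse all lines and collapse the bare/category pair of one query into one record.
    seen, out = set(), []
    for line in lines:
        rec = parse_bind_query(line)
        if rec is None:
            continue
        key = (rec["bind_ts"], rec["client_ip"], rec["client_port"], rec["query"], rec["qtype"])
        if key not in seen:
            seen.add(key)
            out.append(rec)
    return out
```

Lines that do not match (startup messages, zone transfers) return None rather than raising, so the parser can be run over a whole file and the unmatched lines counted separately.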