Splunk Search

How to search Windows DNS logs for FQDN?

CarolinasFan
New Member

Splunk has our Windows DNS lookups as image(7)site(3)com. How do I search for image.site.com?


delink
Communicator

If you want to get a correct field in place without having to modify the existing log file at index-time the way the other answer specifies, you will want to use the following field extraction in props.conf based on the TA included with the Windows Infrastructure app on Splunkbase. You can apply this eval statement to any sourcetype if you've brought in your DNS logs some other way.

[MSAD:NT6:DNS]
EVAL-fqdn=trim(replace(src_domain,"\([0-9]+\)","."),".")

This will replace all of the numbers in parentheses with dots, then trim the dots from the beginning and end so it will match how FQDN is usually represented in other apps and threat lists for correlation.

reswob4
Builder

This is the method I used to set up DNS in Splunk and it works very nicely:

http://stratumsecurity.com/2012/07/03/splunk-security/

trevorQmulos
New Member

reswob4, any chance you can share the information from this site? Looks like it's currently down and I am also trying to get rid of the (3) etc. from my DNS logs.


CarolinasFan
New Member

Thanks - I may be missing something, but is there a way I can format the search criteria without changing how the DNS is indexed?


reswob4
Builder

First question, to make sure we are on the same page: Are you collecting the DNS Trace Logs? If not, you won't be able to do the searches you are talking about. Searching against the logs that Windows DNS records in its own event logs won't get you much information.

Now, if you are collecting the DNS trace logs, here's what I did:

Based on the link above, I created two field extractions:

(from my props.conf)
EXTRACT-Domain = (?i) .*? .(?P<Domain>[-a-zA-Z0-9@:%_+.~#?;//=]{2,256}.[a-z]{2,6})
EXTRACT-src = (?i) Rcv (?P<src>\d+\.\d+\.\d+\.\d+)

These allow me to search by FQDN right in Splunk.

If you want to search directly without changing how it's indexed, you may be able to leverage the regex above in the search parameters.

I suggest you create these under FIELDS --> FIELD EXTRACTIONS for whatever sourcetype is collecting your DNS Trace logs.

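To make the two answers above concrete outside Splunk, here is an added Python example (not code from the thread, the Windows Infrastructure TA, or the linked blog post) that does the same two things: it applies delink's replace-then-trim logic to turn the label-length notation `image(7)site(3)com` into `image.site.com`, and it pulls the client IP and query name out of Windows DNS debug (trace) log lines the way reswob4's EXTRACT-src and EXTRACT-Domain regexes do. The log lines are constructed samples in the general layout of the Windows DNS debug log; the exact column spacing on a real server may differ, so the field names (`src`, `qtype`, `fqdn`) and the line regex are this example's own assumptions. The trim step also removes the trailing `(0)` root label that the trace log appends, which is why the result matches how FQDNs appear in threat lists.

```python
import re
from typing import Optional

# Equivalent of the Splunk eval in delink's answer:
#   EVAL-fqdn=trim(replace(src_domain,"\([0-9]+\)","."),".")
# Replace every "(n)" label-length marker with a dot, then strip the dots
# left at the start and end (the Windows trace log ends names with "(0)").
LABEL_LEN = re.compile(r"\([0-9]+\)")


def fqdn_from_labels(name: str) -> str:
    """'(5)image(4)site(3)com(0)' -> 'image.site.com'"""
    return LABEL_LEN.sub(".", name).strip(".")


# Constructed sample lines (not from the thread) in the layout of the
# Windows DNS debug log: timestamp, thread, PACKET, context, proto,
# Rcv/Snd, client IP, XID, flags, record type, label-encoded name.
SAMPLE_LOG = """\
3/15/2024 10:12:34 AM 0B2C PACKET  000000F1A2B3C4D0 UDP Rcv 192.168.1.25    0002   Q [0001   D   NOERROR] A      (5)image(4)site(3)com(0)
3/15/2024 10:12:35 AM 0B2C PACKET  000000F1A2B3C4E8 UDP Snd 192.168.1.25    0002 R Q [8081   DR  NOERROR] A      (5)image(4)site(3)com(0)
3/15/2024 10:12:36 AM 0B2C PACKET  000000F1A2B3C510 UDP Rcv 10.0.0.7        0003   Q [0001   D   NOERROR] AAAA   (3)api(7)example(3)net(0)
"""

# One regex in the spirit of reswob4's EXTRACT-src / EXTRACT-Domain, but with
# named groups for the direction, client IP, record type and encoded name.
LINE_RE = re.compile(
    r"\b(?P<direction>Rcv|Snd)\s+(?P<src>\d{1,3}(?:\.\d{1,3}){3})"  # client IP after Rcv/Snd
    r".*?\]\s+(?P<qtype>[A-Z0-9]+)\s+"                              # record type, e.g. A / AAAA
    r"(?P<qname>(?:\(\d+\)[^\s()]+)+\(0\))\s*$"                     # label-length encoded name
)


def parse_dns_trace(line: str) -> Optional[dict]:
    """Return the extracted fields for one trace-log line, or None if it does not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return {
        "direction": m["direction"],
        "src": m["src"],
        "qtype": m["qtype"],
        "fqdn": fqdn_from_labels(m["qname"]),  # the searchable dotted name
    }


def received_queries(log: str) -> list:
    """Only the Rcv lines, i.e. queries clients sent to the server."""
    records = []
    for line in log.splitlines():
        rec = parse_dns_trace(line)
        if rec and rec["direction"] == "Rcv":
            records.append(rec)
    return records


def clients_querying(log: str, fqdn: str) -> list:
    """Which client IPs asked for a given FQDN; the search the question is after."""
    return sorted({r["src"] for r in received_queries(log) if r["fqdn"] == fqdn})


if __name__ == "__main__":
    for rec in received_queries(SAMPLE_LOG):
        print(rec)
    print(clients_querying(SAMPLE_LOG, "image.site.com"))
```

In Splunk the same search becomes `sourcetype=<your DNS trace sourcetype> fqdn="image.site.com"` once the EVAL or EXTRACT above is in place; keeping the dotted form as a separate field rather than rewriting the raw event is what lets the original `(n)` notation still be searched when needed.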