I am trying to use the Splunk for DNS App. Most of the saved searches work based on a regexp which searches for a "DNS_Type"-field. I guess it's trying to match the type of log-message (client query, xfer, etc.) to something meaningful.
For me this regexp does not match appropriately and thus renders this App almost useless. Anyone else tried to use this app to any successful extent?
I am definitely not a regexp-pro and thus unable to fix this issue on my own. 😞
From what I guess the regexp is trying to strip off the beginning of the log-line up to the first word which is followed by a colon whereas this word is then considered the "DNS_Type". A few examples in my case would be general, database, resolver, security.
A typical bunch of log-lines would look like this:
Aug 13 19:06:57 server.domain.net Aug 13 19:06:57 server 13-Aug-2013 19:06:57.696 queries: info: client 123.123.123.123#34786: view this_view: query: some.domain.tld IN A +
Aug 13 18:38:07 server.domain.net Aug 13 18:38:07 server 13-Aug-2013 18:38:06.927 update-security: error: client 123.123.123.123#61322: view that_view: update '123.123.123.IN-ADDR.ARPA/IN' denied
Aug 13 19:02:02 server2.domain.net Aug 13 19:02:02 named[81975]: 13-Aug-2013 19:02:02.727 security: info: client 41.218.82.208#60393: view that_view: query (cache) 'some.domain.tld/A/IN' denied
Aug 13 19:02:02 server2.domain.net Aug 13 19:02:02 named[81975]: 13-Aug-2013 19:02:02.532 resolver: debug 1: createfetch: 123.123.123.123.in-addr.arpa PTR
Aug 13 18:57:59 server2.domain.net Aug 13 18:57:59 named[81975]: 13-Aug-2013 18:57:59.963 xfer-in: info: transfer of 'domain.tld/IN/this_view' from 123.123.123.123#53: Transfer completed: 0 messages, 0 records, 0 bytes, 0.001 secs (0 bytes/sec)
Any help to fix that regexp would be appreciated.
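Added example (not from the question or from the Splunk for DNS app): a Python extraction that does what the question describes, anchoring on the BIND timestamp and taking the first colon-terminated word after it as `DNS_Type`, run over the question's own sample lines. It also splits out the severity and the message and counts `denied` events per client, which is the field a defender usually wants next; the field names and helper functions are my own choices.

```python
import re

# The five log lines from the question, embedded so the example runs offline.
SAMPLE_LOGS = """\
Aug 13 19:06:57 server.domain.net Aug 13 19:06:57 server 13-Aug-2013 19:06:57.696 queries: info: client 123.123.123.123#34786: view this_view: query: some.domain.tld IN A +
Aug 13 18:38:07 server.domain.net Aug 13 18:38:07 server 13-Aug-2013 18:38:06.927 update-security: error: client 123.123.123.123#61322: view that_view: update '123.123.123.IN-ADDR.ARPA/IN' denied
Aug 13 19:02:02 server2.domain.net Aug 13 19:02:02 named[81975]: 13-Aug-2013 19:02:02.727 security: info: client 41.218.82.208#60393: view that_view: query (cache) 'some.domain.tld/A/IN' denied
Aug 13 19:02:02 server2.domain.net Aug 13 19:02:02 named[81975]: 13-Aug-2013 19:02:02.532 resolver: debug 1: createfetch: 123.123.123.123.in-addr.arpa PTR
Aug 13 18:57:59 server2.domain.net Aug 13 18:57:59 named[81975]: 13-Aug-2013 18:57:59.963 xfer-in: info: transfer of 'domain.tld/IN/this_view' from 123.123.123.123#53: Transfer completed: 0 messages, 0 records, 0 bytes, 0.001 secs (0 bytes/sec)
"""

# Anchor on BIND's own timestamp (DD-Mon-YYYY HH:MM:SS.mmm) rather than on the
# syslog prefix, because that prefix differs between "server" and "named[81975]:".
BIND_LINE = re.compile(
    r"(?P<bind_ts>\d{2}-[A-Za-z]{3}-\d{4}\s\d{2}:\d{2}:\d{2}\.\d{3})\s+"
    r"(?P<DNS_Type>[\w-]+):\s+"            # BIND category: queries, security, xfer-in, ...
    r"(?P<severity>\w+(?:\s\d+)?):\s+"     # info, error, or a level such as "debug 1"
    r"(?P<message>.*)$"
)
# "client <ip>#<port>" as BIND writes it inside the message.
CLIENT = re.compile(r"client (?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+)")


def parse_bind_line(line):
    """Return the extracted fields as a dict, or None if the line is not a BIND message."""
    m = BIND_LINE.search(line)
    return m.groupdict() if m else None


def dns_type_counts(lines):
    """Count lines per DNS_Type, i.e. the field the app's saved searches key on."""
    counts = {}
    for line in lines:
        fields = parse_bind_line(line)
        if fields is not None:
            counts[fields["DNS_Type"]] = counts.get(fields["DNS_Type"], 0) + 1
    return counts


def denied_by_client(lines):
    """Count refused queries/updates per client IP: a simple base for an alert."""
    counts = {}
    for line in lines:
        fields = parse_bind_line(line)
        if fields is None or not fields["message"].endswith("denied"):
            continue
        c = CLIENT.search(fields["message"])
        if c:
            counts[c["ip"]] = counts.get(c["ip"], 0) + 1
    return counts
```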
Your sample log entries don't contain named in the prefix for query or update. ALL log transactions from the DNS server MUST be prefixed with BIND-DNS, otherwise the application will not work.
This seems to work
(?:\d{2}:\d{2}:\d{2}.\d{3}\s)(?P
That seems to be working. Will see how it integrates into the app. Thank you!
Oh I see what happened. The forum system removed the back slashes. Put them in front of the d's, the period, the s and the colons. I pasted it again below but with double slashes this time to see if it posts it properly.
(?:\d{2}\:\d{2}\:\d{2}\.\d{3}\s)(?P
I tried to run this against my logs. Not one single match, unfortunately.