I need to write a grok filter for bind9 DNS logs. A sample log line looks like this:
17-Feb-2018 23:06:56.326 queries: info: client @0x563d72c3ea20 172.26.0.1#34564 (test.example.com): query: test.example.com IN A +E(0)K (172.26.0.3)
I validated the following pattern on grokconstructor, where it successfully matches the log line above:
filter {
  grok {
    match => { "message" => "%{TIMESTAMP_ISO8601:logdate} queries: info: client @0x.{16} %{IP:source_ip}#(?<source_port>[0-9]+) \(%{HOSTNAME:query}\): query: .*$" }
  }
  date {
    match => ["logdate", "dd-MMM-yyyy HH:mm:ss.SSS"]
  }
}
But in Kibana my logs are tagged with _grokparsefailure and are not parsed.
Answer 0: (score: 1)
As @baudsp suggested, you need to create a custom pattern for the BIND9 log. To do that, you first need to know what each field actually means:
The query log entry first reports a client object identifier in @0x format. Next, it reports the client's IP address and port number, and the query name, class and type. Next, it reports whether the Recursion Desired flag was set (+ if set, - if not set), if the query was signed (S), EDNS was in use along with the EDNS version number (E(#)), if TCP was used (T), if DO (DNSSEC Ok) was set (D), if CD (Checking Disabled) was set (C), if a valid DNS Server COOKIE was received (V), or if a DNS COOKIE option without a valid Server COOKIE was present (K). After this, the destination address the query was sent to is reported. Note: this reflects the behaviour of BIND 9.11.0.
So for your BIND9 query log,
17-Feb-2018 23:06:56.326 queries: info: client @0x563d72c3ea20 172.26.0.1#34564 (test.example.com): query: test.example.com IN A +E(0)K (172.26.0.3)
the pattern would be:
%{MONTHDAY:day}[-]%{MONTH}[-]%{YEAR}\s*%{TIME}\s*%{WORD:queries}[:]\s*%{WORD:info}[:]\s*%{WORD:client}\s*%{DATA:client_data}\s*%{IP:client_ip}[#]%{NUMBER:client_port}\s*\(%{HOSTNAME}\)[:]\s*query:\s*%{HOSTNAME:query_value}\s*%{WORD}\s*%{WORD:record_type}\s*%{NOTSPACE:misc}\s*\(%{IP:destination}\)
This produces the following output:
{
"day": [
[
"27"
]
],
"MONTH": [
[
"Feb"
]
],
"YEAR": [
[
"2018"
]
],
"TIME": [
[
"23:06:56.326"
]
],
"HOUR": [
[
"23"
]
],
"MINUTE": [
[
"06"
]
],
"SECOND": [
[
"56.326"
]
],
"queries": [
[
"queries"
]
],
"info": [
[
"info"
]
],
"client": [
[
"client"
]
],
"client_data": [
[
"@0x563d72c3ea20"
]
],
"client_ip": [
[
"172.26.0.1"
]
],
"IPV6": [
[
null,
null
]
],
"IPV4": [
[
"172.26.0.1",
"172.26.0.3"
]
],
"client_port": [
[
"34564"
]
],
"BASE10NUM": [
[
"34564"
]
],
"HOSTNAME": [
[
"test.example.com"
]
],
"query_value": [
[
"test.example.com"
]
],
"WORD": [
[
"IN"
]
],
"record_type": [
[
"A"
]
],
"misc": [
[
"+E(0)K"
]
],
"destination": [
[
"172.26.0.3"
]
]
}
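The same BIND9 query-log line parsed outside Logstash, as an added example that is not part of the question or the answer: a plain Ruby (Oniguruma, the same regex engine grok uses) pattern that mirrors the answer's fields, plus a decoder for the flags field ("+E(0)K") following the BIND documentation quoted in the answer, so that things like DNSSEC OK, Checking Disabled or TCP can be queried as their own fields rather than hidden in one "misc" string. Field names such as qname_client and client_obj are my own choice, and the helper functions are assumed, not Logstash or BIND API.

```ruby
# Added example; field names such as qname_client and client_obj are my own choice.
BIND_QUERY = /\A
  (?<timestamp>\d{2}-[A-Za-z]{3}-\d{4}\s\d{2}:\d{2}:\d{2}\.\d{3})\s
  queries:\s(?<level>\w+):\sclient\s
  (?<client_obj>@0x[0-9a-fA-F]+)\s
  (?<client_ip>[0-9a-fA-F.:]+)\#(?<client_port>\d+)\s
  \((?<qname_client>[^)]*)\):\squery:\s
  (?<qname>\S+)\s(?<qclass>\w+)\s(?<qtype>\w+)\s
  (?<flags>\S+)\s\((?<destination>[^)]+)\)
\z/x

# Single-letter flags that follow the leading +/- (Recursion Desired), per the
# BIND 9.11 documentation quoted in the answer.
FLAG_NAMES = {
  'S' => :signed, 'T' => :tcp, 'D' => :dnssec_ok, 'C' => :checking_disabled,
  'V' => :valid_server_cookie, 'K' => :cookie_without_valid_server_cookie
}.freeze

def decode_flags(flags)
  rd, rest = flags[0], flags[1..-1]
  raise ArgumentError, "flags must start with + or -: #{flags}" unless %w[+ -].include?(rd)
  out = { recursion_desired: rd == '+', edns_version: nil }
  FLAG_NAMES.each_value { |name| out[name] = false }
  # E(#) carries the EDNS version number; every other token is a single letter.
  rest.scan(/E\((\d+)\)|([STDCVK])/) do |edns, letter|
    if edns then out[:edns_version] = edns.to_i else out[FLAG_NAMES[letter]] = true end
  end
  leftover = rest.gsub(/E\(\d+\)|[STDCVK]/, '')
  raise ArgumentError, "unknown flag text #{leftover.inspect} in #{flags}" unless leftover.empty?
  out
end

# Returns a hash of fields, or nil for a line that does not match (the case
# Logstash reports by tagging the event _grokparsefailure).
def parse_query_line(line)
  m = BIND_QUERY.match(line)
  return nil unless m
  fields = m.named_captures
  fields['client_port'] = fields['client_port'].to_i
  fields.merge('flags_decoded' => decode_flags(fields['flags']))
end

# Constructed sample, identical to the line in the question.
SAMPLE = '17-Feb-2018 23:06:56.326 queries: info: client @0x563d72c3ea20 ' \
         '172.26.0.1#34564 (test.example.com): query: test.example.com IN A +E(0)K (172.26.0.3)'
puts parse_query_line(SAMPLE).inspect if __FILE__ == $PROGRAM_NAME
```

A line that does not match returns nil instead of raising, mirroring how Logstash keeps the event and tags it rather than dropping it.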