topic Re: How can I extract a domain name from a Windows 2008 DNS Debug Log in Getting Data In

How can I extract a domain name from a Windows 2008 DNS Debug Log

bill_dishman — Wed, 24 Oct 2012 18:04:12 GMT

New to SPLUNK but so far its great!

I have a Windows 2008 DNS debug log that contains domain names. I need to define a field DOMAIN so I can extract these domain names and compare them to a watchlist of known botnet domains. Nothing new i dont think. My records look like below.

My10/24/2012 1:46:58 PM 077C PACKET 0000000003AF6580 UDP Rcv 10.41.72.18 31a0 Q [0001 D NOERROR] A .ixa-mar11.global.amec.com.

10/24/2012 1:44:00 PM 077C PACKET 0000000003A0DB50 UDP Snd 195.59.44.133 1275 Q [1000 NOERROR] A .fpdownload.macromedia.com.edgekey.net.

I am trying to use the built in SPLUNK > Extract Fields but it has a problem with the variable length domain names. I cannot generate a REGEX command to do this for me to save me. Since the domain names can be variable in lenght i just cant get it.

Any help would be tremedously appreciated.

Re: How can I extract a domain name from a Windows 2008 DNS Debug Log

bmacias84 — Wed, 24 Oct 2012 18:13:38 GMT

I would match from the right. I've tested this with Regex Buddy with sample set you provided.



.(?P<dc_name>[^\s]+)$



                                                                  start    Length

Match 1:     .ixa-mar11.global.amec.com.                       114      28

Match 2:     .fpdownload.macromedia.com.edgekey.net.       256      40

Hope this helps or gets you started.

Re: How can I extract a domain name from a Windows 2008 DNS Debug Log

bill_dishman — Wed, 24 Oct 2012 18:37:33 GMT

Thanks for the help. I am really new to this. So i went back to SPLUNK>Extract and put what you have given me into the "Generated pattern (regex)" where i can EDIT it .. and I now have this:
(?i) A .(?P[^s]+)$

fieldname = your dc_name

When i APPLY this, or TEST it, it shows me my data, and hightlights the matches , but only shows me highlighted domain names but not all of them in the data set.
Sorry i dont know much about this. First time. Do you think i am good??????? Looks good.

And. Thank you very very much

Re: How can I extract a domain name from a Windows 2008 DNS Debug Log

bmacias84 — Wed, 24 Oct 2012 18:52:58 GMT

Not sure if I understand what you mean by all of them in the dataset. If the field extractor is not highlighting all domain names in your data set then the regex should be rewritten/modified for your needs. Given your limited sample it dificult to build a regex for all possiblities.

I would recommend purchasing a product like RegEx Buddy and visiting http://www.regular-expressions.info which has great info. I still reference occationaly.

Sorry if I couldn't be of more assitance to you.

Re: How can I extract a domain name from a Windows 2008 DNS Debug Log

bill_dishman — Wed, 24 Oct 2012 19:44:41 GMT

I just dont see my domain field in all records in a search.

56 » 10/24/110/24/2012 2:10:51 PM 077C PACKET 0000000003592E80 UDP Rcv 10.41.72.18 df51 Q [0001 D NOERROR] A .avamericas2.global.amec.com.host=ATT1-DNS1 Options| sourcetype=WINDNS Options| source=C:\dns.log Options

57 » 10/24/12
2:01:58.000 PM 10/24/2012 2:01:58 PM 077C PACKET UDP Snd 217.19.248.20 6688 Q [1000 NOERROR] A .ixa-mar11.global.amec.com.host=ATT1-DNS1 Options| sourcetype=WINDNS Options| source=C:\dns.log Options| domain=ixa-mar11.global.amec.com. Options

Re: How can I extract a domain name from a Windows 2008 DNS Debug Log

bill_dishman — Wed, 24 Oct 2012 19:45:09 GMT

You have been a great help.. much closer than i was and learing a few things! take care

Re: How can I extract a domain name from a Windows 2008 DNS Debug Log

bmacias84 — Mon, 28 Sep 2020 12:41:15 GMT

@bill_dishman, Here are some variations of the regex statement. Thy all work with the samples your provided from you comment and your question. Its possible you have a char or whitespace that I am not accounting for Hope this helps.

Don't foget to thumbs up or accepts answer on the board.

Cheers.



(?ims).(?P<dc_name>[^\s]+)(?:(?:\s{0})|\s+)$

(?ims)\s.{0,1}(?P[^\s]+)(?:(?:\s{0})|\s+)$

(?ims).{0,1}(?P[^\s]+)(?:(?:\s{0})|\s+)$

Re: How can I extract a domain name from a Windows 2008 DNS Debug Log

BP9906 — Tue, 12 Feb 2013 23:35:52 GMT

The problem with the above answers is that 2008 R2+ servers log in a format like:
2/12/2013 3:33:47 PM 17D4 PACKET 0000000004236180 UDP Rcv 10.1.1.1 4666 Q [0001 D NOERROR] A (4)host(9)subdomain(7)domain(3)com(0)
So you have to extract it and take into account the (#) that counts the characters provided.

Re: How can I extract a domain name from a Windows 2008 DNS Debug Log

bmacias84 — Wed, 13 Feb 2013 17:27:26 GMT

@BP9906, simply modify the regex statment to meet your needs. My regexes are only written to meet the samples provided.