topic Re: How to search Windows DNS logs for FQDN? in Splunk Search

How to search Windows DNS logs for FQDN?

CarolinasFan — Thu, 29 Jan 2015 19:38:55 GMT

Splunk has our Windows DNS lookups as image(7)site(3)com. How do I search for image.site.com?

Re: How to search Windows DNS logs for FQDN?

reswob4 — Thu, 29 Jan 2015 20:04:03 GMT

This is the method I used to set up the DNS in splunk and it works very nicely

http://stratumsecurity.com/2012/07/03/splunk-security/

Re: How to search Windows DNS logs for FQDN?

CarolinasFan — Thu, 29 Jan 2015 20:25:20 GMT

Thanks - I may be missing something, but is there a way I can format the search criteria without changing how the DNS is indexed?

Re: How to search Windows DNS logs for FQDN?

reswob4 — Thu, 29 Jan 2015 20:52:34 GMT

First question, to make sure we are on the same page: Are you collecting the DNS Trace Logs? If not, you won't be able to do the searches you are talking about. Searching against the logs Windows DNS records in its own eventlogs won't get you much information.

Now, if you are collecting the DNS trace logs, here's what I did:

Based on the link above, I created two field extractions:

(from my props.conf)
EXTRACT-Domain = (?i) .*? .(?P[-a-zA-Z0-9@:%_+.~#?;//=]{2,256}.[a-z]{2,6})
EXTRACT-src = (?i) Rcv (?P\d+.\d+.\d+.\d+)

These allow me to search by FQDN right in splunk.

If you want to search directly without changing how it's indexed, you may be able to leverage the regex above in the search parameters.

I suggest you create these under FIELDS --> FIELD EXTRACTIONS for whatever sourcetype is collecting your DNS Trace logs.

Re: How to search Windows DNS logs for FQDN?

delink — Wed, 09 Sep 2015 18:58:14 GMT

If you want to get a correct field in place without having to modify the existing log file at index-time the way the other answer specifies, you will want to use the following field extraction in props.conf based on the TA included with the Windows Infrastructure app on Splunkbase. You can apply this eval statement to any sourcetype if you've brought in your DNS logs some other way.

[MSAD:NT6:DNS]
EVAL-fqdn=trim(replace(src_domain,"\([0-9]+\)","."),".")

This will replace all of the numbers in parentheses with dots, then trim the dots from the beginning and end so it will match how FQDN is usually represented in other apps and threat lists for correlation.

Re: How to search Windows DNS logs for FQDN?

trevorQmulos — Tue, 11 Jul 2017 00:04:04 GMT

reswob4, any chance you can share the information from this site? Looks like its currently down and I am also trying to get rid of the (3) etc from my DNS logs.

Re: How to search Windows DNS logs for FQDN?

reswob4 — Thu, 13 Jul 2017 17:22:13 GMT

Whoa.. That whole site is gone.

Thank God for Internet Archive:

http://web.archive.org/web/20120717052050/http://www.stratumsecurity.com:80/2012/07/03/splunk-security/