All Apps and Add-ons

Defining the multiple source type from single file (we are using the add-on Splunk Add-on for ISC BIND)

sumitkathpal
Explorer

Hi All,

As per Splunk Add-on for ISC BIND dns query and dns errors logs should be in different file however we have single file which has query and error logs together .

Issue is what sourcetype should we define so that sourcetype are tagged based on the query or error logs.

Current scenario :
query logs and error logs are written into single file . Let's say dns.logs

Now in input.conf on Heavy Forwader

[monitor:///opt/syslog-data/dnsserver/dns.log]
host_regex = .\/(.)\/\d\d\d\d-\d\d-\d\d.log
sourcetype = [what sourcetype should i define here ]

props.conf

[isc:bind:query]
REPORT-1_extract_field = isc_bind_query_extract_field_0
EVAL-message_type = "Query"
EVAL-query_type = "Query"
EVAL-vendor_product = "ISC:Bind"
LOOKUP-2_look_up_extract = isc_bind_severities_lookup vendor_severity OUTPUT severity
LOOKUP-3_look_up_extract = isc_bind_category_lookup sourcetype OUTPUT vendor_category

[isc:bind:queryerror]
REPORT-1_extract_field = isc_bind_queryerror_extract_field_0
EVAL-message_type = "Response"
EVAL-vendor_product = "ISC:Bind"
LOOKUP-2_look_up_extract = isc_bind_severities_lookup vendor_severity OUTPUT severity
LOOKUP-3_look_up_extract = isc_bind_category_lookup sourcetype OUTPUT vendor_category
LOOKUP-4_look_up_extract = isc_bind_reply_code_lookup response_code OUTPUT reply_code

[isc:bind:lameserver]
REPORT-1_extract_field = isc_bind_lameserver_extract_field_0
EVAL-app = "ISC:Bind"
EVAL-type = "alert"
LOOKUP-2_look_up_extract = isc_bind_severities_lookup vendor_severity OUTPUT severity
LOOKUP-3_look_up_extract = isc_bind_category_lookup sourcetype OUTPUT vendor_category

[isc:bind:network]
REPORT-1_extract_field = isc_bind_network_extract_field_0
REPORT-3_extract_field = isc_bind_network_extract_field_2
EVAL-ip = CASE(match(ip, "::"), "127.0.0.1", match(ip, ".*"), ip)
LOOKUP-4_look_up_extract = isc_bind_severities_lookup vendor_severity OUTPUT severity
LOOKUP-5_look_up_extract = isc_bind_category_lookup sourcetype OUTPUT vendor_category
LOOKUP-6_look_up_extract = isc_bind_action_lookup vendor_action OUTPUT action

[isc:bind:transfer]
REPORT-1_extract_field = isc_bind_transfer_extract_field_0
REPORT-3_extract_field = isc_bind_transfer_extract_field_2
REPORT-5_extract_field = isc_bind_transfer_extract_field_4
REPORT-7_extract_field = isc_bind_transfer_extract_field_6
EVAL-message_type = CASE(match(vendor_action, "sending notifies|sending notify to|notify to"), "Query", match(vendor_action, "notify response from"), "Response")
EVAL-query_type = CASE(match(vendor_action, "sending notifies|sending notify to|notify to"), "Notify")
EVAL-vendor_product = "ISC:Bind"
LOOKUP-8_look_up_extract = isc_bind_severities_lookup vendor_severity OUTPUT severity
LOOKUP-9_look_up_extract = isc_bind_category_lookup sourcetype OUTPUT vendor_category
LOOKUP-10_look_up_extract = isc_bind_action_lookup vendor_action OUTPUT action
LOOKUP-11_look_up_extract = isc_bind_reply_code_lookup response_code OUTPUT reply_code

transforms.conf

[isc_bind_query_extract_field_0]
REGEX = (?:\s+queries:)?(?:\s+([^:]+):)?\s+client\s+([\w-.:]{1,100})#(\d{1,5})(?:\s+([^)]+))?:(?:\s+view\s+[^:]+:)?\s+query:\s+(?([\w-.:]{1,100}))?\s+([^\s]+)\s+([^\s]+)\s++-\s+(([\w-.:]{1,100}))$
FORMAT = vendor_severity::$1 src::$2 src_port::$3 query::$4 record_class::$5 record_type::$6 flag::$7 dest::$8

[isc_bind_queryerror_extract_field_0]
REGEX = (?:\s+query-errors:)?(?:\s+([^:]+):)?\s+client\s+([\w-.:]{1,100})#(\d{1,5}):(?:\s+view\s+[^:]+:)?\s+query\s+failed\s+(([^)]+))\s+for\s+([\w-.:]{1,100})/([^/]+)/([^\s]+)\s+at\s+([^:]+):(\d+)$
FORMAT = vendor_severity::$1 src::$2 src_port::$3 response_code::$4 query::$5 record_class::$6 record_type::$7 file_name::$8 file_location::$9

[isc_bind_lameserver_extract_field_0]
REGEX = (?:\s+lame-servers:)?(?:\s+([^:]+):)?\s+(error\s+(([^)]+))\s+resolving\s+'([\w-.:]{1,100})/([^/]+)/([^']+)':\s+([\w-.:]{1,100})#(\d{1,5}))$
FORMAT = vendor_severity::$1 body::$2 error_type::$3 query::$4 record_type::$5 record_class::$6 dest::$7 dest_port::$8

[isc_bind_network_extract_field_0]
REGEX = (?:\s+network:)?(?:\s+([^:]+):)?\s+(no\s+longer\s+listening\s+on)\s+(\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3}|::)#(\d{1,5})$
FORMAT = vendor_severity::$1 vendor_action::$2 ip::$3 port::$4

[isc_bind_network_extract_field_2]
REGEX = (?:\s+network:)?(?:\s+([^:]+):)?\s+(listening\s+on)\s+([^\s]+)\s+interface\s+([^,]+),\s+(\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3}|::)#(\d{1,5})$
FORMAT = vendor_severity::$1 vendor_action::$2 proto::$3 interface::$4 ip::$5 port::$6

[isc_bind_transfer_extract_field_0]
REGEX = (?:\s+notify:)?(?:\s+([^:]+):)?\s+zone\s+([^/]+)/([^:/]+)(?:/[^:]+)?:\s+(sending\s+notifies)\s+(serial\s+([^)]+))$
FORMAT = vendor_severity::$1 dest_zone::$2 record_class::$3 vendor_action::$4 serial_number::$5

[isc_bind_transfer_extract_field_2]
REGEX = (?:\s+notify:)?(?:\s+([^:]+):)?\s+zone\s+([^/]+)/([^:/]+)(?:/[^:]+)?:\s+(sending\s+notify\s+to)\s+([\w-.:]{1,100})#(\d{1,5})$
FORMAT = vendor_severity::$1 dest_zone::$2 record_class::$3 vendor_action::$4 dest::$5 dest_port::$6

[isc_bind_transfer_extract_field_4]
REGEX = (?:\s+notify:)?(?:\s+([^:]+):)?\s+zone\s+([^/]+)/([^:/]+)(?:/[^:]+)?:\s+(notify\s+to)\s+([\w-.:]{1,100})#(\d{1,5})(?:[^:]:)\s+(.)$
FORMAT = vendor_severity::$1 dest_zone::$2 record_class::$3 vendor_action::$4 dest::$5 dest_port::$6 detail::$7

[isc_bind_transfer_extract_field_6]
REGEX = (?:\s+notify:)?(?:\s+([^:]+):)?\s+zone\s+([^/]+)/([^:/]+)(?:/[^:]+)?:\s+(notify\s+response\s+from)\s+([\w-.:]{1,100})#(\d{1,5}):\s+(.*)$
FORMAT = vendor_severity::$1 dest_zone::$2 record_class::$3 vendor_action::$4 src::$5 src_port::$6 response_code::$7

[isc_bind_severities_lookup]
filename = isc_bind_severities.csv

[isc_bind_category_lookup]
filename = isc_bind_category.csv

[isc_bind_reply_code_lookup]
filename = isc_bind_reply_code.csv

[isc_bind_action_lookup]
filename = isc_bind_action.csv

Thanks in advance

0 Karma

sumitkathpal
Explorer

Help................

0 Karma

sumitkathpal
Explorer

Help required @elliotproebstel

0 Karma
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

Splunk is officially part of Cisco

Revolutionizing how our customers build resilience across their entire digital footprint.   Splunk ...

Splunk APM & RUM | Planned Maintenance March 26 - March 28, 2024

There will be planned maintenance for Splunk APM and RUM between March 26, 2024 and March 28, 2024 as ...