All Apps and Add-ons

Defining the multiple source type from single file (we are using the add-on Splunk Add-on for ISC BIND)

sumitkathpal
Explorer

Hi All,

As per Splunk Add-on for ISC BIND dns query and dns errors logs should be in different file however we have single file which has query and error logs together .

Issue is what sourcetype should we define so that sourcetype are tagged based on the query or error logs.

Current scenario :
query logs and error logs are written into single file . Let's say dns.logs

Now in input.conf on Heavy Forwader

[monitor:///opt/syslog-data/dnsserver/dns.log]
host_regex = .\/(.)\/\d\d\d\d-\d\d-\d\d.log
sourcetype = [what sourcetype should i define here ]

props.conf

[isc:bind:query]
REPORT-1_extract_field = isc_bind_query_extract_field_0
EVAL-message_type = "Query"
EVAL-query_type = "Query"
EVAL-vendor_product = "ISC:Bind"
LOOKUP-2_look_up_extract = isc_bind_severities_lookup vendor_severity OUTPUT severity
LOOKUP-3_look_up_extract = isc_bind_category_lookup sourcetype OUTPUT vendor_category

[isc:bind:queryerror]
REPORT-1_extract_field = isc_bind_queryerror_extract_field_0
EVAL-message_type = "Response"
EVAL-vendor_product = "ISC:Bind"
LOOKUP-2_look_up_extract = isc_bind_severities_lookup vendor_severity OUTPUT severity
LOOKUP-3_look_up_extract = isc_bind_category_lookup sourcetype OUTPUT vendor_category
LOOKUP-4_look_up_extract = isc_bind_reply_code_lookup response_code OUTPUT reply_code

[isc:bind:lameserver]
REPORT-1_extract_field = isc_bind_lameserver_extract_field_0
EVAL-app = "ISC:Bind"
EVAL-type = "alert"
LOOKUP-2_look_up_extract = isc_bind_severities_lookup vendor_severity OUTPUT severity
LOOKUP-3_look_up_extract = isc_bind_category_lookup sourcetype OUTPUT vendor_category

[isc:bind:network]
REPORT-1_extract_field = isc_bind_network_extract_field_0
REPORT-3_extract_field = isc_bind_network_extract_field_2
EVAL-ip = CASE(match(ip, "::"), "127.0.0.1", match(ip, ".*"), ip)
LOOKUP-4_look_up_extract = isc_bind_severities_lookup vendor_severity OUTPUT severity
LOOKUP-5_look_up_extract = isc_bind_category_lookup sourcetype OUTPUT vendor_category
LOOKUP-6_look_up_extract = isc_bind_action_lookup vendor_action OUTPUT action

[isc:bind:transfer]
REPORT-1_extract_field = isc_bind_transfer_extract_field_0
REPORT-3_extract_field = isc_bind_transfer_extract_field_2
REPORT-5_extract_field = isc_bind_transfer_extract_field_4
REPORT-7_extract_field = isc_bind_transfer_extract_field_6
EVAL-message_type = CASE(match(vendor_action, "sending notifies|sending notify to|notify to"), "Query", match(vendor_action, "notify response from"), "Response")
EVAL-query_type = CASE(match(vendor_action, "sending notifies|sending notify to|notify to"), "Notify")
EVAL-vendor_product = "ISC:Bind"
LOOKUP-8_look_up_extract = isc_bind_severities_lookup vendor_severity OUTPUT severity
LOOKUP-9_look_up_extract = isc_bind_category_lookup sourcetype OUTPUT vendor_category
LOOKUP-10_look_up_extract = isc_bind_action_lookup vendor_action OUTPUT action
LOOKUP-11_look_up_extract = isc_bind_reply_code_lookup response_code OUTPUT reply_code

transforms.conf

[isc_bind_query_extract_field_0]
REGEX = (?:\s+queries:)?(?:\s+([^:]+):)?\s+client\s+([\w-.:]{1,100})#(\d{1,5})(?:\s+([^)]+))?:(?:\s+view\s+[^:]+:)?\s+query:\s+(?([\w-.:]{1,100}))?\s+([^\s]+)\s+([^\s]+)\s++-\s+(([\w-.:]{1,100}))$
FORMAT = vendor_severity::$1 src::$2 src_port::$3 query::$4 record_class::$5 record_type::$6 flag::$7 dest::$8

[isc_bind_queryerror_extract_field_0]
REGEX = (?:\s+query-errors:)?(?:\s+([^:]+):)?\s+client\s+([\w-.:]{1,100})#(\d{1,5}):(?:\s+view\s+[^:]+:)?\s+query\s+failed\s+(([^)]+))\s+for\s+([\w-.:]{1,100})/([^/]+)/([^\s]+)\s+at\s+([^:]+):(\d+)$
FORMAT = vendor_severity::$1 src::$2 src_port::$3 response_code::$4 query::$5 record_class::$6 record_type::$7 file_name::$8 file_location::$9

[isc_bind_lameserver_extract_field_0]
REGEX = (?:\s+lame-servers:)?(?:\s+([^:]+):)?\s+(error\s+(([^)]+))\s+resolving\s+'([\w-.:]{1,100})/([^/]+)/([^']+)':\s+([\w-.:]{1,100})#(\d{1,5}))$
FORMAT = vendor_severity::$1 body::$2 error_type::$3 query::$4 record_type::$5 record_class::$6 dest::$7 dest_port::$8

[isc_bind_network_extract_field_0]
REGEX = (?:\s+network:)?(?:\s+([^:]+):)?\s+(no\s+longer\s+listening\s+on)\s+(\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3}|::)#(\d{1,5})$
FORMAT = vendor_severity::$1 vendor_action::$2 ip::$3 port::$4

[isc_bind_network_extract_field_2]
REGEX = (?:\s+network:)?(?:\s+([^:]+):)?\s+(listening\s+on)\s+([^\s]+)\s+interface\s+([^,]+),\s+(\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3}|::)#(\d{1,5})$
FORMAT = vendor_severity::$1 vendor_action::$2 proto::$3 interface::$4 ip::$5 port::$6

[isc_bind_transfer_extract_field_0]
REGEX = (?:\s+notify:)?(?:\s+([^:]+):)?\s+zone\s+([^/]+)/([^:/]+)(?:/[^:]+)?:\s+(sending\s+notifies)\s+(serial\s+([^)]+))$
FORMAT = vendor_severity::$1 dest_zone::$2 record_class::$3 vendor_action::$4 serial_number::$5

[isc_bind_transfer_extract_field_2]
REGEX = (?:\s+notify:)?(?:\s+([^:]+):)?\s+zone\s+([^/]+)/([^:/]+)(?:/[^:]+)?:\s+(sending\s+notify\s+to)\s+([\w-.:]{1,100})#(\d{1,5})$
FORMAT = vendor_severity::$1 dest_zone::$2 record_class::$3 vendor_action::$4 dest::$5 dest_port::$6

[isc_bind_transfer_extract_field_4]
REGEX = (?:\s+notify:)?(?:\s+([^:]+):)?\s+zone\s+([^/]+)/([^:/]+)(?:/[^:]+)?:\s+(notify\s+to)\s+([\w-.:]{1,100})#(\d{1,5})(?:[^:]:)\s+(.)$
FORMAT = vendor_severity::$1 dest_zone::$2 record_class::$3 vendor_action::$4 dest::$5 dest_port::$6 detail::$7

[isc_bind_transfer_extract_field_6]
REGEX = (?:\s+notify:)?(?:\s+([^:]+):)?\s+zone\s+([^/]+)/([^:/]+)(?:/[^:]+)?:\s+(notify\s+response\s+from)\s+([\w-.:]{1,100})#(\d{1,5}):\s+(.*)$
FORMAT = vendor_severity::$1 dest_zone::$2 record_class::$3 vendor_action::$4 src::$5 src_port::$6 response_code::$7

[isc_bind_severities_lookup]
filename = isc_bind_severities.csv

[isc_bind_category_lookup]
filename = isc_bind_category.csv

[isc_bind_reply_code_lookup]
filename = isc_bind_reply_code.csv

[isc_bind_action_lookup]
filename = isc_bind_action.csv

Thanks in advance

0 Karma

sumitkathpal
Explorer

Help................

0 Karma

sumitkathpal
Explorer

Help required @elliotproebstel

0 Karma
Get Updates on the Splunk Community!

Detecting Remote Code Executions With the Splunk Threat Research Team

WATCH NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If exploited, ...

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

The Splunk Community Dashboard Challenge is underway! This is your chance to showcase your skills in creating ...

.conf24 | Session Scheduler is Live!!

.conf24 is happening June 11 - 14 in Las Vegas, and we are thrilled to announce that the conference catalog ...