All Apps and Add-ons

Defining the multiple source type from single file (we are using the add-on Splunk Add-on for ISC BIND)

sumitkathpal
Explorer

Hi All,

As per Splunk Add-on for ISC BIND dns query and dns errors logs should be in different file however we have single file which has query and error logs together .

Issue is what sourcetype should we define so that sourcetype are tagged based on the query or error logs.

Current scenario :
query logs and error logs are written into single file . Let's say dns.logs

Now in input.conf on Heavy Forwader

[monitor:///opt/syslog-data/dnsserver/dns.log]
host_regex = .\/(.)\/\d\d\d\d-\d\d-\d\d.log
sourcetype = [what sourcetype should i define here ]

props.conf

[isc:bind:query]
REPORT-1_extract_field = isc_bind_query_extract_field_0
EVAL-message_type = "Query"
EVAL-query_type = "Query"
EVAL-vendor_product = "ISC:Bind"
LOOKUP-2_look_up_extract = isc_bind_severities_lookup vendor_severity OUTPUT severity
LOOKUP-3_look_up_extract = isc_bind_category_lookup sourcetype OUTPUT vendor_category

[isc:bind:queryerror]
REPORT-1_extract_field = isc_bind_queryerror_extract_field_0
EVAL-message_type = "Response"
EVAL-vendor_product = "ISC:Bind"
LOOKUP-2_look_up_extract = isc_bind_severities_lookup vendor_severity OUTPUT severity
LOOKUP-3_look_up_extract = isc_bind_category_lookup sourcetype OUTPUT vendor_category
LOOKUP-4_look_up_extract = isc_bind_reply_code_lookup response_code OUTPUT reply_code

[isc:bind:lameserver]
REPORT-1_extract_field = isc_bind_lameserver_extract_field_0
EVAL-app = "ISC:Bind"
EVAL-type = "alert"
LOOKUP-2_look_up_extract = isc_bind_severities_lookup vendor_severity OUTPUT severity
LOOKUP-3_look_up_extract = isc_bind_category_lookup sourcetype OUTPUT vendor_category

[isc:bind:network]
REPORT-1_extract_field = isc_bind_network_extract_field_0
REPORT-3_extract_field = isc_bind_network_extract_field_2
EVAL-ip = CASE(match(ip, "::"), "127.0.0.1", match(ip, ".*"), ip)
LOOKUP-4_look_up_extract = isc_bind_severities_lookup vendor_severity OUTPUT severity
LOOKUP-5_look_up_extract = isc_bind_category_lookup sourcetype OUTPUT vendor_category
LOOKUP-6_look_up_extract = isc_bind_action_lookup vendor_action OUTPUT action

[isc:bind:transfer]
REPORT-1_extract_field = isc_bind_transfer_extract_field_0
REPORT-3_extract_field = isc_bind_transfer_extract_field_2
REPORT-5_extract_field = isc_bind_transfer_extract_field_4
REPORT-7_extract_field = isc_bind_transfer_extract_field_6
EVAL-message_type = CASE(match(vendor_action, "sending notifies|sending notify to|notify to"), "Query", match(vendor_action, "notify response from"), "Response")
EVAL-query_type = CASE(match(vendor_action, "sending notifies|sending notify to|notify to"), "Notify")
EVAL-vendor_product = "ISC:Bind"
LOOKUP-8_look_up_extract = isc_bind_severities_lookup vendor_severity OUTPUT severity
LOOKUP-9_look_up_extract = isc_bind_category_lookup sourcetype OUTPUT vendor_category
LOOKUP-10_look_up_extract = isc_bind_action_lookup vendor_action OUTPUT action
LOOKUP-11_look_up_extract = isc_bind_reply_code_lookup response_code OUTPUT reply_code

transforms.conf

[isc_bind_query_extract_field_0]
REGEX = (?:\s+queries:)?(?:\s+([^:]+):)?\s+client\s+([\w-.:]{1,100})#(\d{1,5})(?:\s+([^)]+))?:(?:\s+view\s+[^:]+:)?\s+query:\s+(?([\w-.:]{1,100}))?\s+([^\s]+)\s+([^\s]+)\s++-\s+(([\w-.:]{1,100}))$
FORMAT = vendor_severity::$1 src::$2 src_port::$3 query::$4 record_class::$5 record_type::$6 flag::$7 dest::$8

[isc_bind_queryerror_extract_field_0]
REGEX = (?:\s+query-errors:)?(?:\s+([^:]+):)?\s+client\s+([\w-.:]{1,100})#(\d{1,5}):(?:\s+view\s+[^:]+:)?\s+query\s+failed\s+(([^)]+))\s+for\s+([\w-.:]{1,100})/([^/]+)/([^\s]+)\s+at\s+([^:]+):(\d+)$
FORMAT = vendor_severity::$1 src::$2 src_port::$3 response_code::$4 query::$5 record_class::$6 record_type::$7 file_name::$8 file_location::$9

[isc_bind_lameserver_extract_field_0]
REGEX = (?:\s+lame-servers:)?(?:\s+([^:]+):)?\s+(error\s+(([^)]+))\s+resolving\s+'([\w-.:]{1,100})/([^/]+)/([^']+)':\s+([\w-.:]{1,100})#(\d{1,5}))$
FORMAT = vendor_severity::$1 body::$2 error_type::$3 query::$4 record_type::$5 record_class::$6 dest::$7 dest_port::$8

[isc_bind_network_extract_field_0]
REGEX = (?:\s+network:)?(?:\s+([^:]+):)?\s+(no\s+longer\s+listening\s+on)\s+(\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3}|::)#(\d{1,5})$
FORMAT = vendor_severity::$1 vendor_action::$2 ip::$3 port::$4

[isc_bind_network_extract_field_2]
REGEX = (?:\s+network:)?(?:\s+([^:]+):)?\s+(listening\s+on)\s+([^\s]+)\s+interface\s+([^,]+),\s+(\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3}|::)#(\d{1,5})$
FORMAT = vendor_severity::$1 vendor_action::$2 proto::$3 interface::$4 ip::$5 port::$6

[isc_bind_transfer_extract_field_0]
REGEX = (?:\s+notify:)?(?:\s+([^:]+):)?\s+zone\s+([^/]+)/([^:/]+)(?:/[^:]+)?:\s+(sending\s+notifies)\s+(serial\s+([^)]+))$
FORMAT = vendor_severity::$1 dest_zone::$2 record_class::$3 vendor_action::$4 serial_number::$5

[isc_bind_transfer_extract_field_2]
REGEX = (?:\s+notify:)?(?:\s+([^:]+):)?\s+zone\s+([^/]+)/([^:/]+)(?:/[^:]+)?:\s+(sending\s+notify\s+to)\s+([\w-.:]{1,100})#(\d{1,5})$
FORMAT = vendor_severity::$1 dest_zone::$2 record_class::$3 vendor_action::$4 dest::$5 dest_port::$6

[isc_bind_transfer_extract_field_4]
REGEX = (?:\s+notify:)?(?:\s+([^:]+):)?\s+zone\s+([^/]+)/([^:/]+)(?:/[^:]+)?:\s+(notify\s+to)\s+([\w-.:]{1,100})#(\d{1,5})(?:[^:]:)\s+(.)$
FORMAT = vendor_severity::$1 dest_zone::$2 record_class::$3 vendor_action::$4 dest::$5 dest_port::$6 detail::$7

[isc_bind_transfer_extract_field_6]
REGEX = (?:\s+notify:)?(?:\s+([^:]+):)?\s+zone\s+([^/]+)/([^:/]+)(?:/[^:]+)?:\s+(notify\s+response\s+from)\s+([\w-.:]{1,100})#(\d{1,5}):\s+(.*)$
FORMAT = vendor_severity::$1 dest_zone::$2 record_class::$3 vendor_action::$4 src::$5 src_port::$6 response_code::$7

[isc_bind_severities_lookup]
filename = isc_bind_severities.csv

[isc_bind_category_lookup]
filename = isc_bind_category.csv

[isc_bind_reply_code_lookup]
filename = isc_bind_reply_code.csv

[isc_bind_action_lookup]
filename = isc_bind_action.csv

Thanks in advance

0 Karma

sumitkathpal
Explorer

Help................

0 Karma

sumitkathpal
Explorer

Help required @elliotproebstel

0 Karma
Get Updates on the Splunk Community!

Running multiple macros in the same search

Hi all!I'm trying to run multiple macros in the same search and eventually aggregate the results from each ...

Logic of Compound Subsearch with inputlookup

I'm struggling to create a search using an inputlookup and multiple NOT searches.Background: I have an ...

Tagging Heavy Forwarders

This is a tip, not a question.&nbsp;<span class="lia-unicode-emoji" ...