How to configure inputs.conf for the Splunk Add-on for ISC BIND?

newmanjn
New Member

The way we do our logging is to a centralized syslog server, using the remote syslog protocol. All our Cisco gear is configured to log to this server, and all Linux/Unix boxes have a *.* @syslog-server line in their syslog config. Even the Windows machines have an app which exports events into a stream of syslog messages that go here. There is very little granularity on the syslog server itself. Basically all incoming messages get dumped into a single file (a huge file, rotated daily, stored on a NetApp).

This huge log file is mounted on the Splunk server as the main input source. We have a couple of other sources, but mainly it is just this one file with log data from all sorts of disparate sources (including the BIND/named logging from all our name servers).

I am currently trying to get the Splunk Add-on for ISC BIND working using this architecture. The instructions say to do the following:

From http://docs.splunk.com/Documentation/AddOns/latest/ISCBIND/Configureinputs

Configure inputs.conf
You can create an inputs.conf file and configure the monitor inputs in this file instead of using Splunk Web.
1. Using a text editor, create a file named inputs.conf in the $SPLUNK_HOME/etc/apps/Splunk_TA_isc-bind/local folder.
2. Add the following stanzas and lines, and save the file:

[monitor:///var/log/named/queries.log]
sourcetype = isc:bind:query
disabled = 0
[monitor:///var/log/named/query-errors.log]
sourcetype = isc:bind:queryerror
disabled = 0
[monitor:///var/log/named/network.log]
sourcetype = isc:bind:network
disabled = 0
[monitor:///var/log/named/notify.log]
sourcetype = isc:bind:transfer
disabled = 0
[monitor:///var/log/lame-servers.log]
sourcetype = isc:bind:lameserver
disabled = 0

This obviously will not work for me... I have sample regular expressions for each of these sourcetypes that need to be set. My question is: What is the best/correct way to do this? Edit the system/local/transforms.conf with a stanza for each of the isc:bind:XXX sourcetypes... but what would that look like? Do I use DEST_KEY = isc:bind:XXXX, something like:

[iscBindQuery]
DEST_KEY = isc:bind:query
REGEX = query:\s+\(?([\w\-\.:]{1,100})\)?\s+([^\s]+)\s+([^\s]+)\s+[\+\-]([^\s]*)\s+\(([\w\-\.:]{1,100})\)

... and so on, with another stanza using DEST_KEY to set the various isc:bind:XXX types... Will that work for setting a "sourcetype"? Or should I use SOURCE_KEY = isc:bind:XXXX in these stanzas...

Or is there another approach here that I am missing?

Thanks so much for any insight!

0 Karma

jcoates_splunk
Splunk Employee

hey -- scenario 4 here: http://blogs.splunk.com/2010/02/11/sourcetypes-gone-wild/

It's not ideal for performance or maintainability because you're now going to be evaluating everything more heavily than necessary, but if you have to go this way, it can work.

0 Karma
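One way to apply the "scenario 4" approach to this setup, added here as an example; it is not part of the thread and not the add-on's own configuration. It assumes the centralized syslog file is read with sourcetype syslog (the file path below is a placeholder), that named logs through syslog with the usual `named[pid]:` prefix, and that the add-on keys its parsing on the isc:bind:* sourcetype names listed in the question; the match patterns are assumptions based on common BIND message text, not taken from the add-on.

```ini
# inputs.conf (e.g. $SPLUNK_HOME/etc/system/local/inputs.conf)
# PLACEHOLDER path: replace with the real centralized syslog file.
[monitor:///mnt/netapp/syslog/all.log]
sourcetype = syslog
disabled = 0

# props.conf: run the sourcetype-rewriting transforms on every event
# that arrives with sourcetype syslog. The patterns below are written
# so that at most one of them matches any given line.
[syslog]
TRANSFORMS-isc_bind = isc_bind_query, isc_bind_queryerror, isc_bind_lameserver, isc_bind_transfer, isc_bind_network

# transforms.conf: each stanza matches on the raw event (the default
# SOURCE_KEY is _raw) and, on a match, overwrites the sourcetype.
# DEST_KEY must be MetaData:Sourcetype and FORMAT must carry the
# "sourcetype::" prefix; these are the fixed Splunk forms, not the
# isc:bind:* names themselves.
[isc_bind_query]
REGEX = named\[\d+\]:\s+client\s.*\squery:\s
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::isc:bind:query

[isc_bind_queryerror]
REGEX = named\[\d+\]:\s+client\s.*\squery failed \(
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::isc:bind:queryerror

[isc_bind_lameserver]
REGEX = named\[\d+\]:\s+lame server resolving\s
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::isc:bind:lameserver

[isc_bind_transfer]
REGEX = named\[\d+\]:\s+(?:.*received notify for zone|.*sending notifies|.*transfer of ')
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::isc:bind:transfer

[isc_bind_network]
REGEX = named\[\d+\]:\s+(?:no longer )?listening on\s
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::isc:bind:network
```

These are index-time settings, so they take effect only after a restart and only for events indexed from then on; anything already indexed keeps sourcetype syslog. Everything from the syslog file that matches none of the patterns stays syslog, and the add-on's own props for the isc:bind:* sourcetypes then handle field extraction for the rewritten events.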