Solved: Re: Splunk Add-on for ISC BIND: Has anyone else ru...

jwalzerpitt · ‎07-20-2016

Has anyone else ran into issues with a different logging format? When I look at my DNS logs, they don't match up with the regex expressions in transforms.conf

We're running BlueCat which has Bind version 9.9.5

Thx

jwalzerpitt · ‎08-11-2016

The issue is that BlueCat is using CEF format for the DNS logs and not the native BIND ISC format. To generate native BIND ISC format, query logging needs to be enabled and then the logs exported to Splunk.

View solution in original post

jwalzerpitt · ‎08-11-2016

The issue is that BlueCat is using CEF format for the DNS logs and not the native BIND ISC format. To generate native BIND ISC format, query logging needs to be enabled and then the logs exported to Splunk.

michael_sleep · ‎07-22-2016

If you provide more information like an example of the data and the regex you're using you will likely get an answer

jwalzerpitt · ‎08-11-2016

The issue is that BlueCat is using CEF format for the DNS logs and not the native BIND ISC format. To generate native BIND ISC format, query logging needs to be enabled and then the logs exported to Splunk.

Splunk Add-on for ISC BIND: Has anyone else run into issues with logging format and regex in transforms.conf?

Join Us for Splunk University and Get Your Bootcamp Game On!

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

Announcing Scheduled Export GA for Dashboard Studio