Hi,

After upgrading our Infoblox solution to release 8.4.x a new hexadecimal field is introduced in the DNS syslog messages.
We were told by Infoblox support that there has been a change in behavior with the new BIND DNS which is Work as per Design.
This obviously had an impact on our datamodels in Enterprise Security.

Sample event

Jun 13 13:45:40 11.11.11.11 named[1234]: client @0x7f9df0e8b720 11.11.111.11#12345 (helloworld.com): query: helloworld.com IN AAAA +E(0) (11.11.11.1)

Does anyone know if Splunk plan to upgrade this TA?

We don't log responses so I couldn't dig into those events but I managed to solve it for requests, thought I might aswell share it here if anyone end up in the same situation 🙂

default/transforms.conf

[dns_request]
REGEX = client\s(?\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}|(?:::)?(?:[a-zA-Z\d]{1,4}::?){1,7}[a-zA-Z\d]{0,4})#(?\d+).*\s(?query):\s(?\S+)\s(?\w+)\s(?\w+)\s(?(?:\+|\-)\S*)\s\((?\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}|(?:::)?(?:[a-zA-Z\d]{1,4}::?){1,7}[a-zA-Z\d]{0,4})\)

local/transforms.conf

[dns_request]
REGEX = client(.*[^\s]*\s)(?\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}|(?:::)?(?:[a-zA-Z\d]{1,4}::?){1,7}[a-zA-Z\d]{0,4})#(?\d+).*\s(?query):\s(?\S+)\s(?\w+)\s(?\w+)\s(?(?:\+|\-)\S*)\s\((?\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}|(?:::)?(?:[a-zA-Z\d]{1,4}::?){1,7}[a-zA-Z\d]{0,4})\)