How can I extract a domain name from a Windows 2008 DNS Debug Log

New Member

New to SPLUNK but so far it's great!

I have a Windows 2008 DNS debug log that contains domain names. I need to define a field DOMAIN so I can extract these domain names and compare them to a watchlist of known botnet domains. Nothing new, I don't think. My records look like below.

10/24/2012 1:46:58 PM 077C PACKET 0000000003AF6580 UDP Rcv 10.41.72.18 31a0 Q [0001 D NOERROR] A .ixa-mar11.global.amec.com.

10/24/2012 1:44:00 PM 077C PACKET 0000000003A0DB50 UDP Snd 195.59.44.133 1275 Q [1000 NOERROR] A .fpdownload.macromedia.com.edgekey.net.

I am trying to use the built-in SPLUNK > Extract Fields but it has a problem with the variable-length domain names. I cannot generate a REGEX command to do this for me to save my life. Since the domain names can be variable in length I just can't get it.

Any help would be tremendously appreciated.

0 Karma

Builder

The problem with the above answers is that 2008 R2+ servers log in a format like:

2/12/2013 3:33:47 PM 17D4 PACKET 0000000004236180 UDP Rcv 10.1.1.1 4666 Q [0001 D NOERROR] A (4)host(9)subdomain(7)domain(3)com(0)

So you have to extract it and take into account the (#) that counts the characters provided.

0 Karma
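To show how both record layouts in this thread can be handled together, here is an added example (not from the thread, not Splunk code) that pulls the query name from the last token of a debug-log line, decodes the 2008 R2+ "(4)host(9)subdomain..." length-prefixed form as well as the older dotted form, and checks the result against a watchlist. The log lines and the watchlist entries are constructed for the example; the 2008 R2+ sample line is a hypothetical one with correct label counts.

```python
import re
from typing import Optional

# Constructed sample lines in both layouts seen in this thread (not real server data).
SAMPLE_LINES = [
    "10/24/2012 1:46:58 PM 077C PACKET 0000000003AF6580 UDP Rcv 10.41.72.18 31a0 Q [0001 D NOERROR] A .ixa-mar11.global.amec.com.",
    "10/24/2012 1:44:00 PM 077C PACKET 0000000003A0DB50 UDP Snd 195.59.44.133 1275 Q [1000 NOERROR] A .fpdownload.macromedia.com.edgekey.net.",
    "2/12/2013 3:33:47 PM 17D4 PACKET 0000000004236180 UDP Rcv 10.1.1.1 4666 Q [0001 D NOERROR] A (4)host(9)subdomain(7)example(3)com(0)",
]

# Hypothetical watchlist (constructed); a query for any subdomain of an entry counts as a hit.
WATCHLIST = {"subdomain.example.com", "bad.example"}

# The query name is the last whitespace-delimited token, matched from the right as suggested above.
_QNAME_RE = re.compile(r"\s(?P<qname>\S+)\s*$")
# One length-prefixed label of the 2008 R2+ format, e.g. "(4)host".
_LABEL_RE = re.compile(r"\((\d+)\)([^()]*)")


def decode_qname(token: str) -> Optional[str]:
    """Normalise either layout to lower-case dotted form without leading/trailing dots."""
    if token.startswith("("):
        # Length-prefixed labels; the count in parentheses is the label length and
        # the trailing "(0)" is the root label, so empty labels are dropped.
        labels = [label for _count, label in _LABEL_RE.findall(token) if label]
        return ".".join(labels).lower() if labels else None
    domain = token.strip(".").lower()
    return domain or None


def extract_domain(line: str) -> Optional[str]:
    """Return the queried domain from one debug-log line, or None if none is found."""
    m = _QNAME_RE.search(line)
    return decode_qname(m.group("qname")) if m else None


def matches_watchlist(domain: str, watchlist=WATCHLIST) -> bool:
    """True if the domain itself or any parent domain is on the watchlist."""
    parts = domain.split(".")
    return any(".".join(parts[i:]) in watchlist for i in range(len(parts)))


def find_watchlist_hits(lines, watchlist=WATCHLIST):
    """Domains from the given lines that hit the watchlist, in log order."""
    hits = []
    for line in lines:
        domain = extract_domain(line)
        if domain and matches_watchlist(domain, watchlist):
            hits.append(domain)
    return hits
```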

Champion

@BP9906, simply modify the regex statement to meet your needs. My regexes are only written to meet the samples provided.

0 Karma

Champion

I would match from the right. I've tested this with RegexBuddy with the sample set you provided.


.(?P<dc_name>[^\s]+)$


                                                  Start  Length
Match 1: .ixa-mar11.global.amec.com.                114      28
Match 2: .fpdownload.macromedia.com.edgekey.net.    256      40

Hope this helps or gets you started.

0 Karma

Champion

@bill_dishman, here are some variations of the regex statement. They all work with the samples you provided in your comment and your question. It's possible you have a character or whitespace that I am not accounting for. Hope this helps.

Don't forget to thumbs up or accept the answer on the board.

Cheers.


(?ims).(?P<dc_name>[^\s]+)(?:(?:\s{0})|\s+)$
(?ims)\s.{0,1}(?P<dc_name>[^\s]+)(?:(?:\s{0})|\s+)$
(?ims).{0,1}(?P<dc_name>[^\s]+)(?:(?:\s{0})|\s+)$

0 Karma

New Member

You have been a great help... much closer than I was and learning a few things! Take care.

0 Karma

New Member

I just don't see my domain field in all records in a search.

10/24/2012 2:10:51 PM 077C PACKET 0000000003592E80 UDP Rcv 10.41.72.18 df51 Q [0001 D NOERROR] A .avamericas2.global.amec.com.
host=ATT1-DNS1 | sourcetype=WINDNS | source=C:\dns.log

10/24/2012 2:01:58 PM 077C PACKET UDP Snd 217.19.248.20 6688 Q [1000 NOERROR] A .ixa-mar11.global.amec.com.
host=ATT1-DNS1 | sourcetype=WINDNS | source=C:\dns.log | domain=ixa-mar11.global.amec.com.

0 Karma

Champion

Not sure if I understand what you mean by all of them in the dataset. If the field extractor is not highlighting all domain names in your data set then the regex should be rewritten/modified for your needs. Given your limited sample it is difficult to build a regex for all possibilities.

I would recommend purchasing a product like RegexBuddy and visiting http://www.regular-expressions.info which has great info. I still reference it occasionally.

Sorry if I couldn't be of more assistance to you.

0 Karma

New Member

Thanks for the help. I am really new to this. So I went back to SPLUNK > Extract and put what you have given me into the "Generated pattern (regex)" where I can EDIT it... and I now have this:

(?i) A .(?P<dc_name>[^\s]+)$

fieldname = your dc_name

When I APPLY this, or TEST it, it shows me my data and highlights the matches, but only shows me some highlighted domain names, not all of them in the data set.
Sorry, I don't know much about this. First time. Do you think I am good? Looks good.

And thank you very, very much.

0 Karma