Hi all,
We have enabled Windows DNS debug logging on our AD servers, but we get wrong domain names.
I have tried two different props.conf on our SH but still get wrong domain names.
[MSAD:NT6:DNS]
EVAL-fqdn=trim(replace(src_domain,"\([0-9]+\)","."),".")
[MSAD:NT6:DNS]
EVAL-src_domain_punct = trim(replace(src_domain, "\(\d+\)", "."),".")
Example of domain name:
(6)mobile(6)events(4)data(9)microsoft(3)com(0)
(5)teams(6)events(4)data(9)microsoft(3)com(0)
(4)pool(3)ntp(3)org(0)
Can you advise how to remove the ( ) from the FQDN?
Thank you in advance
We have no props.conf of our own right now; that is what I need suggestions for.
The only props.conf with that sourcetype is from the Splunk_TA_windows app on Splunkbase.
[MSAD:NT6:DNS]
KV_MODE = none
SHOULD_LINEMERGE = false
CHECK_FOR_HEADER = false
EXTRACT-threadid = (?<threadid>[0-9A-Fa-f]+)\s+(?<context>PACKET)
EXTRACT-protocol = (?<packetid>[0-9A-Fa-f]*) (?<protocol>UDP|TCP) (?<direction>\w+) (?<src_ip>[0-9A-Fa-f\.\:]+)\s+
EXTRACT-opcode = (?<operation>[ R]) (?<opcode>.) \[(?<hexflags>[0-9A-Fa-f]+) (?<flags>....) (?<response>[^\]]+)\]
EXTRACT-question1 = \] (?<questiontype>\w+)\s+(?<questionname>.*)
EXTRACT-question2 = \] (?<questionname>[^\s]*)$
FIELDALIAS-query = questionname AS query
FIELDALIAS-reply_code = response AS reply_code
FIELDALIAS-transaction_id = packetid AS transaction_id
FIELDALIAS-transport = protocol AS transport
FIELDALIAS-vendor_query_type = opcode AS vendor_query_type
REPORT-KV_for_microsoft_dns_web = KV_for_port,KV_for_Domain,KV_for_RecvdIP,KV_for_microsoftdns_action,KV_for_Record_type,KV_for_Record_Class
LOOKUP-dns_action_lookup = dns_action_lookup vendor_dns_action OUTPUT action
LOOKUP-dns_vendor_lookup = dns_vendor_lookup sourcetype OUTPUT vendor,product,app
LOOKUP-dns_recordclass_lookup = dns_recordclass_lookup record_class_number OUTPUT record_class
src_domain isn't defined in that props.conf, but there seem to be a couple of transforms defined. Can you also add those inside a </> block, so we can be sure that those are exactly what you have on your side!
Needed transforms (at least):
What is your Splunk version and also those TA versions? Are you running it on Linux or on Windows?
You have posted two props.conf definitions for MSAD:NT6:DNS; which one is in use? You could check it with btool.
I had version 7.0.0 on the SH and upgraded to 8.7.0, but it didn't change anything for my problem.
I tried two props.conf but wasn't using either of them.
But I found a new props.conf on the community and now the query field is working, so I guess we can use this field.
[MSAD:NT6:DNS]
SEDCMD-win_dns-first = s/\(\d+\)/./g
SEDCMD-win_dns-second = s/\s\.(.*)\.$/ \1/g
Thank you.
Hi
Are you sure that the src_domain field contains that DNS domain with (\d)?
This seems to work, so my guess is that that field didn't contain it, or it has been defined after that eval (see ASCII order)?
| makeresults
| eval _raw="(6)mobile(6)events(4)data(9)microsoft(3)com(0)
(5)teams(6)events(4)data(9)microsoft(3)com(0)
(4)pool(3)ntp(3)org(0)"
| multikv noheader=t
| table _raw
``` Above generate test data ```
| eval fqdn=trim(replace(_raw,"\([0-9]+\)","."),".")
Ensure that the src_domain EVAL/EXTRACTION etc. has been done before you try to do that EVAL-fqdn.
See the execution order for props + transforms https://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Searchtimeoperationssequence
and remember that those EVALs etc. are executed in ASCII order, not the order in which they exist in the conf files!
r. Ismo
Hi,
Thanks for your answer.
Yes, I am 100% sure that the src_domain field contains that DNS domain with (\d).
Can you recommend a working props.conf at search time?
Can you share your props.conf for this sourcetype (also if there is some source:: or host:: definition) and transforms.conf if you are using those? Please insert those inside a </> block for easier reading.
I have no self-made props.conf on the SH, only the Splunk_TA_windows app from Splunkbase.
[MSAD:NT6:DNS]
KV_MODE = none
LINE_BREAKER = ([\r\n]+)(\d{1,2}.\d{1,2}.\d{4} \d{1,2}:\d{1,2}:\d{1,2} \w{2})
# Load balancing on UF
EVENT_BREAKER_ENABLE = true
EVENT_BREAKER = ([\r\n]+)(\d{1,2}.\d{1,2}.\d{4} \d{1,2}:\d{1,2}:\d{1,2} \w{2})
SHOULD_LINEMERGE = false
CHECK_FOR_HEADER = false
EXTRACT-singleLine = (?<threadid>[0-9A-Fa-f]+)\s+(?<context>PACKET)\s+(?<packetid>[0-9A-Fa-f]*) (?<protocol>UDP|TCP) (?<direction>\w+) (?<src_ip>[0-9A-Fa-f\.\:]+)\s+(?<xid>[0-9A-Fa-f]+)\s+(?<operation>[ R]) (?<opcode>.) \[(?<hexflags>[0-9A-Fa-f]+) (?<flags>....) (?<response>[^\]]+)\]\s+(?:QTYPE\s+)?(?<questiontype>\w+)\s+(?:QCLASS\s+\d+\s+)?(:?\(\d+\))?(?<questionname>[^\n]*)\(0\)
EXTRACT-answer = (ANSWER\s+SECTION|UPDATE\s+SECTION):(?<ANSWER_OR_UPDATE_SECTION>.*?)(AUTHORITY\s+SECTION|ADDITIONAL\s+SECTION)
EVAL-query = replace(questionname,"(?:\(\d+\))",".")
FIELDALIAS-record_type = questiontype AS record_type
FIELDALIAS-query = questionname AS query
FIELDALIAS-src=src_ip AS src
FIELDALIAS-dest = host AS dest
FIELDALIAS-transaction_id = packetid AS transaction_id
FIELDALIAS-transport = protocol AS transport
FIELDALIAS-vendor_query_type = opcode AS vendor_query_type
EVAL-message_type = if(operation=="R","Response", "Query")
EVAL-name = if(operation=="R","R","")+opcode+"_"+response+"_"+questiontype
EVAL-answer = mvmap(answer, replace(replace(answer,"\(\d+\)","."),"\\[\\w+\\]",""))
EVAL-vendor_product = "Microsoft Windows"
REPORT-Multi_answer = Answer_multi_value
REPORT-KV_for_microsoft_dns_web = KV_for_port,KV_for_Domain,KV_for_microsoftdns_action,KV_for_Record_type,KV_for_Record_Class,KV_for_Answer_Section_Count,KV_for_Update_Section_Count
LOOKUP-windows_dns_query_type_lookup = windows_dns_query_type_lookup opcode OUTPUT query_type
LOOKUP-windows_dns_action_lookup = windows_dns_action_lookup message_type,vendor_dns_action OUTPUT action,reply_code,reply_code_id
LOOKUP-dns_recordclass_lookup = dns_recordclass_lookup record_class_number OUTPUT record_class
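The TA config above solves the question with a regex in two steps: EXTRACT-singleLine drops the leading (N) and the trailing (0) from questionname, and EVAL-query replaces the remaining (N) markers with dots. That works for well-formed names, but a blind `(\d+)` to `.` replacement cannot tell a truncated or mangled name from a good one, and EXTRACT-singleLine simply fails to match a line whose name does not end in `(0)`, so the event silently has no query field. The Python below is an added example, not code from the thread or from Splunk_TA_windows: it parses constructed lines in the shape of the Windows DNS debug log with a simplified version of the TA's extraction regex, and then decodes the length-prefixed name by walking it label by label, checking that each (N) is really followed by N characters, instead of pattern-replacing. The thread's naive replacement is kept alongside for comparison. The sample log lines, the `LINE_RE` pattern, and all function names are this example's own assumptions.

```python
import re
from typing import Optional, Tuple

# Constructed sample lines in the shape of the Windows DNS debug log (not a real capture).
# The last two are deliberately damaged: a truncated name and a wrong label length.
SAMPLE_LOG = """\
3/19/2024 8:57:19 AM 0E80 PACKET  0000020A5D0A7F60 UDP Rcv 10.10.10.12     0002   Q [0001   D   NOERROR] A      (6)mobile(6)events(4)data(9)microsoft(3)com(0)
3/19/2024 8:57:19 AM 0E80 PACKET  0000020A5D0A7F60 UDP Snd 10.10.10.12     0002 R Q [8081   DR  NOERROR] A      (6)mobile(6)events(4)data(9)microsoft(3)com(0)
3/19/2024 8:57:20 AM 0E80 PACKET  0000020A5D0A8120 UDP Rcv 10.10.10.55     0003   Q [0001   D   NOERROR] A      (4)pool(3)ntp(3)org(0)
3/19/2024 8:57:21 AM 0E80 PACKET  0000020A5D0A8A00 UDP Rcv 10.10.10.99     0004   Q [0001   D   NOERROR] TXT    (6)mobile(6)events(4)da
3/19/2024 8:57:22 AM 0E80 PACKET  0000020A5D0A8B10 UDP Rcv 10.10.10.99     0005   Q [0001   D   NOERROR] TXT    (3)bad(9)label(3)com(0)
"""

# Simplified form of the TA's EXTRACT-singleLine; group names follow the TA where they overlap.
# Unlike the TA's regex it captures the whole encoded name, so malformed names still reach the decoder.
LINE_RE = re.compile(r"""
    (?P<threadid>[0-9A-Fa-f]+)\s+PACKET\s+(?P<packetid>[0-9A-Fa-f]+)\s+
    (?P<protocol>UDP|TCP)\s+(?P<direction>Snd|Rcv)\s+(?P<src_ip>[0-9A-Fa-f.:]+)\s+
    (?P<xid>[0-9A-Fa-f]+)\s+(?P<operation>R?)\s*(?P<opcode>\S)\s+
    \[(?P<hexflags>[0-9A-Fa-f]+)\s+(?P<flags>.{4})\s+(?P<response>[^\]]+)\]\s+
    (?P<questiontype>\w+)\s+(?P<questionname>\S+)$
""", re.VERBOSE)

LABEL_RE = re.compile(r"\((\d+)\)")


def naive_fqdn(raw: str) -> str:
    """The thread's approach: replace every (N) with '.' and trim the dots. No validation."""
    return re.sub(r"\(\d+\)", ".", raw).strip(".")


def decode_dns_name(raw: str) -> str:
    """Walk the length-prefixed name label by label, checking that each (N) is followed by
    exactly N characters and that the name ends with the root label (0). Raises ValueError
    on truncated or inconsistent input instead of silently producing a plausible FQDN."""
    labels = []
    pos = 0
    while True:
        m = LABEL_RE.match(raw, pos)
        if m is None:
            raise ValueError(f"expected (len) at offset {pos} in {raw!r}")
        length = int(m.group(1))
        pos = m.end()
        if length == 0:                       # root label terminates the name
            if pos != len(raw):
                raise ValueError(f"data after root label in {raw!r}")
            break
        if length > 63:                       # RFC 1035 label limit
            raise ValueError(f"label length {length} > 63 in {raw!r}")
        label = raw[pos:pos + length]
        if len(label) != length:
            raise ValueError(f"truncated label at offset {pos} in {raw!r}")
        labels.append(label)
        pos += length
    return ".".join(labels) if labels else "."   # "." for a bare root query


def safe_decode(raw: str) -> Tuple[Optional[str], Optional[str]]:
    """(fqdn, None) on success, (None, reason) on malformed input."""
    try:
        return decode_dns_name(raw), None
    except ValueError as exc:
        return None, str(exc)


def parse_dns_debug_line(line: str) -> Optional[dict]:
    """Extract the packet fields from one debug-log line; None if it is not a PACKET line."""
    m = LINE_RE.search(line.rstrip("\r\n"))
    if m is None:
        return None
    rec = m.groupdict()
    rec["flags"] = rec["flags"].strip()
    rec["response"] = rec["response"].strip()
    rec["message_type"] = "Response" if rec["operation"] == "R" else "Query"   # as EVAL-message_type
    rec["query"], rec["query_error"] = safe_decode(rec["questionname"])
    return rec


def parse_log(text: str) -> list:
    """Parse every PACKET line in a debug-log text into a list of field dicts."""
    return [r for r in (parse_dns_debug_line(l) for l in text.splitlines()) if r is not None]


if __name__ == "__main__":
    for r in parse_log(SAMPLE_LOG):
        shown = r["query"] or "MALFORMED: " + r["query_error"]
        print(f'{r["src_ip"]:<14} {r["message_type"]:<8} {r["questiontype"]:<4} {shown}'
              f'   (naive: {naive_fqdn(r["questionname"])})')
```

Run stand-alone it prints one row per line; the two damaged names come out as `MALFORMED` with the reason, while the naive replacement on the same input yields the innocent-looking `mobile.events.da` and `bad.label.com`. If you feed real debug-log lines through it, keep in mind that the spacing inside the `[...]` flags block is only approximated here, so tune `LINE_RE` against your own samples before trusting the other fields.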