
Why is domain name wrong for MSAD:NT6:DNS?

janroc
Explorer

Hi all,

We have enabled Windows DNS debug logging on our AD servers, but we get wrong domain names.
I have tried two different props.conf on our SH but the domain names are still wrong.

[MSAD:NT6:DNS]
EVAL-fqdn=trim(replace(src_domain,"\([0-9]+\)","."),".")

[MSAD:NT6:DNS]
EVAL-src_domain_punct = trim(replace(src_domain, "\(\d+\)", "."),".")

Example of domain name:
(6)mobile(6)events(4)data(9)microsoft(3)com(0)
(5)teams(6)events(4)data(9)microsoft(3)com(0)
(4)pool(3)ntp(3)org(0)

Can you advise on how to remove the ( ) from the FQDN?

Thank you in advance

0 Karma

janroc
Explorer

We have no props.conf of our own right now; that is what I need suggestions for.
The only props.conf with that sourcetype is from Splunk_TA_windows app at Splunkbase.

[MSAD:NT6:DNS]
KV_MODE = none
SHOULD_LINEMERGE = false
CHECK_FOR_HEADER = false
EXTRACT-threadid = (?<threadid>[0-9A-Fa-f]+)\s+(?<context>PACKET)
EXTRACT-protocol = (?<packetid>[0-9A-Fa-f]*) (?<protocol>UDP|TCP) (?<direction>\w+) (?<src_ip>[0-9A-Fa-f\.\:]+)\s+
EXTRACT-opcode = (?<operation>[ R]) (?<opcode>.) \[(?<hexflags>[0-9A-Fa-f]+) (?<flags>....) (?<response>[^\]]+)\]
EXTRACT-question1 = \] (?<questiontype>\w+)\s+(?<questionname>.*)
EXTRACT-question2 = \] (?<questionname>[^\s]*)$
FIELDALIAS-query = questionname AS query
FIELDALIAS-reply_code = response AS reply_code
FIELDALIAS-transaction_id = packetid AS transaction_id
FIELDALIAS-transport = protocol AS transport
FIELDALIAS-vendor_query_type = opcode AS vendor_query_type
REPORT_KV_for_microsoft_dns_web = KV_for_port,KV_for_Domain,KV_for_RecvdIP,KV_for_microsoftdns_action,KV_for_Record_type,KV_for_Record_Class
LOOKUP-dns_action_lookup = dns_action_lookup vendor_dns_action OUTPUT action
LOOKUP-dns_vendor_lookup = dns_vendor_lookup sourcetype OUTPUT vendor,product,app
LOOKUP-dns_recordclass_lookup = dns_recordclass_lookup record_class_number OUTPUT record_class

0 Karma

isoutamo
SplunkTrust

src_domain isn't defined in that props.conf, but there seem to be a couple of transforms defined. Can you also add those inside a </> block, so we can be sure that those are exactly what you have on your side!

Needed transforms (at least):

  • Answer_multi_value
  • KV_for_port
  • KV_for_Domain
  • KV_for_microsoftdns_action
  • KV_for_Record_type
  • KV_for_Record_Class
  • KV_for_Answer_Section_Count
  • KV_for_Update_Section_Count
  • KV_for_RecvdIP

What is your Splunk version and also those TA versions? Are you running it on Linux or on Windows?

You have posted two props.conf definitions for MSAD:NT6:DNS; which one is in use? You could check it with btool.

0 Karma

janroc
Explorer

I had version 7.0.0 on the SH and upgraded to 8.7.0, but it didn't change anything for my problem.
I tried two props.conf but was not using either of them.

But I found a new props.conf on the community and now the query field is working, so I guess we can use this field.

[MSAD:NT6:DNS]
SEDCMD-win_dns-first = s/\(\d+\)/./g
SEDCMD-win_dns-second = s/\s\.(.*)\.$/ \1/g

Thank you.

0 Karma
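To make the two approaches in this thread concrete outside Splunk, here is an added Python example (not code from the thread or from Splunk_TA_windows) that reproduces the search-time EVAL replace/trim from the opening post and the two index-time SEDCMD rules above on constructed sample values, and adds a strict decoder that checks each "(n)" length header against the label that follows it. The sample names and the raw log line are constructed for the example; the strict decoder is an addition the thread does not contain, useful for spotting malformed names that a plain regex replace would silently turn into a plausible-looking FQDN.

```python
import re

# Constructed sample values in the label-length format that Windows DNS
# debug logging writes; they are not copied from a real log.
SAMPLE_NAMES = [
    "(6)mobile(6)events(4)data(9)microsoft(3)com(0)",
    "(5)teams(6)events(4)data(9)microsoft(3)com(0)",
    "(4)pool(3)ntp(3)org(0)",
]

# Constructed raw debug-log line (hypothetical values) in the layout the
# TA's EXTRACT-singleLine regex expects; only the last field matters here.
SAMPLE_RAW = (
    "5/31/2023 10:43:12 AM 0A2C PACKET  000001D3F2A1B2C0 UDP Rcv 10.1.2.3 "
    "4d2e   Q [0001   D   NOERROR] A      (4)pool(3)ntp(3)org(0)"
)

# One "(length)label" unit; the label runs up to the next "(".
LABEL_RE = re.compile(r"\((\d+)\)([^(]*)")


def fqdn_from_eval(src_domain: str) -> str:
    # Search-time approach from the thread:
    #   EVAL-fqdn = trim(replace(src_domain, "\([0-9]+\)", "."), ".")
    # Every (n) becomes a dot, then leading/trailing dots are trimmed.
    return re.sub(r"\(\d+\)", ".", src_domain).strip(".")


# The two index-time SEDCMD rules from the thread, applied in order.
SEDCMD_RULES = [
    (re.compile(r"\(\d+\)"), "."),          # s/\(\d+\)/./g
    (re.compile(r"\s\.(.*)\.$"), r" \1"),   # s/\s\.(.*)\.$/ \1/g
]


def sedcmd_rewrite(raw_event: str) -> str:
    """Apply the SEDCMD rules to a raw event the way the indexer would,
    so the stored _raw already carries a dotted name."""
    for pattern, replacement in SEDCMD_RULES:
        raw_event = pattern.sub(replacement, raw_event)
    return raw_event


def decode_labels_strict(src_domain: str) -> str:
    """Decode (len)label...(0) while checking every stated length against
    the label actually present, and requiring the terminating (0).
    Raises ValueError on malformed input instead of silently returning a
    plausible-looking name."""
    labels = []
    pos = 0
    while pos < len(src_domain):
        m = LABEL_RE.match(src_domain, pos)
        if m is None:
            raise ValueError(f"unexpected data at offset {pos}: {src_domain[pos:]!r}")
        length, label = int(m.group(1)), m.group(2)
        pos = m.end()
        if length == 0:
            if label or pos != len(src_domain):
                raise ValueError("data after the root label (0)")
            break
        if len(label) != length:
            raise ValueError(f"label {label!r} has {len(label)} chars, header says {length}")
        labels.append(label)
    else:
        raise ValueError("missing terminating (0)")
    return ".".join(labels)


def is_well_formed(src_domain: str) -> bool:
    """True when the strict decoder accepts the name."""
    try:
        decode_labels_strict(src_domain)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for name in SAMPLE_NAMES:
        print(f"{name:50} -> {fqdn_from_eval(name)}  strict={decode_labels_strict(name)}")
    print(sedcmd_rewrite(SAMPLE_RAW))
    # A length header that disagrees with its label: the regex approach
    # still yields "mobil.com", the strict decoder rejects it.
    bad = "(6)mobil(3)com(0)"
    print(bad, "->", fqdn_from_eval(bad), "well_formed =", is_well_formed(bad))
```

The regex replace is what both the EVAL and the SEDCMD variants do, so they agree on well-formed input; the difference in the thread is only when the replacement runs (search time on an already extracted src_domain versus index time on _raw). The strict decoder is the check a defender can run over extracted names to flag records whose length headers do not match their labels before those names feed a lookup or an alert.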

isoutamo
SplunkTrust

Hi

Are you sure that the src_domain field contains that DNS domain with (\d)?

This seems to work, so my guess is that that field didn't contain it, or it has been defined after that eval (see ASCII order)?

| makeresults 
| eval _raw="(6)mobile(6)events(4)data(9)microsoft(3)com(0)
(5)teams(6)events(4)data(9)microsoft(3)com(0)
(4)pool(3)ntp(3)org(0)" 
| multikv noheader=t
| table _raw
``` Above generate test data ```
| eval fqdn=trim(replace(_raw,"\([0-9]+\)","."),".")

Ensure that the src_domain EVAL/EXTRACTION etc. has been done before you try to do that EVAL-fqdn.

See the execution order for props + transforms: https://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Searchtimeoperationssequence

and remember that those EVALs etc. are executed in ASCII order, not the order in which they appear in the conf files!

r. Ismo

0 Karma

janroc
Explorer

Hi,

Thanks for your answer.

Yes, I am 100% sure that the src_domain field contains that DNS domain with (\d).
Can you recommend a working props.conf at search time?


0 Karma

isoutamo
SplunkTrust

Can you share your props.conf for this sourcetype (also if there is some source:: or host:: definition) and transforms.conf if you are using those? Please insert those inside a </> block for easier reading.

0 Karma

janroc
Explorer

I have no self-made props.conf on the SH, only the Splunk_TA_windows app from Splunkbase.

[MSAD:NT6:DNS]
KV_MODE = none
LINE_BREAKER = ([\r\n]+)(\d{1,2}.\d{1,2}.\d{4} \d{1,2}:\d{1,2}:\d{1,2} \w{2})
# Load balancing on UF
EVENT_BREAKER_ENABLE = true
EVENT_BREAKER = ([\r\n]+)(\d{1,2}.\d{1,2}.\d{4} \d{1,2}:\d{1,2}:\d{1,2} \w{2})
SHOULD_LINEMERGE = false
CHECK_FOR_HEADER = false
EXTRACT-singleLine = (?<threadid>[0-9A-Fa-f]+)\s+(?<context>PACKET)\s+(?<packetid>[0-9A-Fa-f]*) (?<protocol>UDP|TCP) (?<direction>\w+) (?<src_ip>[0-9A-Fa-f\.\:]+)\s+(?<xid>[0-9A-Fa-f]+)\s+(?<operation>[ R]) (?<opcode>.) \[(?<hexflags>[0-9A-Fa-f]+) (?<flags>....) (?<response>[^\]]+)\]\s+(?:QTYPE\s+)?(?<questiontype>\w+)\s+(?:QCLASS\s+\d+\s+)?(:?\(\d+\))?(?<questionname>[^\n]*)\(0\)
EXTRACT-answer = (ANSWER\s+SECTION|UPDATE\s+SECTION):(?<ANSWER_OR_UPDATE_SECTION>.*?)(AUTHORITY\s+SECTION|ADDITIONAL\s+SECTION)
EVAL-query = replace(questionname,"(?:\(\d+\))",".")
FIELDALIAS-record_type = questiontype AS record_type
FIELDALIAS-query = questionname AS query
FIELDALIAS-src=src_ip AS src
FIELDALIAS-dest = host AS dest
FIELDALIAS-transaction_id = packetid AS transaction_id
FIELDALIAS-transport = protocol AS transport
FIELDALIAS-vendor_query_type = opcode AS vendor_query_type
EVAL-message_type = if(operation=="R","Response", "Query")
EVAL-name = if(operation=="R","R","")+opcode+"_"+response+"_"+questiontype
EVAL-answer = mvmap(answer, replace(replace(answer,"\(\d+\)","."),"\\[\\w+\\]",""))
EVAL-vendor_product = "Microsoft Windows"
REPORT-Multi_answer = Answer_multi_value
REPORT-KV_for_microsoft_dns_web = KV_for_port,KV_for_Domain,KV_for_microsoftdns_action,KV_for_Record_type,KV_for_Record_Class,KV_for_Answer_Section_Count,KV_for_Update_Section_Count
LOOKUP-windows_dns_query_type_lookup = windows_dns_query_type_lookup opcode OUTPUT query_type
LOOKUP-windows_dns_action_lookup = windows_dns_action_lookup message_type,vendor_dns_action OUTPUT action,reply_code,reply_code_id
LOOKUP-dns_recordclass_lookup = dns_recordclass_lookup record_class_number OUTPUT record_class

0 Karma