Splunk Search

How to search Windows DNS logs for FQDN?

New Member

Splunk has our Windows DNS lookups as image(7)site(3)com. How do I search for image.site.com?


Communicator

If you want to get a correct field in place without having to modify the existing log file at index-time the way the other answer specifies, you will want to use the following field extraction in props.conf based on the TA included with the Windows Infrastructure app on Splunkbase. You can apply this eval statement to any sourcetype if you've brought in your DNS logs some other way.

[MSAD:NT6:DNS]
EVAL-fqdn=trim(replace(src_domain,"\([0-9]+\)","."),".")

This will replace all of the numbers in parentheses with dots, then trim the dots from the beginning and end so it will match how FQDN is usually represented in other apps and threat lists for correlation.
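To see what that eval actually produces, here is a Python re-implementation of the replace-then-trim step run over a few constructed src_domain values (label-length encoded names as Windows DNS writes them, plus the form quoted in the question). This is an added example, not code from the thread or from the Windows Infrastructure TA; the sample names and the watchlist entry are made up for illustration.

```python
import re

# Constructed sample values for the src_domain field, written the way
# Windows DNS debug logs encode names: each label is preceded by its length
# in parentheses and the name ends with the zero-length root label "(0)".
# Made-up inputs for this example, not data from the thread.
SAMPLE_SRC_DOMAIN = [
    "(5)image(4)site(3)com(0)",
    "image(7)site(3)com",             # the form quoted in the question
    "(3)www(7)example(2)co(2)uk(0)",
    "(0)",                            # query for the root zone itself
    "plain.host.example",             # already dotted: must pass through
]

# Same pattern as the props.conf eval uses: "\([0-9]+\)" in PCRE syntax.
LABEL_LEN_RE = re.compile(r"\([0-9]+\)")


def eval_fqdn(src_domain: str) -> str:
    # Python equivalent of
    #   EVAL-fqdn=trim(replace(src_domain,"\([0-9]+\)","."),".")
    # Step 1 (replace): every "(n)" length marker becomes a dot.
    # Step 2 (trim): leading and trailing dots are removed, so that
    # "(5)image(4)site(3)com(0)" does not come out as ".image.site.com."
    # and silently miss an exact-match lookup against a threat list.
    dotted = LABEL_LEN_RE.sub(".", src_domain)
    return dotted.strip(".")


def match_watchlist(src_domains, watchlist):
    """Correlate normalized names against a set of FQDNs from a threat list.
    Returns the raw log values whose normalized FQDN is on the list."""
    return [raw for raw in src_domains if eval_fqdn(raw) in watchlist]


if __name__ == "__main__":
    for raw in SAMPLE_SRC_DOMAIN:
        print(f"{raw:32} -> {eval_fqdn(raw)!r}")
    # Constructed watchlist entry; in Splunk this would be a lookup table.
    print(match_watchlist(SAMPLE_SRC_DOMAIN, {"image.site.com"}))
```

Note the root-only query "(0)" normalizes to an empty string, so a search such as `fqdn=*` will not return it; that is the expected outcome of trimming, not a bug.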

Builder

This is the method I used to set up the DNS in Splunk, and it works very nicely:

http://stratumsecurity.com/2012/07/03/splunk-security/

New Member

reswob4, any chance you can share the information from this site? Looks like it's currently down, and I am also trying to get rid of the (3) etc. from my DNS logs.



New Member

Thanks - I may be missing something, but is there a way I can format the search criteria without changing how the DNS is indexed?


Builder

First question, to make sure we are on the same page: are you collecting the DNS trace logs? If not, you won't be able to do the searches you are talking about. Searching against the logs Windows DNS records in its own event logs won't get you much information.

Now, if you are collecting the DNS trace logs, here's what I did:

Based on the link above, I created two field extractions:

(from my props.conf)
# Query name, captured into the field "Domain". The pattern expects the
# name in dotted form (a literal dot before each label), so it matches once
# the (n) label-length markers have been turned into dots.
EXTRACT-Domain = (?i) .*? \.(?P<Domain>[-a-zA-Z0-9@:%_+.~#?;//=]{2,256}\.[a-z]{2,6})
# Client IP address on received ("Rcv") packets, captured into "src".
EXTRACT-src = (?i) Rcv (?P<src>\d+\.\d+\.\d+\.\d+)

These allow me to search by FQDN right in Splunk.

If you want to search directly without changing how it's indexed, you may be able to leverage the regex above in the search parameters.

I suggest you create these under FIELDS --> FIELD EXTRACTIONS for whatever sourcetype is collecting your DNS Trace logs.

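The following added example (not code from the thread or from the linked blog post) runs the two extractions from the answer above, as Python regexes with the named groups spelled out and the dots escaped, over a few constructed Windows DNS debug-log lines. It also shows the caveat a practitioner hits when trying this at search time: the Domain pattern only matches once the "(n)" label-length markers have been turned into dots, so that conversion has to happen first (at index time via SEDCMD, or in the search pipeline). The log lines and IP addresses are made up for the example.

```python
import re

# Constructed Windows DNS debug-log lines (format modelled on the server's
# packet trace output; not real data). Query names still carry "(n)" markers.
RAW_LINES = [
    "7/3/2012 10:15:02 AM 0A2C PACKET  00000000034A1B40 UDP Rcv 10.1.2.3        0002   Q [0001   D   NOERROR] A      (5)image(4)site(3)com(0)",
    "7/3/2012 10:15:03 AM 0A2C PACKET  00000000034A1C80 UDP Snd 10.1.2.3        0002 R Q [8081   DR  NOERROR] A      (5)image(4)site(3)com(0)",
    "7/3/2012 10:15:04 AM 0A2C PACKET  00000000034A1D10 UDP Rcv 192.168.5.20    0003   Q [0001   D   NOERROR] AAAA   (3)www(7)example(3)org(0)",
]

# The two props.conf extractions, with named capture groups and literal dots.
DOMAIN_RE = re.compile(
    r"(?i) .*? \.(?P<Domain>[-a-zA-Z0-9@:%_+.~#?;//=]{2,256}\.[a-z]{2,6})"
)
SRC_RE = re.compile(r"(?i) Rcv (?P<src>\d+\.\d+\.\d+\.\d+)")

# Replacement for the "(n)" label-length markers; this is what an index-time
# SEDCMD (or a search-time replace) has to do before DOMAIN_RE can match.
LABEL_LEN_RE = re.compile(r"\([0-9]+\)")


def to_dotted(line: str) -> str:
    """Turn "(5)image(4)site(3)com(0)" into ".image.site.com." inside a line."""
    return LABEL_LEN_RE.sub(".", line)


def extract_raw(line: str):
    """Domain extraction applied directly to the untouched line.
    Returns None, because the pattern needs a literal dot before the name."""
    m = DOMAIN_RE.search(line)
    return m.group("Domain") if m else None


def extract_fields(line: str) -> dict:
    """Convert the markers, then run both extractions. A value of None stands
    for a field Splunk would simply not create for that event (for example,
    no src on an outbound "Snd" packet)."""
    dotted = to_dotted(line)
    dom = DOMAIN_RE.search(dotted)
    src = SRC_RE.search(dotted)
    return {
        "Domain": dom.group("Domain") if dom else None,
        "src": src.group("src") if src else None,
    }


if __name__ == "__main__":
    for line in RAW_LINES:
        print("raw   :", extract_raw(line))
        print("dotted:", extract_fields(line))
```

The trailing dot produced by the root label "(0)" is not captured, since the pattern has to end in a dot followed by two to six letters, so the Domain field comes out as "image.site.com" rather than "image.site.com.".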