Grok pattern for BIND9 log



I need to write a grok filter for bind9 DNS logs. A sample log line looks like this:

17-Feb-2018 23:06:56.326 queries: info: client @0x563d72c3ea20 172.26.0.1#34564 (test.example.com): query: test.example.com IN A +E(0)K (172.26.0.3)

I validated the following pattern on GrokConstructor, and it matched the log line above successfully:

filter {
    grok {
        match => { "message" => "%{TIMESTAMP_ISO8601:logdate} queries: info: client @0x.{16} %{IP:source_ip}#(?<source_port>[0-9]+) (%{HOSTNAME:query}): query: .*$" }
    }
    date {
        match => ["logdate", "dd-MMM-yyyy HH:mm:ss.SSS"]
    }
}

However, in Kibana my logs are tagged with _grokparsefailure and are not parsed.

As @baudsp suggested, you need to create a custom pattern for the bind9 log. To do that, you first need to know what each field actually means:

The query log entry first reports a client object identifier in @0x<hexadecimal-number> format. Next, it reports the client's IP address and port number, and the query name, class, and type. Next, it reports whether the Recursion Desired flag was set (+ if set, - if not set), if the query was signed (S), EDNS was in use along with the EDNS version number (E(#)), if TCP was used (T), if DO (DNSSEC Ok) was set (D), if CD (Checking Disabled) was set (C), if a valid DNS Server COOKIE was received (V), or if a DNS COOKIE option without a valid Server COOKIE was present (K). After this, the destination address the query was sent to is reported. Note: this reflects BIND 9.11.0 behavior.

So, for your bind9 query log,

17-Feb-2018 23:06:56.326 queries: info: client @0x563d72c3ea20 172.26.0.1#34564 (test.example.com): query: test.example.com IN A +E(0)K (172.26.0.3)

the pattern would be

%{MONTHDAY:day}[-]%{MONTH}[-]%{YEAR}\s*%{TIME}\s*%{WORD:queries}[:]\s*%{WORD:info}[:]\s*%{WORD:client}\s*%{DATA:client_data}\s*%{IP:client_ip}[#]%{NUMBER:client_port}\s*\(%{HOSTNAME}\)[:]\s*query:\s*%{HOSTNAME:query_value}\s*%{WORD}\s*%{WORD:record_type}\s*%{NOTSPACE:misc}\s*\(%{IP:destination}\)

which produces the following output:

{
  "day": [
    [
      "17"
    ]
  ],
  "MONTH": [
    [
      "Feb"
    ]
  ],
  "YEAR": [
    [
      "2018"
    ]
  ],
  "TIME": [
    [
      "23:06:56.326"
    ]
  ],
  "HOUR": [
    [
      "23"
    ]
  ],
  "MINUTE": [
    [
      "06"
    ]
  ],
  "SECOND": [
    [
      "56.326"
    ]
  ],
  "queries": [
    [
      "queries"
    ]
  ],
  "info": [
    [
      "info"
    ]
  ],
  "client": [
    [
      "client"
    ]
  ],
  "client_data": [
    [
      "@0x563d72c3ea20"
    ]
  ],
  "client_ip": [
    [
      "172.26.0.1"
    ]
  ],
  "IPV6": [
    [
      null,
      null
    ]
  ],
  "IPV4": [
    [
      "172.26.0.1",
      "172.26.0.3"
    ]
  ],
  "client_port": [
    [
      "34564"
    ]
  ],
  "BASE10NUM": [
    [
      "34564"
    ]
  ],
  "HOSTNAME": [
    [
      "test.example.com"
    ]
  ],
  "query_value": [
    [
      "test.example.com"
    ]
  ],
  "WORD": [
    [
      "IN"
    ]
  ],
  "record_type": [
    [
      "A"
    ]
  ],
  "misc": [
    [
      "+E(0)K"
    ]
  ],
  "destination": [
    [
      "172.26.0.3"
    ]
  ]
}
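As an added example (not code from the question or the answer), here is the same field layout implemented as a stand-alone Python parser, so the BIND 9.11 query-log format described in the answer can be exercised without Logstash. The regular expression mirrors the answer's grok pattern with named groups, the timestamp is parsed with the strptime equivalent of the Logstash date format dd-MMM-yyyy HH:mm:ss.SSS, and the flags field (+E(0)K in the sample) is decoded into named booleans using the letters from the BIND documentation quoted above. The sample input is constructed: the first line is the one from the question; the IPv6/TCP line and the line in the older layout without an @0x client object identifier are made up to show a second input kind and a non-matching case. Grok's %{IP} and %{HOSTNAME} are approximated here by a permissive character class and \S+, which is an assumption, not a reproduction of the grok library's own definitions.

```python
import re
from datetime import datetime
from typing import Optional

# Regex equivalent of the answer's grok pattern, as named groups. %{IP} is
# approximated by a permissive IPv4/IPv6 character class and %{HOSTNAME} by \S+
# (assumption; not the grok library's own definitions).
BIND_QUERY_RE = re.compile(
    r"^(?P<day>\d{2})-(?P<month>[A-Z][a-z]{2})-(?P<year>\d{4})\s+"
    r"(?P<time>\d{2}:\d{2}:\d{2}\.\d{3})\s+"
    r"(?P<category>\w+):\s*(?P<severity>\w+):\s*"
    r"client\s+(?P<client_data>@0x[0-9a-fA-F]+)\s+"
    r"(?P<client_ip>[0-9a-fA-F.:]+)#(?P<client_port>\d+)\s+"
    r"\((?P<qname>[^)]+)\):\s*query:\s*"
    r"(?P<query_value>\S+)\s+(?P<qclass>\w+)\s+(?P<record_type>\w+)\s+"
    r"(?P<misc>\S+)\s+\((?P<destination>[0-9a-fA-F.:]+)\)$"
)

# Single-letter flags as documented for BIND 9.11 query logging.
FLAG_NAMES = {
    "S": "signed",
    "T": "tcp",
    "D": "dnssec_ok",
    "C": "checking_disabled",
    "V": "valid_server_cookie",
    "K": "cookie_without_valid_server_cookie",
}
EDNS_RE = re.compile(r"E\((?P<version>\d+)\)")


def decode_flags(misc: str) -> dict:
    """Decode the flags field, e.g. '+E(0)K', into named values."""
    if not misc or misc[0] not in "+-":
        raise ValueError(f"flags field must start with + or -: {misc!r}")
    flags = {"recursion_desired": misc[0] == "+", "edns_version": None}
    rest = misc[1:]
    edns = EDNS_RE.search(rest)
    if edns:
        flags["edns_version"] = int(edns.group("version"))
        rest = rest[:edns.start()] + rest[edns.end():]  # drop E(#) before letter checks
    for letter, name in FLAG_NAMES.items():
        flags[name] = letter in rest
    return flags


def parse_bind_query(line: str) -> Optional[dict]:
    """Parse one BIND 9.11-style query log line; return None when it does not match."""
    m = BIND_QUERY_RE.match(line.strip())
    if m is None:
        return None
    d = m.groupdict()
    # strptime equivalent of the Logstash date format "dd-MMM-yyyy HH:mm:ss.SSS".
    ts = datetime.strptime(
        f"{d['day']}-{d['month']}-{d['year']} {d['time']}", "%d-%b-%Y %H:%M:%S.%f"
    )
    return {
        "timestamp": ts.isoformat(timespec="milliseconds"),
        "category": d["category"],
        "severity": d["severity"],
        "client_object": d["client_data"],
        "client_ip": d["client_ip"],
        "client_port": int(d["client_port"]),
        "query_name": d["query_value"],
        "query_class": d["qclass"],
        "record_type": d["record_type"],
        "flags": decode_flags(d["misc"]),
        "destination": d["destination"],
    }


# Constructed sample input: the line from the question, a made-up IPv6 client
# over TCP with DO set, and a made-up line in the older layout without the @0x
# client object identifier, which this pattern must reject.
SAMPLE_LINES = [
    "17-Feb-2018 23:06:56.326 queries: info: client @0x563d72c3ea20 172.26.0.1#34564 "
    "(test.example.com): query: test.example.com IN A +E(0)K (172.26.0.3)",
    "17-Feb-2018 23:07:01.004 queries: info: client @0x563d72c3ea20 2001:db8::10#51234 "
    "(www.example.org): query: www.example.org IN AAAA -E(0)TD (2001:db8::1)",
    "17-Feb-2018 23:07:02.100 queries: info: client 172.26.0.1#34564 "
    "(test.example.com): query: test.example.com IN A + (172.26.0.3)",
]


def parse_lines(lines):
    """Return (parsed records, lines that failed to parse), the way a pipeline
    would separate good events from ones that need a _grokparsefailure-style tag."""
    parsed, failed = [], []
    for line in lines:
        rec = parse_bind_query(line)
        (parsed if rec is not None else failed).append(rec if rec is not None else line)
    return parsed, failed


if __name__ == "__main__":
    ok, bad = parse_lines(SAMPLE_LINES)
    for rec in ok:
        print(rec)
    for line in bad:
        print("NO MATCH:", line)
```

Note that the timestamp is day-first (dd-MMM-yyyy), so it has to be matched explicitly as the answer's pattern does; the grok TIMESTAMP_ISO8601 pattern expects a year-first layout and will not match it.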
