
Grok pattern for BIND9 logs


I need to write a grok filter for bind9 DNS logs. A sample log line looks like this:

17-Feb-2018 23:06:56.326 queries: info: client @0x563d72c3ea20 172.26.0.1#34564 (test.example.com): query: test.example.com IN A +E(0)K (172.26.0.3)

I verified the following pattern on grokconstructor, and it successfully matches the log above:

filter {
    grok {
        match => { "message" => "%{TIMESTAMP_ISO8601:logdate} queries: info: client @0x.{16} %{IP:source_ip}#(?<source_port>[0-9]+) \(%{HOSTNAME:query}\): query: .*$" }
    }
    date {
        match => ["logdate", "dd-MMM-yyyy HH:mm:ss.SSS"]
    }
}

But in Kibana my logs are tagged _grokparsefailure and are not parsed.

1 Answer


    As @baudsp suggested, you need to create a custom pattern for the BIND9 log. To do that, you first need to know what each field actually means:

    The query log entry first reports a client object identifier in @0x<hexadecimal-number> format. Next, it reports the client's IP address and port number, and the query name, class and type. Next, it reports whether the Recursion Desired flag was set (+ if set, - if not set), whether the query was signed (S), whether EDNS was in use along with the EDNS version number (E(#)), whether TCP was used (T), whether DO (DNSSEC Ok) was set (D), whether CD (Checking Disabled) was set (C), whether a valid DNS Server COOKIE was received (V), or whether a DNS COOKIE option without a valid Server COOKIE was present (K). After this, the destination address the query was sent to is reported. Note: this reflects the behaviour of BIND 9.11.0.

    So for your BIND9 query log,

    17-Feb-2018 23:06:56.326 queries: info: client @0x563d72c3ea20 172.26.0.1#34564 (test.example.com): query: test.example.com IN A +E(0)K (172.26.0.3)
    

    the pattern is,

    %{MONTHDAY:day}[-]%{MONTH}[-]%{YEAR}\s*%{TIME}\s*%{WORD:queries}[:]\s*%{WORD:info}[:]\s*%{WORD:client}\s*%{DATA:client_data}\s*%{IP:client_ip}[#]%{NUMBER:client_port}\s*\(%{HOSTNAME}\)[:]\s*query:\s*%{HOSTNAME:query_value}\s*%{WORD}\s*%{WORD:record_type}\s*%{NOTSPACE:misc}\s*\(%{IP:destination}\)
    

    This will produce the following output,

    {
      "day": [
        [
          "27"
        ]
      ],
      "MONTH": [
        [
          "Feb"
        ]
      ],
      "YEAR": [
        [
          "2018"
        ]
      ],
      "TIME": [
        [
          "23:06:56.326"
        ]
      ],
      "HOUR": [
        [
          "23"
        ]
      ],
      "MINUTE": [
        [
          "06"
        ]
      ],
      "SECOND": [
        [
          "56.326"
        ]
      ],
      "queries": [
        [
          "queries"
        ]
      ],
      "info": [
        [
          "info"
        ]
      ],
      "client": [
        [
          "client"
        ]
      ],
      "client_data": [
        [
          "@0x563d72c3ea20"
        ]
      ],
      "client_ip": [
        [
          "172.26.0.1"
        ]
      ],
      "IPV6": [
        [
          null,
          null
        ]
      ],
      "IPV4": [
        [
          "172.26.0.1",
          "172.26.0.3"
        ]
      ],
      "client_port": [
        [
          "34564"
        ]
      ],
      "BASE10NUM": [
        [
          "34564"
        ]
      ],
      "HOSTNAME": [
        [
          "test.example.com"
        ]
      ],
      "query_value": [
        [
          "test.example.com"
        ]
      ],
      "WORD": [
        [
          "IN"
        ]
      ],
      "record_type": [
        [
          "A"
        ]
      ],
      "misc": [
        [
          "+E(0)K"
        ]
      ],
      "destination": [
        [
          "172.26.0.3"
        ]
      ]
    }
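As an added illustration (not part of the question or the answer above), the following Python script mirrors the answer's grok pattern as a named-group regex and additionally decodes the flags field ("+E(0)K") into the per-flag meanings listed in the BIND 9.11 description. The two log lines are constructed samples; the second one exercises the "-", T, D and C flags, which the question's single line does not cover.

```python
import re
from typing import Optional

# Constructed sample lines (not real traffic). The first is the line from the
# question; the second exercises recursion-not-desired (-), TCP, DO and CD flags.
SAMPLE_LINES = [
    "17-Feb-2018 23:06:56.326 queries: info: client @0x563d72c3ea20 172.26.0.1#34564 "
    "(test.example.com): query: test.example.com IN A +E(0)K (172.26.0.3)",
    "17-Feb-2018 23:07:01.004 queries: info: client @0x563d72c3ea20 172.26.0.9#53012 "
    "(www.example.org): query: www.example.org IN AAAA -TDC (172.26.0.3)",
]

# Regex equivalent of the answer's grok pattern; named groups stand in for %{...:name}.
QUERY_LOG_RE = re.compile(
    r"^(?P<timestamp>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"queries: info: client (?P<client_obj>@0x[0-9a-f]+) "
    r"(?P<client_ip>[0-9a-fA-F.:]+)#(?P<client_port>\d+) "
    r"\((?P<name>[^)]+)\): query: (?P<query>\S+) (?P<qclass>\S+) (?P<qtype>\S+) "
    r"(?P<flags>\S+) \((?P<destination>[0-9a-fA-F.:]+)\)$"
)

# Single-letter flags as documented for BIND 9.11 query logging (E(#) handled separately).
FLAG_NAMES = {"S": "signed", "T": "tcp", "D": "dnssec_ok", "C": "checking_disabled",
              "V": "valid_server_cookie", "K": "cookie_without_valid_server_cookie"}


def decode_flags(flags: str) -> dict:
    """Expand e.g. '+E(0)K' into booleans plus the EDNS version (None if no EDNS)."""
    out = {"recursion_desired": flags[0] == "+", "edns_version": None}
    out.update({name: False for name in FLAG_NAMES.values()})
    edns = re.search(r"E\((\d+)\)", flags)
    if edns:
        out["edns_version"] = int(edns.group(1))
    for ch in re.sub(r"E\(\d+\)", "", flags[1:]):   # remaining single-letter flags
        if ch in FLAG_NAMES:
            out[FLAG_NAMES[ch]] = True
    return out


def parse_query_log(line: str) -> Optional[dict]:
    """Return the parsed record, or None (the equivalent of a _grokparsefailure tag)."""
    m = QUERY_LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["client_port"] = int(rec["client_port"])
    rec.update(decode_flags(rec.pop("flags")))
    return rec


if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        print(parse_query_log(sample))
```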
    
