On Fri, 2010-09-03 at 13:35 +0200, Balazs Scheidler wrote:
Hi,
On Thu, 2010-08-19 at 18:17 -0500, John Kristoff wrote:
On Sun, 15 Aug 2010 07:55:58 +0200 Balazs Scheidler <bazsi@balabit.hu> wrote:
Now that I think of it, the DNS query portion is quite simple: it logs the contents of the DNS query and probably the same parameters would probably be present in all DNS server logs, thus I just have to decide the naming policy to be used on "transaction logs in general".
There are various types of logs a DNS server could generate depending on how granular you want your parser to be. The lame delegation logs for example are reasonably different than the query log and a zone transfer log message in turn would be different from each of those.
I guess "smtptxn" for SMTP transaction would be a good name, right? In that way your DNS transactions (= query logs) would need to be called "dnstxn", how does that sound to you?
Doesn't really matter to me. Some purists might not like referring to them as transactions, but I could care less. :-) If you want an alternative, I would suggest dnsquery.
Agreed, I don't mind dnsquery. :)
Also, lame delegation is not a query, right? (I'd really need to
Correct, but the log message is only generated as a result of a query that probably didn't go so well.
I'm adding your patterns then, and creating a schema for DNS related stuff.
And here it comes. I have added two schemas:

Schema: dnsqry
Status: experimental
Description: DNS query logs

This schema is describing DNS query logs. Strongly bind inspired.

Attributes:
NV pair name        Mandatory  Description
dnsqry.client_ip    N          Source IP address of the DNS request.
dnsqry.client_port  N          Source port
dnsqry.view         N          DNS view
dnsqry.query        Y          DNS query.
dnsqry.class        Y          DNS class (IN for internet)
dnsqry.type         Y          DNS record type to query (e.g. A, PTR, etc)
dnsqry.flags        N          DNS Request flags.

And:

Schema: dnslame
Status: experimental
Description: DNS logs for lame delegation.

This schema is for DNS lame logs, strongly bind inspired.

Attributes:
NV pair name    Mandatory  Description
dnslame.reason  N          The reason the DNS request couldn't be fulfilled.
dnslame.zone    N          The lame zone.

These two zones describe DNS events. I've also cleaned up your patterns and added them to dns/bind.pdb. I'd appreciate review from both you and anyone else running DNS servers if I did it right. The patterns themselves match and extract the NV pairs properly, this is tested by "pdbtool test".

-- 
Bazsi
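To show what the dnsqry schema above extracts from a real-looking log line, here is a small parser added as an example (it is not code from syslog-ng, dns/bind.pdb, or anyone in this thread). It assumes the BIND 9 query log layout `client <ip>#<port>: [view <name>: ]query: <qname> <class> <type> <flags> [(<server_ip>)]`, and the sample lines are constructed.

```python
import re

# Assumed BIND 9 query log layout (hypothetical parser, not the patterndb rule):
#   client <ip>#<port>: [view <name>: ]query: <qname> <class> <type> <flags>[ (<server_ip>)]
QUERY_RE = re.compile(
    r"client (?P<client_ip>[0-9a-fA-F.:]+)#(?P<client_port>\d+): "
    r"(?:view (?P<view>\S+): )?"
    r"query: (?P<query>\S+) (?P<class>\S+) (?P<type>\S+)"
    r"(?: (?P<flags>[-+][A-Z]*))?"
    r"(?: \((?P<server_ip>[0-9a-fA-F.:]+)\))?$"
)

# Mirrors the schema table: name -> mandatory (True = Y, False = N).
DNSQRY_SCHEMA = {
    "dnsqry.client_ip": False, "dnsqry.client_port": False, "dnsqry.view": False,
    "dnsqry.query": True, "dnsqry.class": True, "dnsqry.type": True,
    "dnsqry.flags": False,
}

# Constructed sample lines with a syslog prefix, as a BIND host would emit them.
SAMPLE_LINES = [
    "Sep  3 13:35:01 ns1 named[1234]: client 192.0.2.10#53412: view internal: "
    "query: www.example.com IN A +E (198.51.100.1)",
    "Sep  3 13:35:02 ns1 named[1234]: client 2001:db8::1#5353: "
    "query: example.org IN MX + (198.51.100.1)",
    "Sep  3 13:35:03 ns1 named[1234]: client 192.0.2.11#40000: query: example.net IN ANY +ED",
    "Sep  3 13:35:04 ns1 named[1234]: lame server resolving 'www.example.com' "
    "(in 'example.com'?): 192.0.2.5#53",
]

def parse_dnsqry(line):
    """Return the dnsqry.* NV pairs for a query log line, or None if it is not one."""
    m = QUERY_RE.search(line)
    if not m:
        return None
    pairs = {}
    for name in ("client_ip", "client_port", "view", "query", "class", "type", "flags"):
        if m.group(name) is not None:       # optional fields are simply absent
            pairs["dnsqry." + name] = m.group(name)
    return pairs

def validate_dnsqry(pairs):
    """Check extracted pairs against the schema: (missing mandatory, unknown names)."""
    missing = [k for k, mandatory in DNSQRY_SCHEMA.items() if mandatory and k not in pairs]
    unknown = [k for k in pairs if k not in DNSQRY_SCHEMA]
    return missing, unknown

def parse_all(lines):
    """Parse every query line; non-query lines (e.g. lame server) are skipped."""
    return [p for p in (parse_dnsqry(l) for l in lines) if p is not None]
```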