[syslog-ng] [patterndb] bind9 patterns and DNS schema (was: Re: logic and duplicate suppression)

Balazs Scheidler bazsi at balabit.hu
Fri Sep 3 14:37:49 CEST 2010 

On Fri, 2010-09-03 at 13:35 +0200, Balazs Scheidler wrote:
> Hi,
> 
> On Thu, 2010-08-19 at 18:17 -0500, John Kristoff wrote:
> > On Sun, 15 Aug 2010 07:55:58 +0200
> > Balazs Scheidler <bazsi at balabit.hu> wrote:
> > 
> > > Now that I think of it, the DNS query portion is quite simple: it logs
> > > the contents of the DNS query and probably the same parameters would
> > > probably be present in all DNS server logs, thus I just have to decide
> > > the naming policy to be used on "transaction logs in general".
> > 
> > There are various types of logs a DNS server could generate depending
> > on how granular you want your parser to be.  The lame delegation logs
> > for example are reasonably different than the query log and a zone
> > transfer log message in turn would be different from each of those.
> > 
> > > I guess "smtptxn" for SMTP transaction would be a good name, right? In
> > > that way your DNS transactions (= query logs) would need to be called
> > > "dnstxn", how does that sound to you?
> > 
> > Doesn't really matter to me.  Some purists might not like referring to
> > them as transactions, but I could care less.  :-)  If you want an
> > alternative, I would suggest dnsquery.
> 
> Agreed, I don't mind dnsquery. :)
> 
> > 
> > > Also, lame delegation is not a query, right? (I'd really need to
> > 
> > Correct, but the log message is only generated as a result of a query
> > that probably didn't go so well.
> 
> I'm adding your patterns then, and create a schema for DNS related stuff
> then.
> 

And here it comes. I have added two schemas:

Schema: dnsqry
Status: experimental
Description: DNS query logs
        This schema is describing DNS query logs. Strongly bind inspired.
Attributes:
        NV pair name            Mandatory       Description
        dnsqry.client_ip        N               Source IP address of the DNS request.
        dnsqry.client_port      N               Source port
        dnsqry.view             N               DNS view
        dnsqry.query            Y               DNS query.
        dnsqry.class            Y               DNS class (IN for internet)
        dnsqry.type             Y               DNS record type to query (e.g. A, PTR, etc)
        dnsqry.flags            N               DNS Request flags.

And:

Schema: dnslame
Status: experimental
Description: DNS logs for lame delegation.
        This schema is for DNS lame logs, strongly bind inspired.
Attributes:
        NV pair name            Mandatory       Description
        dnslame.reason          N               The reason the DNS request couldn't be fulfilled.
        dnslame.zone            N               The lame zone.

These two zones describe DNS events. I've also cleaned up your patterns and added
them to dns/bind.pdb.

I'd appreciate review from both you and anyone else running DNS servers 
if I did it right.

The patterns themselves match and extract the NV pairs properly, this 
is tested by "pdbtool test".


-- 
Bazsi

More information about the syslog-ng mailing list