[syslog-ng] Need to parse named query log entries and get just the domain portion

Robert Webb rwebb at ropeguru.com
Fri Oct 27 14:56:28 UTC 2017


Thank you for pointing me in the right direction. I was so focused on the matching starting at "queries: info:" that I totally forgot that the first part of the actual MSG has the date and time sent with it.

My pattern now takes that into account.

Message: 27-Oct-2017 14:19:42.359 queries: info: client (sr.symcb.com): query: sr.symcb.com IN A +E (

<pattern>@ESTRING:: @@ESTRING:: @queries: info: client @IPvANY:named.client.ip@#@NUMBER:named.client.port:@ @ESTRING:named.domain.name::@ query: @HOSTNAME:named.host.name:@ @STRING:@ @STRING:named.record.type:@ @ESTRING:named.record.flags: @(@IPvANY:named.server.ip@)</pattern>


From: Evan Rempel [mailto:erempel at uvic.ca]
Sent: Friday, October 27, 2017 9:52 AM
To: Robert Webb <rwebb at ropeguru.com>
Subject: Re: [syslog-ng] Need to parse named query log entries and get just the domain portion

In the past when I have had this problem it was in the patterndb portion just outside of what you have included.

Essentially the program does not match, so the rule is never attempted. This results in none of the tag-value pairs being populated. The pdbtool shows a match because the pattern is always in the correct program.

Your patterndb portion is inside of a set of a config such as

<patterndb version="4" pub_date="2009-09-01">
   <ruleset name="named" id="some-unique-value">

[ your included pattern db data ]

   </ruleset>
</patterndb>


It is the line that matches the parsed program name from the syslog line to allow the rule to be parsed against the syslog message.

For testing purposes I make a destination to write a json object. That way I can see everything that got populated.

template t_json { template("$(format-json --scope everything )\n"); template_escape(no); };
destination test.log { file("/var/syslog/test.log.$S_YEAR$S_MONTH$S_DAY.000000" template(t_json)); };


On 10/27/2017 05:22 AM, Robert Webb wrote:
So I have a situation where I have a syslog feed coming in that is sending named (BIND9) query logs. On the DNS servers themselves, we are doing sink hole via a local zone file and sending the dns response back as

Since there is no way for BIND9 to give me logging of the DNS query response back to the user, I need to be able to take a query log entry, parse it to get just the domain portion, and then match the domain to a list. I am trying to do all this inside syslog-ng.

I have been given some guidance to use a pattern database. I worked with this and am successfully matching my incoming query log data. Using the pdbtool, I get a full match and a list of the values I expect. But where I run into an issue after searching through all the documentation is, where can these values be used? I tried building a template against a destination, and none of the values populate. So I am stuck at this point.

I have also been told that I may have to do a custom python parser instead.

Any help or guidance is appreciated.

Here is my rule:

      <rule provider="balabit" id="b0ca071d-309e-454a-8e31-721b01ef55ee" class="system">
        <patterns>
          <pattern>queries: info: client @IPvANY:named.client.ip@#@NUMBER:named.client.port:@ @ESTRING:named.domain.name::@ query: @HOSTNAME:named.host.name:@ @STRING:@ @STRING:named.record.type:@ @ESTRING:named.record.flags: @(@IPvANY:named.server.ip@)</pattern>
        </patterns>
        <examples>
          <example>
            <test_message program="named">client query: tumtali.fegade.com IN A - (</test_message>
            <test_values>
              <test_value name="named.client.ip"></test_value>
              <test_value name="named.client.port">1890</test_value>
              <test_value name="named.domain.name">tumtali.fegade.com</test_value>
              <test_value name="named.record.type">A</test_value>
              <test_value name="named.record.flags">-</test_value>
              <test_value name="named.server.ip"></test_value>
            </test_values>
          </example>
          <example>
            <test_message program="named">client query: banister.paars.tld IN A -EDC (</test_message>
            <test_values>
              <test_value name="named.client.ip"></test_value>
              <test_value name="named.client.port">40441</test_value>
              <test_value name="named.domain.name">banister.paars.tld</test_value>
              <test_value name="named.record.type">A</test_value>
              <test_value name="named.record.flags">-EDC</test_value>
              <test_value name="named.server.ip"></test_value>
            </test_values>
          </example>
          <example>
            <test_message program="named">queries: client query: maps.googleapis.com IN A + (</test_message>
            <test_values>
              <test_value name="named.client.ip"></test_value>
              <test_value name="named.client.port">58454</test_value>
              <test_value name="named.domain.name">maps.googleapis.com</test_value>
              <test_value name="named.record.type">A</test_value>
              <test_value name="named.record.flags">+</test_value>
              <test_value name="named.server.ip"></test_value>
            </test_values>
          </example>
        </examples>
      </rule>

Here are test results:

Pattern matching part:
queries: info: client @IP:named.client.ip= @ESTRING:named.domain.name=(sr.symcb.com)@ query: @HOSTNAME:named.host.name=sr.symcb.com@ @STRING:None=IN@ @STRING:named.record.type=A@ @ESTRING:named.record.flags=+E@(@IP:named.server.ip=
Matching part:
queries: info: client (sr.symcb.com): query: sr.symcb.com IN A +E (
MESSAGE=queries: info: client (sr.symcb.com): query: sr.symcb.com IN A +E (
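The parsing and list-matching described in the original post, as an added example that is not code from the thread or from syslog-ng: a Python class with the init()/parse() shape of a syslog-ng python() parser that extracts the same named.* name-value pairs as the patterndb rule (also handling the date/time prefix from the later message), strips the parentheses that the ESTRING keeps, and checks the queried name against a sinkhole zone list, matching parent domains as well as exact names. The sinkhole-zones option name, the sample line and its IP addresses are assumptions made for this example.

```python
import re

# Regex equivalent of the thread's patterndb pattern, including the optional
# "27-Oct-2017 14:19:42.359 " prefix named puts at the front of MESSAGE.
QUERY_LOG_RE = re.compile(
    r"^(?:\S+ \S+ )?queries: info: client "
    r"(?P<client_ip>[0-9A-Fa-f.:]+)#(?P<client_port>\d+) "
    r"\((?P<domain>[^)]*)\): query: "  # parens dropped, unlike the ESTRING in the thread
    r"(?P<host>\S+) (?P<rclass>\S+) (?P<rtype>\S+) (?P<flags>\S+) "
    r"\((?P<server_ip>[0-9A-Fa-f.:]*)\)\s*$")
# regex group -> name-value pair names used in the thread's rule (rclass is unnamed there)
FIELDS = {"client_ip": "named.client.ip", "client_port": "named.client.port",
          "domain": "named.domain.name", "host": "named.host.name", "rtype": "named.record.type",
          "flags": "named.record.flags", "server_ip": "named.server.ip"}

def parse_query_log(msg):
    """Name-value pairs for one query-log line, or None if the line does not match."""
    m = QUERY_LOG_RE.match(msg)
    if m is None:
        return None
    return {FIELDS[g]: v for g, v in m.groupdict().items() if g in FIELDS}

def in_sinkhole(name, zones):
    """True if name or any parent domain is a sinkholed zone (case-insensitive)."""
    labels = name.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in zones for i in range(len(labels)))

class NamedQueryParser(object):
    """init()/parse() shape of a syslog-ng python() parser; also works on a plain dict."""
    def init(self, options):
        # hypothetical option, e.g. options("sinkhole-zones" "bad.example,evil.test")
        raw = options.get("sinkhole-zones", "")
        self.zones = {z.strip().lower() for z in raw.split(",") if z.strip()}
        return True

    def parse(self, log_message):
        msg = log_message["MESSAGE"]
        if isinstance(msg, bytes):          # syslog-ng hands values over as bytes
            msg = msg.decode("utf-8", "replace")
        fields = parse_query_log(msg)
        if fields is None:
            return False                    # no match: parser fails for this message
        for key, value in fields.items():   # these become ${named.*} macros in templates
            log_message[key] = value
        hit = in_sinkhole(fields["named.host.name"], self.zones)
        log_message["named.sinkholed"] = "yes" if hit else "no"
        return True

# Constructed sample line; the IPs are RFC 5737 documentation addresses, not thread data.
SAMPLE = ("27-Oct-2017 14:19:42.359 queries: info: client 192.0.2.10#1890 "
          "(sr.symcb.com): query: sr.symcb.com IN A +E (192.0.2.53)")
```

The named.sinkholed pair can then drive a filter() or a separate destination in the log path, in the same way the json test destination above shows which pairs actually got populated.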
