Bro DNS log:¶

I think this will work for most bro logs, but dns is the only one I’ve tried. Obviously the columns would have to change for each log type.

Now that the basics are working, I can try the mutate stuff again.

filter {
  if([fields][log_type] == "brodns") {
    if([message] =~ /^#/) {
      drop { }
    }
    csv {
        columns => ["ts","uid","id.orig_h","id.orig_p","id.resp_h","id.resp_p","proto","trans_id","rtt","query","qclass","qclass_name","qtype","qtype_name","rcode","rcode_name","AA","TC","RD","RA","Z","answers","TTLs","rejected"]
        separator => "  "
    }
    date {
      match => ["ts", "UNIX"]
    }
#    mutate {
#      rename =>  [ "id.orig_h", "id_orig_host" ]
#      rename =>  [ "id.orig_p", "id_orig_port" ]
#      rename =>  [ "id.resp_h", "id_resp_host" ]
#      rename =>  [ "id.resp_p", "id_resp_port" ]
#    }
  }
}

Bro DNS log:¶

notes

Navigation

Related Topics