Parse dns log

5/3/2023

Using the suggested configuration at the bottom of: So I tried index=test_dns | makemv delim="/r", Answers

And index=test_dns | makemv delim="/n", Answers

So in my search, I tested the following: index=test_dns | makemv delim="/n/r", Answers

REGEX = (?m) Name\s (?. )\W. \W. \W. \W. \W. DATA

And now I'm trying to build my nf so I'm testing what my regex should be using the following search. Testing regex using a site like gets me the following regex syntax that catches all instances of the fields that I want.

DATA\s ?(. )\n = (?i) (?P\d \.\d \.\d \.\d )

EXTRACT-Threat_ID,Context,Int_packet_ID,proto,mode,Xid,type,Opcode,Flags_Hex,char_code,ResponseCode,question_type =.

The Question field should have three values:

The Answer field should have the following values: 108.177.98.104

I have regex that will parse the first line no problem, but everything after that is a PIA.

From the Answer section, tokenized, each name in one field and each data in another field. Any idea how to parse the full Windows DNS Trace Log events?
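The post's difficulty is that a Windows DNS debug log event spans many lines: a header line carrying the thread, packet, protocol, direction, Xid, flags, response code and question type, followed by indented QUESTION and ANSWER sections whose Name and DATA lines need to become multivalue fields. The parser below is an added example, not the post's regex and not a Splunk configuration: it splits a log into events at the header line, extracts the header fields the post lists, and collects the Name and DATA values of each section separately. The sample log is constructed, and its layout (field order on the header line, quoted Name lines, label-encoded names such as (3)www(7)example(3)com(0)) is an assumption about how the server formats that log.

```python
import re
from typing import Dict, List

# Constructed sample (not from the post): a received query and the sent
# response, laid out the way the Windows DNS Server debug log is assumed to
# format packet records.
SAMPLE_LOG = """\
5/3/2023 10:15:22 AM 0F4C PACKET  000001E1D5C3A2B0 UDP Rcv 10.0.0.25       a1b2   Q [0001   D   NOERROR] A      (3)www(7)example(3)com(0)
UDP question info at 000001E1D5C3A2B0
  Remote addr 10.0.0.25, port 61234
  Message:
    QUESTION SECTION:
    Offset = 0x000c, RR count = 0
    Name      "(3)www(7)example(3)com(0)"
      QTYPE   A (1)
    ANSWER SECTION:
      empty
5/3/2023 10:15:22 AM 0F4C PACKET  000001E1D5C3A2B0 UDP Snd 10.0.0.25       a1b2 R Q [8081   DR  NOERROR] A      (3)www(7)example(3)com(0)
UDP response info at 000001E1D5C3A2B0
  Remote addr 10.0.0.25, port 61234
  Message:
    QUESTION SECTION:
    Offset = 0x000c, RR count = 0
    Name      "(3)www(7)example(3)com(0)"
      QTYPE   A (1)
    ANSWER SECTION:
    Offset = 0x0027, RR count = 0
    Name      "[C00C](3)www(7)example(3)com(0)"
      TYPE   A (1)
      TTL    300
      DATA   108.177.98.104
    Offset = 0x0037, RR count = 1
    Name      "[C00C](3)www(7)example(3)com(0)"
      TYPE   A (1)
      TTL    300
      DATA   93.184.216.34
    AUTHORITY SECTION:
      empty
"""

# An event starts at a line beginning with a date and 12-hour time stamp.
EVENT_START = re.compile(r"^(?=\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M )", re.M)

# Header line: the single-line fields the post wants to extract. "type" is the
# optional R that marks a response; the bracket holds flags hex, flag letters
# and the response code.
HEADER_RE = re.compile(
    r"""^(?P<date>\d{1,2}/\d{1,2}/\d{4})\s+(?P<time>\d{1,2}:\d{2}:\d{2}\s+[AP]M)\s+
        (?P<thread_id>[0-9A-F]+)\s+(?P<context>\S+)\s+(?P<int_packet_id>[0-9A-F]+)\s+
        (?P<proto>UDP|TCP)\s+(?P<mode>Snd|Rcv)\s+(?P<remote_ip>\S+)\s+
        (?P<xid>[0-9a-f]{4})\s+(?P<type>R?)\s*(?P<opcode>[A-Z])\s+
        \[(?P<flags_hex>[0-9A-Fa-f]{4})\s+(?P<char_code>[A-Z]*)\s+(?P<response_code>[A-Z]+)\]\s+
        (?P<question_type>[A-Z0-9]+)\s+(?P<question_name>\S+)$""",
    re.VERBOSE,
)
SECTION_RE = re.compile(r"^\s*(?P<section>QUESTION|ANSWER|AUTHORITY|ADDITIONAL) SECTION:")
NAME_RE = re.compile(r'^\s*Name\s+"(?P<name>[^"]*)"')
DATA_RE = re.compile(r"^\s*DATA\s+(?P<data>\S.*?)\s*$")
LABEL_RE = re.compile(r"\(\d+\)([^()]*)")


def decode_name(raw: str) -> str:
    """Turn '[C00C](3)www(7)example(3)com(0)' into 'www.example.com'."""
    raw = re.sub(r"^\[[0-9A-Fa-f]+\]", "", raw)  # drop a compression pointer prefix
    labels = [label for label in LABEL_RE.findall(raw) if label]
    return ".".join(labels) or "."


def parse_event(event: str) -> Dict[str, object]:
    """Parse one multi-line event into header fields plus per-section Name/DATA lists."""
    lines = event.splitlines()
    match = HEADER_RE.match(lines[0])
    if not match:
        raise ValueError("first line is not a DNS debug log packet header")
    result: Dict[str, object] = dict(match.groupdict())
    result["question_name"] = decode_name(match.group("question_name"))
    sections: Dict[str, Dict[str, List[str]]] = {
        name: {"Name": [], "DATA": []} for name in ("QUESTION", "ANSWER", "AUTHORITY", "ADDITIONAL")
    }
    current = None
    for line in lines[1:]:
        sec = SECTION_RE.match(line)
        if sec:
            current = sec.group("section")
            continue
        if current is None:
            continue
        name = NAME_RE.match(line)
        if name:
            sections[current]["Name"].append(decode_name(name.group("name")))
            continue
        data = DATA_RE.match(line)
        if data:
            sections[current]["DATA"].append(data.group("data"))
    result["sections"] = sections
    return result


def parse_log(log: str) -> List[Dict[str, object]]:
    """Split a debug log at header lines and parse every event."""
    return [parse_event(chunk) for chunk in EVENT_START.split(log) if chunk.strip()]


if __name__ == "__main__":
    for ev in parse_log(SAMPLE_LOG):
        print(ev["mode"], ev["xid"], ev["response_code"], ev["question_name"], ev["sections"]["ANSWER"]["DATA"])
```

The split on the header line is what gives one event per packet; the section tracker then keeps the question's Name values apart from the answer's Name and DATA values, so a response with two A records yields two DATA entries in the ANSWER list while the query's ANSWER list stays empty.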