Logstash Grok Pattern for Bind9 input using Filebeat

logstash-bind9.txt

### Logstash Grok Pattern for Bind9 input using Filebeat

%{BIND9_TIMESTAMP:timestamp}%{SPACE}%{LOGLEVEL:loglevel}:%{SPACE}client%{SPACE}%{IP:clientip}#%{POSINT:clientport}%{SPACE}\(%{DATA:query}\):%{SPACE}view%{SPACE}internal:%{SPACE}query:%{SPACE}%{DATA:query2} %{DATA:queryclass} %{DATA:querytype} %{DATA:queryflag} \(%{IP:dnsip}\)

####

grok {
  match => {
  "message" => [ "%{BIND9_TIMESTAMP:timestamp}%{SPACE}%{LOGLEVEL:loglevel}:%{SPACE}client%{SPACE}%{IP:clientip}#%{POSINT:clientport}%{SPACE}\(%{DATA:query}\):%{SPACE}view%{SPACE}internal:%{SPACE}query:%{SPACE}%{DATA:query2} %{DATA:queryclass} %{DATA:querytype} %{DATA:queryflag} \(%{IP:dnsip}\)" ]
  }
  tag_on_failure => [ "failedPattern_dns_rule1" ]
  add_field    => [ "received_at", "%{@timestamp}" ]
  add_tag => [ "dns_query" ]
  }

### Logstash Date

### 26-Mar-2019 00:08:47.105
date {
  locale => "en"
  timezone => "Asia/Kuala_Lumpur"
  match => ["timestamp", "d-MMM-yyyy HH:mm:ss.SSS", "dd-MMM-yyyy HH:mm:ss.SSS"]
  remove_field => ["timestamp"]
    }