Skip to content

Instantly share code, notes, and snippets.

@markwalkom

markwalkom/gist:3766250c5f6b6206bafcc6c23562b3fc

Created May 4, 2016 08:39
Show Gist options
  • Star 5 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
  • Save markwalkom/3766250c5f6b6206bafcc6c23562b3fc to your computer and use it in GitHub Desktop.
Save markwalkom/3766250c5f6b6206bafcc6c23562b3fc to your computer and use it in GitHub Desktop.
Download ZIP
Logstash Grok Pattern for Windows DNS Log files - via https://discuss.elastic.co/t/windows-dns-incompatible-character-encodings/48961/5
Raw
gistfile1.txt
WINDNS %{NUMBER:log_date} %{TIME:log_time} %{WORD:dns_thread_id} %{WORD:dns_context}%{SPACE}%{WORD:dns_packet_id} %{WORD:dns_ip_protocol} %{WORD:dns_direction} %{IP:dns_client_address}%{SPACE}%{WORD:dns_xid}%{SPACE}(?:Q|R|U) ?(Q|R|U)?%{SPACE}[%{GREEDYDATA:dns_hex_flags}%{SPACE}%{WORD:dns_response}]%{SPACE}%{WORD:dns_recordtype}%{SPACE}([1-9][0-9]?)%{GREEDYDATA:dns_query_name}
@MefhigosetH
Copy link

Thanks. I modify your Grok to use in New Relic Log Parsing:

%{DATE_EU:log_date} %{TIME:log_time} %{WORD:dns_thread_id} %{WORD:dns_context}%{SPACE}%{WORD:dns_packet_id} %{WORD:dns_ip_protocol} %{WORD:dns_direction} %{IP:dns_client_address}%{SPACE}%{WORD:dns_xid}%{SPACE}(?:Q|R|U) ?(Q|R|U)?%{SPACE}\[%{GREEDYDATA:dns_hex_flags}%{SPACE}%{WORD:dns_response}\]%{SPACE}%{WORD:dns_recordtype}%{SPACE}%{GREEDYDATA:dns_query_name}

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment