Parser Example - BIND9 DNS
Overview
The parser handles the following log types from a BIND9 DNS server:
- Query Logs: DNS queries from clients
- Response Logs: DNS responses with answer data
- Notify Logs: Zone transfer notifications
- Security Logs: DNSSEC and other security-related events
Sample Logs
1. DNS Query Log
{"@timestamp":"2026-03-17T10:30:15.123Z","message":"17-Mar-2026 10:30:15.123 queries: info: client @0x7f1234567890 192.168.1.100#52341 (example.com): query: example.com IN A +E(0)K (10.0.0.1)","timestamp":"2026-03-17T10:30:15.123Z","host":"dns-server-01"}
2. DNS Query with Response
{"@timestamp":"2026-03-17T10:30:16.456Z","message":"17-Mar-2026 10:30:16.456 queries: info: client @0x7f1234567891 10.0.0.50#45678 (mail.example.com): query: mail.example.com IN MX +E(0)K (10.0.0.1)","timestamp":"2026-03-17T10:30:16.456Z","host":"dns-server-01"}
3. DNS Query AAAA (IPv6)
{"@timestamp":"2026-03-17T10:30:17.789Z","message":"17-Mar-2026 10:30:17.789 queries: info: client @0x7f1234567892 172.16.0.25#33456 (ipv6.example.com): query: ipv6.example.com IN AAAA +E(0)K (10.0.0.1)","timestamp":"2026-03-17T10:30:17.789Z","host":"dns-server-01"}
4. DNS Security/Denied Query
{"@timestamp":"2026-03-17T10:30:18.012Z","message":"17-Mar-2026 10:30:18.012 security: warning: client @0x7f1234567893 203.0.113.50#12345 (malware.bad.com): query (cache) 'malware.bad.com/A/IN' denied","timestamp":"2026-03-17T10:30:18.012Z","host":"dns-server-01"}
5. Zone Transfer Notify
{"@timestamp":"2026-03-17T10:30:19.345Z","message":"17-Mar-2026 10:30:19.345 notify: info: zone example.com/IN: sending notifies (serial 2026031701)","timestamp":"2026-03-17T10:30:19.345Z","host":"dns-server-01"}
Parser Configuration
#regex
#conditional
event_timestamp = .timestamp
event_module = "bind9"
network_protocol = "dns"
host_hostname = ""
source_ip = ""
source_port = ""
dns_question_name = ""
dns_question_type = ""
dns_response_code = ""
dns_answers_data = ""
event_category = ""
event_action = ""
event_outcome = ""
log_level = ""
event_message = ""
dns_server_ip = ""
zone_name = ""
zone_serial = ""
host_str = ""
if (h, err = to_string(.host); err == null) { host_str = h }
host_hostname = host_str
msg_str = ""
if (m, err = to_string(.message); err == null) { msg_str = m }
event_message = msg_str
if contains(msg_str, "queries:") {
event_category = "network"
event_action = "dns_query"
event_outcome = "success"
if (level_m, err = parse_regex(msg_str, r'queries:[ ](?P<level>\w+):'); err == null) {
log_level = level_m.level
}
if (client_m, err = parse_regex(msg_str, r'client[ ]@0x[a-f0-9]+[ ](?P<ip>[0-9.]+)#(?P<port>\d+)'); err == null) {
source_ip = client_m.ip
source_port = client_m.port
}
if (query_m, err = parse_regex(msg_str, r'query:[ ](?P<name>[^\s]+)[ ]IN[ ](?P<type>[A-Z]+)'); err == null) {
dns_question_name = query_m.name
dns_question_type = query_m.type
}
if (server_m, err = parse_regex(msg_str, r'\((?P<server>[0-9.]+)\)$'); err == null) {
dns_server_ip = server_m.server
}
dns_response_code = "NOERROR"
}
if contains(msg_str, "security:") {
event_category = "intrusion_detection"
event_action = "dns_blocked"
event_outcome = "failure"
if (level_m, err = parse_regex(msg_str, r'security:[ ](?P<level>\w+):'); err == null) {
log_level = level_m.level
}
if (client_m, err = parse_regex(msg_str, r'client[ ]@0x[a-f0-9]+[ ](?P<ip>[0-9.]+)#(?P<port>\d+)'); err == null) {
source_ip = client_m.ip
source_port = client_m.port
}
if (query_m, err = parse_regex(msg_str, r'(?P<name>[a-zA-Z0-9.-]+)/(?P<type>[A-Z]+)/IN'); err == null) {
dns_question_name = query_m.name
dns_question_type = query_m.type
}
if contains(msg_str, "denied") {
dns_response_code = "REFUSED"
}
}
if contains(msg_str, "notify:") {
event_category = "configuration"
event_action = "zone_notify"
event_outcome = "success"
if (level_m, err = parse_regex(msg_str, r'notify:[ ](?P<level>\w+):'); err == null) {
log_level = level_m.level
}
if (zone_m, err = parse_regex(msg_str, r'zone[ ](?P<zone>[^/]+)/IN:'); err == null) {
zone_name = zone_m.zone
}
if (serial_m, err = parse_regex(msg_str, r'serial[ ](?P<serial>\d+)'); err == null) {
zone_serial = serial_m.serial
}
}
if event_category == "" { event_category = "network" }
if event_action == "" { event_action = "info" }
if log_level == "" { log_level = "info" }
#normalize
timestamp: format_timestamp!(parse_timestamp!(event_timestamp, "%Y-%m-%dT%H:%M:%S.%3fZ"), "%Y-%m-%d %H:%M:%S")
event.module: event_module
event.category: event_category
event.action: event_action
event.outcome: event_outcome
log.level: log_level
message: event_message
host.hostname: host_hostname
source.ip: source_ip
source.port: source_port
network.protocol: network_protocol
dns.question.name: dns_question_name
dns.question.type: dns_question_type
dns.response_code: dns_response_code
dns.answers.data: dns_answers_data
labels: {"dns_server_ip": dns_server_ip, "zone_name": zone_name, "zone_serial": zone_serial}
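The same channel detection and field extraction, written here as an added Python example (not the parser's own VRL) so the logic can be run over the sample messages above; the field names mirror the #normalize section and the sample strings are copied from the page.

```python
import re
from typing import Dict

# Sample messages copied from the BIND9 logs above (constructed test input).
QUERY = ("17-Mar-2026 10:30:15.123 queries: info: client @0x7f1234567890 "
         "192.168.1.100#52341 (example.com): query: example.com IN A +E(0)K (10.0.0.1)")
DENIED = ("17-Mar-2026 10:30:18.012 security: warning: client @0x7f1234567893 "
          "203.0.113.50#12345 (malware.bad.com): query (cache) 'malware.bad.com/A/IN' denied")
NOTIFY = ("17-Mar-2026 10:30:19.345 notify: info: zone example.com/IN: "
          "sending notifies (serial 2026031701)")

CLIENT_RE = re.compile(r"client @0x[a-f0-9]+ (?P<ip>[0-9.]+)#(?P<port>\d+)")
QUERY_RE = re.compile(r"query: (?P<name>\S+) IN (?P<type>[A-Z]+)")
SERVER_RE = re.compile(r"\((?P<server>[0-9.]+)\)$")       # trailing "(10.0.0.1)"
DENIED_RE = re.compile(r"'(?P<name>[a-zA-Z0-9.-]+)/(?P<type>[A-Z]+)/IN'")
ZONE_RE = re.compile(r"zone (?P<zone>[^/]+)/IN:")
SERIAL_RE = re.compile(r"serial (?P<serial>\d+)")

# Channel marker -> (event.category, event.action, event.outcome), as in #conditional.
CHANNELS = {
    "queries:": ("network", "dns_query", "success"),
    "security:": ("intrusion_detection", "dns_blocked", "failure"),
    "notify:": ("configuration", "zone_notify", "success"),
}

def parse_bind9(msg: str) -> Dict[str, str]:
    """Map one BIND9 message to the ECS-style fields the parser emits."""
    out = {"event.category": "network", "event.action": "info", "log.level": "info"}
    for channel, (cat, action, outcome) in CHANNELS.items():
        if channel in msg:
            out.update({"event.category": cat, "event.action": action, "event.outcome": outcome})
            lvl = re.search(re.escape(channel) + r" (?P<level>\w+):", msg)
            if lvl:
                out["log.level"] = lvl["level"]
            break
    if m := CLIENT_RE.search(msg):
        out["source.ip"], out["source.port"] = m["ip"], m["port"]
    if out["event.action"] == "dns_query":
        if m := QUERY_RE.search(msg):
            out["dns.question.name"], out["dns.question.type"] = m["name"], m["type"]
        if m := SERVER_RE.search(msg):
            out["dns_server_ip"] = m["server"]
        out["dns.response_code"] = "NOERROR"   # query channel carries no rcode; parser assumes NOERROR
    elif out["event.action"] == "dns_blocked":
        if m := DENIED_RE.search(msg):
            out["dns.question.name"], out["dns.question.type"] = m["name"], m["type"]
        if "denied" in msg:
            out["dns.response_code"] = "REFUSED"
    elif out["event.action"] == "zone_notify":
        if m := ZONE_RE.search(msg):
            out["zone_name"] = m["zone"]
        if m := SERIAL_RE.search(msg):
            out["zone_serial"] = m["serial"]
    return out
```

A message from any other BIND9 channel falls through to the defaults (category network, action info, level info), matching the three fallback assignments at the end of the #conditional section.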
Output (ECS Format)
1. DNS Query Log Output
{
"timestamp": "2026-03-17 10:30:15",
"event.module": "bind9",
"event.category": "network",
"event.action": "dns_query",
"event.outcome": "success",
"log.level": "info",
"message": "17-Mar-2026 10:30:15.123 queries: info: client @0x7f1234567890 192.168.1.100#52341 (example.com): query: example.com IN A +E(0)K (10.0.0.1)",
"host.hostname": "dns-server-01",
"source.ip": "192.168.1.100",
"source.port": "52341",
"network.protocol": "dns",
"dns.question.name": "example.com",
"dns.question.type": "A",
"dns.response_code": "NOERROR",
"labels": {
"dns_server_ip": "10.0.0.1"
}
}
2. DNS Query MX Output
{
"timestamp": "2026-03-17 10:30:16",
"event.module": "bind9",
"event.category": "network",
"event.action": "dns_query",
"event.outcome": "success",
"log.level": "info",
"message": "17-Mar-2026 10:30:16.456 queries: info: client @0x7f1234567891 10.0.0.50#45678 (mail.example.com): query: mail.example.com IN MX +E(0)K (10.0.0.1)",
"host.hostname": "dns-server-01",
"source.ip": "10.0.0.50",
"source.port": "45678",
"network.protocol": "dns",
"dns.question.name": "mail.example.com",
"dns.question.type": "MX",
"dns.response_code": "NOERROR",
"labels": {
"dns_server_ip": "10.0.0.1"
}
}
3. DNS Query AAAA Output
{
"timestamp": "2026-03-17 10:30:17",
"event.module": "bind9",
"event.category": "network",
"event.action": "dns_query",
"event.outcome": "success",
"log.level": "info",
"message": "17-Mar-2026 10:30:17.789 queries: info: client @0x7f1234567892 172.16.0.25#33456 (ipv6.example.com): query: ipv6.example.com IN AAAA +E(0)K (10.0.0.1)",
"host.hostname": "dns-server-01",
"source.ip": "172.16.0.25",
"source.port": "33456",
"network.protocol": "dns",
"dns.question.name": "ipv6.example.com",
"dns.question.type": "AAAA",
"dns.response_code": "NOERROR",
"labels": {
"dns_server_ip": "10.0.0.1"
}
}
4. DNS Security/Denied Output
{
"timestamp": "2026-03-17 10:30:18",
"event.module": "bind9",
"event.category": "intrusion_detection",
"event.action": "dns_blocked",
"event.outcome": "failure",
"log.level": "warning",
"message": "17-Mar-2026 10:30:18.012 security: warning: client @0x7f1234567893 203.0.113.50#12345 (malware.bad.com): query (cache) 'malware.bad.com/A/IN' denied",
"host.hostname": "dns-server-01",
"source.ip": "203.0.113.50",
"source.port": "12345",
"network.protocol": "dns",
"dns.question.name": "malware.bad.com",
"dns.question.type": "A",
"dns.response_code": "REFUSED"
}
5. Zone Transfer Notify Output
{
"timestamp": "2026-03-17 10:30:19",
"event.module": "bind9",
"event.category": "configuration",
"event.action": "zone_notify",
"event.outcome": "success",
"log.level": "info",
"message": "17-Mar-2026 10:30:19.345 notify: info: zone example.com/IN: sending notifies (serial 2026031701)",
"host.hostname": "dns-server-01",
"network.protocol": "dns",
"labels": {
"zone_name": "example.com",
"zone_serial": "2026031701"
}
}
Notes
VRL Functions Used
The parser uses only the functions allowed in VRL Functions.md:
- to_string(): Converts a value to a string
- parse_regex(): Extracts fields from the log message
- contains(): Detects the log type
- format_timestamp!(): Formats the output timestamp
- parse_timestamp!(): Parses the timestamp string
Log Type Detection Logic
| Log Contains | Event Category | Event Action | Description |
|---|---|---|---|
| queries: | network | dns_query | Standard DNS query |
| security: | intrusion_detection | dns_blocked | Blocked/denied query |
| notify: | configuration | zone_notify | Zone transfer notification |
DNS Record Types Supported
| Type | Description |
|---|---|
| A | IPv4 address record |
| AAAA | IPv6 address record |
| MX | Mail exchange record |
| NS | Name server record |
| TXT | Text record |
| CNAME | Canonical name record |
| PTR | Pointer record (reverse DNS) |
| SOA | Start of authority |
DNS Response Codes
| Code | Description |
|---|---|
| NOERROR | Query successful |
| NXDOMAIN | Domain does not exist |
| REFUSED | Query refused by policy |
| SERVFAIL | Server failure |
Security Use Cases
- DNS Tunneling Detection: Monitor unusual query patterns, large TXT records
- Malware C2 Detection: Track queries to known malicious domains
- Data Exfiltration: Monitor high-volume DNS queries from single sources
- Zone Security: Track zone transfer activities and notifications
- Access Control: Monitor denied queries for policy violations