cscli parsers install mstilkerich/bind9-logs
This bind9 parser supports logs in separate bind9 log files as well as syslog entries. When logging to separate bind9 log files directly with bind9, the `print-time` setting should be enabled, otherwise no timestamp will be available.
This parser currently detects the following security events of bind9:
To configure data acquisition from a bind9 log file, set the type to `named`:

```yaml
---
filenames:
  - /var/log/named/security.log
labels:
  type: named
```
Inspired by fail2ban named-refused.
```yaml
---
filter: "Upper(evt.Parsed.program) == 'NAMED'"
#debug: true
onsuccess: next_stage
pattern_syntax:
  BIND9_TIMESTAMP_DATE: '%{MONTHDAY:ts_d}-%{MONTH:ts_m}-%{YEAR:ts_y}'
  BIND9_TIMESTAMP_TIMEMS: '\d{3}'
  BIND9_TIMESTAMP_TIME: '%{TIME:ts_t}\.%{BIND9_TIMESTAMP_TIMEMS:ts_ms}'
  BIND9_TIMESTAMP: '%{BIND9_TIMESTAMP_DATE} %{BIND9_TIMESTAMP_TIME}'
  # categories: security, client, update-security, etc.
  BIND9_CATEGORY: '[a-z]+'
  BIND9_SEVERITY: '[a-z]+'
  BIND9_PREFIX: '^(%{BIND9_TIMESTAMP:timestamp} )?(%{BIND9_CATEGORY}: )?(%{BIND9_SEVERITY}: )?client (@0x[0-9a-fA-F]+ )?%{IP:remote_addr}#%{POSINT:remote_port}.*: '
name: mstilkerich/bind9
description: "Parse bind9 logs"
nodes:
  # When multiple grok patterns are specified, only the first matching one is applied
  - grok:
      pattern: '^%{BIND9_PREFIX}zone transfer .* (?:denied|\(NOTAUTH\))\s*$'
      apply_on: message
  - grok:
      pattern: '^%{BIND9_PREFIX}bad zone transfer request: ''\S+/IN'': non-authoritative zone (?:denied|\(NOTAUTH\))\s*$'
      apply_on: message
  - grok:
      pattern: '^%{BIND9_PREFIX}(?:view (?:internal|external): )?query(?: \(cache\))? .* (?:denied|\(NOTAUTH\)).*$'
      apply_on: message
statics:
  - meta: service
    value: bind9
  - meta: log_type
    value: bind9_denied
  - meta: source_ip
    expression: "evt.Parsed.remote_addr"
  - target: evt.StrTime # convert time format for dateparse-enrich
    expression: "
      {Jan:'01',Feb:'02',Mar:'03',Apr:'04',May:'05',Jun:'06',Jul:'07',Aug:'08',Sep:'09',Oct:'10',Nov:'11',Dec:'12'}[evt.Parsed.ts_m]
      + '/' + evt.Parsed.ts_d
      + '/' + evt.Parsed.ts_y
      + ' ' + evt.Parsed.ts_t"
```
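To check offline which bind9 lines the three grok nodes above would classify as `bind9_denied`, and what `source_ip` and `StrTime` the statics would produce, the following Python script re-expresses the parser's patterns as plain regular expressions. It is an added example, not code from the parser or from CrowdSec; the `MONTHDAY`, `MONTH`, `YEAR`, `TIME`, `IP` and `POSINT` stand-ins are simplified assumptions (the real grok library patterns are stricter), and the sample log lines are constructed.

```python
import re
from typing import Optional

# Simplified stand-ins for the grok library patterns the parser references.
# Assumption: these are loose approximations for an offline check, not grok's definitions.
TIMESTAMP_DATE = r"(?P<ts_d>\d{1,2})-(?P<ts_m>[A-Z][a-z]{2})-(?P<ts_y>\d{4})"
TIMESTAMP_TIME = r"(?P<ts_t>\d{2}:\d{2}:\d{2})\.(?P<ts_ms>\d{3})"
TIMESTAMP = rf"(?P<timestamp>{TIMESTAMP_DATE} {TIMESTAMP_TIME})"
CATEGORY = r"[a-z]+"
SEVERITY = r"[a-z]+"
IP = r"[0-9a-fA-F.:]+"      # IPv4 or IPv6, loosely
POSINT = r"[1-9][0-9]*"

# Mirrors BIND9_PREFIX: optional timestamp, optional category and severity,
# then "client [@0x...] IP#port ... : "
PREFIX = (
    rf"^(?:{TIMESTAMP} )?(?:{CATEGORY}: )?(?:{SEVERITY}: )?"
    rf"client (?:@0x[0-9a-fA-F]+ )?(?P<remote_addr>{IP})#(?P<remote_port>{POSINT}).*: "
)

# The three node patterns, in parser order: the first one that matches wins.
NODE_PATTERNS = [
    re.compile(PREFIX + r"zone transfer .* (?:denied|\(NOTAUTH\))\s*$"),
    re.compile(PREFIX + r"bad zone transfer request: '\S+/IN': non-authoritative zone (?:denied|\(NOTAUTH\))\s*$"),
    re.compile(PREFIX + r"(?:view (?:internal|external): )?query(?: \(cache\))? .* (?:denied|\(NOTAUTH\)).*$"),
]

# Same month map as the StrTime static
MONTHS = {"Jan": "01", "Feb": "02", "Mar": "03", "Apr": "04", "May": "05", "Jun": "06",
          "Jul": "07", "Aug": "08", "Sep": "09", "Oct": "10", "Nov": "11", "Dec": "12"}

# Constructed sample lines: two in the file-log format with print-time, print-category and
# print-severity enabled, one syslog-style body without a timestamp, and one ordinary query
# log line that must not be classified as denied.
SAMPLE_LINES = [
    "15-Mar-2023 10:15:32.123 security: info: client @0x7f1c1c0a5b20 192.0.2.10#54321 "
    "(example.com): zone transfer 'example.com/AXFR/IN' denied",
    "15-Mar-2023 10:15:33.456 security: info: client 198.51.100.7#4242 "
    "(test.example): query (cache) 'test.example/A/IN' denied",
    "client 203.0.113.5#5353: bad zone transfer request: 'example.org/IN': "
    "non-authoritative zone (NOTAUTH)",
    "15-Mar-2023 10:15:35.000 queries: info: client 192.0.2.77#1234 "
    "(example.com): query: example.com IN A + (192.0.2.1)",
]


def parse_bind9_denied(line: str) -> Optional[dict]:
    """Return the fields the parser would emit for a denied event, or None if no node matches."""
    for idx, rx in enumerate(NODE_PATTERNS):
        m = rx.match(line)
        if m:
            break
    else:
        return None
    fields = m.groupdict()
    event = {
        "node": idx,                       # which grok node matched (0-based)
        "service": "bind9",
        "log_type": "bind9_denied",
        "source_ip": fields["remote_addr"],
        "remote_port": fields["remote_port"],
    }
    # StrTime static: MM/DD/YYYY HH:MM:SS; only possible when print-time produced a timestamp
    if fields.get("ts_m"):
        event["StrTime"] = f"{MONTHS[fields['ts_m']]}/{fields['ts_d']}/{fields['ts_y']} {fields['ts_t']}"
    else:
        event["StrTime"] = None
    return event


if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        print(parse_bind9_denied(sample))
```

The fourth sample shows why the patterns anchor on `denied` or `(NOTAUTH)`: a routine query log line passes through unmatched, so only refusals reach the `bind9_denied` scenario. The third sample shows the consequence of the `print-time` note above: without a timestamp in the line, `StrTime` cannot be derived and CrowdSec falls back to the time the line was read.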