Need Flexconnector Help - BIND named Logging

Hi,

I have been tasked with offering some options for logging our internal DNS traffic.

Our DNS is hosted on BIND with logs currently being output to logfiles locally on each server.

We have the option of putting a smart-connector on each, so I will probably go with a FlexConnector setup.

The logs are called named_debug.log and roll over into named_debug.log.1-99 based on filesize.

The format of the log is as follows:

20-Jan-2015 09:19:47.835 queries: client 10.2.2.1#57812: query: some.other.host.name IN A
20-Jan-2015 09:19:47.835 queries: client 10.2.2.1#50838: query: 76.11.13.10.in-addr.arpa IN PTR
20-Jan-2015 09:19:47.836 queries: client 10.2.2.1#61921: query: some.host.name IN A
20-Jan-2015 09:19:47.836 queries: client 10.2.2.1#63761: query: ctldl.windowsupdate.com IN A

I tried writing a basic properties file (see at bottom), however it looks like it is not picking up the delimiter (which is a space).

I get this error in the log file, leading me to believe it's not splitting the string properly:

[2015-01-20 14:45:47,531][FATAL][default.com.arcsight.agent.parsers.l][constructAlertFromValues]
com.arcsight.agent.parsers.operation.WrongArgumentsException: Unable to create time stamp with Date Tue Jan 20 00:00:00 EST 2015 and time null
  at com.arcsight.agent.parsers.operation.createTimeStampOperation.getResult(createTimeStampOperation.java:80)
  at com.arcsight.agent.parsers.k$d_.a(k$d_.java:1395)
  at com.arcsight.agent.parsers.k.a(k.java:763)
  at com.arcsight.agent.parsers.k.a(k.java:640)
  at com.arcsight.agent.sdk.d.u.a(u.java:405)
  at com.arcsight.agent.sdk.d.u.a(u.java:313)
  at com.arcsight.agent.sdk.d.u.a(u.java:266)
  at com.arcsight.agent.parsers.j.b(j.java:549)
  at com.arcsight.agent.sdk.d.u.b(u.java:1196)
  at com.arcsight.agent.sdk.c.g.f.b(f.java:290)
  at com.arcsight.agent.baseagents.h.c.run(c.java:857)
  at java.lang.Thread.run(Thread.java:680)

Properties look like this:

regex=(.*)
comments.start.with=#
delimiter=\s
token.count=10

token[0].name=Date_of_the_event
token[0].type=Date
token[0].format=dd-MMM-yyyy
token[1].name=Time_of_the_event
token[1].type=Time
token[1].format=HH:mm:ss.SSS
token[2].name=Action_Type
token[2].type=String
token[3].name=Client_Type
token[3].type=String
token[4].name=Client_Source
token[4].type=String
token[5].name=Client_Action
token[5].type=String
token[6].name=Destination_Address
token[6].type=String
token[7].name=Destination_In_Out
token[7].type=String
token[8].name=Destination_Type
token[8].type=String
token[9].name=Destination_Ext
token[9].type=String

event.deviceReceiptTime=__createTimeStamp(Date_of_the_event,Time_of_the_event)
event.sourceAddress=__regexToken(Client_Source,"(.*)#.*")
event.sourcePort=__regexToken(Client_Source,".*#(.*):")
event.deviceSeverity=__stringConstant("Info")
event.categoryObject=__stringConstant("/Network/DNS")
event.categoryDeviceGroup=__stringConstant("/DNS")
event.requestMethod=Client_Action
event.destinationDnsDomain=Destination_Address
event.deviceProduct=__stringConstant("BIND DNS")
event.deviceCustomString1=Destination_Type
event.deviceCustomString1Label=__stringConstant("Pointer Type")
event.deviceCustomString2=Destination_Ext
event.deviceCustomString2Label=__stringConstant("Pointer Ext")
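The following is an added example, not code from the post or from ArcSight or BIND. It parses the four sample lines quoted above in plain Python so the field layout can be checked independently of the connector: it counts the whitespace-delimited tokens (the sample lines split into 9, not the 10 the properties file declares), applies the same two `__regexToken` expressions the post uses on the `client` token, and extracts the timestamp, client address and port, query name, class and type into a record keyed with names modelled on the post's event mappings. The sample log is constructed from the lines in the post; the function and field names are this example's own.

```python
"""Parser for BIND 'queries' log lines in the format quoted in the post.

Added example (not ArcSight or BIND code). Record keys mirror the event
mappings in the post's properties file but nothing here depends on ArcSight.
"""
import re
from collections import Counter
from datetime import datetime

# Constructed sample input, copied from the format shown in the post.
SAMPLE_LOG = """\
20-Jan-2015 09:19:47.835 queries: client 10.2.2.1#57812: query: some.other.host.name IN A
20-Jan-2015 09:19:47.835 queries: client 10.2.2.1#50838: query: 76.11.13.10.in-addr.arpa IN PTR
20-Jan-2015 09:19:47.836 queries: client 10.2.2.1#61921: query: some.host.name IN A
20-Jan-2015 09:19:47.836 queries: client 10.2.2.1#63761: query: ctldl.windowsupdate.com IN A
"""

# Whole-line pattern with one named group per field worth keeping.
LINE_RE = re.compile(
    r"^(?P<date>\d{2}-[A-Za-z]{3}-\d{4}) (?P<time>\d{2}:\d{2}:\d{2}\.\d{3}) "
    r"(?P<category>\S+): client (?P<src_ip>[0-9A-Fa-f.:]+)#(?P<src_port>\d+): "
    r"query: (?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+)$"
)

# The two expressions from the post's properties file, applied to the
# space-delimited 'client' token, which keeps its trailing colon
# (e.g. '10.2.2.1#57812:').
CLIENT_ADDR_RE = re.compile(r"(.*)#.*")
CLIENT_PORT_RE = re.compile(r".*#(.*):")


def count_tokens(line: str) -> int:
    """Number of whitespace-delimited tokens; the sample lines give 9."""
    return len(line.split())


def split_client_token(token: str) -> tuple:
    """Apply the post's sourceAddress/sourcePort regexes to one client token."""
    addr = CLIENT_ADDR_RE.match(token)
    port = CLIENT_PORT_RE.match(token)
    if not addr or not port:
        raise ValueError(f"unexpected client token: {token!r}")
    return addr.group(1), int(port.group(1))


def parse_line(line: str):
    """Return a dict of fields for one query line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    # dd-MMM-yyyy HH:mm:ss.SSS in the connector's terms; %f accepts 3 digits.
    ts = datetime.strptime(f"{d['date']} {d['time']}", "%d-%b-%Y %H:%M:%S.%f")
    return {
        "timestamp": ts,
        "category": d["category"],
        "source_address": d["src_ip"],
        "source_port": int(d["src_port"]),
        "request_method": "query",
        "destination_dns_domain": d["qname"],
        "query_class": d["qclass"],
        "query_type": d["qtype"],
    }


def parse_log(text: str) -> list:
    """Parse every line of a log text, silently skipping non-matching lines."""
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def query_type_counts(records) -> dict:
    """Count records per query type, a first cut at a DNS volume baseline."""
    return dict(Counter(r["query_type"] for r in records))


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for rec in recs:
        print(rec)
    print("tokens per line:", count_tokens(SAMPLE_LOG.splitlines()[0]))
    print("by query type:", query_type_counts(recs))
```

Running it on the sample shows each line splitting into 9 tokens, the `client` token yielding the address and port with the post's two regexes, and the `queries:` token (with its colon) sitting where the properties file expects `Action_Type`; comparing this token layout against the `token[n]` declarations is a quick way to confirm which token the connector is handing to `__createTimeStamp` when the time comes back null.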
