NXLOG capturing MS DNS Header

#1 Dagron

With the following config file I am capturing the entire MS DNS logs. This includes the DNS header info which I want to filter out. I need help figuring out what I can add that will allow me to filter out the DNS header information.

    define TAP_Sender_IP XXX.XXX.XXX.XXX
    define TAP_Sender_Port XXX

    define ROOT C:\Program Files (x86)\nxlog
    Moduledir %ROOT%\modules
    CacheDir %ROOT%\data
    Pidfile %ROOT%\data\nxlog.pid
    SpoolDir %ROOT%\data
    LogFile %ROOT%\data\nxlog.log
    LogLevel INFO

    <Extension _syslog>
        Module xm_syslog
    </Extension>

    <Input DNS>
        Module im_file
        File "C:\DNSlogs.txt"
        SavePos True
        <Exec>
            if ($raw_event =~ /^#/) OR ($raw_event == '') drop();
            else { to_syslog_bsd(); }
        </Exec>
    </Input>

    <Output Tap>
        Module om_udp
        Host %TAP_Sender_IP%
        Port %TAP_Sender_Port%
    </Output>

    <Route primary>
        Path DNS => Tap
    </Route>

This config removes the blank spaces between DNS entries but leaves the file header. I'm not sure what I need to change to prevent this from capturing the DNS header information. Does anyone have any suggestions? Thanks in advance, Dags

#2 Zhengshi Nxlog ✓

An example log may help in this situation as many may not be familiar with the MS DNS format. Source log file + how you expect it to look after?

Also, if you are using NXLog EE, you could use the xm_msdns module.
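Added example, not code from the original posts or from NXLog: the header-versus-entry distinction that the Exec block in post #1 needs, shown in Python over a constructed sample in the Windows DNS debug log layout Zhengshi asks about. The sample layout, the field names and the NXLog one-liner in the comment are assumptions; the point is that the header lines never start with `#`, so `/^#/` cannot remove them, while every real entry starts with a date.

```python
import re
from typing import Optional

# Constructed sample of a Windows DNS Server debug log (assumed layout, not from
# the original post): free-text header and field key, then dated entry lines.
SAMPLE_LOG = """DNS Server log file creation at 3/14/2019 9:17:01 AM UTC
Log file wrap at 3/14/2019 9:17:01 AM UTC

Message logging key (for packets - other items use a subset of these fields):
\tField #  Information         Values
\t-------  -----------         ------
\t   1     Date

3/14/2019 9:17:05 AM 0B2C PACKET  0000000002E4A2E0 UDP Rcv 192.168.1.10    0004   Q [0001   D   NOERROR] A      (3)www(7)example(3)com(0)
3/14/2019 9:17:05 AM 0B2C PACKET  0000000002E4A2E0 UDP Snd 192.168.1.10    0004 R Q [8081   DR  NOERROR] A      (3)www(7)example(3)com(0)
"""

# Real entries begin with a locale-style date; header and key lines do not.
# NXLog equivalent (assumed): if $raw_event !~ /^\d{1,2}\/\d{1,2}\/\d{4} / drop();
ENTRY_RE = re.compile(r"^\d{1,2}/\d{1,2}/\d{4} ")
PACKET_RE = re.compile(  # fields of a PACKET entry, left to right (assumed)
    r"^(?P<date>\S+) (?P<time>\S+ [AP]M) (?P<thread>\S+) PACKET\s+(?P<pktid>\S+) "
    r"(?P<proto>UDP|TCP) (?P<dir>Rcv|Snd) (?P<remote>\S+)\s+(?P<xid>\S+)\s+"
    r"(?P<resp>R?)\s*(?P<opcode>\S) \[(?P<flags>[^\]]*)\]\s+(?P<qtype>\S+)\s+(?P<qname>\S+)$"
)

def is_entry(line: str) -> bool:
    """True for a log entry line, False for header, key table or blank lines."""
    return bool(ENTRY_RE.match(line))

def filter_entries(text: str) -> list:
    """Keep only entry lines; this is what the Exec block needs to do."""
    return [line for line in text.splitlines() if is_entry(line)]

def decode_qname(encoded: str) -> str:
    """Turn the length-prefixed '(3)www(7)example(3)com(0)' into 'www.example.com'."""
    labels = re.findall(r"\(\d+\)([^()]*)", encoded)
    return ".".join(label for label in labels if label)

def parse_packet(line: str) -> Optional[dict]:
    """Split one PACKET entry into named fields; None if the line is not one."""
    m = PACKET_RE.match(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["response"] = fields.pop("resp") == "R"
    fields["qname"] = decode_qname(fields["qname"])
    return fields
```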