What is the most efficient way to parse Microsoft DNS Server debug logs into something more tidy, say into a CSV or KVP format on the nxlog agent?
Consider the following log message:
"24/02/2017 16:37:22 09B0 PACKET 0000009657E7BA40 UDP Rcv 10.0.100.15 a490 Q [0001 D NOERROR] A (7)example(3)com(0)"
First of all, what would be the most efficient way performance-wise to convert this into a CSV or KVP format?
And also, is there some other way besides using Exec and replacing parenthesis and numbers in a sed-like manner to get the clean query name? We have tried to use the Exec method before, but we were hitting some serious performance issues on busy DNS servers.
I have currently switched on to using the pm_pattern module to drop invalid log lines (the beginning of the log file and empty lines) and I was wondering if there would be some easy way to perform both of the tasks (the formatting and the cleaning) using the pm_pattern module?
An example output could look something like the following:
The empty or "-" values result from fields specified in the DNS debug log format that are not present in the above message (e.g. all possible flags would be "ATDR", and event_type is "-" because "R" marks a response but an empty value (whitespace) marks a query.
And of course, if the above even is possible, would it be too resource consuming?