2 responses

With the following config file I am capturing the entire MS DNS logs. This includes the DNS header info which I want to filter out. I need help figuring out what I can add that will allow me to filter out the DNS header information.

define TAP_Sender_IP XXX.XXX.XXX.XXX
define TAP_Sender_Port XXX

define ROOT C:\Program Files (x86)\nxlog
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log
LogLevel INFO

<Extension _syslog>
    Module xm_syslog
</Extension>

<Input DNS>
    Module im_file
    File "C:\\DNSlogs.txt"
    SavePos True
    <Exec>
        # Drop '#' comment lines and empty lines; forward everything else as BSD syslog.
        # Inside an <Exec> block no trailing backslash is needed to continue the statement.
        if ($raw_event =~ /^#/) or ($raw_event == '') drop();
        else
        {
            to_syslog_bsd();
        }
    </Exec>
</Input>

<Output Tap>
    Module om_udp
    Host %TAP_Sender_IP%
    Port %TAP_Sender_Port%
</Output>

<Route primary>
    Path DNS => Tap
</Route>

This config removes the blank lines between DNS entries but leaves the file header. I'm not sure what I need to change to prevent this from capturing the DNS header information.
Does anyone have any suggestions?
Thanks in advance
Dags

Asked January 17, 2019 - 6:00pm
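The posted rule only drops lines beginning with `#`, while the Microsoft DNS debug log header is free text and a field-key table with no `#` prefix, so it passes straight through. The following script, an added example that is not part of the original post or of NXLog, mirrors the posted test and a positive match on the record prefix over a constructed sample log; the header text and record values are assumed, shaped like a real MS DNS debug log but typed for this example.

```python
import re

# Constructed sample of a Microsoft DNS debug log, shaped like the file the
# question describes: a free-text header and field key, blank separator lines,
# then one record per packet. All values are made up for this example.
SAMPLE_LOG = """\
DNS Server log file creation at 1/17/2019 5:00:00 PM
Log file wrap at 1/17/2019 5:00:00 PM

Message logging key (for packets - other items use a subset of these fields):
\tField #  Information         Values
\t-------  -----------         ------
\t   1     Date
\t   2     Time
\t   3     Thread ID

1/17/2019 5:00:12 PM 0AF4 PACKET  000000B7A8B5F2C0 UDP Rcv 192.0.2.10   0002   Q [0001   D   NOERROR] A      (3)www(7)example(3)com(0)

1/17/2019 5:00:12 PM 0AF4 PACKET  000000B7A8B5F2C0 UDP Snd 192.0.2.10   0002 R Q [8081   DR  NOERROR] A      (3)www(7)example(3)com(0)
"""

# The test from the posted <Exec> block: drop '#' comments and empty lines.
POSTED_DROP = re.compile(r"^#")

# Positive match on how every MS DNS packet record begins (date, time, AM/PM,
# four-hex-digit thread ID). No header or key-table line starts this way.
RECORD_START = re.compile(
    r"^\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} (AM|PM) [0-9A-F]{4} ")

def filter_posted(lines):
    """Mirror the question's rule: keep a line unless it starts with '#' or is empty."""
    return [l for l in lines if not (POSTED_DROP.match(l) or l == "")]

def filter_records_only(lines):
    r"""Keep only lines that begin like a DNS record, so the header is dropped too.

    Assumed NXLog equivalent for the drop test in the posted <Exec> block:
        if not ($raw_event =~ /^\d{1,2}\/\d{1,2}\/\d{4} \d{1,2}:\d{2}:\d{2} (AM|PM) /) drop();
    """
    return [l for l in lines if RECORD_START.match(l)]

def header_leak(lines):
    """Lines the posted rule would forward to the TAP that are not DNS records."""
    return [l for l in filter_posted(lines) if not RECORD_START.match(l)]

if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print(f"posted rule keeps {len(filter_posted(lines))} lines, "
          f"{len(header_leak(lines))} of them header/key text; "
          f"record-only rule keeps {len(filter_records_only(lines))}")
```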

Comments (1)

  • Zhengshi (NXLog)

    An example log may help in this situation as many may not be familiar with the MS DNS format. Source log file + how you expect it to look after?

    Also if you are using NXLog EE, then you could use the xm_msdns module.

Answer (1)