With the following config file I am capturing the entire MS DNS logs. This includes the DNS header info which I want to filter out. I need help figuring out what I can add that will allow me to filter out the DNS header information.
define TAP_Sender_IP XXX.XXX.XXX.XXX
define TAP_Sender_Port XXX
define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log
LogLevel INFO

<Extension _syslog>
    Module xm_syslog
</Extension>

<Input DNS>
    Module im_file
    File "C:\\DNSlogs.txt"
    SavePos True
    <Exec>
        # drop comment lines and blank lines, forward everything else as BSD syslog
        if ($raw_event =~ /^#/) OR ($raw_event == '') drop();
        else
        {
            to_syslog_bsd();
        }
    </Exec>
</Input>

<Output Tap>
    Module om_udp
    Host %TAP_Sender_IP%
    Port %TAP_Sender_Port%
</Output>

<Route primary>
    Path DNS => Tap
</Route>
This config removes the blank lines between DNS entries but leaves the file header. I'm not sure what I need to change to prevent this from capturing the DNS header information.
Does anyone have any suggestions?
Thanks in advance
Dags
Comments (1)
An example log may help in this situation as many may not be familiar with the MS DNS format. Source log file + how you expect it to look after?
Also if you are using NXLog EE, then you could use the xm_msdns module.
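As an added example (not from the post or from NXLog), the lines below check a positive-match approach against constructed MS DNS debug-log lines: header and key-table lines do not begin with a timestamp, while every query/response record does, so matching the timestamp at the start of the line and dropping everything else removes the header as well as the blanks. The sample lines are modelled on the debug-log layout in a US-locale 12-hour format and are not a real capture; the same pattern can serve as the `=~` test in the `<Exec>` block, since NXLog regular expressions are PCRE-based.

```python
import re

# Windows DNS debug-log records begin with "M/D/YYYY H:MM:SS AM".
# Header lines ("DNS Server log file creation at ...", "Log file wrap at ...",
# the field-key table) do not, even when a timestamp appears later in the line.
# The optional AM/PM group also accepts locales that log a 24-hour clock.
ENTRY_RE = re.compile(r"^\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2}(?: [AP]M)? ")


def is_entry(line: str) -> bool:
    """True for a query/response record; False for header, key-table or blank lines."""
    return ENTRY_RE.match(line) is not None


def filter_entries(lines):
    """Mirror of the Exec block's intent: keep records, drop everything else."""
    return [ln for ln in lines if is_entry(ln)]


# Constructed sample modelled on the MS DNS debug-log layout (not a real capture).
SAMPLE = """DNS Server log file creation at 7/23/2019 9:30:00 AM
Log file wrap at 7/23/2019 9:30:00 AM

Message logging key (for packets - other items use a subset of these fields):
\tField #  Information         Values
\t-------  -----------         ------
\t   1     Date
\t   2     Time

7/23/2019 9:30:15 AM 0B54 PACKET  000000C0D4E32A80 UDP Rcv 192.0.2.10      6f2c   Q [0001   D   NOERROR] A      (3)www(7)example(3)com(0)
7/23/2019 9:30:15 AM 0B54 PACKET  000000C0D4E32A80 UDP Snd 192.0.2.10      6f2c R Q [8081   DR  NOERROR] A      (3)www(7)example(3)com(0)
""".splitlines()

if __name__ == "__main__":
    # Only the two PACKET records survive; the header block and blank lines are gone.
    for entry in filter_entries(SAMPLE):
        print(entry)
```

Run it against a few lines copied from the real C:\DNSlogs.txt before changing the config, since the timestamp format follows the server's locale settings.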