Closed peterand-pa closed 9 months ago
Can you share an example?
Actually, for us peername would be better. So generally speaking, any logging should reflect the source of the dnstap message (the connection peer) because that is usually the DNS server. Having the DNS server - not the dnscollector server - as the source host in the centralised Splunk logs is very important. (We plan to have 14 DNS appliances sending dnstap to one central location with about 40K queries per second.) Similar to my other request #588.
In ./collectors/dnstap.go, there's a line peer := conn.RemoteAddr().String(). I'd also add a gethostbyname to get the hostname of the peer. Unfortunately, I don't know enough about dnscollector's data structures and how that info would get accessed in a logger.
So, because it'd have to cater for multiple peer connections, I'd suggest it gets added to the dnstap message structure (dm).
Then by making those text-format directives available, loggers could use that data in the text-format, e.g. text-format: "timestamp-rfc3339ns peername operation rcode queryip queryport family protocol length qname qtype latency"
It will be implemented for next release.
Is your feature request related to a problem? Please describe.
I need to be able to log the source of the dnstap message

Describe the solution you'd like
A new text-format directive

Describe alternatives you've considered
Overriding dnstap identity string

Additional context
None
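
The proposal in this thread (resolve the connection peer once and expose it to loggers as a `peername` text-format directive), sketched as an added example that is not go-dnscollector's own code. `peerInfo`, `resolvePeer` and `formatLine` are hypothetical names, the address and hostname are constructed, and the reverse lookup is injected so the block runs offline.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// peerInfo (hypothetical) is what the collector would attach to every
// dnstap message read from one connection.
type peerInfo struct{ IP, Name string }

// resolvePeer runs once per accepted connection, never per message: at tens
// of thousands of queries per second a per-message PTR lookup would stall the
// pipeline. If the lookup fails, Name falls back to the IP so the log field is
// never empty. PTR data is only as trustworthy as the reverse zone.
func resolvePeer(remote net.Addr, lookup func(string) ([]string, error)) peerInfo {
	host, _, err := net.SplitHostPort(remote.String())
	if err != nil {
		host = remote.String() // no port part, e.g. a unix socket path
	}
	p := peerInfo{IP: host, Name: host}
	if names, err := lookup(host); err == nil && len(names) > 0 {
		p.Name = strings.TrimSuffix(names[0], ".")
	}
	return p
}

// formatLine expands a space-separated text-format string; "peername" comes
// from the connection, other directives from the decoded message fields.
func formatLine(format string, p peerInfo, fields map[string]string) string {
	out := make([]string, 0, 8)
	for _, d := range strings.Fields(format) {
		if d == "peername" {
			out = append(out, p.Name)
		} else if v, ok := fields[d]; ok {
			out = append(out, v)
		} else {
			out = append(out, "-")
		}
	}
	return strings.Join(out, " ")
}

func main() {
	remote := &net.TCPAddr{IP: net.ParseIP("192.0.2.10"), Port: 41234} // constructed
	stub := func(string) ([]string, error) { return []string{"dns01.example.net."}, nil }
	p := resolvePeer(remote, stub) // a real collector would pass net.LookupAddr
	fmt.Println(formatLine("peername operation qname", p,
		map[string]string{"operation": "CLIENT_QUERY", "qname": "example.com"}))
}
```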