Closed: pa-jberanek closed this issue 7 months ago
BIND 9 query log format documentation, by the way: https://bind9.readthedocs.io/en/v9_16_25/logging-categories.html#:~:text=has%20been%20specified.-,The%20query%20log%20entry,-first%20reports%20a
Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)
Thank you, I have now verified this fix. 👍
Just started testing the Infoblox NIOS integration as a replacement for a Logstash pipeline we currently use instead.
It's generally looking good, but I discovered what looks like an issue to me: when parsing DNS query logs, the integration seems to be setting client.domain to the DNS question, and not anything to do with the client.
For example, parsing this log section:
Leads to:
I was looking at this, as I was attempting to implement a "processor" for this integration, in order to detect the client IP and apply a 'dns' processor to it, so we could do reverse lookups on the IPs before the data is sent to Elastic Cloud, where private IPs cannot be turned into hostnames. (See #2532)
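As an added example, separate from the issue author's setup and not the Infoblox NIOS integration's own ingest pipeline, here is a small Python parser for the BIND 9 query-log format linked in the thread. It maps each entry to ECS-style dotted fields, putting the question name only in dns.question.name and leaving client.domain unset (the log carries the client's address, not its hostname, which is what a reverse lookup on client.ip would supply), and it includes a regression check that flags output where client.domain carries the question name. The log lines are constructed from the documented format, since the issue's own excerpt is not reproduced here, and dns.edns_version is an assumed custom field name rather than an ECS field.

```python
"""Parse BIND 9 / Infoblox NIOS style DNS query-log lines into ECS-style fields.

Added example for the issue above, not the integration's own pipeline.
"""
import re
from typing import Dict, List, Optional

# Constructed sample lines in the BIND 9 query-log format (placeholder addresses
# and names, not captured traffic). The last line is not a query entry.
SAMPLE_LINES: List[str] = [
    "client @0x7f3a4c0d1e20 10.0.0.25#53412 (www.example.com): query: www.example.com IN A +E(0)K (10.0.0.53)",
    "client 127.0.0.1#62536 (www.example.com): query: www.example.com IN AAAA +SE",
    "client @0x7f3a4c0d1f00 fd00::1a#40001 (mail.example.org): query: mail.example.org IN MX -T (fd00::53)",
    "zone example.com/IN: loaded serial 42",
]

# Entry layout per the BIND 9 docs:
#   client [@0x<id>] <ip>#<port> (<qname>): query: <qname> <class> <type> <flags> [(<dest-ip>)]
QUERY_RE = re.compile(
    r"client\s+"
    r"(?:@0x[0-9a-fA-F]+\s+)?"                   # client object identifier (BIND 9.16+), optional
    r"(?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+)\s+"   # client address and source port
    r"\((?P<qname_paren>[^)]*)\):\s+query:\s+"
    r"(?P<qname>\S+)\s+(?P<qclass>\S+)\s+(?P<qtype>\S+)\s+"
    r"(?P<flags>[+-]\S*)"                        # +/- = RD, then any of S E(#) T D C V K
    r"(?:\s+\((?P<dest>[0-9a-fA-F.:]+)\))?"      # address the query was sent to, if logged
)


def parse_flags(flags: str) -> Dict[str, object]:
    """Decode the flag string: '+'/'-' is Recursion Desired, then single-letter flags."""
    out: Dict[str, object] = {"recursion_desired": flags[0] == "+"}
    rest = flags[1:]
    m = re.search(r"E\((\d+)\)", rest)          # EDNS in use, with version number
    if m:
        out["edns_version"] = int(m.group(1))
        rest = rest[: m.start()] + rest[m.end():]
    letters = {
        "S": "signed", "T": "tcp", "D": "dnssec_ok", "C": "checking_disabled",
        "V": "valid_server_cookie", "K": "cookie_without_valid_server_cookie",
    }
    for ch, name in letters.items():
        out[name] = ch in rest
    return out


def to_ecs(line: str) -> Optional[Dict[str, object]]:
    """Map one query-log line to ECS-style fields; return None for non-query lines.

    client.domain is deliberately never set here: the question name belongs in
    dns.question.name, and the client's hostname is not present in the log.
    """
    m = QUERY_RE.search(line)
    if not m:
        return None
    flags = parse_flags(m.group("flags"))
    header_flags = [
        name for name, key in (("RD", "recursion_desired"), ("DO", "dnssec_ok"), ("CD", "checking_disabled"))
        if flags[key]
    ]
    event: Dict[str, object] = {
        "client.ip": m.group("ip"),
        "client.port": int(m.group("port")),
        "dns.question.name": m.group("qname"),
        "dns.question.class": m.group("qclass"),
        "dns.question.type": m.group("qtype"),
        "dns.header_flags": header_flags,
        "network.transport": "tcp" if flags["tcp"] else "udp",
        "network.protocol": "dns",
    }
    if m.group("dest"):
        event["server.ip"] = m.group("dest")
    if "edns_version" in flags:
        event["dns.edns_version"] = flags["edns_version"]  # assumed custom field, not ECS
    return event


def parse_all(lines: List[str]) -> List[Dict[str, object]]:
    """Parse a batch of lines, dropping anything that is not a query entry."""
    return [e for e in (to_ecs(ln) for ln in lines) if e is not None]


def client_domain_is_consistent(event: Dict[str, object]) -> bool:
    """Regression check for the bug reported above: client.domain must not carry
    the question name. (A client resolving its own name would trip this; that is
    acceptable for a test over constructed data.)"""
    cd = event.get("client.domain")
    return cd is None or cd != event.get("dns.question.name")


if __name__ == "__main__":
    for ev in parse_all(SAMPLE_LINES):
        print(ev, "consistent" if client_domain_is_consistent(ev) else "MISLABELLED")
```

The check is the kind of assertion worth keeping in an integration's pipeline tests: run the parser over a fixture of real (anonymised) lines and fail the build if any event has client.domain equal to dns.question.name.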