The tags beginning with dns.bluecat identify events generated by the Bluecat Domain Name System (DNS).
...
This tag must have three levels. The first two are fixed as dns.bluecat. The third level identifies the type of events sent.
Technology | Brand | Type |
|---|---|---|
dns | bluecat | named |
...
Tag | Data table |
|---|---|
| dns.bluecat.named | dns.bluecat.named |
How is the data sent to Devo?
You can forward logs generated by Bluecat using any Syslog drain (for example, Syslog-ng). Learn more about how to send Bluecat logs and their structure here.
Log samples
The following are sample logs sent to each of the dns.bluecat data tables. In addition, find how the information will be parsed in your data table under the sample log.
| Note | ||
|---|---|---|
| ||
Fields marked as Extra in the table below are not shown by default in data tables and need to be explicitly requested in the query. You can find them marked as Extra when you perform a query so they can be easily identified. Learn more about this in Selecting unrevealed columns. |
dns.bluecat.named
| Code Block |
|---|
2020-11-17 18:22:02.272 usmdnsp1abdds02=165.225.50.94 dns.bluecat.named: client @0x7f1af810c0b0 10.232.19.43#64852 (12.in-addr.arpa.mtl.pepito.com): view Internal: query: 12.in-addr.arpa.mtl.pepito.com IN PTR +E(0)D (10.234.164.22) 2018-04-23 13:51:59.025 localhost=127.0.0.1 dns.bluecat.named.cef: 0|BCN|BDDS_DNS|8.1.1|DNS_Query|DNS query|1|cat=A_record src=10.194.101.141 cs1=ssl.gstatic.com cs1Label=query |
...
| Field | Value | Type | Field transformation | Source field name |
|---|---|---|---|---|
| eventdate | 2020-11-17 18:22:02.272 | timestamp | ||
| hostname | usmdnsp1abdds02 | str | ||
| eventType | query | str | ||
| srcIp | 10.232.19.43 | ip | ||
| srcPort | 64852 | int | ||
| queriedResource | 12.in-addr.arpa.mtl.pepito.com | str | ||
| view | Internal | str | ||
| queryRecordType | PTR | str | ||
| flags | +E(0)D | str | ||
| dnsServerId | @0x7f1af810c0b0 | str | ||
| dnsServerIp | 10.234.164.22 | ip | ||
| dnsServerPort | null | str | ||
| responseCode | null | str | ||
| protocol | null | str | ||
| responseDatetime | null | timestamp | ||
| resolvedResources | null | str | resolvedResources = ifthenelse(endswith(resolvedResources_tmp, "."), replaceall(substring(resolvedResources_tmp, 0, length(resolvedResources_tmp) - 2), ".,", ",") , replaceall(resolvedResources_tmp, ".,", ",")); | resolvedResourcesArray: [str]{dstar}; resolvedResources_tmp = join(resolvedResourcesArray, ",") {public}; |
| resResRecordType | null | str | resResRecordType = join(resResRecordTypeArray, ","); | resResRecordTypeArray: [str]{dstar}; |
| resResTtl | null | str | resResTtl = join(resResTtlArray, ","); | resResTtlArray: [str]{dstar}; |
| rawSource | client @0x7f1af810c0b0 10.232.19.43#64852 (12.in-addr.arpa.mtl.pepito.com): view Internal: query: 12.in-addr.arpa.mtl.pepito.com IN PTR +E(0)D (10.234.164.22) | str |
...