dns.bluecat
- Juan Tomás Alonso Nieto (Unlicensed)
The tags beginning with dns.bluecat identify events generated by the Bluecat Domain Name System (DNS).
Valid tags and data tables
This tag must have three levels. The first two are fixed as dns.bluecat. The third level identifies the type of events sent.
Technology | Brand | Type |
|---|---|---|
dns | bluecat | named |
These are the valid tags and corresponding data tables that will receive the parsers' data:
Tag | Data table |
|---|---|
| dns.bluecat.named | dns.bluecat.named |
How is the data sent to Devo?
You can forward logs generated by Bluecat using any Syslog drain (for example, Syslog-ng). Learn more about how to send Bluecat logs and their structure here.
Log samples
The following are sample logs sent to each of the dns.bluecat data tables. In addition, find how the information will be parsed in your data table under the sample log.
Extra columns
Fields marked as Extra in the table below are not shown by default in data tables and need to be explicitly requested in the query. You can find them marked as Extra when you perform a query so they can be easily identified. Learn more about this in Selecting unrevealed columns.
dns.bluecat.named
2020-11-17 18:22:02.272 usmdnsp1abdds02=165.225.50.94 dns.bluecat.named: client @0x7f1af810c0b0 10.232.19.43#64852 (12.in-addr.arpa.mtl.pepito.com): view Internal: query: 12.in-addr.arpa.mtl.pepito.com IN PTR +E(0)D (10.234.164.22) 2018-04-23 13:51:59.025 localhost=127.0.0.1 dns.bluecat.named.cef: 0|BCN|BDDS_DNS|8.1.1|DNS_Query|DNS query|1|cat=A_record src=10.194.101.141 cs1=ssl.gstatic.com cs1Label=query
This is how the logs would be parsed:
| Field | Value | Type | Field transformation | Source field name |
|---|---|---|---|---|
| eventdate | 2020-11-17 18:22:02.272 | timestamp | ||
| hostname | usmdnsp1abdds02 | str | ||
| eventType | query | str | ||
| srcIp | 10.232.19.43 | ip | ||
| srcPort | 64852 | int | ||
| queriedResource | 12.in-addr.arpa.mtl.pepito.com | str | ||
| view | Internal | str | ||
| queryRecordType | PTR | str | ||
| flags | +E(0)D | str | ||
| dnsServerId | @0x7f1af810c0b0 | str | ||
| dnsServerIp | 10.234.164.22 | ip | ||
| dnsServerPort | null | str | ||
| responseCode | null | str | ||
| protocol | null | str | ||
| responseDatetime | null | timestamp | ||
| resolvedResources | null | str | resolvedResources = ifthenelse(endswith(resolvedResources_tmp, "."), replaceall(substring(resolvedResources_tmp, 0, length(resolvedResources_tmp) - 2), ".,", ",") , replaceall(resolvedResources_tmp, ".,", ",")); | resolvedResourcesArray: [str]{dstar}; resolvedResources_tmp = join(resolvedResourcesArray, ",") {public}; |
| resResRecordType | null | str | resResRecordType = join(resResRecordTypeArray, ","); | resResRecordTypeArray: [str]{dstar}; |
| resResTtl | null | str | resResTtl = join(resResTtlArray, ","); | resResTtlArray: [str]{dstar}; |
| rawSource | client @0x7f1af810c0b0 10.232.19.43#64852 (12.in-addr.arpa.mtl.pepito.com): view Internal: query: 12.in-addr.arpa.mtl.pepito.com IN PTR +E(0)D (10.234.164.22) | str |