After the successful setup of our Elasticsearch cluster we noticed that the logs of the BIND nameserver are not really stored in the Filebeat agent's index in a meaningful way.
So what can you do to solve this problem?
First, for the Insiders, the module can be downloaded here: rwbind.tar
If you prefer the manual way, here is the ingest pipeline:
```json
[
  {
    "grok": {
      "field": "message",
      "patterns": [
        "^%{TIMESTAMP_ISO8601:timestamp} queries: %{LOGLEVEL:loglevel}: client(?: @0x[0-9A-Fa-f]+)? %{IP:clientip}#%{POSINT:clientport} \\(%{GREEDYDATA}\\): query: %{GREEDYDATA:query} IN %{GREEDYDATA:querytype} \\(%{IP:dnsserver}\\)"
      ]
    }
  },
  {
    "date": {
      "timezone": "+0100",
      "field": "timestamp",
      "formats": [
        "ISO8601"
      ],
      "target_field": "@timestamp"
    }
  },
  {
    "rename": {
      "field": "clientport",
      "target_field": "client.port"
    }
  },
  {
    "rename": {
      "ignore_missing": true,
      "field": "clientip",
      "target_field": "client.ip"
    }
  },
  {
    "remove": {
      "field": "timestamp",
      "ignore_missing": true
    }
  }
]
```

Two details of the grok pattern are easy to get wrong: the client handle that newer BIND versions print (`@0x7f...`) is matched by an optional non-capturing group `(?: @0x[0-9A-Fa-f]+)?`, and the query name, which BIND prints twice on every line, is captured only once as `query` so the same field name is not assigned twice.
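To see what the pipeline produces without a cluster at hand, here is an added Python emulation of the four processors (grok, date, rename, remove); it is not part of the original post or the rwbind module, the grok patterns are reduced to plain regexes (IPv4 only, simplified TIMESTAMP_ISO8601 and LOGLEVEL), and the log lines are constructed samples.

```python
import re
from datetime import datetime, timedelta, timezone

# Plain-regex equivalent of the grok pattern in the pipeline above.
IPV4 = r"(?:\d{1,3}\.){3}\d{1,3}"
BIND_QUERY_RE = re.compile(
    r"^(?P<timestamp>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d+)?) "
    r"queries: (?P<loglevel>[A-Za-z]+): "
    r"client(?: @0x[0-9A-Fa-f]+)? "          # optional client handle of newer BIND versions
    rf"(?P<clientip>{IPV4})#(?P<clientport>\d+) "
    r"\([^)]*\): query: (?P<query>\S+) IN "  # name in parentheses is not captured twice
    rf"(?P<querytype>.*) \((?P<dnsserver>{IPV4})\)$"  # querytype also swallows the flags
)


def run_pipeline(line: str, tz_offset: str = "+0100"):
    """Emulate grok -> date -> rename -> remove on one line.

    Returns the document, or None when grok does not match (in
    Elasticsearch the grok processor would fail the event instead)."""
    m = BIND_QUERY_RE.match(line)
    if m is None:
        return None
    doc = {"message": line, **m.groupdict()}
    # date processor: the fixed "+0100" offset of the pipeline, written to @timestamp
    sign = 1 if tz_offset[0] == "+" else -1
    offset = timedelta(hours=int(tz_offset[1:3]), minutes=int(tz_offset[3:5]))
    ts = datetime.fromisoformat(doc["timestamp"]).replace(tzinfo=timezone(sign * offset))
    doc["@timestamp"] = ts.isoformat()
    # rename processors (grok leaves strings; rename does not cast to a number)
    doc["client.port"] = doc.pop("clientport")
    if "clientip" in doc:  # ignore_missing: true
        doc["client.ip"] = doc.pop("clientip")
    # remove processor
    doc.pop("timestamp", None)
    return doc


# Constructed sample lines (not from the original post): one with the
# "@0x..." handle, one without, one unrelated BIND message that must not parse.
SAMPLE_LINES = [
    "2020-03-10T14:02:11.123 queries: info: client @0x7f3a9c0b2e60 192.0.2.10#51234 "
    "(www.example.com): query: www.example.com IN A +E(0)K (192.0.2.1)",
    "2020-03-10T14:02:12 queries: info: client 198.51.100.7#40001 "
    "(mail.example.org): query: mail.example.org IN MX - (192.0.2.1)",
    "2020-03-10T14:02:13 lame-servers: info: received malformed packet from 203.0.113.5#53",
]
```

Running `run_pipeline` over `SAMPLE_LINES` shows the first two lines split into `client.ip`, `client.port`, `query`, `querytype` and `dnsserver` with `@timestamp` in +01:00, while the third returns None, which is exactly where a grok failure would surface in the real pipeline.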
Have fun, Raffael