2021-10-23 08:24 PM
I'm looking to potentially write a log parser for dnsmasq logs from a PiHole device and I have two questions.
1. Is there an already existing parser available?
2. I've included some example output below and was wondering what meta keys would be best practice to use when writing the parser.
Thanks
Oct 24 01:20:52 dnsmasq[7424]: gravity blocked snowplow.swm.digital is 0.0.0.0
Oct 24 01:20:56 dnsmasq[7424]: query[A] www.google.com from 10.61.43.31
Oct 24 01:20:56 dnsmasq[7424]: cached www.google.com is 172.217.167.100
Oct 24 01:20:57 dnsmasq[7424]: query[A] googleads.g.doubleclick.net from 10.61.43.31
Oct 24 01:20:57 dnsmasq[7424]: gravity blocked googleads.g.doubleclick.net is 0.0.0.0
Oct 24 01:20:58 dnsmasq[7424]: query[A] s.amazon-adsystem.com from 10.61.43.31
Oct 24 01:20:58 dnsmasq[7424]: gravity blocked s.amazon-adsystem.com is 0.0.0.0
Oct 24 01:20:58 dnsmasq[7424]: query[A] aax-us-east.amazon-adsystem.com from 10.61.43.31
Oct 24 01:20:58 dnsmasq[7424]: gravity blocked aax-us-east.amazon-adsystem.com is 0.0.0.0
Oct 24 01:20:59 dnsmasq[7424]: query[A] nrdp.prod.ftl.netflix.com from 10.61.43.12
Oct 24 01:20:59 dnsmasq[7424]: cached nrdp.prod.ftl.netflix.com is <CNAME>
Oct 24 01:20:59 dnsmasq[7424]: forwarded nrdp.prod.ftl.netflix.com to 8.8.4.4
Oct 24 01:20:59 dnsmasq[7424]: reply nrdp.prod.ftl.netflix.com is <CNAME>
Oct 24 01:20:59 dnsmasq[7424]: reply nrdp-ixanycast.ftl.netflix.com is 45.57.41.1
Oct 24 01:20:59 dnsmasq[7424]: reply nrdp-ixanycast.ftl.netflix.com is 45.57.40.1
Oct 24 01:21:07 dnsmasq[7424]: query[A] linkedin.com from 10.61.43.19
Oct 24 01:21:07 dnsmasq[7424]: forwarded linkedin.com to 8.8.4.4
2021-10-27 11:30 AM
Here is a parser I built for a pihole device which uses dnsmasq. I just added in support for your logs as well.
If you look at the header02, this matches your logs and statically assigns the message ID of dnsmask
<HEADER
id1="HDR2"
id2="HDR2"
messageid="STRCAT('dnsmask')"
content="<hmonth><hday><htime>dnsmasq[<hfld1>]:<!payload>"/>
Then the following lines will parse out each of your log messages:
<MESSAGE
id1="dnsmask"
id2="dnsmask"
functions="<@action:Gravity Blocked>"
content="gravity blocked<hostname><space>is<saddr>"/>
<MESSAGE
id1="dnsmask:01"
id2="dnsmask"
functions="<@action:query>"
content="query[<dns_querytype>]<hostname><space>from<saddr>"/>
<MESSAGE
id1="dnsmask:02"
id2="dnsmask"
functions="<@action:Blocked During Inspection>"
content="reply<hostname><space>is blocked during<dns_querytype>inspection"/>
<MESSAGE
id1="dnsmask:03"
id2="dnsmask"
functions="<@action:dns reply>"
content="reply<hostname><space>is{<<CNAME>|NODATA-IPv6|NXDOMAIN|SERVFAIL|NODATA-IPv4}"/>
<MESSAGE
id1="dnsmask:04"
id2="dnsmask"
functions="<@action:dns reply>"
content="reply<hostname><space>is<daddr>"/>
<MESSAGE
id1="dnsmask:05"
id2="dnsmask"
functions="<@action:forward dns request>"
content="forwarded<hostname><space>to<daddr>"/>
<MESSAGE
id1="dnsmask:06"
id2="dnsmask"
content="cached<fld1>is<fld2>"/>
Hope this helps
Dave
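A small Python parser that mirrors the HEADER and MESSAGE definitions above, added here as an example and not part of Dave's parser or the PiHole/dnsmasq project. The meta key names (hmonth, hday, htime, hfld1, hostname, saddr, daddr, dns_querytype, fld1, fld2, action, messageid) follow the thread; the sample lines are copied from the question; `result` is an assumed key for the literal reply values (<CNAME>, NXDOMAIN, ...) that the parser matches but does not capture.

```python
import re

# Sample lines, constructed from the PiHole output posted in the question above.
SAMPLE = """\
Oct 24 01:20:52 dnsmasq[7424]: gravity blocked snowplow.swm.digital is 0.0.0.0
Oct 24 01:20:56 dnsmasq[7424]: query[A] www.google.com from 10.61.43.31
Oct 24 01:20:56 dnsmasq[7424]: cached www.google.com is 172.217.167.100
Oct 24 01:20:59 dnsmasq[7424]: forwarded nrdp.prod.ftl.netflix.com to 8.8.4.4
Oct 24 01:20:59 dnsmasq[7424]: reply nrdp.prod.ftl.netflix.com is <CNAME>
Oct 24 01:20:59 dnsmasq[7424]: reply nrdp-ixanycast.ftl.netflix.com is 45.57.41.1
"""
# Mirrors the HEADER line: syslog timestamp, pid in brackets, then the payload.
HEADER = re.compile(
    r"^(?P<hmonth>[A-Z][a-z]{2}) +(?P<hday>\d{1,2}) (?P<htime>\d\d:\d\d:\d\d) "
    r"dnsmasq\[(?P<hfld1>\d+)\]: (?P<payload>.*)$"
)

# One entry per MESSAGE line, same order: (static action meta, payload pattern).
# Order matters: the literal-reply pattern must run before "reply ... is <daddr>".
MESSAGES = [
    ("Gravity Blocked", r"^gravity blocked (?P<hostname>\S+) is (?P<saddr>\S+)$"),
    ("query", r"^query\[(?P<dns_querytype>[^\]]+)\] (?P<hostname>\S+) from (?P<saddr>\S+)$"),
    ("Blocked During Inspection",
     r"^reply (?P<hostname>\S+) is blocked during (?P<dns_querytype>\S+) inspection$"),
    ("dns reply",
     r"^reply (?P<hostname>\S+) is (?P<result><CNAME>|NODATA-IPv6|NXDOMAIN|SERVFAIL|NODATA-IPv4)$"),
    ("dns reply", r"^reply (?P<hostname>\S+) is (?P<daddr>\S+)$"),
    ("forward dns request", r"^forwarded (?P<hostname>\S+) to (?P<daddr>\S+)$"),
    (None, r"^cached (?P<fld1>\S+) is (?P<fld2>\S+)$"),  # dnsmask:06 sets no action
]
MESSAGES = [(action, re.compile(p)) for action, p in MESSAGES]


def parse_line(line):
    """Return the meta dict for one dnsmasq line, or None if no MESSAGE matches."""
    hdr = HEADER.match(line.strip())
    if not hdr:
        return None
    meta = {k: v for k, v in hdr.groupdict().items() if k != "payload"}
    meta["messageid"] = "dnsmask"  # the static STRCAT value from the header
    for action, pattern in MESSAGES:  # first matching MESSAGE wins
        m = pattern.match(hdr.group("payload"))
        if m:
            meta.update(m.groupdict())
            if action:
                meta["action"] = action
            return meta
    return None


def parse_log(text):
    """Parse every line; lines that no MESSAGE matches are dropped, as the parser would."""
    return [m for m in map(parse_line, text.splitlines()) if m]
```

Lines that hit the header but no MESSAGE (for example dnsmasq's startup "config" lines) return None, which is the case to watch when checking parser coverage against a real log.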
2021-10-29 04:13 AM
That's great, thanks @DaveGlover , I'll give it a try.