Windows DNS Drop line via nullQueue not working

I'm trying to drop DNS requests for internal names from our Windows DNS logs. As a guide I am using an answer from this question: https://answers.splunk.com/answers/35259/best-method-for-pulling-microsoft-dns-logs-with-splunk.html

We have two TLDs I'd like to filter out, for example bob.local and fred.local.

I've added the following to my props.conf:

    [win_dns]
    TRANSFORMS-drop = win_dns_ignorelogs

And the following to my transforms.conf:

    [win_dns_ignorelogs]
    REGEX = (?i)\.*(bob|fred)\.local
    DEST_KEY = queue
    FORMAT = nullQueue

And restarted Splunk.

One thing to note is that we have a SED command in the props.conf which replaces the standard formatting of the records from something like this:

    13/12/2015 9:29:58 AM 0678 PACKET 0000000001FE2D10 TCP Rcv 127.0.0.1 4a3f Q [0001 D NOERROR] NS (8)bob(3)local(0)

to something like this:

    13/12/2015 9:29:58 AM 0678 PACKET 0000000001FE2D10 TDP Rcv 127.0.0.1 4a3f Q [0001 D NOERROR] NS bob.local

via an entry in the props.conf like this:

    [source::win_dns]
    SEDCMD-DNSZones1 = s/\s\(.{1,4}\)// s/\(.{1,4}\)$// s/\(.{1,4}\)/./g

When I test the regex in search like this:

    sourcetype=win_dns questionName="bob.local" | regex _raw="(?i)\.*(bob|fred)\.local"

it matches the events I am expecting to drop. But the events are still being indexed. Can someone please help me out?
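A way to check which form of the record the nullQueue regex actually matches, added here as an example and not code from the question or from Splunk: it applies the post's three sed expressions in order to a constructed record (modelled on the post's sample line) and tests the posted regex against both the raw and the rewritten form, alongside an alternative regex (an assumption, not from the post) that matches the zone whether the labels are still length-prefixed or already dotted. Which of the two forms an index-time TRANSFORMS regex is handed depends on where SEDCMD sits relative to it in the deployed Splunk version's pipeline; a regex that matches both forms does not depend on that ordering.

```python
import re

# Constructed sample records modelled on the post's example line; not real log data.
RAW_INTERNAL = ("13/12/2015 9:29:58 AM 0678 PACKET 0000000001FE2D10 TCP Rcv 127.0.0.1 4a3f "
                "Q [0001 D NOERROR] NS (3)bob(5)local(0)")
RAW_EXTERNAL = ("13/12/2015 9:30:01 AM 0678 PACKET 0000000001FE2D10 UDP Rcv 10.1.2.3 1c2e "
                "Q [0001 D NOERROR] A (7)example(3)com(0)")

# The nullQueue regex from the post's transforms.conf stanza.
POSTED_REGEX = re.compile(r"(?i)\.*(bob|fred)\.local")

# Alternative regex (an assumption, not from the post): matches the zone whether the
# labels are still length-prefixed, "(3)bob(5)local", or already dotted, "bob.local".
FORM_AGNOSTIC_REGEX = re.compile(r"(?i)(?:\(\d+\)|\.)?(bob|fred)(?:\(\d+\)|\.)local\b")

# The three expressions from the post's SEDCMD as (pattern, replacement, count);
# count=0 means replace all occurrences, mirroring the trailing /g on the last one.
SED_STEPS = [
    (r"\s\(.{1,4}\)", "", 1),
    (r"\(.{1,4}\)$", "", 1),
    (r"\(.{1,4}\)", ".", 0),
]


def apply_sed(line):
    """Approximate the SEDCMD rewrite by applying the three substitutions in order."""
    for pattern, replacement, count in SED_STEPS:
        line = re.sub(pattern, replacement, line, count=count)
    return line


def matches(regex, line):
    """True if the regex would select this record (as the nullQueue transform would)."""
    return regex.search(line) is not None


def report(line):
    """Which form of the record each regex matches: raw (pre-sed) vs rewritten."""
    rewritten = apply_sed(line)
    return {
        "posted_raw": matches(POSTED_REGEX, line),
        "posted_rewritten": matches(POSTED_REGEX, rewritten),
        "agnostic_raw": matches(FORM_AGNOSTIC_REGEX, line),
        "agnostic_rewritten": matches(FORM_AGNOSTIC_REGEX, rewritten),
    }


if __name__ == "__main__":
    for name, line in (("internal", RAW_INTERNAL), ("external", RAW_EXTERNAL)):
        print(name, apply_sed(line).split("] ")[-1], report(line))
```

A search over already-indexed events only ever sees the rewritten form, so it cannot show whether the regex matched the record as it looked at index time; the raw-form check above is the one a search cannot perform.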
