Need to filter based on domain portion of query log entry

Q & ANeed to filter based on domain portion of query log entry
Robert Webb asked 4 months ago

So I have a situation where I need to take a list of domains, ie., and send those entries from Bind’s query log to a separate log file. Given that the fqdn is delivered in the MSG section, how can I parse out out of and match to my list?
Once I have the parsing and filter done, the sending to a specific file I am good with.
The list file would only have “” in it.

1 Answers
Róbert Fekete Staff answered 4 months ago

Hi, since Bind query logs are not really structured, you can either:
 * Use the pattern database feature of syslog-ng to write a pattern that matches these messages, and extract the needed data. This sample database might actually work for you: For details on pattern databases, see Note that you might need to use a further parser to split the unneeded part of the fqdn (for example, a csv parser, or the substr template function)
 * If you need a lot of custom processing for these logs, it might be easier to write a custom python parser ( ). Note that Python parser requires a recent version of syslog-ng.