├── LICENSE ├── README.md ├── content_pack.json └── extractors_standalone.json /LICENSE: -------------------------------------------------------------------------------- 1 | The MIT License (MIT) 2 | 3 | Copyright (c) 2015 Jared Orzechowski jaredo AT ameritech DOT net 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | 23 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Windows DNS Content Pack (Outdated - Please Fork+Update) 2 | 3 | This version requires Graylog 3.1 minimum, check tags for previous versions. 4 | 5 | (Tested with Filebeats/Windows 2016 R2/Graylog 3.1) 6 | 7 | **Note this was built using filebeats as the log exporter. 
It is possible to use your own input with nxlog or alternatives, but this will require manually importing extractors_standalone.json into that input.** 8 | 9 | Newer versions of nxLog with GELF 1.1 support require an additional parameter for the gelf module: "ShortMessageLength -1" (see the NXLog example below). 10 | 11 | ## Includes 12 | 13 | * Input (TCP_WinDNS_1555 - Beats/TCP/1555) w/ Extractors (WinDNS_Debug_Log, WinDNS_Name) 14 | * GROK Patterns (prefixed with WINDNS to avoid overriding existing patterns) 15 | * Dashboards (DNS requests (24h), DNS requests (7d)) 16 | 17 | ## Requirements 18 | * Graylog 3.1 19 | * Windows DNS server configured for "Log packets for debugging" & "Packet direction: Incoming" 20 | * A log exporter/collector such as nxlog or filebeats monitoring the log file path specified in DNS debug logging (e.g. c:\temp\dns_log.txt). Note that the bundled input listens on 0.0.0.0:1555 with TLS disabled, so the DNS query log is shipped in cleartext unless you set the input's TLS options (or restrict its bind address) after import. 21 | * Create a dynamic ES template to force the ThreadID field type to "keyword"; otherwise ES may dynamically map the field as an integer, which causes indexing errors later on when an alphanumeric ThreadID arrives. 
22 | 23 | For example in ES 5+: 24 | ``` 25 | curl -XPUT localhost:9200/_template/graylog -d ' 26 | { 27 | "template":"graylog*", 28 | "settings":{ 29 | "index.refresh_interval":"30s" 30 | }, 31 | "mappings":{ 32 | "message":{ 33 | "properties":{ 34 | "ThreadID":{ 35 | "index":"true", 36 | "type":"keyword" 37 | } 38 | } 39 | } 40 | } 41 | }' 42 | ``` 43 | 44 | ## Filebeats/Sidecar Windows Configuration Example using variables ${user.dnslog_path} and ${user.graylog_server} 45 | ``` 46 | # Needed for Graylog 47 | fields_under_root: true 48 | fields.collector_node_id: ${sidecar.nodeName} 49 | fields.gl2_source_collector: ${sidecar.nodeId} 50 | 51 | filebeat.inputs: 52 | - input_type: log 53 | paths: 54 | - "${user.dnslog_path}" 55 | encoding: utf-8 56 | type: log 57 | output.logstash: 58 | hosts: ["${user.graylog_server}:1555"] 59 | path: 60 | data: "C:/Program Files/Graylog/sidecar/cache/winlogbeat/data" 61 | logs: "C:/Program Files/Graylog/sidecar/logs" 62 | ``` 63 | 64 | ## NXLog Configuration Example 65 | ``` 66 | define ROOT C:\Program Files (x86)\nxlog 67 | 68 | Moduledir %ROOT%\modules 69 | CacheDir %ROOT%\data 70 | Pidfile %ROOT%\data\nxlog.pid 71 | SpoolDir %ROOT%\data 72 | LogFile %ROOT%\data\nxlog.log 73 | 74 | 75 | Module xm_gelf 76 | ShortMessageLength -1 77 | 78 | 79 | 80 | Module im_file 81 | File "C:\dns.txt" 82 | SavePos TRUE 83 | InputType LineBased 84 | 85 | 86 | 87 | Module om_udp 88 | Host graylog.server.com 89 | Port 5414 90 | OutputType GELF 91 | 92 | 93 | 94 | Path dns => out 95 | 96 | ``` 97 | 98 | ## Screenshots 99 | 100 | ![Dashboard](http://i0.wp.com/www.ohjeah.net/wp-content/uploads/2015/09/windows_dns_logs.png) 101 | -------------------------------------------------------------------------------- /content_pack.json: -------------------------------------------------------------------------------- 1 | { 2 | "v": "1", 3 | "id": "05e59f56-dac0-410a-910d-a422f013ab68", 4 | "rev": 2, 5 | "name": "Windows DNS", 6 | "summary": "Windows DNS", 7 | 
"description": "Windows DNS Input (example)\nWindows DNS GROK Patterns\nTotal Request DNS Dashboard\nWindows DNS Extractor (included in repo)", 8 | "vendor": "Jared O. ", 9 | "url": "http://www.ohjeah.net", 10 | "parameters": [], 11 | "entities": [ 12 | { 13 | "v": "1", 14 | "type": { 15 | "name": "dashboard", 16 | "version": "1" 17 | }, 18 | "id": "3b865567-3c69-423e-8c3a-014ab97e28d6", 19 | "data": { 20 | "title": { 21 | "@type": "string", 22 | "@value": "DNS Requests (7d)" 23 | }, 24 | "description": { 25 | "@type": "string", 26 | "@value": "DNS Requests (7d)" 27 | }, 28 | "widgets": [ 29 | { 30 | "id": { 31 | "@type": "string", 32 | "@value": "88a4baf3-1841-4614-873a-8d5a53057217" 33 | }, 34 | "description": { 35 | "@type": "string", 36 | "@value": "Total Requests By Response (7d)" 37 | }, 38 | "type": { 39 | "@type": "string", 40 | "@value": "QUICKVALUES" 41 | }, 42 | "cache_time": { 43 | "@type": "integer", 44 | "@value": 10 45 | }, 46 | "time_range": { 47 | "type": { 48 | "@type": "string", 49 | "@value": "relative" 50 | }, 51 | "range": { 52 | "@type": "integer", 53 | "@value": 604800 54 | } 55 | }, 56 | "configuration": { 57 | "interval": { 58 | "@type": "string", 59 | "@value": "hour" 60 | }, 61 | "query": { 62 | "@type": "string", 63 | "@value": "Context:PACKET" 64 | }, 65 | "show_pie_chart": { 66 | "@type": "boolean", 67 | "@value": true 68 | }, 69 | "sort_order": { 70 | "@type": "string", 71 | "@value": "desc" 72 | }, 73 | "timerange": { 74 | "type": { 75 | "@type": "string", 76 | "@value": "relative" 77 | }, 78 | "range": { 79 | "@type": "integer", 80 | "@value": 604800 81 | } 82 | }, 83 | "stacked_fields": { 84 | "@type": "string", 85 | "@value": "" 86 | }, 87 | "data_table_limit": { 88 | "@type": "integer", 89 | "@value": 50 90 | }, 91 | "field": { 92 | "@type": "string", 93 | "@value": "Response" 94 | }, 95 | "show_data_table": { 96 | "@type": "boolean", 97 | "@value": true 98 | }, 99 | "limit": { 100 | "@type": "integer", 101 | "@value": 5 102 | } 
103 | }, 104 | "position": { 105 | "width": { 106 | "@type": "integer", 107 | "@value": 2 108 | }, 109 | "height": { 110 | "@type": "integer", 111 | "@value": 6 112 | }, 113 | "row": { 114 | "@type": "integer", 115 | "@value": 3 116 | }, 117 | "col": { 118 | "@type": "integer", 119 | "@value": 1 120 | } 121 | } 122 | }, 123 | { 124 | "id": { 125 | "@type": "string", 126 | "@value": "adaeff04-5240-4776-840e-d36d62fcd014" 127 | }, 128 | "description": { 129 | "@type": "string", 130 | "@value": "Total Requests By Type (7d)" 131 | }, 132 | "type": { 133 | "@type": "string", 134 | "@value": "QUICKVALUES" 135 | }, 136 | "cache_time": { 137 | "@type": "integer", 138 | "@value": 10 139 | }, 140 | "time_range": { 141 | "type": { 142 | "@type": "string", 143 | "@value": "relative" 144 | }, 145 | "range": { 146 | "@type": "integer", 147 | "@value": 604800 148 | } 149 | }, 150 | "configuration": { 151 | "interval": { 152 | "@type": "string", 153 | "@value": "hour" 154 | }, 155 | "query": { 156 | "@type": "string", 157 | "@value": "Context:PACKET" 158 | }, 159 | "show_pie_chart": { 160 | "@type": "boolean", 161 | "@value": true 162 | }, 163 | "sort_order": { 164 | "@type": "string", 165 | "@value": "desc" 166 | }, 167 | "timerange": { 168 | "type": { 169 | "@type": "string", 170 | "@value": "relative" 171 | }, 172 | "range": { 173 | "@type": "integer", 174 | "@value": 604800 175 | } 176 | }, 177 | "stacked_fields": { 178 | "@type": "string", 179 | "@value": "" 180 | }, 181 | "data_table_limit": { 182 | "@type": "integer", 183 | "@value": 50 184 | }, 185 | "field": { 186 | "@type": "string", 187 | "@value": "QType" 188 | }, 189 | "show_data_table": { 190 | "@type": "boolean", 191 | "@value": true 192 | }, 193 | "limit": { 194 | "@type": "integer", 195 | "@value": 5 196 | } 197 | }, 198 | "position": { 199 | "width": { 200 | "@type": "integer", 201 | "@value": 2 202 | }, 203 | "height": { 204 | "@type": "integer", 205 | "@value": 6 206 | }, 207 | "row": { 208 | "@type": 
"integer", 209 | "@value": 3 210 | }, 211 | "col": { 212 | "@type": "integer", 213 | "@value": 5 214 | } 215 | } 216 | }, 217 | { 218 | "id": { 219 | "@type": "string", 220 | "@value": "d541aa7e-8bdd-4d4e-830b-18eb4b2aa555" 221 | }, 222 | "description": { 223 | "@type": "string", 224 | "@value": "Total Requests By Server (7d)" 225 | }, 226 | "type": { 227 | "@type": "string", 228 | "@value": "QUICKVALUES" 229 | }, 230 | "cache_time": { 231 | "@type": "integer", 232 | "@value": 10 233 | }, 234 | "time_range": { 235 | "type": { 236 | "@type": "string", 237 | "@value": "relative" 238 | }, 239 | "range": { 240 | "@type": "integer", 241 | "@value": 604800 242 | } 243 | }, 244 | "configuration": { 245 | "interval": { 246 | "@type": "string", 247 | "@value": "hour" 248 | }, 249 | "query": { 250 | "@type": "string", 251 | "@value": "Context:PACKET" 252 | }, 253 | "show_pie_chart": { 254 | "@type": "boolean", 255 | "@value": true 256 | }, 257 | "sort_order": { 258 | "@type": "string", 259 | "@value": "desc" 260 | }, 261 | "timerange": { 262 | "type": { 263 | "@type": "string", 264 | "@value": "relative" 265 | }, 266 | "range": { 267 | "@type": "integer", 268 | "@value": 604800 269 | } 270 | }, 271 | "stacked_fields": { 272 | "@type": "string", 273 | "@value": "" 274 | }, 275 | "data_table_limit": { 276 | "@type": "integer", 277 | "@value": 50 278 | }, 279 | "field": { 280 | "@type": "string", 281 | "@value": "source" 282 | }, 283 | "show_data_table": { 284 | "@type": "boolean", 285 | "@value": true 286 | }, 287 | "limit": { 288 | "@type": "integer", 289 | "@value": 5 290 | } 291 | }, 292 | "position": { 293 | "width": { 294 | "@type": "integer", 295 | "@value": 4 296 | }, 297 | "height": { 298 | "@type": "integer", 299 | "@value": 4 300 | }, 301 | "row": { 302 | "@type": "integer", 303 | "@value": 5 304 | }, 305 | "col": { 306 | "@type": "integer", 307 | "@value": 7 308 | } 309 | } 310 | }, 311 | { 312 | "id": { 313 | "@type": "string", 314 | "@value": 
"5050c058-e024-4661-9a2a-a32f3278f985" 315 | }, 316 | "description": { 317 | "@type": "string", 318 | "@value": "Total Requests By IP (7d)" 319 | }, 320 | "type": { 321 | "@type": "string", 322 | "@value": "QUICKVALUES" 323 | }, 324 | "cache_time": { 325 | "@type": "integer", 326 | "@value": 10 327 | }, 328 | "time_range": { 329 | "type": { 330 | "@type": "string", 331 | "@value": "relative" 332 | }, 333 | "range": { 334 | "@type": "integer", 335 | "@value": 604800 336 | } 337 | }, 338 | "configuration": { 339 | "interval": { 340 | "@type": "string", 341 | "@value": "hour" 342 | }, 343 | "query": { 344 | "@type": "string", 345 | "@value": "Context:PACKET" 346 | }, 347 | "show_pie_chart": { 348 | "@type": "boolean", 349 | "@value": true 350 | }, 351 | "sort_order": { 352 | "@type": "string", 353 | "@value": "desc" 354 | }, 355 | "timerange": { 356 | "type": { 357 | "@type": "string", 358 | "@value": "relative" 359 | }, 360 | "range": { 361 | "@type": "integer", 362 | "@value": 604800 363 | } 364 | }, 365 | "stacked_fields": { 366 | "@type": "string", 367 | "@value": "" 368 | }, 369 | "data_table_limit": { 370 | "@type": "integer", 371 | "@value": 50 372 | }, 373 | "field": { 374 | "@type": "string", 375 | "@value": "IP" 376 | }, 377 | "show_data_table": { 378 | "@type": "boolean", 379 | "@value": true 380 | }, 381 | "limit": { 382 | "@type": "integer", 383 | "@value": 5 384 | } 385 | }, 386 | "position": { 387 | "width": { 388 | "@type": "integer", 389 | "@value": 2 390 | }, 391 | "height": { 392 | "@type": "integer", 393 | "@value": 6 394 | }, 395 | "row": { 396 | "@type": "integer", 397 | "@value": 3 398 | }, 399 | "col": { 400 | "@type": "integer", 401 | "@value": 3 402 | } 403 | } 404 | }, 405 | { 406 | "id": { 407 | "@type": "string", 408 | "@value": "6bbbfc26-9f9f-4cac-9f22-4158b4c8c70a" 409 | }, 410 | "description": { 411 | "@type": "string", 412 | "@value": "Total Requests By Name (7d)" 413 | }, 414 | "type": { 415 | "@type": "string", 416 | "@value": 
"QUICKVALUES" 417 | }, 418 | "cache_time": { 419 | "@type": "integer", 420 | "@value": 10 421 | }, 422 | "time_range": { 423 | "type": { 424 | "@type": "string", 425 | "@value": "relative" 426 | }, 427 | "range": { 428 | "@type": "integer", 429 | "@value": 604800 430 | } 431 | }, 432 | "configuration": { 433 | "interval": { 434 | "@type": "string", 435 | "@value": "hour" 436 | }, 437 | "query": { 438 | "@type": "string", 439 | "@value": "Context:PACKET" 440 | }, 441 | "show_pie_chart": { 442 | "@type": "boolean", 443 | "@value": true 444 | }, 445 | "sort_order": { 446 | "@type": "string", 447 | "@value": "desc" 448 | }, 449 | "timerange": { 450 | "type": { 451 | "@type": "string", 452 | "@value": "relative" 453 | }, 454 | "range": { 455 | "@type": "integer", 456 | "@value": 604800 457 | } 458 | }, 459 | "stacked_fields": { 460 | "@type": "string", 461 | "@value": "" 462 | }, 463 | "data_table_limit": { 464 | "@type": "integer", 465 | "@value": 50 466 | }, 467 | "field": { 468 | "@type": "string", 469 | "@value": "Name" 470 | }, 471 | "show_data_table": { 472 | "@type": "boolean", 473 | "@value": true 474 | }, 475 | "limit": { 476 | "@type": "integer", 477 | "@value": 5 478 | } 479 | }, 480 | "position": { 481 | "width": { 482 | "@type": "integer", 483 | "@value": 4 484 | }, 485 | "height": { 486 | "@type": "integer", 487 | "@value": 4 488 | }, 489 | "row": { 490 | "@type": "integer", 491 | "@value": 1 492 | }, 493 | "col": { 494 | "@type": "integer", 495 | "@value": 7 496 | } 497 | } 498 | }, 499 | { 500 | "id": { 501 | "@type": "string", 502 | "@value": "d9995d90-6a41-4d7e-9a03-4bc025072de3" 503 | }, 504 | "description": { 505 | "@type": "string", 506 | "@value": "Total DNS Requests (7d)" 507 | }, 508 | "type": { 509 | "@type": "string", 510 | "@value": "SEARCH_RESULT_CHART" 511 | }, 512 | "cache_time": { 513 | "@type": "integer", 514 | "@value": 10 515 | }, 516 | "time_range": { 517 | "type": { 518 | "@type": "string", 519 | "@value": "relative" 520 | }, 521 | 
"range": { 522 | "@type": "integer", 523 | "@value": 604800 524 | } 525 | }, 526 | "configuration": { 527 | "interval": { 528 | "@type": "string", 529 | "@value": "hour" 530 | }, 531 | "timerange": { 532 | "type": { 533 | "@type": "string", 534 | "@value": "relative" 535 | }, 536 | "range": { 537 | "@type": "integer", 538 | "@value": 604800 539 | } 540 | }, 541 | "query": { 542 | "@type": "string", 543 | "@value": "Context:PACKET" 544 | } 545 | }, 546 | "position": { 547 | "width": { 548 | "@type": "integer", 549 | "@value": 6 550 | }, 551 | "height": { 552 | "@type": "integer", 553 | "@value": 2 554 | }, 555 | "row": { 556 | "@type": "integer", 557 | "@value": 1 558 | }, 559 | "col": { 560 | "@type": "integer", 561 | "@value": 1 562 | } 563 | } 564 | } 565 | ] 566 | }, 567 | "constraints": [ 568 | { 569 | "type": "server-version", 570 | "version": ">=3.1.0+aa5175e" 571 | } 572 | ] 573 | }, 574 | { 575 | "v": "1", 576 | "type": { 577 | "name": "dashboard", 578 | "version": "1" 579 | }, 580 | "id": "7dadb786-dddf-40f6-a616-9db6c3b18164", 581 | "data": { 582 | "title": { 583 | "@type": "string", 584 | "@value": "DNS Requests (24h)" 585 | }, 586 | "description": { 587 | "@type": "string", 588 | "@value": "DNS Requests (24h)" 589 | }, 590 | "widgets": [ 591 | { 592 | "id": { 593 | "@type": "string", 594 | "@value": "f4789dbb-b7e9-447a-955e-b01ebad9aa8c" 595 | }, 596 | "description": { 597 | "@type": "string", 598 | "@value": "Total Requests By Response (24h)" 599 | }, 600 | "type": { 601 | "@type": "string", 602 | "@value": "QUICKVALUES" 603 | }, 604 | "cache_time": { 605 | "@type": "integer", 606 | "@value": 10 607 | }, 608 | "time_range": { 609 | "type": { 610 | "@type": "string", 611 | "@value": "relative" 612 | }, 613 | "range": { 614 | "@type": "integer", 615 | "@value": 86400 616 | } 617 | }, 618 | "configuration": { 619 | "interval": { 620 | "@type": "string", 621 | "@value": "minute" 622 | }, 623 | "query": { 624 | "@type": "string", 625 | "@value": 
"Context:PACKET" 626 | }, 627 | "show_pie_chart": { 628 | "@type": "boolean", 629 | "@value": true 630 | }, 631 | "sort_order": { 632 | "@type": "string", 633 | "@value": "desc" 634 | }, 635 | "timerange": { 636 | "type": { 637 | "@type": "string", 638 | "@value": "relative" 639 | }, 640 | "range": { 641 | "@type": "integer", 642 | "@value": 86400 643 | } 644 | }, 645 | "stacked_fields": { 646 | "@type": "string", 647 | "@value": "" 648 | }, 649 | "data_table_limit": { 650 | "@type": "integer", 651 | "@value": 50 652 | }, 653 | "field": { 654 | "@type": "string", 655 | "@value": "Response" 656 | }, 657 | "show_data_table": { 658 | "@type": "boolean", 659 | "@value": true 660 | }, 661 | "limit": { 662 | "@type": "integer", 663 | "@value": 5 664 | } 665 | }, 666 | "position": { 667 | "width": { 668 | "@type": "integer", 669 | "@value": 2 670 | }, 671 | "height": { 672 | "@type": "integer", 673 | "@value": 6 674 | }, 675 | "row": { 676 | "@type": "integer", 677 | "@value": 3 678 | }, 679 | "col": { 680 | "@type": "integer", 681 | "@value": 1 682 | } 683 | } 684 | }, 685 | { 686 | "id": { 687 | "@type": "string", 688 | "@value": "237f925e-dae2-4b63-b6b4-da77b678d71c" 689 | }, 690 | "description": { 691 | "@type": "string", 692 | "@value": "Total Requests By IP (24h)" 693 | }, 694 | "type": { 695 | "@type": "string", 696 | "@value": "QUICKVALUES" 697 | }, 698 | "cache_time": { 699 | "@type": "integer", 700 | "@value": 10 701 | }, 702 | "time_range": { 703 | "type": { 704 | "@type": "string", 705 | "@value": "relative" 706 | }, 707 | "range": { 708 | "@type": "integer", 709 | "@value": 86400 710 | } 711 | }, 712 | "configuration": { 713 | "interval": { 714 | "@type": "string", 715 | "@value": "minute" 716 | }, 717 | "query": { 718 | "@type": "string", 719 | "@value": "Context:PACKET" 720 | }, 721 | "show_pie_chart": { 722 | "@type": "boolean", 723 | "@value": true 724 | }, 725 | "sort_order": { 726 | "@type": "string", 727 | "@value": "desc" 728 | }, 729 | "timerange": { 
730 | "type": { 731 | "@type": "string", 732 | "@value": "relative" 733 | }, 734 | "range": { 735 | "@type": "integer", 736 | "@value": 86400 737 | } 738 | }, 739 | "stacked_fields": { 740 | "@type": "string", 741 | "@value": "" 742 | }, 743 | "data_table_limit": { 744 | "@type": "integer", 745 | "@value": 50 746 | }, 747 | "field": { 748 | "@type": "string", 749 | "@value": "IP" 750 | }, 751 | "show_data_table": { 752 | "@type": "boolean", 753 | "@value": true 754 | }, 755 | "limit": { 756 | "@type": "integer", 757 | "@value": 5 758 | } 759 | }, 760 | "position": { 761 | "width": { 762 | "@type": "integer", 763 | "@value": 4 764 | }, 765 | "height": { 766 | "@type": "integer", 767 | "@value": 4 768 | }, 769 | "row": { 770 | "@type": "integer", 771 | "@value": 5 772 | }, 773 | "col": { 774 | "@type": "integer", 775 | "@value": 7 776 | } 777 | } 778 | }, 779 | { 780 | "id": { 781 | "@type": "string", 782 | "@value": "7a318462-2637-4fcb-b5d8-cc142a52b5dc" 783 | }, 784 | "description": { 785 | "@type": "string", 786 | "@value": "Total Requests By Name (24h)" 787 | }, 788 | "type": { 789 | "@type": "string", 790 | "@value": "QUICKVALUES" 791 | }, 792 | "cache_time": { 793 | "@type": "integer", 794 | "@value": 10 795 | }, 796 | "time_range": { 797 | "type": { 798 | "@type": "string", 799 | "@value": "relative" 800 | }, 801 | "range": { 802 | "@type": "integer", 803 | "@value": 86400 804 | } 805 | }, 806 | "configuration": { 807 | "interval": { 808 | "@type": "string", 809 | "@value": "minute" 810 | }, 811 | "query": { 812 | "@type": "string", 813 | "@value": "Context:PACKET" 814 | }, 815 | "show_pie_chart": { 816 | "@type": "boolean", 817 | "@value": true 818 | }, 819 | "sort_order": { 820 | "@type": "string", 821 | "@value": "desc" 822 | }, 823 | "timerange": { 824 | "type": { 825 | "@type": "string", 826 | "@value": "relative" 827 | }, 828 | "range": { 829 | "@type": "integer", 830 | "@value": 86400 831 | } 832 | }, 833 | "stacked_fields": { 834 | "@type": "string", 
835 | "@value": "" 836 | }, 837 | "data_table_limit": { 838 | "@type": "integer", 839 | "@value": 50 840 | }, 841 | "field": { 842 | "@type": "string", 843 | "@value": "Name" 844 | }, 845 | "show_data_table": { 846 | "@type": "boolean", 847 | "@value": true 848 | }, 849 | "limit": { 850 | "@type": "integer", 851 | "@value": 5 852 | } 853 | }, 854 | "position": { 855 | "width": { 856 | "@type": "integer", 857 | "@value": 4 858 | }, 859 | "height": { 860 | "@type": "integer", 861 | "@value": 4 862 | }, 863 | "row": { 864 | "@type": "integer", 865 | "@value": 1 866 | }, 867 | "col": { 868 | "@type": "integer", 869 | "@value": 7 870 | } 871 | } 872 | }, 873 | { 874 | "id": { 875 | "@type": "string", 876 | "@value": "63a1f637-085b-4f06-b82e-46c10c033d51" 877 | }, 878 | "description": { 879 | "@type": "string", 880 | "@value": "Total Requests By Type (24h)" 881 | }, 882 | "type": { 883 | "@type": "string", 884 | "@value": "QUICKVALUES" 885 | }, 886 | "cache_time": { 887 | "@type": "integer", 888 | "@value": 10 889 | }, 890 | "time_range": { 891 | "type": { 892 | "@type": "string", 893 | "@value": "relative" 894 | }, 895 | "range": { 896 | "@type": "integer", 897 | "@value": 86400 898 | } 899 | }, 900 | "configuration": { 901 | "interval": { 902 | "@type": "string", 903 | "@value": "minute" 904 | }, 905 | "query": { 906 | "@type": "string", 907 | "@value": "Context:PACKET" 908 | }, 909 | "show_pie_chart": { 910 | "@type": "boolean", 911 | "@value": true 912 | }, 913 | "sort_order": { 914 | "@type": "string", 915 | "@value": "desc" 916 | }, 917 | "timerange": { 918 | "type": { 919 | "@type": "string", 920 | "@value": "relative" 921 | }, 922 | "range": { 923 | "@type": "integer", 924 | "@value": 86400 925 | } 926 | }, 927 | "stacked_fields": { 928 | "@type": "string", 929 | "@value": "" 930 | }, 931 | "data_table_limit": { 932 | "@type": "integer", 933 | "@value": 50 934 | }, 935 | "field": { 936 | "@type": "string", 937 | "@value": "QType" 938 | }, 939 | "show_data_table": 
{ 940 | "@type": "boolean", 941 | "@value": true 942 | }, 943 | "limit": { 944 | "@type": "integer", 945 | "@value": 5 946 | } 947 | }, 948 | "position": { 949 | "width": { 950 | "@type": "integer", 951 | "@value": 2 952 | }, 953 | "height": { 954 | "@type": "integer", 955 | "@value": 6 956 | }, 957 | "row": { 958 | "@type": "integer", 959 | "@value": 3 960 | }, 961 | "col": { 962 | "@type": "integer", 963 | "@value": 3 964 | } 965 | } 966 | }, 967 | { 968 | "id": { 969 | "@type": "string", 970 | "@value": "a42a0783-2a91-49de-8349-1f8c6512dd07" 971 | }, 972 | "description": { 973 | "@type": "string", 974 | "@value": "Total Requests By Server (24h)" 975 | }, 976 | "type": { 977 | "@type": "string", 978 | "@value": "QUICKVALUES" 979 | }, 980 | "cache_time": { 981 | "@type": "integer", 982 | "@value": 10 983 | }, 984 | "time_range": { 985 | "type": { 986 | "@type": "string", 987 | "@value": "relative" 988 | }, 989 | "range": { 990 | "@type": "integer", 991 | "@value": 86400 992 | } 993 | }, 994 | "configuration": { 995 | "interval": { 996 | "@type": "string", 997 | "@value": "minute" 998 | }, 999 | "query": { 1000 | "@type": "string", 1001 | "@value": "Context:PACKET" 1002 | }, 1003 | "show_pie_chart": { 1004 | "@type": "boolean", 1005 | "@value": true 1006 | }, 1007 | "sort_order": { 1008 | "@type": "string", 1009 | "@value": "desc" 1010 | }, 1011 | "timerange": { 1012 | "type": { 1013 | "@type": "string", 1014 | "@value": "relative" 1015 | }, 1016 | "range": { 1017 | "@type": "integer", 1018 | "@value": 86400 1019 | } 1020 | }, 1021 | "stacked_fields": { 1022 | "@type": "string", 1023 | "@value": "" 1024 | }, 1025 | "data_table_limit": { 1026 | "@type": "integer", 1027 | "@value": 50 1028 | }, 1029 | "field": { 1030 | "@type": "string", 1031 | "@value": "source" 1032 | }, 1033 | "show_data_table": { 1034 | "@type": "boolean", 1035 | "@value": true 1036 | }, 1037 | "limit": { 1038 | "@type": "integer", 1039 | "@value": 5 1040 | } 1041 | }, 1042 | "position": { 1043 | 
"width": { 1044 | "@type": "integer", 1045 | "@value": 2 1046 | }, 1047 | "height": { 1048 | "@type": "integer", 1049 | "@value": 6 1050 | }, 1051 | "row": { 1052 | "@type": "integer", 1053 | "@value": 3 1054 | }, 1055 | "col": { 1056 | "@type": "integer", 1057 | "@value": 5 1058 | } 1059 | } 1060 | }, 1061 | { 1062 | "id": { 1063 | "@type": "string", 1064 | "@value": "e18c73be-1d0f-42fa-b3a5-3be1c6f68f1c" 1065 | }, 1066 | "description": { 1067 | "@type": "string", 1068 | "@value": "Total DNS Requests (24h)" 1069 | }, 1070 | "type": { 1071 | "@type": "string", 1072 | "@value": "SEARCH_RESULT_CHART" 1073 | }, 1074 | "cache_time": { 1075 | "@type": "integer", 1076 | "@value": 10 1077 | }, 1078 | "time_range": { 1079 | "type": { 1080 | "@type": "string", 1081 | "@value": "relative" 1082 | }, 1083 | "range": { 1084 | "@type": "integer", 1085 | "@value": 86400 1086 | } 1087 | }, 1088 | "configuration": { 1089 | "interval": { 1090 | "@type": "string", 1091 | "@value": "minute" 1092 | }, 1093 | "timerange": { 1094 | "type": { 1095 | "@type": "string", 1096 | "@value": "relative" 1097 | }, 1098 | "range": { 1099 | "@type": "integer", 1100 | "@value": 86400 1101 | } 1102 | }, 1103 | "query": { 1104 | "@type": "string", 1105 | "@value": "Context:PACKET" 1106 | } 1107 | }, 1108 | "position": { 1109 | "width": { 1110 | "@type": "integer", 1111 | "@value": 6 1112 | }, 1113 | "height": { 1114 | "@type": "integer", 1115 | "@value": 2 1116 | }, 1117 | "row": { 1118 | "@type": "integer", 1119 | "@value": 1 1120 | }, 1121 | "col": { 1122 | "@type": "integer", 1123 | "@value": 1 1124 | } 1125 | } 1126 | } 1127 | ] 1128 | }, 1129 | "constraints": [ 1130 | { 1131 | "type": "server-version", 1132 | "version": ">=3.1.0+aa5175e" 1133 | } 1134 | ] 1135 | }, 1136 | { 1137 | "v": "1", 1138 | "type": { 1139 | "name": "grok_pattern", 1140 | "version": "1" 1141 | }, 1142 | "id": "3bf7b255-f3da-447d-87f5-84026d311474", 1143 | "data": { 1144 | "name": "WINDNS_NOTSPACE", 1145 | "pattern": "\\S+" 
1146 | }, 1147 | "constraints": [ 1148 | { 1149 | "type": "server-version", 1150 | "version": ">=3.1.0+aa5175e" 1151 | } 1152 | ] 1153 | }, 1154 | { 1155 | "v": "1", 1156 | "type": { 1157 | "name": "grok_pattern", 1158 | "version": "1" 1159 | }, 1160 | "id": "7d8cb619-dfc7-467a-932f-77a55ee72ab8", 1161 | "data": { 1162 | "name": "WINDNS_OPCODE", 1163 | "pattern": "([A-Z]{1})" 1164 | }, 1165 | "constraints": [ 1166 | { 1167 | "type": "server-version", 1168 | "version": ">=3.1.0+aa5175e" 1169 | } 1170 | ] 1171 | }, 1172 | { 1173 | "v": "1", 1174 | "type": { 1175 | "name": "grok_pattern", 1176 | "version": "1" 1177 | }, 1178 | "id": "38d110df-2ecd-477b-b279-bd29abc2e8f9", 1179 | "data": { 1180 | "name": "WINDNS_XID", 1181 | "pattern": "([a-z0-9]{4})" 1182 | }, 1183 | "constraints": [ 1184 | { 1185 | "type": "server-version", 1186 | "version": ">=3.1.0+aa5175e" 1187 | } 1188 | ] 1189 | }, 1190 | { 1191 | "v": "1", 1192 | "type": { 1193 | "name": "grok_pattern", 1194 | "version": "1" 1195 | }, 1196 | "id": "de25224a-ae6b-4e2e-b99c-55c1a1dd3b80", 1197 | "data": { 1198 | "name": "WINDNS_THREADID", 1199 | "pattern": "[a-zA-Z0-9]{4}" 1200 | }, 1201 | "constraints": [ 1202 | { 1203 | "type": "server-version", 1204 | "version": ">=3.1.0+aa5175e" 1205 | } 1206 | ] 1207 | }, 1208 | { 1209 | "v": "1", 1210 | "type": { 1211 | "name": "grok_pattern", 1212 | "version": "1" 1213 | }, 1214 | "id": "874ba961-47f2-4cf4-9b66-a3fde2c7114c", 1215 | "data": { 1216 | "name": "WINDNS_FLAGSCHAR", 1217 | "pattern": "(\\s+[A|T|D|R]{1,4}\\s+)|(\\s+[A|T|D|R]{1,4}\\s+[A|T|D|R]{1,4}\\s+)|(\\s+[A|T|D|R]{1,4}\\s+[A|T|D|R]{1,4}\\s+[A|T|D|R]{1,4}\\s+)|\\s+" 1218 | }, 1219 | "constraints": [ 1220 | { 1221 | "type": "server-version", 1222 | "version": ">=3.1.0+aa5175e" 1223 | } 1224 | ] 1225 | }, 1226 | { 1227 | "v": "1", 1228 | "type": { 1229 | "name": "grok_pattern", 1230 | "version": "1" 1231 | }, 1232 | "id": "fcb1f819-4a03-4c77-9727-3f57915f6237", 1233 | "data": { 1234 | "name": "WINDNS_RESPONSE", 
1235 | "pattern": "([A-Z]+)" 1236 | }, 1237 | "constraints": [ 1238 | { 1239 | "type": "server-version", 1240 | "version": ">=3.1.0+aa5175e" 1241 | } 1242 | ] 1243 | }, 1244 | { 1245 | "v": "1", 1246 | "type": { 1247 | "name": "grok_pattern", 1248 | "version": "1" 1249 | }, 1250 | "id": "e1e06c96-5275-4377-a5ca-48a63cf7dcec", 1251 | "data": { 1252 | "name": "WINDNS_NAME", 1253 | "pattern": "(?:\\s+.+|)" 1254 | }, 1255 | "constraints": [ 1256 | { 1257 | "type": "server-version", 1258 | "version": ">=3.1.0+aa5175e" 1259 | } 1260 | ] 1261 | }, 1262 | { 1263 | "v": "1", 1264 | "type": { 1265 | "name": "grok_pattern", 1266 | "version": "1" 1267 | }, 1268 | "id": "1ba21a73-48b9-4bc6-aa2c-a2df217a9842", 1269 | "data": { 1270 | "name": "WINDNS_IP", 1271 | "pattern": "(?=3.1.0+aa5175e" 1277 | } 1278 | ] 1279 | }, 1280 | { 1281 | "v": "1", 1282 | "type": { 1283 | "name": "grok_pattern", 1284 | "version": "1" 1285 | }, 1286 | "id": "a3d71d65-a1fc-4693-b407-46e51f3a0e6f", 1287 | "data": { 1288 | "name": "WINDNS_QUERYRESP", 1289 | "pattern": "(\\s+R\\s+|\\s+)" 1290 | }, 1291 | "constraints": [ 1292 | { 1293 | "type": "server-version", 1294 | "version": ">=3.1.0+aa5175e" 1295 | } 1296 | ] 1297 | }, 1298 | { 1299 | "v": "1", 1300 | "type": { 1301 | "name": "grok_pattern", 1302 | "version": "1" 1303 | }, 1304 | "id": "5093081c-c245-4eb3-99e9-d2adeda217d9", 1305 | "data": { 1306 | "name": "WINDNS_QTYPE", 1307 | "pattern": "(?:\\s\\S+|)" 1308 | }, 1309 | "constraints": [ 1310 | { 1311 | "type": "server-version", 1312 | "version": ">=3.1.0+aa5175e" 1313 | } 1314 | ] 1315 | }, 1316 | { 1317 | "v": "1", 1318 | "type": { 1319 | "name": "grok_pattern", 1320 | "version": "1" 1321 | }, 1322 | "id": "426172e7-0f2f-4d16-b401-ab00e4015567", 1323 | "data": { 1324 | "name": "WINDNS_SNDRCV", 1325 | "pattern": "(Snd|Rcv)" 1326 | }, 1327 | "constraints": [ 1328 | { 1329 | "type": "server-version", 1330 | "version": ">=3.1.0+aa5175e" 1331 | } 1332 | ] 1333 | }, 1334 | { 1335 | "v": "1", 1336 | 
"type": { 1337 | "name": "grok_pattern", 1338 | "version": "1" 1339 | }, 1340 | "id": "33637a01-30f2-49af-aca1-80656c909b33", 1341 | "data": { 1342 | "name": "WINDNS_FLAGSHEX", 1343 | "pattern": "([0-9]+)" 1344 | }, 1345 | "constraints": [ 1346 | { 1347 | "type": "server-version", 1348 | "version": ">=3.1.0+aa5175e" 1349 | } 1350 | ] 1351 | }, 1352 | { 1353 | "v": "1", 1354 | "type": { 1355 | "name": "grok_pattern", 1356 | "version": "1" 1357 | }, 1358 | "id": "09f97c59-9628-44cc-b2b9-856dde261663", 1359 | "data": { 1360 | "name": "WINDNS_BASE16NUM", 1361 | "pattern": "(?=3.1.0+aa5175e" 1367 | } 1368 | ] 1369 | }, 1370 | { 1371 | "v": "1", 1372 | "type": { 1373 | "name": "grok_pattern", 1374 | "version": "1" 1375 | }, 1376 | "id": "d49a1534-640c-4024-913c-c0a908510829", 1377 | "data": { 1378 | "name": "WINDNS_TIME", 1379 | "pattern": "(?:0?[1-9]|1[0-2])[/-](?:(?:0[1-9])|(?:[12][0-9])|(?:3[01])|[1-9])[/-](?>\\d\\d){1,2}\\s(?!<[0-9])(?:2[0123]|[01]?[0-9]):(?:[0-5][0-9]):(?:(?:[0-5]?[0-9]|60)(?:[:.,][0-9]+)?)\\s(A|P)M" 1380 | }, 1381 | "constraints": [ 1382 | { 1383 | "type": "server-version", 1384 | "version": ">=3.1.0+aa5175e" 1385 | } 1386 | ] 1387 | }, 1388 | { 1389 | "v": "1", 1390 | "type": { 1391 | "name": "grok_pattern", 1392 | "version": "1" 1393 | }, 1394 | "id": "50fd7373-a652-4908-a9ae-2e06f48919ab", 1395 | "data": { 1396 | "name": "WINDNS_PROTOCOL", 1397 | "pattern": "(UDP|TCP)" 1398 | }, 1399 | "constraints": [ 1400 | { 1401 | "type": "server-version", 1402 | "version": ">=3.1.0+aa5175e" 1403 | } 1404 | ] 1405 | }, 1406 | { 1407 | "v": "1", 1408 | "type": { 1409 | "name": "input", 1410 | "version": "1" 1411 | }, 1412 | "id": "9e6f7b59-63a1-4a63-af32-f6875f1721b0", 1413 | "data": { 1414 | "title": { 1415 | "@type": "string", 1416 | "@value": "TCP_WinDNS_1555" 1417 | }, 1418 | "configuration": { 1419 | "tls_key_file": { 1420 | "@type": "string", 1421 | "@value": "" 1422 | }, 1423 | "port": { 1424 | "@type": "integer", 1425 | "@value": 1555 1426 | }, 1427 | 
"tls_enable": { 1428 | "@type": "boolean", 1429 | "@value": false 1430 | }, 1431 | "recv_buffer_size": { 1432 | "@type": "integer", 1433 | "@value": 1048576 1434 | }, 1435 | "tcp_keepalive": { 1436 | "@type": "boolean", 1437 | "@value": false 1438 | }, 1439 | "tls_client_auth_cert_file": { 1440 | "@type": "string", 1441 | "@value": "" 1442 | }, 1443 | "bind_address": { 1444 | "@type": "string", 1445 | "@value": "0.0.0.0" 1446 | }, 1447 | "no_beats_prefix": { 1448 | "@type": "boolean", 1449 | "@value": false 1450 | }, 1451 | "tls_cert_file": { 1452 | "@type": "string", 1453 | "@value": "" 1454 | }, 1455 | "tls_client_auth": { 1456 | "@type": "string", 1457 | "@value": "disabled" 1458 | }, 1459 | "tls_key_password": { 1460 | "@type": "string", 1461 | "@value": "" 1462 | } 1463 | }, 1464 | "static_fields": {}, 1465 | "type": { 1466 | "@type": "string", 1467 | "@value": "org.graylog.plugins.beats.Beats2Input" 1468 | }, 1469 | "global": { 1470 | "@type": "boolean", 1471 | "@value": true 1472 | }, 1473 | "extractors": [ 1474 | { 1475 | "target_field": { 1476 | "@type": "string", 1477 | "@value": "Name" 1478 | }, 1479 | "condition_value": { 1480 | "@type": "string", 1481 | "@value": "\\([0-9]+\\)" 1482 | }, 1483 | "order": { 1484 | "@type": "integer", 1485 | "@value": 0 1486 | }, 1487 | "converters": [], 1488 | "configuration": { 1489 | "regex": { 1490 | "@type": "string", 1491 | "@value": "\\([0-9]+\\)" 1492 | }, 1493 | "replacement": { 1494 | "@type": "string", 1495 | "@value": "." 
1496 | }, 1497 | "replace_all": { 1498 | "@type": "boolean", 1499 | "@value": true 1500 | } 1501 | }, 1502 | "source_field": { 1503 | "@type": "string", 1504 | "@value": "Name" 1505 | }, 1506 | "title": { 1507 | "@type": "string", 1508 | "@value": "WinDNS_Name" 1509 | }, 1510 | "type": { 1511 | "@type": "string", 1512 | "@value": "REGEX_REPLACE" 1513 | }, 1514 | "cursor_strategy": { 1515 | "@type": "string", 1516 | "@value": "CUT" 1517 | }, 1518 | "condition_type": { 1519 | "@type": "string", 1520 | "@value": "REGEX" 1521 | } 1522 | }, 1523 | { 1524 | "target_field": { 1525 | "@type": "string", 1526 | "@value": "" 1527 | }, 1528 | "condition_value": { 1529 | "@type": "string", 1530 | "@value": " PACKET\\s+[A-Z0-9]{16}\\s+UDP|TCP\\s" 1531 | }, 1532 | "order": { 1533 | "@type": "integer", 1534 | "@value": 0 1535 | }, 1536 | "converters": [], 1537 | "configuration": { 1538 | "grok_pattern": { 1539 | "@type": "string", 1540 | "@value": "%{WINDNS_TIME:Time} +%{WINDNS_THREADID:ThreadID} +%{WINDNS_NOTSPACE:Context} +%{WINDNS_BASE16NUM:InternalID} +%{WINDNS_PROTOCOL:Protocol} +%{WINDNS_SNDRCV:SndRcv} +%{WINDNS_IP:IP} +%{WINDNS_XID:XID}%{WINDNS_QUERYRESP:QueryResp}%{WINDNS_OPCODE:Opcode} +\\[%{WINDNS_FLAGSHEX:FlagsHex}%{WINDNS_FLAGSCHAR:FlagsChar}%{WINDNS_RESPONSE:Response}\\]%{WINDNS_QTYPE:QType}%{WINDNS_NAME:Name}" 1541 | } 1542 | }, 1543 | "source_field": { 1544 | "@type": "string", 1545 | "@value": "message" 1546 | }, 1547 | "title": { 1548 | "@type": "string", 1549 | "@value": "WinDNS_Debug_Log" 1550 | }, 1551 | "type": { 1552 | "@type": "string", 1553 | "@value": "GROK" 1554 | }, 1555 | "cursor_strategy": { 1556 | "@type": "string", 1557 | "@value": "CUT" 1558 | }, 1559 | "condition_type": { 1560 | "@type": "string", 1561 | "@value": "REGEX" 1562 | } 1563 | } 1564 | ] 1565 | }, 1566 | "constraints": [ 1567 | { 1568 | "type": "server-version", 1569 | "version": ">=3.1.0+aa5175e" 1570 | } 1571 | ] 1572 | } 1573 | ] 1574 | } 
-------------------------------------------------------------------------------- /extractors_standalone.json: -------------------------------------------------------------------------------- 1 | { 2 | "extractors": [ 3 | { 4 | "title": "WinDNS_Name", 5 | "extractor_type": "regex_replace", 6 | "converters": [], 7 | "order": 0, 8 | "cursor_strategy": "cut", 9 | "source_field": "Name", 10 | "target_field": "Name", 11 | "extractor_config": { 12 | "regex": "\\([0-9]+\\)", 13 | "replacement": ".", 14 | "replace_all": true 15 | }, 16 | "condition_type": "regex", 17 | "condition_value": "\\([0-9]+\\)" 18 | }, 19 | { 20 | "title": "WinDNS_Debug_Log", 21 | "extractor_type": "grok", 22 | "converters": [], 23 | "order": 0, 24 | "cursor_strategy": "cut", 25 | "source_field": "message", 26 | "target_field": "", 27 | "extractor_config": { 28 | "grok_pattern": "%{WINDNS_TIME:Time} +%{WINDNS_THREADID:ThreadID} +%{WINDNS_NOTSPACE:Context} +%{WINDNS_BASE16NUM:InternalID} +%{WINDNS_PROTOCOL:Protocol} +%{WINDNS_SNDRCV:SndRcv} +%{WINDNS_IP:IP} +%{WINDNS_XID:XID}%{WINDNS_QUERYRESP:QueryResp}%{WINDNS_OPCODE:Opcode} +\\[%{WINDNS_FLAGSHEX:FlagsHex}%{WINDNS_FLAGSCHAR:FlagsChar}%{WINDNS_RESPONSE:Response}\\]%{WINDNS_QTYPE:QType}%{WINDNS_NAME:Name}" 29 | }, 30 | "condition_type": "regex", 31 | "condition_value": " PACKET\\s+[A-Z0-9]{16}\\s+UDP|TCP\\s" 32 | } 33 | ], 34 | "version": "3.1.0" 35 | } --------------------------------------------------------------------------------