Feature #1198
closedmore compact dns logging
Added by Victor Julien over 10 years ago. Updated over 6 years ago.
Description
The DNS logging is very verbose currently. Even on small links this can lead to many many log records. We need a less verbose format, probably enabled by default.
Updated by Victor Julien over 10 years ago
- Subject changed from more conpact dns logging to more compact dns logging
Updated by Victor Julien over 10 years ago
I think it would be nice to be able to enable/disable logging of record types, so e.g. A records, but not SOA, etc.
Updated by Peter Manev over 10 years ago
Also to consider -
1)
an option to log only req or responces
2)
an option to do logs only triggered by dns rules
Updated by Giacomo Milani over 10 years ago
What about:
- dns-log:
enabled: yes
filename: dns.log
append: yes
# supported rtypes: ["A","NS","AAAA","CNAME","SOA","MX","PTR","ANY","TKEY","TSIG"]
ignore-rtypes: ["SOA"]
log-request: yes
log-response: yes
only-alarmed: no
Log-request/log-response/only-alarmed Conf Bool should be quite easy to implement with an if statement in LogDnsLogger function.
To handle ignore-rtypes (event->types is a 16bit field) i think is better to create a bitarray to filter out ignored types, it will use 8kbyte of memory but the code will be faster and cleaner that create an if clause for each record types.
Updated by Peter Manev over 10 years ago
I like very much that idea - modular and flexible.
Updated by Andreas Moe over 10 years ago
While on the subject on output from Suricata, could this case be linked to Feature #1235? Output of "alerts and results" has been slowly merging to the JSON format, the possibility to process DNS logs in another applications would go alot better with JSON than todays formatting?
Updated by Peter Manev over 10 years ago
Yes, in general.
This ticket however discusses the specifics of this DNS logging (what and how much of, type of thing)- so it is a different subject.
And yes - I think that it is very beneficial for that DNS logging being discussed here on this ticket (more compact logging) to be available in JSON format.
Updated by Andreas Herz almost 9 years ago
- Assignee set to OISF Dev
- Target version set to TBD
Updated by Victor Julien about 8 years ago
Tom Decanio has implemented DNS output filtering by type: https://github.com/inliniac/suricata/pull/2185
Updated by Victor Julien almost 7 years ago
- Status changed from New to Assigned
- Assignee changed from OISF Dev to Giuseppe Longo
- Target version changed from TBD to 70
Updated by Jason Ish over 6 years ago
- Related to Feature #2086: DNS answer for a NS containing multiple name servers should only be one line added
Updated by Jason Ish over 6 years ago
- Status changed from Assigned to Closed
- Target version changed from 70 to 4.1beta1
See #2199.