Feature #1198

closed

more compact dns logging

Added by Victor Julien over 7 years ago. Updated about 3 years ago.

Status:
Closed
Priority:
Normal
Target version:
Effort:
Difficulty:
Label:

Description

The DNS logging is very verbose currently. Even on small links this can lead to many many log records. We need a less verbose format, probably enabled by default.


Related issues

Related to Feature #2086: DNS answer for a NS containing multiple name servers should only be one line (Closed, assigned to Giuseppe Longo)
Actions #1

Updated by Victor Julien over 7 years ago

  • Subject changed from more conpact dns logging to more compact dns logging
Actions #2

Updated by Victor Julien over 7 years ago

I think it would be nice to be able to enable/disable logging of record types, so e.g. A records, but not SOA, etc.

Actions #3

Updated by Peter Manev over 7 years ago

Also to consider -
1) an option to log only requests or responses
2) an option to do logs only triggered by dns rules

Actions #4

Updated by Giacomo Milani about 7 years ago

What about:

- dns-log:
    enabled: yes
    filename: dns.log
    append: yes
    # supported rtypes: ["A","NS","AAAA","CNAME","SOA","MX","PTR","ANY","TKEY","TSIG"]
    ignore-rtypes: ["SOA"]
    log-request: yes
    log-response: yes
    only-alarmed: no

Log-request/log-response/only-alarmed Conf Bool should be quite easy to implement with an if statement in the LogDnsLogger function.
To handle ignore-rtypes (event->types is a 16-bit field) I think it is better to create a bitarray to filter out ignored types; it will use 8 kbyte of memory but the code will be faster and cleaner than creating an if clause for each record type.
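
The filtering scheme proposed in the comment above (a 65536-bit array indexed by the 16-bit record type, plus the three boolean switches), written out as an added example in C. This is not Suricata's code nor the comment author's implementation: the struct names, the event fields (direction, rtype, whether a rule alerted on it) and the name-to-code table are assumptions made for the example, and the sample events are constructed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* IANA DNS record type codes for the rtypes listed in the proposed config. */
enum { DNS_TYPE_A = 1, DNS_TYPE_NS = 2, DNS_TYPE_CNAME = 5, DNS_TYPE_SOA = 6,
       DNS_TYPE_PTR = 12, DNS_TYPE_MX = 15, DNS_TYPE_AAAA = 28,
       DNS_TYPE_TKEY = 249, DNS_TYPE_TSIG = 250, DNS_TYPE_ANY = 255 };

/* One bit per possible 16-bit rtype: 65536 bits = 8192 bytes, as the comment estimates. */
#define DNS_RTYPE_BITS 65536
typedef struct { uint8_t bits[DNS_RTYPE_BITS / 8]; } DnsRtypeFilter;

/* Hypothetical config struct mirroring the proposed YAML keys. */
typedef struct {
    bool log_request, log_response, only_alarmed;
    DnsRtypeFilter ignore;          /* ignore-rtypes */
} DnsLogConf;

/* Hypothetical DNS log event: direction, record type, and whether a rule fired on it. */
typedef struct { bool is_response; uint16_t rtype; bool alerted; } DnsLogEvent;

static void DnsRtypeFilterSet(DnsRtypeFilter *f, uint16_t rtype) {
    f->bits[rtype >> 3] |= (uint8_t)(1u << (rtype & 7));
}

static bool DnsRtypeFilterTest(const DnsRtypeFilter *f, uint16_t rtype) {
    return (f->bits[rtype >> 3] >> (rtype & 7)) & 1u;   /* O(1), any of the 65536 codes */
}

/* Map a name from the ignore-rtypes list to its type code; -1 if not supported. */
int DnsRtypeFromName(const char *name) {
    static const struct { const char *name; uint16_t code; } table[] = {
        {"A", DNS_TYPE_A}, {"NS", DNS_TYPE_NS}, {"AAAA", DNS_TYPE_AAAA},
        {"CNAME", DNS_TYPE_CNAME}, {"SOA", DNS_TYPE_SOA}, {"MX", DNS_TYPE_MX},
        {"PTR", DNS_TYPE_PTR}, {"ANY", DNS_TYPE_ANY}, {"TKEY", DNS_TYPE_TKEY},
        {"TSIG", DNS_TYPE_TSIG},
    };
    for (size_t i = 0; i < sizeof(table) / sizeof(table[0]); i++)
        if (strcmp(table[i].name, name) == 0)
            return table[i].code;
    return -1;
}

/* Build the config from the YAML values; returns how many ignore-rtypes names were accepted.
 * Unknown names are skipped (and would be worth a config warning) rather than aborting. */
int DnsLogConfInit(DnsLogConf *c, bool log_req, bool log_resp, bool only_alarmed,
                   const char *const *ignore_names, size_t n) {
    memset(c, 0, sizeof(*c));
    c->log_request = log_req;
    c->log_response = log_resp;
    c->only_alarmed = only_alarmed;
    int accepted = 0;
    for (size_t i = 0; i < n; i++) {
        int code = DnsRtypeFromName(ignore_names[i]);
        if (code < 0) continue;
        DnsRtypeFilterSet(&c->ignore, (uint16_t)code);
        accepted++;
    }
    return accepted;
}

/* The "if statement in the logger" from the comment: should this event be written? */
bool DnsLogShouldLog(const DnsLogConf *c, const DnsLogEvent *e) {
    if (e->is_response && !c->log_response) return false;
    if (!e->is_response && !c->log_request) return false;
    if (c->only_alarmed && !e->alerted) return false;
    if (DnsRtypeFilterTest(&c->ignore, e->rtype)) return false;
    return true;
}

/* Constructed demo: the YAML from the comment (ignore-rtypes: ["SOA"]) run over five
 * sample events; returns the number of events that would be logged. */
size_t DnsLogDemo(bool only_alarmed) {
    const char *const ignore[] = { "SOA" };
    DnsLogConf conf;
    DnsLogConfInit(&conf, true, true, only_alarmed, ignore, 1);
    const DnsLogEvent events[] = {
        { false, DNS_TYPE_A,    false },   /* A request, no alert      */
        { true,  DNS_TYPE_SOA,  true  },   /* SOA response: ignored    */
        { true,  DNS_TYPE_AAAA, false },   /* AAAA response            */
        { false, DNS_TYPE_MX,   true  },   /* MX request with an alert */
        { false, 65280,         false },   /* private-use type code    */
    };
    size_t logged = 0;
    for (size_t i = 0; i < sizeof(events) / sizeof(events[0]); i++)
        if (DnsLogShouldLog(&conf, &events[i]))
            logged++;
    return logged;
}

int main(void) {
    printf("only-alarmed: no  -> %zu events logged\n", DnsLogDemo(false));
    printf("only-alarmed: yes -> %zu events logged\n", DnsLogDemo(true));
    return 0;
}
```

The bit array costs 8 KiB once per logger regardless of how many types are ignored, and the per-event check is a single shift and mask, so the filter stays cheap even on the high-volume links the ticket is about.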

Actions #5

Updated by Peter Manev about 7 years ago

I like very much that idea - modular and flexible.

Actions #6

Updated by Andreas Moe about 7 years ago

While on the subject of output from Suricata, could this case be linked to Feature #1235? Output of "alerts and results" has been slowly merging to the JSON format; the possibility to process DNS logs in other applications would go a lot better with JSON than today's formatting?

Actions #7

Updated by Peter Manev about 7 years ago

Yes, in general.
This ticket however discusses the specifics of this DNS logging (what and how much of, type of thing) - so it is a different subject.

And yes - I think that it is very beneficial for that DNS logging being discussed here on this ticket (more compact logging) to be available in JSON format.

Actions #8

Updated by Andreas Herz over 5 years ago

  • Assignee set to OISF Dev
  • Target version set to TBD
Actions #9

Updated by Victor Julien about 5 years ago

Tom Decanio has implemented DNS output filtering by type: https://github.com/inliniac/suricata/pull/2185

Actions #10

Updated by Victor Julien almost 4 years ago

  • Status changed from New to Assigned
  • Assignee changed from OISF Dev to Giuseppe Longo
  • Target version changed from TBD to 70
Actions #11

Updated by Jason Ish about 3 years ago

  • Related to Feature #2086: DNS answer for a NS containing multiple name servers should only be one line added
Actions #12

Updated by Jason Ish about 3 years ago

  • Status changed from Assigned to Closed
  • Target version changed from 70 to 4.1beta1

See #2199.
