more compact dns logging
The DNS logging is very verbose currently. Even on small links this can lead to many many log records. We need a less verbose format, probably enabled by default.
Updated by Giacomo Milani over 8 years ago
append: yes # supported rtypes: ["A","NS","AAAA","CNAME","SOA","MX","PTR","ANY","TKEY","TSIG"]
Log-request/log-response/only-alarmed Conf Bool should be quite easy to implement with an if statement in the LogDnsLogger function.
To handle ignore-rtypes (event->types is a 16-bit field) I think it is better to create a bit array to filter out ignored types; it will use 8 kB of memory, but the code will be faster and cleaner than creating an if clause for each record type.
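As an added illustration of the approach sketched in the comment above (this is example code, not Suricata's own dns-log implementation): a 65536-bit ignore table indexed directly by the 16-bit rtype, plus the three boolean knobs, folded into one decision function. The struct layout, the function names (DnsLogConf, DnsLogShouldLog, DnsLogRtypeValue, DnsLogExampleCount) and the sample events are assumptions for the example; the rtype codes are the IANA RR type numbers for the names listed in the config snippet.

```c
/* Example only: not Suricata's own dns-log code. It sketches the three
 * boolean knobs (log-request, log-response, only-alerted) and the
 * 65536-bit ignore table proposed above for the 16-bit DNS rtype field. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DNS_RTYPE_MAX   65536u              /* 16-bit type field */
#define DNS_RTYPE_BYTES (DNS_RTYPE_MAX / 8) /* 8192 bytes, i.e. the 8 kB mentioned */

typedef struct {
    bool log_request;
    bool log_response;
    bool only_alerted;
    uint8_t ignore_rtypes[DNS_RTYPE_BYTES]; /* bit set => rtype is not logged */
} DnsLogConf;

/* Hypothetical event shape: only the fields the filter needs. */
typedef struct {
    bool is_response;
    bool alerted;      /* flow matched a rule */
    uint16_t rtype;
} DnsLogEvent;

static void DnsLogConfInit(DnsLogConf *c)
{
    memset(c, 0, sizeof(*c));
    c->log_request = true;
    c->log_response = true;
    c->only_alerted = false;
}

static void DnsLogIgnoreRtype(DnsLogConf *c, uint16_t rtype)
{
    c->ignore_rtypes[rtype >> 3] |= (uint8_t)(1u << (rtype & 7));
}

static bool DnsLogRtypeIgnored(const DnsLogConf *c, uint16_t rtype)
{
    return (c->ignore_rtypes[rtype >> 3] >> (rtype & 7)) & 1u;
}

/* Names from the supported-rtypes list in the config snippet above,
 * mapped to their IANA RR type codes. Returns -1 for an unknown name. */
static int DnsLogRtypeValue(const char *name)
{
    static const struct { const char *name; uint16_t code; } tbl[] = {
        { "A", 1 }, { "NS", 2 }, { "CNAME", 5 }, { "SOA", 6 }, { "PTR", 12 },
        { "MX", 15 }, { "AAAA", 28 }, { "TKEY", 249 }, { "TSIG", 250 }, { "ANY", 255 },
    };
    for (size_t i = 0; i < sizeof(tbl) / sizeof(tbl[0]); i++)
        if (strcmp(tbl[i].name, name) == 0)
            return tbl[i].code;
    return -1;
}

/* The "if statement" from the comment: the decision made before a
 * record is formatted. One bit test replaces a chain of per-type
 * comparisons, whatever the length of the ignore list. */
static bool DnsLogShouldLog(const DnsLogConf *c, const DnsLogEvent *e)
{
    if (e->is_response ? !c->log_response : !c->log_request)
        return false;
    if (c->only_alerted && !e->alerted)
        return false;
    return !DnsLogRtypeIgnored(c, e->rtype);
}

/* Constructed sample: count how many of these events a conf that
 * ignores AAAA and PTR and logs only responses would emit. */
static int DnsLogExampleCount(void)
{
    DnsLogConf c;
    DnsLogConfInit(&c);
    c.log_request = false;
    DnsLogIgnoreRtype(&c, (uint16_t)DnsLogRtypeValue("AAAA"));
    DnsLogIgnoreRtype(&c, (uint16_t)DnsLogRtypeValue("PTR"));

    const DnsLogEvent events[] = {
        { false, false, 1  },  /* A request: dropped, requests are off */
        { true,  false, 1  },  /* A response: logged */
        { true,  false, 28 },  /* AAAA response: dropped, type ignored */
        { true,  true,  12 },  /* PTR response: dropped even though alerted */
        { true,  false, 15 },  /* MX response: logged */
    };
    int logged = 0;
    for (size_t i = 0; i < sizeof(events) / sizeof(events[0]); i++)
        if (DnsLogShouldLog(&c, &events[i]))
            logged++;
    return logged;
}

int main(void)
{
    printf("logged %d of 5 sample events\n", DnsLogExampleCount());
    return 0;
}
```

The ignore table costs a fixed 8 kB per logger instance regardless of how many types are listed, and the lookup is a shift, a mask and one load; an unknown name in the config is the one case the parser must reject up front, since there is no bit to set for it.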
Updated by Andreas Moe about 8 years ago
While on the subject of output from Suricata, could this case be linked to Feature #1235? Output of "alerts and results" has been slowly merging to the JSON format; the possibility to process DNS logs in other applications would go a lot better with JSON than today's formatting?
Updated by Peter Manev about 8 years ago
Yes, in general.
This ticket, however, discusses the specifics of this DNS logging (what and how much of it, that type of thing), so it is a different subject.
And yes - I think that it is very beneficial for that DNS logging being discussed here on this ticket (more compact logging) to be available in JSON format.