Suricata

I think it would be nice to be able to enable/disable logging of record types, so e.g. A records, but not SOA, etc.

Also to consider -
1)
an option to log only req or responces
2)
an option to do logs only triggered by dns rules

What about:

- dns-log:
enabled: yes
filename: dns.log
append: yes # supported rtypes: ["A","NS","AAAA","CNAME","SOA","MX","PTR","ANY","TKEY","TSIG"]
ignore-rtypes: ["SOA"]
log-request: yes
log-response: yes
only-alarmed: no

Log-request/log-response/only-alarmed Conf Bool should be quite easy to implement with an if statement in LogDnsLogger function.
To handle ignore-rtypes (event->types is a 16bit field) i think is better to create a bitarray to filter out ignored types, it will use 8kbyte of memory but the code will be faster and cleaner that create an if clause for each record types.

I like very much that idea - modular and flexible.

While on the subject on output from Suricata, could this case be linked to Feature #1235? Output of "alerts and results" has been slowly merging to the JSON format, the possibility to process DNS logs in another applications would go alot better with JSON than todays formatting?

Yes, in general.
This ticket however discusses the specifics of this DNS logging (what and how much of, type of thing)- so it is a different subject.

And yes - I think that it is very beneficial for that DNS logging being discussed here on this ticket (more compact logging) to be available in JSON format.

Tom Decanio has implemented DNS output filtering by type: https://github.com/inliniac/suricata/pull/2185