Extract DNS Queries from netscaler syslog

To extract the DNS logging from netscaler:syslog you need the following regex:

^\s+(?P<date>[^:]+):(?P<time>[^ ]+)(?:[^:\n]*:){3}(?P<source_ip>[^#]+)(?:[^/\n]*/){8}\d+#(?P<dns>(?#)[_a-zA-Z0-9.-]+)(\.\/)

You can now put it in the query and get an overview of all DNS queries.

 index=network_netscaler sourcetype="citrix:netscaler:syslog" DNS | regex "^\s+(?P<date>[^:]+):(?P<time>[^ ]+)(?:[^:\n]*:){3}(?P<source_ip>[^#]+)(?:[^/\n]*/){8}\d+#(?P<dns>(?#)[_a-zA-Z0-9.-]+)(\.\/)" | table time, date, source_ip, dns

 

Share This:
Tagged:

Leave A Comment?