Extract DNS Queries from netscaler syslog
Description
To extract the DNS queries from the netscaler:syslog events you need the following regex:
^\s+(?P<date>[^:]+):(?P<time>[^ ]+)(?:[^:\n]*:){3}(?P<source_ip>[^#]+)(?:[^/\n]*/){8}\d+#(?P<dns>(?#)[_a-zA-Z0-9.-]+)(\.\/)
You can now put it in a search and get an overview of all DNS queries.
index=network_netscaler sourcetype="citrix:netscaler:syslog" DNS | rex "^\s+(?P<date>[^:]+):(?P<time>[^ ]+)(?:[^:\n]*:){3}(?P<source_ip>[^#]+)(?:[^/\n]*/){8}\d+#(?P<dns>(?#)[_a-zA-Z0-9.-]+)(\.\/)" | table time, date, source_ip, dns
Note that the extraction must use rex: rex creates the named groups (date, time, source_ip, dns) as fields, whereas the regex command only keeps or drops events and would leave the table empty.
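To check what the regex actually captures before putting it into a search, the same pattern can be run offline with Python's re module, which understands the (?P<name>...) groups and the (?#) empty comment used here. The script below is an added example, not part of the original snippet; the sample events are constructed to exercise the regex (their field layout after the timestamp is hypothetical, not a verified NetScaler message format), and the third event is a non-DNS line that the pattern must reject.

```python
import re
from collections import Counter

# The regex from the page, with the "\n" escapes inside the character classes
# restored on one line. (?#) is an empty inline comment and matches nothing.
NETSCALER_DNS_RE = re.compile(
    r"^\s+(?P<date>[^:]+):(?P<time>[^ ]+)(?:[^:\n]*:){3}"
    r"(?P<source_ip>[^#]+)(?:[^/\n]*/){8}\d+#(?P<dns>(?#)[_a-zA-Z0-9.-]+)(\.\/)"
)

# Constructed sample events. The layout after the timestamp is hypothetical and
# chosen only so the regex can be exercised; it is not captured NetScaler output.
SAMPLE_EVENTS = [
    " 01/15/2024:12:30:45 GMT ns01 0-PPE-0 : default DNS DNS_QUERY 4711 0 : "
    "ClientIP:10.0.0.5#41234/UDP/A/IN/0/0/0/0/53#www.example.com./",
    " 01/15/2024:12:30:46 GMT ns01 0-PPE-0 : default DNS DNS_QUERY 4712 0 : "
    "ClientIP:10.0.0.7#41235/UDP/AAAA/IN/0/0/0/0/53#login.example.net./",
    " 01/15/2024:12:30:47 GMT ns01 0-PPE-0 : default SSLLOG SSL_HANDSHAKE_SUCCESS 4713 0 : ...",
]

FIELDS = ("time", "date", "source_ip", "dns")


def extract_dns_queries(events):
    """Return one dict per matching event, the rows the SPL table would show.

    Events the pattern does not match (non-DNS lines) are skipped, which is the
    same effect as the DNS keyword filter plus a failed rex in the search.
    """
    rows = []
    for raw in events:
        m = NETSCALER_DNS_RE.match(raw)
        if m is None:
            continue
        rows.append({name: m.group(name) for name in FIELDS})
    return rows


def queries_per_client(rows):
    """Count (source_ip, dns) pairs, the equivalent of stats count by source_ip, dns."""
    return Counter((row["source_ip"], row["dns"]) for row in rows)


if __name__ == "__main__":
    extracted = extract_dns_queries(SAMPLE_EVENTS)
    for row in extracted:
        print(row)
    for (ip, name), count in queries_per_client(extracted).items():
        print(f"{ip} -> {name}: {count}")
```

The trailing dot of the queried name is not part of the dns field: the character class is greedy but the literal `\./` that follows forces it to stop one character earlier, which is why the table shows `www.example.com` rather than `www.example.com.`.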