[Oisf-users] practical use of dns log

Peter Manev petermanev at gmail.com
Wed Nov 27 08:52:22 UTC 2013

On Tue, Nov 26, 2013 at 10:53 PM, Cooper F. Nelson <cnelson at ucsd.edu> wrote:
> You might want to look into the logstash and kibana projects.  Logstash
> can be used with a program called 'grok' to insert arbitrary data into
> an elasticsearch database.
> You can also capture/index DNS traffic off of the wire via the 'moloch'
> project.  See: https://github.com/aol/moloch
> -Coop
> On 11/26/2013 12:49 AM, Christophe Vandeplas wrote:
>> Hi list,
>> In the past I've been using another tool to do DNS logging, and now
>> I'd like to use Suricata for this. The format of the file is
>> completely different, and also a part of the interpretation (Suricata
>> is a LOT more verbose and complete)
>> DNS logging of Suricata is multiple lines per DNS request (and
>> response). So searching for things requires multiple greps and
>> filtering out duplicate ids.
>> I'm wondering how others use this DNS logging.
>> All stories (on or off-list) and practical use-cases are welcome.
>> I'll do my best to document these on the wiki so that others can
>> benefit from this info.
>> As far as I understand there seem to be plans to transform the logging
>> into json, is there already an idea about when that's to be expected?

Some general info and "how to" guides here:

and here:

All JSON output capability is planned for 2.0:
http, dns, alert, tls alongside files-json.

Currently I am writing an article/tutorial on how to use the all json
output with Kibana, Elasticsearch and Logstash.


Peter Manev
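As an added example (not code from this thread, from Suricata, or from Logstash/Kibana): a small Python script that folds the multi-line dns.log Christophe describes into one record per DNS transaction, keyed on the TX id together with the client and server endpoints so that reused transaction ids are not merged, and emits one JSON object per line for Logstash to ingest. The two line shapes it parses and the sample lines are assumptions constructed for this example, not taken from the page.

```python
import json
import re

# Assumed (not from the thread) pre-2.0 dns.log line shapes; the sample data below is constructed:
#   <ts> [**] Query TX <hex> [**] <name> [**] <type> [**] <src>:<sport> -> <dst>:<dport>
#   <ts> [**] Response TX <hex> [**] <name> [**] <type> [**] TTL <n> [**] <rdata> [**] <src>:<sport> -> <dst>:<dport>
FLOW = r"(?P<src>\S+):(?P<sport>\d+) -> (?P<dst>\S+):(?P<dport>\d+)$"
HEAD = r"^(?P<ts>\S+) \[\*\*\] {kind} TX (?P<tx>[0-9a-fA-F]+) \[\*\*\] (?P<name>\S+) \[\*\*\] (?P<rrtype>\S+) \[\*\*\] "
QUERY_RE = re.compile(HEAD.format(kind="Query") + FLOW)
RESP_RE = re.compile(HEAD.format(kind="Response") + r"TTL (?P<ttl>\d+) \[\*\*\] (?P<rdata>\S+) \[\*\*\] " + FLOW)

def _new_record(d, client, server, unmatched=False):
    # 'unmatched' marks a response seen without its query (e.g. capture started mid-flow)
    return {"timestamp": d["ts"], "tx_id": int(d["tx"], 16), "client": client, "server": server,
            "query": d["name"], "rrtype": d["rrtype"], "answers": [], "unmatched": unmatched}

def parse_dns_log(lines):
    """One dict per DNS transaction, in first-seen order. Keyed by (tx id, client ip, client port,
    server ip): 16-bit transaction ids are reused across clients, so the id alone cannot dedup."""
    txs, order = {}, []
    for line in lines:
        m = QUERY_RE.match(line.rstrip("\n"))
        if m:
            d = m.groupdict()
            key = (d["tx"].lower(), d["src"], d["sport"], d["dst"])
            if key not in txs:
                txs[key] = _new_record(d, f'{d["src"]}:{d["sport"]}', d["dst"])
                order.append(key)
            continue
        m = RESP_RE.match(line.rstrip("\n"))
        if m:
            d = m.groupdict()
            key = (d["tx"].lower(), d["dst"], d["dport"], d["src"])  # response flows server -> client
            if key not in txs:
                txs[key] = _new_record(d, f'{d["dst"]}:{d["dport"]}', d["src"], unmatched=True)
                order.append(key)
            txs[key]["answers"].append({"rrtype": d["rrtype"], "ttl": int(d["ttl"]), "rdata": d["rdata"]})
    return [txs[k] for k in order]

def to_json_lines(records):
    """One JSON object per line, a shape Logstash's json codec can ingest directly."""
    return "\n".join(json.dumps(r, sort_keys=True) for r in records)

# Constructed sample: one query with two answer lines, plus a second client reusing the same TX id.
SAMPLE = """\
11/26/2013-09:34:47.827349 [**] Query TX 1a2b [**] example.com [**] A [**] 10.0.0.5:51234 -> 10.0.0.1:53
11/26/2013-09:34:47.830102 [**] Response TX 1a2b [**] example.com [**] A [**] TTL 300 [**] 93.184.216.34 [**] 10.0.0.1:53 -> 10.0.0.5:51234
11/26/2013-09:34:47.830102 [**] Response TX 1a2b [**] example.com [**] A [**] TTL 300 [**] 93.184.216.35 [**] 10.0.0.1:53 -> 10.0.0.5:51234
11/26/2013-09:34:48.001000 [**] Query TX 1a2b [**] other.test [**] AAAA [**] 10.0.0.9:40000 -> 10.0.0.1:53
"""
```

Running `to_json_lines(parse_dns_log(SAMPLE.splitlines()))` yields two JSON lines, one per transaction, with both A answers folded into the first; a single grep on the output then answers "who asked for example.com and what did they get" without any id deduplication.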
