Raccogliere dati DNS di Microsoft Windows

Questo documento:

• Descrive l'architettura di deployment e i passaggi di installazione, oltre a eventuali configurazioni richieste che producono log supportati da ChronicleParser per gli eventi DNS di Microsoft Windows. Per una panoramica dell'importazione dati di Chronicle, consulta Importazione dei dati in Chronicle.
• Include informazioni su come il parser mappa i campi nel log originale ai campi del modello di dati unificato di Chronicle.

Le informazioni contenute in questo documento si applicano al parser con l'etichetta di importazione WINDOWS_DNS. L'etichetta di importazione identifica il parser normalizza i dati di log non elaborati nel formato UDM strutturato.

Prima di iniziare

• Esamina l'architettura di deployment consigliata.

  Il seguente diagramma illustra i componenti principali consigliati in un'architettura di deployment per raccogliere e inviare eventi DNS di Microsoft Windows a Chronicle. Confronta queste informazioni con il tuo ambiente per assicurarti che i componenti siano installati. Ogni deployment del cliente sarà diverso da questa rappresentazione e potrebbe essere più complesso. È obbligatorio specificare quanto segue:

  • Server DNS Microsoft Windows con la registrazione diagnostica DNS abilitata.
  • Tutti i sistemi configurati con il fuso orario UTC.
  • NXLog installato su server Microsoft Windows in cluster per raccogliere e inoltrare i log al server Microsoft Windows o Linux centrale.
  • Forwarder Chronicle installato sul server centrale Microsoft Windows o Linux.

  

• Esamina i dispositivi e le versioni supportati.

  Il parser Chronicle supporta i log delle seguenti versioni di Microsoft Windows Server. Microsoft Windows Server è disponibile nelle seguenti versioni: Foundation, Essentials, Standard e Datacenter. Lo schema di eventi dei log generati da ogni versione non è diverso.

  • Microsoft Windows Server 2019
  • Microsoft Windows Server 2016
  • Microsoft Windows Server 2012 R2

  Il parser Chronicle supporta i log raccolti da NXLog Enterprise Edition.

• Esamina i tipi di log supportati. Il parser Chronicle supporta i seguenti tipi di log generati dai server DNS di Microsoft Windows. Per ulteriori informazioni su questi tipi di log, consulta la documentazione Logging e diagnostica DNS di Microsoft Windows. Supporta i log generati in lingua inglese e non è supportato con log generati in lingue diverse dall'inglese.

  • Audit log: per una descrizione di questo tipo di log, consulta la documentazione degli Audit log di Microsoft Windows.
  • Log di Analytics: per una descrizione di questo tipo di log, consulta la documentazione sui log di Analytics di Microsoft Windows.

• Configura i server DNS di Microsoft Windows. Per informazioni sull'installazione e sull'abilitazione della registrazione diagnostica DNS, consulta la documentazione di Microsoft Windows.

• Installare e configurare il server centrale Windows o Linux.

• Configura tutti i sistemi con il fuso orario UTC.

Configura NXLog e inoltro Chronicle

1. Installa NXLog su ogni server DNS Microsoft Windows. Segui la documentazione di NXLog.

2. Creare un file di configurazione per ogni istanza NXLog. Utilizza il modulo di input im_etw per estrarre i log analitici DNS e il modulo di input im_msvistalog per gli audit log.

   • Per ulteriori informazioni sul modulo di input im_etw, consulta la sezione Tracciamento degli eventi per Microsoft Windows (im_etw), incluse informazioni sulla configurazione di NXLog per Microsoft Windows DNS.
   • Per ulteriori informazioni sul modulo di input im_msvistalog, consulta Log eventi per Microsoft Windows 2008/Vista e versioni successive (im_msvistalog).

   Ecco un esempio di configurazione NXLog. Sostituisci i valori <hostname> e <port> con informazioni sul server Microsoft Windows o Linux centrale. Per convertire e analizzare i log in formato JSON, anziché in XML, modifica la riga Exec to_xml(); in Exec to_json();. Per ulteriori informazioni, consulta la documentazione di NXLog sul modulo om_tcp.

   define ROOT C:\Program Files\nxlog
   define WINDNS_OUTPUT_DESTINATION_ADDRESS <hostname>
   define WINDNS_OUTPUT_DESTINATION_PORT <port>
   
   Moduledir   %ROOT%\modules
   CacheDir    %ROOT%\data
   Pidfile     %ROOT%\data\nxlog.pid
   SpoolDir    %ROOT%\data
   LogFile     %ROOT%\data\nxlog.log
   
   <Extension syslog>
       Module      xm_syslog
   </Extension>
   
   # To collect XML logs, use the below NXLog module
   <Extension xml>
       Module      xm_xml
   </Extension>
   
   # To collect JSON logs, use the below NXLog module
   <Extension json>
       Module      xm_json
   </Extension>
   
   <Input eventlog>
       Module      im_etw
       Provider    Microsoft-Windows-DNSServer
   </Input>
   
   <Input auditeventlog>
       Module      im_msvistalog
       <QueryXML>
           <QueryList>
               <Query Id="0" Path="Microsoft-Windows-DNSServer/Audit">
                   <Select Path="Microsoft-Windows-DNSServer/Audit">*</Select>
               </Query>
           </QueryList>
       </QueryXML>
   </Input>
   
   <Output out_chronicle_windns>
       Module      om_tcp
       Host        %WINDNS_OUTPUT_DESTINATION_ADDRESS%
       Port        %WINDNS_OUTPUT_DESTINATION_PORT%
       Exec        $EventTime = integer($EventTime) / 1000;
       Exec        $EventReceivedTime = integer($EventReceivedTime) / 1000;
       Exec        to_xml(); # To collect JSON, use to_json()
   </Output>
   
   <Route analytical_windns_to_chronicle>
       Path    eventlog => out_chronicle_windns
   </Route>
   
   <Route audit_windns_to_chronicle>
       Path    auditeventlog => out_chronicle_windns
   </Route>
   

3. Installa il server di inoltro Chronicle sul server Microsoft Windows o Linux centrale. Per informazioni sull'installazione e sulla configurazione del server di inoltro, vedi gli articoli Installazione e configurazione del forwarding su Linux o Installazione e configurazione del forwarding su Microsoft Windows.

4. Configura il forwarding di Chronicle per l'invio dei log a Chronicle. Ecco un esempio di configurazione del forwarding.

     - syslog:
         common:
           enabled: true
           data_type: WINDOWS_DNS
           batch_n_seconds: 10
           batch_n_bytes: 1048576
         tcp_address: 0.0.0.0:10518
         connection_timeout_sec: 60
   

Riferimento per la mappatura dei campi: campi del log dispositivo ai campi UDM

Questa sezione descrive in che modo il parser mappa i campi dei log del dispositivo originali ai campi UDM (Unified Data Model).

Campi comuni

Campo NXLog	Campo UDM	Commenta
SourceName	metadata.vendor_name = "Microsoft" metadata.product_name = "Windows DNS Server"
EventID	security_result.rule_name	Stored as "EventID: %{EventID}". In events with Error and Warning level, the field is_alert is set to true.
Severity	security_result.severity	The values are mapped to the UDM field enum as follows: 0 (None) - UNKNOWN_SEVERITY 1 (Critical) - INFORMATIONAL 2 (Error) - ERROR 3 (Warning) - ERROR 4 (Informational) - INFORMATIONAL 5 (Verbose) - INFORMATIONAL
EventTime	metadata.event_timestamp
ExecutionProcessID	principal.process.pid / target.process.pid	Value stored in target.process.pid for the following Event IDs 256, 259, 261, 263, 266, 268, 270, 272, 273, 275, 278, 279, 280. Value stored in principal.process.pid for all other Event IDs.
Channel	metadata.product_event_type
Hostname	principal.hostname / target.hostname	Value stored in target.hostname for the following Event IDs: 256, 259, 261, 263, 266, 268, 270, 272, 273, 275, 278, 279, 280. Value stored in principal.hostname from all other Event IDs.
UserID	principal.user.windows_sid / target.user.windows_sid	Stored in target.user.windows_sid for the following Event IDs: 256, 259, 261, 263, 266, 268, 270, 272,273, 275, 278, 279, 280. Stored in principal.user.windows_sid for all other Event IDs

Log di analisi

Campo log originale	Campo UDM	Commenta
AA	network.dns.authoritative
Destination	target.ip / principal.ip	Populated in either principal and target.
InterfaceIP	target.ip / principal.ip	Stores DNS Server's IP address in target.ip for following Event IDs, 256, 259, 261, 263, 266, 268, 270, 272, 273, 275, 278, 279, 280. Stored in principal.ip for all other Event IDs (DNS response).
PacketData	network.dns.answers.binary_data
Port	target.port / principal.port
QNAME	network.dns.questions.name, target.hostname	Do not store QNAME in target.hostname for following Event IDs: 256, 259, 261, 263, 266, 268, 270, 272, 273, 275, 278, 279, and 280
QTYPE	network.dns.questions.type
RCODE	network.dns.response_code
RD	network.dns.recursion_desired
Reason	security_result.summary
Source	principal.ip / target.ip	Source IPv4/IPv6 address of the machine that initiated the DNS request. Stored in target.ip for Event ID 274. Stored in target.ip for Event ID 265 and 269. InterfaceIP contains the secondary server's IP address (principal) and Source (target) is the primary server's IP address.
TCP	network.ip_protocol
XID	network.dns.id

Audit log

Campo log originale	Campo UDM	Nota
Name	target.resource.name	Value is collected from events with Event ID 512.
Policy	target.resource.name	Value is collected from events with Event ID 577, 578, 579, 580, 581, and 582, which are mapped to the SETTING_* event types.
QNAME	network.dns.questions.name, target.hostname
QTYPE	network.dns.questions.type
RecursionScope	target.resource.name	Value is collected from events with Event IDs mapped to SETTING_* event types.
Scope	target.resource.name	Value is collected from events with Event IDs mapped to SETTING_* event types.
Setting	target.resource.name	Value is collected from events with Event IDs mapped to SETTING_* event types.
Source	principal.ip
Zone	target.resource.name	Value is collected from events with Event IDs mapped to SETTING_* event types.
ZoneScope	target.resource.name	Value is collected from events with Event IDs mapped to SETTING_* event types.

Log im_file SourceModuleType

Campo log originale	Campo UDM	Nota
EventReceivedTime	metadata.event_timestamp
Expire	about.labels
InternalPacketIdentifier	about.labels
	about.labels	Grok: Extracted the internal_packet_identifier field from the raw log and then mapped the internal_packet_identifier field to the about.labels UDM field.
packet_identifier	about.labels
LogInfo	metadata.description
PortNum	principal.port
Queued	about.labels
Socket	principal.labels
TimeQuery	about.labels
BufLen	about.labels
Opcode	network.dns.opcode	If the Opcode log field value is equal to Q, then the network.dns.opcode UDM field is set to 0. Else, if the Opcode log field value is equal to I, then the network.dns.opcode UDM field is set to 1. Else, if the Opcode log field value is equal to S, then the network.dns.opcode UDM field is set to 2. Else, if the Opcode log field value is equal to N, then the network.dns.opcode UDM field is set to 4. Else, if the Opcode log field value is equal to U, then the network.dns.opcode UDM field is set to 5.
opcode	network.dns.opcode	Grok: Extracted the opcode field from the raw log. If the opcode field value is equal to Q, then the network.dns.opcode UDM field is set to 0. Else, if the opcode field value is equal to I, then the network.dns.opcode UDM field is set to 1. Else, if the opcode field value is equal to S, then the network.dns.opcode UDM field is set to 2. Else, if the opcode field value is equal to N, then the network.dns.opcode UDM field is set to 4. Else, if the opcode field value is equal to U, then the network.dns.opcode UDM field is set to 5.
Protocol	network.ip_protocol	If the Protocol log field value is equal to 1 or ICMP, then the network.ip_protocol UDM field is set to ICMP. Else, if the Protocol log field value is equal to 2 or IGMP, then the network.ip_protocol UDM field is set to IGMP. Else, if the Protocol log field value is equal to 6 or TCP, then the network.ip_protocol UDM field is set to TCP. Else, if the Protocol log field value is equal to 17 or UDP, then the network.ip_protocol UDM field is set to UDP. Else, if the Protocol log field value is equal to 41 or IP6IN4, then the network.ip_protocol UDM field is set to IP6IN4. Else, if the Protocol log field value is equal to 47 or GRE, then the network.ip_protocol UDM field is set to GRE. Else, if the Protocol log field value is equal to 50 or ESP, then the network.ip_protocol UDM field is set to ESP. Else, if the Protocol log field value is equal to 88 or EIGRP, then the network.ip_protocol UDM field is set to EIGRP. Else, if the Protocol log field value is equal to 97 or ETHERIP, then the network.ip_protocol UDM field is set to ETHERIP. Else, if the Protocol log field value is equal to 103 or PIM, then the network.ip_protocol UDM field is set to PIM. Else, if the Protocol log field value is equal to 112 or VRRP, then the network.ip_protocol UDM field is set to VRRP.
	network.ip_protocol	Grok: Extracted the ip_protocol field from the raw log. If the ip_protocol field value is equal to 1 or ICMP, then the network.ip_protocol UDM field is set to ICMP. Else, if the ip_protocol field value is equal to 2 or IGMP, then the network.ip_protocol UDM field is set to IGMP. Else, if the ip_protocol field value is equal to 6 or TCP, then the network.ip_protocol UDM field is set to TCP. Else, if the ip_protocol field value is equal to 17 or UDP, then the network.ip_protocol UDM field is set to UDP. Else, if the ip_protocol field value is equal to 41 or IP6IN4, then the network.ip_protocol UDM field is set to IP6IN4. Else, if the ip_protocol field value is equal to 47 or GRE, then the network.ip_protocol UDM field is set to GRE. Else, if the ip_protocol field value is equal to 50 or ESP, then the network.ip_protocol UDM field is set to ESP. Else, if the ip_protocol field value is equal to 88 or EIGRP, then the network.ip_protocol UDM field is set to EIGRP. Else, if the ip_protocol field value is equal to 97 or ETHERIP, then the network.ip_protocol UDM field is set to ETHERIP. Else, if the ip_protocol field value is equal to 103 or PIM, then the network.ip_protocol UDM field is set to PIM. Else, if the ip_protocol field value is equal to 112 or VRRP, then the network.ip_protocol UDM field is set to VRRP.
	network.dns.response_code	Grok: Extracted the dns_response_code field from the raw log. If the dns_response_code field value is equal to NOERROR, then the network.dns.response_code UDM field is set to 0. Else, if the dns_response_code field value is equal to FORMERR, then the network.dns.response_code UDM field is set to 1. Else, if the dns_response_code field value is equal to SERVFAIL, then the network.dns.response_code UDM field is set to 2. Else, if the dns_response_code field value is equal to NXDOMAIN, then the network.dns.response_code UDM field is set to 3. Else, if the dns_response_code field value is equal to NOTIMP, then the network.dns.response_code UDM field is set to 4. Else, if the dns_response_code field value is equal to REFUSED, then the network.dns.response_code UDM field is set to 5. Else, if the dns_response_code field value is equal to YXDOMAIN, then the network.dns.response_code UDM field is set to 6. Else, if the dns_response_code field value is equal to YXRRSET, then the network.dns.response_code UDM field is set to 7. Else, if the dns_response_code field value is equal to NXRRSET, then the network.dns.response_code UDM field is set to 8. Else, if the dns_response_code field value is equal to NOTAUTH, then the network.dns.response_code UDM field is set to 9. Else, if the dns_response_code field value is equal to NOTZONE, then the network.dns.response_code UDM field is set to 10. Else, if the dns_response_code field value is equal to DSOTYPENI, then the network.dns.response_code UDM field is set to 11. Else, if the dns_response_code field value is equal to BADVERS, then the network.dns.response_code UDM field is set to 16. Else, if the dns_response_code field value is equal to BADSIG, then the network.dns.response_code UDM field is set to 16. Else, if the dns_response_code field value is equal to BADKEY, then the network.dns.response_code UDM field is set to 17. Else, if the dns_response_code field value is equal to BADTIME, then the network.dns.response_code UDM field is set to 18. Else, if the dns_response_code field value is equal to BADMODE, then the network.dns.response_code UDM field is set to 19. Else, if the dns_response_code field value is equal to BADNAME, then the network.dns.response_code UDM field is set to 20. Else, if the dns_response_code field value is equal to BADALG, then the network.dns.response_code UDM field is set to 21. Else, if the dns_response_code field value is equal to BADTRUNC, then the network.dns.response_code UDM field is set to 22. Else, if the dns_response_code field value is equal to BADCOOKIE, then the network.dns.response_code UDM field is set to 23.
	network.dns.authoritative	Grok: Extracted the authoritative field from the raw log. If the authoritative field value is equal to A, then the network.dns.authoritative UDM field is set to true.
	network.dns.truncated	Grok: Extracted the truncated field from the raw log. If the truncated field value is equal to T, then the network.dns.truncated UDM field is set to true.
	network.dns.recursion_desired	Grok: Extracted the recursion_desired field from the raw log. If the recursion_desired field value is equal to D, then the network.dns.recursion_desired UDM field is set to true.
	network.dns.recursion_available	Grok: Extracted the recursion_available field from the raw log. If the recursion_available field value is equal to R, then the network.dns.recursion_available UDM field is set to true.
QueryType	network.dns.response	If the QueryType log field value is equal to R, then the network.dns.response UDM field is set to true. Else, the network.dns.response UDM field is set to false.
req_or_resp	network.dns.response	Grok: Extracted the req_or_resp field from the raw log. If the req_or_resp field value is equal to R, then the network.dns.response UDM field is set to true. Else, the network.dns.response UDM field is set to false.
QuestionName	network.dns.questions.name, target.hostname
domain	network.dns.questions.name, target.hostname	Grok: Extracted the domain field from the raw log and then mapped the domain field to the network.dns.questions.name and target.hostname UDM field.
QuestionType	network.dns.questions.type	If the QuestionType field value is equal to A, then the network.dns.question.type UDM field is set to 1. Else, if the QuestionType field value is equal to NS, then the network.dns.question.type UDM field is set to 2. Else, if the QuestionType field value is equal to MD, then the network.dns.question.type UDM field is set to 3. Else, if the QuestionType field value is equal to MF, then the network.dns.question.type UDM field is set to 4. Else, if the QuestionType field value is equal to CNAME, then the network.dns.question.type UDM field is set to 5. Else, if the QuestionType field value is equal to SOA, then the network.dns.question.type UDM field is set to 6. Else, if the QuestionType field value is equal to MB, then the network.dns.question.type UDM field is set to 7. Else, if the QuestionType field value is equal to MG, then the network.dns.question.type UDM field is set to 8. Else, if the QuestionType field value is equal to MR, then the network.dns.question.type UDM field is set to 9. Else, if the QuestionType field value is equal to NULL, then the network.dns.question.type UDM field is set to 10. Else, if the QuestionType field value is equal to WKS, then the network.dns.question.type UDM field is set to 11. Else, if the QuestionType field value is equal to PTR, then the network.dns.question.type UDM field is set to 12. Else, if the QuestionType field value is equal to HINFO, then the network.dns.question.type UDM field is set to 13. Else, if the QuestionType field value is equal to MINFO, then the network.dns.question.type UDM field is set to 14. Else, if the QuestionType field value is equal to MX, then the network.dns.question.type UDM field is set to 15. Else, if the QuestionType field value is equal to TXT, then the network.dns.question.type UDM field is set to 16. Else, if the QuestionType field value is equal to RP, then the network.dns.question.type UDM field is set to 17. Else, if the QuestionType field value is equal to AFSDB, then the network.dns.question.type UDM field is set to 18. Else, if the QuestionType field value is equal to X25, then the network.dns.question.type UDM field is set to 19. Else, if the QuestionType field value is equal to ISDN, then the network.dns.question.type UDM field is set to 20. Else, if the QuestionType field value is equal to RT, then the network.dns.question.type UDM field is set to 21. Else, if the QuestionType field value is equal to NSAP, then the network.dns.question.type UDM field is set to 22. Else, if the QuestionType field value is equal to NSAP-PT, then the network.dns.question.type UDM field is set to 23. Else, if the QuestionType field value is equal to SIG, then the network.dns.question.type UDM field is set to 24. Else, if the QuestionType field value is equal to KEY, then the network.dns.question.type UDM field is set to 25. Else, if the QuestionType field value is equal to PX, then the network.dns.question.type UDM field is set to 26. Else, if the QuestionType field value is equal to GPOS, then the network.dns.question.type UDM field is set to 27. Else, if the QuestionType field value is equal to AAAA, then the network.dns.question.type UDM field is set to 28. Else, if the QuestionType field value is equal to LOC, then the network.dns.question.type UDM field is set to 29. Else, if the QuestionType field value is equal to NXT, then the network.dns.question.type UDM field is set to 30. Else, if the QuestionType field value is equal to EID, then the network.dns.question.type UDM field is set to 31. Else, if the QuestionType field value is equal to NIMLOC, then the network.dns.question.type UDM field is set to 32. Else, if the QuestionType field value is equal to SRV, then the network.dns.question.type UDM field is set to 33. Else, if the QuestionType field value is equal to ATMA, then the network.dns.question.type UDM field is set to 34. Else, if the QuestionType field value is equal to NAPTR, then the network.dns.question.type UDM field is set to 35. Else, if the QuestionType field value is equal to KX, then the network.dns.question.type UDM field is set to 36. Else, if the QuestionType field value is equal to CERT, then the network.dns.question.type UDM field is set to 37. Else, if the QuestionType field value is equal to A6, then the network.dns.question.type UDM field is set to 38. Else, if the QuestionType field value is equal to DNAME, then the network.dns.question.type UDM field is set to 39. Else, if the QuestionType field value is equal to SINK, then the network.dns.question.type UDM field is set to 40. Else, if the QuestionType field value is equal to OPT, then the network.dns.question.type UDM field is set to 41. Else, if the QuestionType field value is equal to APL, then the network.dns.question.type UDM field is set to 42. Else, if the QuestionType field value is equal to DS, then the network.dns.question.type UDM field is set to 43. Else, if the QuestionType field value is equal to SSHFP, then the network.dns.question.type UDM field is set to 44. Else, if the QuestionType field value is equal to IPSECKE, then the network.dns.question.type UDM field is set to 45. Else, if the QuestionType field value is equal to RRSIG, then the network.dns.question.type UDM field is set to 46. Else, if the QuestionType field value is equal to NSEC, then the network.dns.question.type UDM field is set to 47. Else, if the QuestionType field value is equal to DNSKEY, then the network.dns.question.type UDM field is set to 48. Else, if the QuestionType field value is equal to DHCID, then the network.dns.question.type UDM field is set to 49. Else, if the QuestionType field value is equal to NSEC3, then the network.dns.question.type UDM field is set to 50. Else, if the QuestionType field value is equal to NSEC3PA, then the network.dns.question.type UDM field is set to 51. Else, if the QuestionType field value is equal to TLSA, then the network.dns.question.type UDM field is set to 52. Else, if the QuestionType field value is equal to SMIMEA, then the network.dns.question.type UDM field is set to 53. Else, if the QuestionType field value is equal to UNASSIG, then the network.dns.question.type UDM field is set to 54. Else, if the QuestionType field value is equal to HIP, then the network.dns.question.type UDM field is set to 55. Else, if the QuestionType field value is equal to NINFO, then the network.dns.question.type UDM field is set to 56. Else, if the QuestionType field value is equal to RKEY, then the network.dns.question.type UDM field is set to 57. Else, if the QuestionType field value is equal to TALINK, then the network.dns.question.type UDM field is set to 58. Else, if the QuestionType field value is equal to CDS, then the network.dns.question.type UDM field is set to 59. Else, if the QuestionType field value is equal to CDNSKEY, then the network.dns.question.type UDM field is set to 60. Else, if the QuestionType field value is equal to OPENPGP, then the network.dns.question.type UDM field is set to 61. Else, if the QuestionType field value is equal to CSYNC, then the network.dns.question.type UDM field is set to 62. Else, if the QuestionType field value is equal to ZONEMD, then the network.dns.question.type UDM field is set to 63. Else, if the QuestionType field value is equal to SVCB, then the network.dns.question.type UDM field is set to 64. Else, if the QuestionType field value is equal to HTTPS, then the network.dns.question.type UDM field is set to 65. Else, if the QuestionType field value is equal to SPF, then the network.dns.question.type UDM field is set to 99. Else, if the QuestionType field value is equal to UINFO, then the network.dns.question.type UDM field is set to 100. Else, if the QuestionType field value is equal to UID, then the network.dns.question.type UDM field is set to 101. Else, if the QuestionType field value is equal to GID, then the network.dns.question.type UDM field is set to 102. Else, if the QuestionType field value is equal to UNSPEC, then the network.dns.question.type UDM field is set to 103. Else, if the QuestionType field value is equal to NID, then the network.dns.question.type UDM field is set to 104. Else, if the QuestionType field value is equal to L32, then the network.dns.question.type UDM field is set to 105. Else, if the QuestionType field value is equal to L64, then the network.dns.question.type UDM field is set to 106. Else, if the QuestionType field value is equal to LP, then the network.dns.question.type UDM field is set to 107. Else, if the QuestionType field value is equal to EUI48, then the network.dns.question.type UDM field is set to 108. Else, if the QuestionType field value is equal to EUI64, then the network.dns.question.type UDM field is set to 109. Else, if the QuestionType field value is equal to TKEY, then the network.dns.question.type UDM field is set to 249. Else, if the QuestionType field value is equal to TSIG, then the network.dns.question.type UDM field is set to 250. Else, if the QuestionType field value is equal to IXFR, then the network.dns.question.type UDM field is set to 251. Else, if the QuestionType field value is equal to AXFR, then the network.dns.question.type UDM field is set to 252. Else, if the QuestionType field value is equal to MAILB, then the network.dns.question.type UDM field is set to 253. Else, if the QuestionType field value is equal to MAILA, then the network.dns.question.type UDM field is set to 254. Else, if the QuestionType field value is equal to ALL, then the network.dns.question.type UDM field is set to 255. Else, if the QuestionType field value is equal to URI, then the network.dns.question.type UDM field is set to 256. Else, if the QuestionType field value is equal to CAA, then the network.dns.question.type UDM field is set to 257. Else, if the QuestionType field value is equal to AVC, then the network.dns.question.type UDM field is set to 258. Else, if the QuestionType field value is equal to DOA, then the network.dns.question.type UDM field is set to 259. Else, if the QuestionType field value is equal to AMTRELA, then the network.dns.question.type UDM field is set to 260. Else, if the QuestionType field value is equal to TA, then the network.dns.question.type UDM field is set to 32768. Else, if the QuestionType field value is equal to DLV, then the network.dns.question.type UDM field is set to 32769.
	network.dns.questions.type	Grok: Extracted the dns_record_type field from the raw log. If the dns_record_type field value is equal to A, then the network.dns.question.type UDM field is set to 1. Else, if the dns_record_type field value is equal to NS, then the network.dns.question.type UDM field is set to 2. Else, if the dns_record_type field value is equal to MD, then the network.dns.question.type UDM field is set to 3. Else, if the dns_record_type field value is equal to MF, then the network.dns.question.type UDM field is set to 4. Else, if the dns_record_type field value is equal to CNAME, then the network.dns.question.type UDM field is set to 5. Else, if the dns_record_type field value is equal to SOA, then the network.dns.question.type UDM field is set to 6. Else, if the dns_record_type field value is equal to MB, then the network.dns.question.type UDM field is set to 7. Else, if the dns_record_type field value is equal to MG, then the network.dns.question.type UDM field is set to 8. Else, if the dns_record_type field value is equal to MR, then the network.dns.question.type UDM field is set to 9. Else, if the dns_record_type field value is equal to NULL, then the network.dns.question.type UDM field is set to 10. Else, if the dns_record_type field value is equal to WKS, then the network.dns.question.type UDM field is set to 11. Else, if the dns_record_type field value is equal to PTR, then the network.dns.question.type UDM field is set to 12. Else, if the dns_record_type field value is equal to HINFO, then the network.dns.question.type UDM field is set to 13. Else, if the dns_record_type field value is equal to MINFO, then the network.dns.question.type UDM field is set to 14. Else, if the dns_record_type field value is equal to MX, then the network.dns.question.type UDM field is set to 15. Else, if the dns_record_type field value is equal to TXT, then the network.dns.question.type UDM field is set to 16. Else, if the dns_record_type field value is equal to RP, then the network.dns.question.type UDM field is set to 17. Else, if the dns_record_type field value is equal to AFSDB, then the network.dns.question.type UDM field is set to 18. Else, if the dns_record_type field value is equal to X25, then the network.dns.question.type UDM field is set to 19. Else, if the dns_record_type field value is equal to ISDN, then the network.dns.question.type UDM field is set to 20. Else, if the dns_record_type field value is equal to RT, then the network.dns.question.type UDM field is set to 21. Else, if the dns_record_type field value is equal to NSAP, then the network.dns.question.type UDM field is set to 22. Else, if the dns_record_type field value is equal to NSAP-PT, then the network.dns.question.type UDM field is set to 23. Else, if the dns_record_type field value is equal to SIG, then the network.dns.question.type UDM field is set to 24. Else, if the dns_record_type field value is equal to KEY, then the network.dns.question.type UDM field is set to 25. Else, if the dns_record_type field value is equal to PX, then the network.dns.question.type UDM field is set to 26. Else, if the dns_record_type field value is equal to GPOS, then the network.dns.question.type UDM field is set to 27. Else, if the dns_record_type field value is equal to AAAA, then the network.dns.question.type UDM field is set to 28. Else, if the dns_record_type field value is equal to LOC, then the network.dns.question.type UDM field is set to 29. Else, if the dns_record_type field value is equal to NXT, then the network.dns.question.type UDM field is set to 30. Else, if the dns_record_type field value is equal to EID, then the network.dns.question.type UDM field is set to 31. Else, if the dns_record_type field value is equal to NIMLOC, then the network.dns.question.type UDM field is set to 32. Else, if the dns_record_type field value is equal to SRV, then the network.dns.question.type UDM field is set to 33. Else, if the dns_record_type field value is equal to ATMA, then the network.dns.question.type UDM field is set to 34. Else, if the dns_record_type field value is equal to NAPTR, then the network.dns.question.type UDM field is set to 35. Else, if the dns_record_type field value is equal to KX, then the network.dns.question.type UDM field is set to 36. Else, if the dns_record_type field value is equal to CERT, then the network.dns.question.type UDM field is set to 37. Else, if the dns_record_type field value is equal to A6, then the network.dns.question.type UDM field is set to 38. Else, if the dns_record_type field value is equal to DNAME, then the network.dns.question.type UDM field is set to 39. Else, if the dns_record_type field value is equal to SINK, then the network.dns.question.type UDM field is set to 40. Else, if the dns_record_type field value is equal to OPT, then the network.dns.question.type UDM field is set to 41. Else, if the dns_record_type field value is equal to APL, then the network.dns.question.type UDM field is set to 42. Else, if the dns_record_type field value is equal to DS, then the network.dns.question.type UDM field is set to 43. Else, if the dns_record_type field value is equal to SSHFP, then the network.dns.question.type UDM field is set to 44. Else, if the dns_record_type field value is equal to IPSECKE, then the network.dns.question.type UDM field is set to 45. Else, if the dns_record_type field value is equal to RRSIG, then the network.dns.question.type UDM field is set to 46. Else, if the dns_record_type field value is equal to NSEC, then the network.dns.question.type UDM field is set to 47. Else, if the dns_record_type field value is equal to DNSKEY, then the network.dns.question.type UDM field is set to 48. Else, if the dns_record_type field value is equal to DHCID, then the network.dns.question.type UDM field is set to 49. Else, if the dns_record_type field value is equal to NSEC3, then the network.dns.question.type UDM field is set to 50. Else, if the dns_record_type field value is equal to NSEC3PA, then the network.dns.question.type UDM field is set to 51. Else, if the dns_record_type field value is equal to TLSA, then the network.dns.question.type UDM field is set to 52. Else, if the dns_record_type field value is equal to SMIMEA, then the network.dns.question.type UDM field is set to 53. Else, if the dns_record_type field value is equal to UNASSIG, then the network.dns.question.type UDM field is set to 54. Else, if the dns_record_type field value is equal to HIP, then the network.dns.question.type UDM field is set to 55. Else, if the dns_record_type field value is equal to NINFO, then the network.dns.question.type UDM field is set to 56. Else, if the dns_record_type field value is equal to RKEY, then the network.dns.question.type UDM field is set to 57. Else, if the dns_record_type field value is equal to TALINK, then the network.dns.question.type UDM field is set to 58. Else, if the dns_record_type field value is equal to CDS, then the network.dns.question.type UDM field is set to 59. Else, if the dns_record_type field value is equal to CDNSKEY, then the network.dns.question.type UDM field is set to 60. Else, if the dns_record_type field value is equal to OPENPGP, then the network.dns.question.type UDM field is set to 61. Else, if the dns_record_type field value is equal to CSYNC, then the network.dns.question.type UDM field is set to 62. Else, if the dns_record_type field value is equal to ZONEMD, then the network.dns.question.type UDM field is set to 63. Else, if the dns_record_type field value is equal to SVCB, then the network.dns.question.type UDM field is set to 64. Else, if the dns_record_type field value is equal to HTTPS, then the network.dns.question.type UDM field is set to 65. Else, if the dns_record_type field value is equal to SPF, then the network.dns.question.type UDM field is set to 99. Else, if the dns_record_type field value is equal to UINFO, then the network.dns.question.type UDM field is set to 100. Else, if the dns_record_type field value is equal to UID, then the network.dns.question.type UDM field is set to 101. Else, if the dns_record_type field value is equal to GID, then the network.dns.question.type UDM field is set to 102. Else, if the dns_record_type field value is equal to UNSPEC, then the network.dns.question.type UDM field is set to 103. Else, if the dns_record_type field value is equal to NID, then the network.dns.question.type UDM field is set to 104. Else, if the dns_record_type field value is equal to L32, then the network.dns.question.type UDM field is set to 105. Else, if the dns_record_type field value is equal to L64, then the network.dns.question.type UDM field is set to 106. Else, if the dns_record_type field value is equal to LP, then the network.dns.question.type UDM field is set to 107. Else, if the dns_record_type field value is equal to EUI48, then the network.dns.question.type UDM field is set to 108. Else, if the dns_record_type field value is equal to EUI64, then the network.dns.question.type UDM field is set to 109. Else, if the dns_record_type field value is equal to TKEY, then the network.dns.question.type UDM field is set to 249. Else, if the dns_record_type field value is equal to TSIG, then the network.dns.question.type UDM field is set to 250. Else, if the dns_record_type field value is equal to IXFR, then the network.dns.question.type UDM field is set to 251. Else, if the dns_record_type field value is equal to AXFR, then the network.dns.question.type UDM field is set to 252. Else, if the dns_record_type field value is equal to MAILB, then the network.dns.question.type UDM field is set to 253. Else, if the dns_record_type field value is equal to MAILA, then the network.dns.question.type UDM field is set to 254. Else, if the dns_record_type field value is equal to ALL, then the network.dns.question.type UDM field is set to 255. Else, if the dns_record_type field value is equal to URI, then the network.dns.question.type UDM field is set to 256. Else, if the dns_record_type field value is equal to CAA, then the network.dns.question.type UDM field is set to 257. Else, if the dns_record_type field value is equal to AVC, then the network.dns.question.type UDM field is set to 258. Else, if the dns_record_type field value is equal to DOA, then the network.dns.question.type UDM field is set to 259. Else, if the dns_record_type field value is equal to AMTRELA, then the network.dns.question.type UDM field is set to 260. Else, if the dns_record_type field value is equal to TA, then the network.dns.question.type UDM field is set to 32768. Else, if the dns_record_type field value is equal to DLV, then the network.dns.question.type UDM field is set to 32769.
dns_record_name	network.dns.questions.type	If the dns_record_name field value is equal to A, then the network.dns.question.type UDM field is set to 1. Else, if the dns_record_name field value is equal to NS, then the network.dns.question.type UDM field is set to 2. Else, if the dns_record_name field value is equal to MD, then the network.dns.question.type UDM field is set to 3. Else, if the dns_record_name field value is equal to MF, then the network.dns.question.type UDM field is set to 4. Else, if the dns_record_name field value is equal to CNAME, then the network.dns.question.type UDM field is set to 5. Else, if the dns_record_name field value is equal to SOA, then the network.dns.question.type UDM field is set to 6. Else, if the dns_record_name field value is equal to MB, then the network.dns.question.type UDM field is set to 7. Else, if the dns_record_name field value is equal to MG, then the network.dns.question.type UDM field is set to 8. Else, if the dns_record_name field value is equal to MR, then the network.dns.question.type UDM field is set to 9. Else, if the dns_record_name field value is equal to NULL, then the network.dns.question.type UDM field is set to 10. Else, if the dns_record_name field value is equal to WKS, then the network.dns.question.type UDM field is set to 11. Else, if the dns_record_name field value is equal to PTR, then the network.dns.question.type UDM field is set to 12. Else, if the dns_record_name field value is equal to HINFO, then the network.dns.question.type UDM field is set to 13. Else, if the dns_record_name field value is equal to MINFO, then the network.dns.question.type UDM field is set to 14. Else, if the dns_record_name field value is equal to MX, then the network.dns.question.type UDM field is set to 15. Else, if the dns_record_name field value is equal to TXT, then the network.dns.question.type UDM field is set to 16. Else, if the dns_record_name field value is equal to RP, then the network.dns.question.type UDM field is set to 17. Else, if the dns_record_name field value is equal to AFSDB, then the network.dns.question.type UDM field is set to 18. Else, if the dns_record_name field value is equal to X25, then the network.dns.question.type UDM field is set to 19. Else, if the dns_record_name field value is equal to ISDN, then the network.dns.question.type UDM field is set to 20. Else, if the dns_record_name field value is equal to RT, then the network.dns.question.type UDM field is set to 21. Else, if the dns_record_name field value is equal to NSAP, then the network.dns.question.type UDM field is set to 22. Else, if the dns_record_name field value is equal to NSAP-PT, then the network.dns.question.type UDM field is set to 23. Else, if the dns_record_name field value is equal to SIG, then the network.dns.question.type UDM field is set to 24. Else, if the dns_record_name field value is equal to KEY, then the network.dns.question.type UDM field is set to 25. Else, if the dns_record_name field value is equal to PX, then the network.dns.question.type UDM field is set to 26. Else, if the dns_record_name field value is equal to GPOS, then the network.dns.question.type UDM field is set to 27. Else, if the dns_record_name field value is equal to AAAA, then the network.dns.question.type UDM field is set to 28. Else, if the dns_record_name field value is equal to LOC, then the network.dns.question.type UDM field is set to 29. Else, if the dns_record_name field value is equal to NXT, then the network.dns.question.type UDM field is set to 30. Else, if the dns_record_name field value is equal to EID, then the network.dns.question.type UDM field is set to 31. Else, if the dns_record_name field value is equal to NIMLOC, then the network.dns.question.type UDM field is set to 32. Else, if the dns_record_name field value is equal to SRV, then the network.dns.question.type UDM field is set to 33. Else, if the dns_record_name field value is equal to ATMA, then the network.dns.question.type UDM field is set to 34. Else, if the dns_record_name field value is equal to NAPTR, then the network.dns.question.type UDM field is set to 35. Else, if the dns_record_name field value is equal to KX, then the network.dns.question.type UDM field is set to 36. Else, if the dns_record_name field value is equal to CERT, then the network.dns.question.type UDM field is set to 37. Else, if the dns_record_name field value is equal to A6, then the network.dns.question.type UDM field is set to 38. Else, if the dns_record_name field value is equal to DNAME, then the network.dns.question.type UDM field is set to 39. Else, if the dns_record_name field value is equal to SINK, then the network.dns.question.type UDM field is set to 40. Else, if the dns_record_name field value is equal to OPT, then the network.dns.question.type UDM field is set to 41. Else, if the dns_record_name field value is equal to APL, then the network.dns.question.type UDM field is set to 42. Else, if the dns_record_name field value is equal to DS, then the network.dns.question.type UDM field is set to 43. Else, if the dns_record_name field value is equal to SSHFP, then the network.dns.question.type UDM field is set to 44. Else, if the dns_record_name field value is equal to IPSECKE, then the network.dns.question.type UDM field is set to 45. Else, if the dns_record_name field value is equal to RRSIG, then the network.dns.question.type UDM field is set to 46. Else, if the dns_record_name field value is equal to NSEC, then the network.dns.question.type UDM field is set to 47. Else, if the dns_record_name field value is equal to DNSKEY, then the network.dns.question.type UDM field is set to 48. Else, if the dns_record_name field value is equal to DHCID, then the network.dns.question.type UDM field is set to 49. Else, if the dns_record_name field value is equal to NSEC3, then the network.dns.question.type UDM field is set to 50. Else, if the dns_record_name field value is equal to NSEC3PA, then the network.dns.question.type UDM field is set to 51. Else, if the dns_record_name field value is equal to TLSA, then the network.dns.question.type UDM field is set to 52. Else, if the dns_record_name field value is equal to SMIMEA, then the network.dns.question.type UDM field is set to 53. Else, if the dns_record_name field value is equal to UNASSIG, then the network.dns.question.type UDM field is set to 54. Else, if the dns_record_name field value is equal to HIP, then the network.dns.question.type UDM field is set to 55. Else, if the dns_record_name field value is equal to NINFO, then the network.dns.question.type UDM field is set to 56. Else, if the dns_record_name field value is equal to RKEY, then the network.dns.question.type UDM field is set to 57. Else, if the dns_record_name field value is equal to TALINK, then the network.dns.question.type UDM field is set to 58. Else, if the dns_record_name field value is equal to CDS, then the network.dns.question.type UDM field is set to 59. Else, if the dns_record_name field value is equal to CDNSKEY, then the network.dns.question.type UDM field is set to 60. Else, if the dns_record_name field value is equal to OPENPGP, then the network.dns.question.type UDM field is set to 61. Else, if the dns_record_name field value is equal to CSYNC, then the network.dns.question.type UDM field is set to 62. Else, if the dns_record_name field value is equal to ZONEMD, then the network.dns.question.type UDM field is set to 63. Else, if the dns_record_name field value is equal to SVCB, then the network.dns.question.type UDM field is set to 64. Else, if the dns_record_name field value is equal to HTTPS, then the network.dns.question.type UDM field is set to 65. Else, if the dns_record_name field value is equal to SPF, then the network.dns.question.type UDM field is set to 99. Else, if the dns_record_name field value is equal to UINFO, then the network.dns.question.type UDM field is set to 100. Else, if the dns_record_name field value is equal to UID, then the network.dns.question.type UDM field is set to 101. Else, if the dns_record_name field value is equal to GID, then the network.dns.question.type UDM field is set to 102. Else, if the dns_record_name field value is equal to UNSPEC, then the network.dns.question.type UDM field is set to 103. Else, if the dns_record_name field value is equal to NID, then the network.dns.question.type UDM field is set to 104. Else, if the dns_record_name field value is equal to L32, then the network.dns.question.type UDM field is set to 105. Else, if the dns_record_name field value is equal to L64, then the network.dns.question.type UDM field is set to 106. Else, if the dns_record_name field value is equal to LP, then the network.dns.question.type UDM field is set to 107. Else, if the dns_record_name field value is equal to EUI48, then the network.dns.question.type UDM field is set to 108. Else, if the dns_record_name field value is equal to EUI64, then the network.dns.question.type UDM field is set to 109. Else, if the dns_record_name field value is equal to TKEY, then the network.dns.question.type UDM field is set to 249. Else, if the dns_record_name field value is equal to TSIG, then the network.dns.question.type UDM field is set to 250. Else, if the dns_record_name field value is equal to IXFR, then the network.dns.question.type UDM field is set to 251. Else, if the dns_record_name field value is equal to AXFR, then the network.dns.question.type UDM field is set to 252. Else, if the dns_record_name field value is equal to MAILB, then the network.dns.question.type UDM field is set to 253. Else, if the dns_record_name field value is equal to MAILA, then the network.dns.question.type UDM field is set to 254. Else, if the dns_record_name field value is equal to ALL, then the network.dns.question.type UDM field is set to 255. Else, if the dns_record_name field value is equal to URI, then the network.dns.question.type UDM field is set to 256. Else, if the dns_record_name field value is equal to CAA, then the network.dns.question.type UDM field is set to 257. Else, if the dns_record_name field value is equal to AVC, then the network.dns.question.type UDM field is set to 258. Else, if the dns_record_name field value is equal to DOA, then the network.dns.question.type UDM field is set to 259. Else, if the dns_record_name field value is equal to AMTRELA, then the network.dns.question.type UDM field is set to 260. Else, if the dns_record_name field value is equal to TA, then the network.dns.question.type UDM field is set to 32768. Else, if the dns_record_name field value is equal to DLV, then the network.dns.question.type UDM field is set to 32769.
RemoteIP	principal.ip	If the value of the RemoteIP field matches the regular expression ip, then the principal.ip UDM field is mapped to RemoteIP. Else, principal.hostname UDM field is mapped to RemoteIP
	principal.ip	Grok: Extracted the client field from the raw log. If the value of the client field matches the regular expression ip, then the principal.ip UDM field is mapped to client. Else, principal.hostname UDM field is mapped to client.
	principal.hostname	Grok: Extracted the syslog_host field from the raw log. If the value of the client field matches the regular expression ip, then the principal.hostname UDM field is mapped to the syslog_host.
SendReceiveIndicator	network.direction	If the SendReceiveIndicator log field value is equal to Snd, then the network.direction UDM field is set to OUTBOUND. Else, if the SendReceiveIndicator log field value is equal to Rcv, then the network.direction UDM field is set to INBOUND.
send_receive_indicator	network.direction	Grok: Extracted the send_receive_indicator field from the raw log. If the send_receive_indicator field value is equal to Snd, then the network.direction UDM field is set to OUTBOUND. Else, if the send_receive_indicator field value is equal to Rcv, then the network.direction UDM field is set to INBOUND.
Xid	network.dns.id
xid	network.dns.id	Grok: Extracted the xid field from the raw log and then mapped the xid field to the network.dns.id UDM field.
	network.dns.answers.data	Grok: Extracted the DATA field from the raw log and then mapped the DATA field to the network.dns.answers.data UDM field.
	network.dns.answers.type	Grok: Extracted the TYPE field from the raw log and then mapped the TYPE field to the network.dns.answers.type UDM field.
	network.dns.answers.name	Grok: Extracted the Name field from the raw log and then mapped the Name field to the network.dns.answers.name UDM field.
	network.dns.answers.ttl	Grok: Extracted the TTL field from the raw log and then mapped the TTL field to the network.dns.answers.ttl UDM field.
	network.dns.answers.class	Grok: Extracted the CLASS field from the raw log and then mapped the CLASS field to the network.dns.answers.class UDM field.

Log di debug legacy

Campo log originale	Campo UDM	Nota
BufLen	about.labels.key/value	Grok: Extracted the BufLen field from the raw log and then mapped the BufLen field to the about.labels UDM field.
client	principal.ip	Grok: Extracted the client field from the raw log. If the value of the client field matches the regular expression ip, then the principal.ip UDM field is mapped to client. Else, principal.hostname UDM field is mapped to client.
domain	network.dns.questions.name target.hostname target.asset.hostname	Grok: Extracted the domain field from the raw log and then mapped the domain field to the network.dns.questions.name, target.hostname and target.asset.hostname UDM field.
Expire	about.labels.key/value	Grok: Extracted the Expire field from the raw log and then mapped the Expire field to the about.labels UDM field.
internal_packet_identifier	about.labels.key/value	Grok: Extracted the internal_packet_identifier field from the raw log and then mapped the internal_packet_identifier field to the about.labels UDM field.
ip_protocol	network.ip_protocol	Grok: Extracted the ip_protocol field from the raw log. If the ip_protocol field value is equal to 1 or ICMP, then the network.ip_protocol UDM field is set to ICMP. Else, if the ip_protocol field value is equal to 2 or IGMP, then the network.ip_protocol UDM field is set to IGMP. Else, if the ip_protocol field value is equal to 6 or TCP, then the network.ip_protocol UDM field is set to TCP. Else, if the ip_protocol field value is equal to 17 or UDP, then the network.ip_protocol UDM field is set to UDP. Else, if the ip_protocol field value is equal to 41 or IP6IN4, then the network.ip_protocol UDM field is set to IP6IN4. Else, if the ip_protocol field value is equal to 47 or GRE, then the network.ip_protocol UDM field is set to GRE. Else, if the ip_protocol field value is equal to 50 or ESP, then the network.ip_protocol UDM field is set to ESP. Else, if the ip_protocol field value is equal to 88 or EIGRP, then the network.ip_protocol UDM field is set to EIGRP. Else, if the ip_protocol field value is equal to 97 or ETHERIP, then the network.ip_protocol UDM field is set to ETHERIP. Else, if the ip_protocol field value is equal to 103 or PIM, then the network.ip_protocol UDM field is set to PIM. Else, if the ip_protocol field value is equal to 112 or VRRP, then the network.ip_protocol UDM field is set to VRRP.
LogInfo	metadata.description	Grok: Extracted the LogInfo field from the raw log and then mapped the LogInfo field to the metadata.description UDM field.
opcode	network.dns.opcode	Grok: Extracted the opcode field from the raw log. If the opcode field value is equal to Q, then the network.dns.opcode UDM field is set to 0. Else, if the opcode field value is equal to I, then the network.dns.opcode UDM field is set to 1. Else, if the opcode field value is equal to S, then the network.dns.opcode UDM field is set to 2. Else, if the opcode field value is equal to N, then the network.dns.opcode UDM field is set to 4. Else, if the opcode field value is equal to U, then the network.dns.opcode UDM field is set to 5.
PortNum	principal.port	Grok: Extracted the PortNum field from the raw log and then mapped the PortNum field to the principal.port UDM field.
Queued	about.labels.key/value	Grok: Extracted the Queued field from the raw log and then mapped the Queued field to the about.labels UDM field.
req_or_resp	network.dns.response	Grok: Extracted req_or_resp from the raw log, If the req_or_resp field value is equal to R, then the network.dns.response UDM field is set to true. Else, the network.dns.response UDM field is set to false
send_receive_indicator	network.direction	Grok: Extracted the send_receive_indicator field from the raw log. If the send_receive_indicator field value is equal to Snd, then the network.direction UDM field is set to OUTBOUND. Else, if the send_receive_indicator field value is equal to Rcv, then the network.direction UDM field is set to INBOUND.
Socket	principal.labels.key/value	Grok: Extracted the Socket field from the raw log and then mapped the Socket field to the principal.labels UDM field.
TimeQuery	about.labels.key/value	Grok: Extracted the TimeQuery field from the raw log and then mapped the TimeQuery field to the about.labels UDM field.
xid	network.dns.id	Grok: Extracted the xid field from the raw log and then mapped the xid field to the network.dns.id UDM field.
dns_record_type	additional.fields.key/value.string_value network.dns.questions.type	Grok: Extracted the dns_record_type field from the raw log. If the dns_record_type field value is equal to A, then the network.dns.question.type UDM field is set to 1. Else, if the dns_record_type field value is equal to NS, then the network.dns.question.type UDM field is set to 2. Else, if the dns_record_type field value is equal to MD, then the network.dns.question.type UDM field is set to 3. Else, if the dns_record_type field value is equal to MF, then the network.dns.question.type UDM field is set to 4. Else, if the dns_record_type field value is equal to CNAME, then the network.dns.question.type UDM field is set to 5. Else, if the dns_record_type field value is equal to SOA, then the network.dns.question.type UDM field is set to 6. Else, if the dns_record_type field value is equal to MB, then the network.dns.question.type UDM field is set to 7. Else, if the dns_record_type field value is equal to MG, then the network.dns.question.type UDM field is set to 8. Else, if the dns_record_type field value is equal to MR, then the network.dns.question.type UDM field is set to 9. Else, if the dns_record_type field value is equal to NULL, then the network.dns.question.type UDM field is set to 10. Else, if the dns_record_type field value is equal to WKS, then the network.dns.question.type UDM field is set to 11. Else, if the dns_record_type field value is equal to PTR, then the network.dns.question.type UDM field is set to 12. Else, if the dns_record_type field value is equal to HINFO, then the network.dns.question.type UDM field is set to 13. Else, if the dns_record_type field value is equal to MINFO, then the network.dns.question.type UDM field is set to 14. Else, if the dns_record_type field value is equal to MX, then the network.dns.question.type UDM field is set to 15. Else, if the dns_record_type field value is equal to TXT, then the network.dns.question.type UDM field is set to 16. Else, if the dns_record_type field value is equal to RP, then the network.dns.question.type UDM field is set to 17. Else, if the dns_record_type field value is equal to AFSDB, then the network.dns.question.type UDM field is set to 18. Else, if the dns_record_type field value is equal to X25, then the network.dns.question.type UDM field is set to 19. Else, if the dns_record_type field value is equal to ISDN, then the network.dns.question.type UDM field is set to 20. Else, if the dns_record_type field value is equal to RT, then the network.dns.question.type UDM field is set to 21. Else, if the dns_record_type field value is equal to NSAP, then the network.dns.question.type UDM field is set to 22. Else, if the dns_record_type field value is equal to NSAP-PT, then the network.dns.question.type UDM field is set to 23. Else, if the dns_record_type field value is equal to SIG, then the network.dns.question.type UDM field is set to 24. Else, if the dns_record_type field value is equal to KEY, then the network.dns.question.type UDM field is set to 25. Else, if the dns_record_type field value is equal to PX, then the network.dns.question.type UDM field is set to 26. Else, if the dns_record_type field value is equal to GPOS, then the network.dns.question.type UDM field is set to 27. Else, if the dns_record_type field value is equal to AAAA, then the network.dns.question.type UDM field is set to 28. Else, if the dns_record_type field value is equal to LOC, then the network.dns.question.type UDM field is set to 29. Else, if the dns_record_type field value is equal to NXT, then the network.dns.question.type UDM field is set to 30. Else, if the dns_record_type field value is equal to EID, then the network.dns.question.type UDM field is set to 31. Else, if the dns_record_type field value is equal to NIMLOC, then the network.dns.question.type UDM field is set to 32. Else, if the dns_record_type field value is equal to SRV, then the network.dns.question.type UDM field is set to 33. Else, if the dns_record_type field value is equal to ATMA, then the network.dns.question.type UDM field is set to 34. Else, if the dns_record_type field value is equal to NAPTR, then the network.dns.question.type UDM field is set to 35. Else, if the dns_record_type field value is equal to KX, then the network.dns.question.type UDM field is set to 36. Else, if the dns_record_type field value is equal to CERT, then the network.dns.question.type UDM field is set to 37. Else, if the dns_record_type field value is equal to A6, then the network.dns.question.type UDM field is set to 38. Else, if the dns_record_type field value is equal to DNAME, then the network.dns.question.type UDM field is set to 39. Else, if the dns_record_type field value is equal to SINK, then the network.dns.question.type UDM field is set to 40. Else, if the dns_record_type field value is equal to OPT, then the network.dns.question.type UDM field is set to 41. Else, if the dns_record_type field value is equal to APL, then the network.dns.question.type UDM field is set to 42. Else, if the dns_record_type field value is equal to DS, then the network.dns.question.type UDM field is set to 43. Else, if the dns_record_type field value is equal to SSHFP, then the network.dns.question.type UDM field is set to 44. Else, if the dns_record_type field value is equal to IPSECKE, then the network.dns.question.type UDM field is set to 45. Else, if the dns_record_type field value is equal to RRSIG, then the network.dns.question.type UDM field is set to 46. Else, if the dns_record_type field value is equal to NSEC, then the network.dns.question.type UDM field is set to 47. Else, if the dns_record_type field value is equal to DNSKEY, then the network.dns.question.type UDM field is set to 48. Else, if the dns_record_type field value is equal to DHCID, then the network.dns.question.type UDM field is set to 49. Else, if the dns_record_type field value is equal to NSEC3, then the network.dns.question.type UDM field is set to 50. Else, if the dns_record_type field value is equal to NSEC3PA, then the network.dns.question.type UDM field is set to 51. Else, if the dns_record_type field value is equal to TLSA, then the network.dns.question.type UDM field is set to 52. Else, if the dns_record_type field value is equal to SMIMEA, then the network.dns.question.type UDM field is set to 53. Else, if the dns_record_type field value is equal to UNASSIG, then the network.dns.question.type UDM field is set to 54. Else, if the dns_record_type field value is equal to HIP, then the network.dns.question.type UDM field is set to 55. Else, if the dns_record_type field value is equal to NINFO, then the network.dns.question.type UDM field is set to 56. Else, if the dns_record_type field value is equal to RKEY, then the network.dns.question.type UDM field is set to 57. Else, if the dns_record_type field value is equal to TALINK, then the network.dns.question.type UDM field is set to 58. Else, if the dns_record_type field value is equal to CDS, then the network.dns.question.type UDM field is set to 59. Else, if the dns_record_type field value is equal to CDNSKEY, then the network.dns.question.type UDM field is set to 60. Else, if the dns_record_type field value is equal to OPENPGP, then the network.dns.question.type UDM field is set to 61. Else, if the dns_record_type field value is equal to CSYNC, then the network.dns.question.type UDM field is set to 62. Else, if the dns_record_type field value is equal to ZONEMD, then the network.dns.question.type UDM field is set to 63. Else, if the dns_record_type field value is equal to SVCB, then the network.dns.question.type UDM field is set to 64. Else, if the dns_record_type field value is equal to HTTPS, then the network.dns.question.type UDM field is set to 65. Else, if the dns_record_type field value is equal to SPF, then the network.dns.question.type UDM field is set to 99. Else, if the dns_record_type field value is equal to UINFO, then the network.dns.question.type UDM field is set to 100. Else, if the dns_record_type field value is equal to UID, then the network.dns.question.type UDM field is set to 101. Else, if the dns_record_type field value is equal to GID, then the network.dns.question.type UDM field is set to 102. Else, if the dns_record_type field value is equal to UNSPEC, then the network.dns.question.type UDM field is set to 103. Else, if the dns_record_type field value is equal to NID, then the network.dns.question.type UDM field is set to 104. Else, if the dns_record_type field value is equal to L32, then the network.dns.question.type UDM field is set to 105. Else, if the dns_record_type field value is equal to L64, then the network.dns.question.type UDM field is set to 106. Else, if the dns_record_type field value is equal to LP, then the network.dns.question.type UDM field is set to 107. Else, if the dns_record_type field value is equal to EUI48, then the network.dns.question.type UDM field is set to 108. Else, if the dns_record_type field value is equal to EUI64, then the network.dns.question.type UDM field is set to 109. Else, if the dns_record_type field value is equal to TKEY, then the network.dns.question.type UDM field is set to 249. Else, if the dns_record_type field value is equal to TSIG, then the network.dns.question.type UDM field is set to 250. Else, if the dns_record_type field value is equal to IXFR, then the network.dns.question.type UDM field is set to 251. Else, if the dns_record_type field value is equal to AXFR, then the network.dns.question.type UDM field is set to 252. Else, if the dns_record_type field value is equal to MAILB, then the network.dns.question.type UDM field is set to 253. Else, if the dns_record_type field value is equal to MAILA, then the network.dns.question.type UDM field is set to 254. Else, if the dns_record_type field value is equal to ALL, then the network.dns.question.type UDM field is set to 255. Else, if the dns_record_type field value is equal to URI, then the network.dns.question.type UDM field is set to 256. Else, if the dns_record_type field value is equal to CAA, then the network.dns.question.type UDM field is set to 257. Else, if the dns_record_type field value is equal to AVC, then the network.dns.question.type UDM field is set to 258. Else, if the dns_record_type field value is equal to DOA, then the network.dns.question.type UDM field is set to 259. Else, if the dns_record_type field value is equal to AMTRELA, then the network.dns.question.type UDM field is set to 260. Else, if the dns_record_type field value is equal to TA, then the network.dns.question.type UDM field is set to 32768. Else, if the dns_record_type field value is equal to DLV, then the network.dns.question.type UDM field is set to 32769.
CLASS	network.dns.additional.class	PREREQUISITE SECTION CLASS
DATA	network.dns.additional.data	PREREQUISITE SECTION DATA
Name	network.dns.additional.name	PREREQUISITE SECTION Name
TTL	network.dns.additional.ttl	PREREQUISITE SECTION TTL
TYPE	network.dns.additional.type	PREREQUISITE SECTION TYPE
Flags	additional.fields.key/value.string_value	Grok: Extracted the Flags field from the raw log and then mapped the Flags field to the additional.fields.key/value.string_value UDM field.
CLASS	network.dns.additional.class	UPDATE SECTION CLASS
DATA	network.dns.additional.data	UPDATE SECTION DATA
Name	network.dns.additional.name	UPDATE SECTION Name
TTL	network.dns.additional.ttl	UPDATE SECTION TTL
TYPE	network.dns.additional.type	UPDATE SECTION TYPE
ZCLASS	network.dns.additional.class	ZONE SECTION ZCLASS
Name	network.dns.additional.name	ZONE SECTION Name
ZTYPE	network.dns.additional.type	ZONE SECTION ZTYPE
QR	additional.fields.key/value.string_value
OPCODE	additional.fields.key/value.string_value
AA	additional.fields.key/value.string_value
TC	additional.fields.key/value.string_value
RD	additional.fields.key/value.string_value
RA	additional.fields.key/value.string_value
Z	additional.fields.key/value.string_value
CD	additional.fields.key/value.string_value
AD	additional.fields.key/value.string_value
RCODE	additional.fields.key/value.string_value
ZCOUNT	additional.fields.key/value.string_value
PRECOUNT	additional.fields.key/value.string_value
ARCOUNT	additional.fields.key/value.string_value
UPCOUNT	additional.fields.key/value.string_value
QCOUNT	additional.fields.key/value.string_value
ACOUNT	additional.fields.key/value.string_value
NSCOUNT	additional.fields.key/value.string_value

Altri log

Campo log originale	Campo UDM	Nota
	network.dns.questions.name, target.hostname	Grok: Extracted the record_name field from the raw log and then mapped the record_name field to the network.dns.questions.name and target.hostname UDM field.
	network.dns.questions.type	Grok: Extracted the record_type field from the raw log. If the record_type field value is equal to A, then the network.dns.question.type UDM field is set to 1. Else, if the record_type field value is equal to NS, then the network.dns.question.type UDM field is set to 2. Else, if the record_type field value is equal to MD, then the network.dns.question.type UDM field is set to 3. Else, if the record_type field value is equal to MF, then the network.dns.question.type UDM field is set to 4. Else, if the record_type field value is equal to CNAME, then the network.dns.question.type UDM field is set to 5. Else, if the record_type field value is equal to SOA, then the network.dns.question.type UDM field is set to 6. Else, if the record_type field value is equal to MB, then the network.dns.question.type UDM field is set to 7. Else, if the record_type field value is equal to MG, then the network.dns.question.type UDM field is set to 8. Else, if the record_type field value is equal to MR, then the network.dns.question.type UDM field is set to 9. Else, if the record_type field value is equal to NULL, then the network.dns.question.type UDM field is set to 10. Else, if the record_type field value is equal to WKS, then the network.dns.question.type UDM field is set to 11. Else, if the record_type field value is equal to PTR, then the network.dns.question.type UDM field is set to 12. Else, if the record_type field value is equal to HINFO, then the network.dns.question.type UDM field is set to 13. Else, if the record_type field value is equal to MINFO, then the network.dns.question.type UDM field is set to 14. Else, if the record_type field value is equal to MX, then the network.dns.question.type UDM field is set to 15. Else, if the record_type field value is equal to TXT, then the network.dns.question.type UDM field is set to 16. Else, if the record_type field value is equal to RP, then the network.dns.question.type UDM field is set to 17. Else, if the record_type field value is equal to AFSDB, then the network.dns.question.type UDM field is set to 18. Else, if the record_type field value is equal to X25, then the network.dns.question.type UDM field is set to 19. Else, if the record_type field value is equal to ISDN, then the network.dns.question.type UDM field is set to 20. Else, if the record_type field value is equal to RT, then the network.dns.question.type UDM field is set to 21. Else, if the record_type field value is equal to NSAP, then the network.dns.question.type UDM field is set to 22. Else, if the record_type field value is equal to NSAP-PT, then the network.dns.question.type UDM field is set to 23. Else, if the record_type field value is equal to SIG, then the network.dns.question.type UDM field is set to 24. Else, if the record_type field value is equal to KEY, then the network.dns.question.type UDM field is set to 25. Else, if the record_type field value is equal to PX, then the network.dns.question.type UDM field is set to 26. Else, if the record_type field value is equal to GPOS, then the network.dns.question.type UDM field is set to 27. Else, if the record_type field value is equal to AAAA, then the network.dns.question.type UDM field is set to 28. Else, if the record_type field value is equal to LOC, then the network.dns.question.type UDM field is set to 29. Else, if the record_type field value is equal to NXT, then the network.dns.question.type UDM field is set to 30. Else, if the record_type field value is equal to EID, then the network.dns.question.type UDM field is set to 31. Else, if the record_type field value is equal to NIMLOC, then the network.dns.question.type UDM field is set to 32. Else, if the record_type field value is equal to SRV, then the network.dns.question.type UDM field is set to 33. Else, if the record_type field value is equal to ATMA, then the network.dns.question.type UDM field is set to 34. Else, if the record_type field value is equal to NAPTR, then the network.dns.question.type UDM field is set to 35. Else, if the record_type field value is equal to KX, then the network.dns.question.type UDM field is set to 36. Else, if the record_type field value is equal to CERT, then the network.dns.question.type UDM field is set to 37. Else, if the record_type field value is equal to A6, then the network.dns.question.type UDM field is set to 38. Else, if the record_type field value is equal to DNAME, then the network.dns.question.type UDM field is set to 39. Else, if the record_type field value is equal to SINK, then the network.dns.question.type UDM field is set to 40. Else, if the record_type field value is equal to OPT, then the network.dns.question.type UDM field is set to 41. Else, if the record_type field value is equal to APL, then the network.dns.question.type UDM field is set to 42. Else, if the record_type field value is equal to DS, then the network.dns.question.type UDM field is set to 43. Else, if the record_type field value is equal to SSHFP, then the network.dns.question.type UDM field is set to 44. Else, if the record_type field value is equal to IPSECKE, then the network.dns.question.type UDM field is set to 45. Else, if the record_type field value is equal to RRSIG, then the network.dns.question.type UDM field is set to 46. Else, if the record_type field value is equal to NSEC, then the network.dns.question.type UDM field is set to 47. Else, if the record_type field value is equal to DNSKEY, then the network.dns.question.type UDM field is set to 48. Else, if the record_type field value is equal to DHCID, then the network.dns.question.type UDM field is set to 49. Else, if the record_type field value is equal to NSEC3, then the network.dns.question.type UDM field is set to 50. Else, if the record_type field value is equal to NSEC3PA, then the network.dns.question.type UDM field is set to 51. Else, if the record_type field value is equal to TLSA, then the network.dns.question.type UDM field is set to 52. Else, if the record_type field value is equal to SMIMEA, then the network.dns.question.type UDM field is set to 53. Else, if the record_type field value is equal to UNASSIG, then the network.dns.question.type UDM field is set to 54. Else, if the record_type field value is equal to HIP, then the network.dns.question.type UDM field is set to 55. Else, if the record_type field value is equal to NINFO, then the network.dns.question.type UDM field is set to 56. Else, if the record_type field value is equal to RKEY, then the network.dns.question.type UDM field is set to 57. Else, if the record_type field value is equal to TALINK, then the network.dns.question.type UDM field is set to 58. Else, if the record_type field value is equal to CDS, then the network.dns.question.type UDM field is set to 59. Else, if the record_type field value is equal to CDNSKEY, then the network.dns.question.type UDM field is set to 60. Else, if the record_type field value is equal to OPENPGP, then the network.dns.question.type UDM field is set to 61. Else, if the record_type field value is equal to CSYNC, then the network.dns.question.type UDM field is set to 62. Else, if the record_type field value is equal to ZONEMD, then the network.dns.question.type UDM field is set to 63. Else, if the record_type field value is equal to SVCB, then the network.dns.question.type UDM field is set to 64. Else, if the record_type field value is equal to HTTPS, then the network.dns.question.type UDM field is set to 65. Else, if the record_type field value is equal to SPF, then the network.dns.question.type UDM field is set to 99. Else, if the record_type field value is equal to UINFO, then the network.dns.question.type UDM field is set to 100. Else, if the record_type field value is equal to UID, then the network.dns.question.type UDM field is set to 101. Else, if the record_type field value is equal to GID, then the network.dns.question.type UDM field is set to 102. Else, if the record_type field value is equal to UNSPEC, then the network.dns.question.type UDM field is set to 103. Else, if the record_type field value is equal to NID, then the network.dns.question.type UDM field is set to 104. Else, if the record_type field value is equal to L32, then the network.dns.question.type UDM field is set to 105. Else, if the record_type field value is equal to L64, then the network.dns.question.type UDM field is set to 106. Else, if the record_type field value is equal to LP, then the network.dns.question.type UDM field is set to 107. Else, if the record_type field value is equal to EUI48, then the network.dns.question.type UDM field is set to 108. Else, if the record_type field value is equal to EUI64, then the network.dns.question.type UDM field is set to 109. Else, if the record_type field value is equal to TKEY, then the network.dns.question.type UDM field is set to 249. Else, if the record_type field value is equal to TSIG, then the network.dns.question.type UDM field is set to 250. Else, if the record_type field value is equal to IXFR, then the network.dns.question.type UDM field is set to 251. Else, if the record_type field value is equal to AXFR, then the network.dns.question.type UDM field is set to 252. Else, if the record_type field value is equal to MAILB, then the network.dns.question.type UDM field is set to 253. Else, if the record_type field value is equal to MAILA, then the network.dns.question.type UDM field is set to 254. Else, if the record_type field value is equal to ALL, then the network.dns.question.type UDM field is set to 255. Else, if the record_type field value is equal to URI, then the network.dns.question.type UDM field is set to 256. Else, if the record_type field value is equal to CAA, then the network.dns.question.type UDM field is set to 257. Else, if the record_type field value is equal to AVC, then the network.dns.question.type UDM field is set to 258. Else, if the record_type field value is equal to DOA, then the network.dns.question.type UDM field is set to 259. Else, if the record_type field value is equal to AMTRELA, then the network.dns.question.type UDM field is set to 260. Else, if the record_type field value is equal to TA, then the network.dns.question.type UDM field is set to 32768. Else, if the record_type field value is equal to DLV, then the network.dns.question.type UDM field is set to 32769.
client	principal.ip	Grok: Extracted the client field from the raw log. If the value of the client field matches the regular expression ip, then the principal.ip UDM field is mapped to client. Else, principal.hostname UDM field is mapped to client.
	principal.hostname	Grok: Extracted the syslog_host field from the raw log. If the value of the client field matches the regular expression ip, then the principal.hostname UDM field is mapped to the syslog_host.
	network.dns.questions.class	Grok: Extracted the qclass field from the raw log. If the qclass field value is equal to IN, then network.dns.questions.class is set to 1. Else, if the qclass field value is equal to CH, then network.dns.questions.class is set to 3. Else, if the qclass field value is equal to HS, then network.dns.questions.class is set to 4.

Riferimento per la mappatura dei campi: da ID evento al tipo di evento UDM

Questa sezione descrive in che modo il parser mappa gli ID evento agli event_types UDM. In generale, gli eventi sono mappati al file metadata.event_type NETWORK_DNS, ad eccezione degli ID evento nella sezione seguente.