Good find. Out of curiosity, what version of bind are you using? What platform?
A simpler change would be to make the named_from look like:

<decoder name="named_from">
  <parent>named</parent>
  <regex offset="after_parent"> from [(\d+.\d+.\d+.\d+)]|from (\S+)#</regex>
  <order>srcip</order>
</decoder>

But this doesn't grab the domain.

On Wed, Aug 31, 2011 at 10:34 AM, Blauch Armand <[email protected]> wrote:
> Hello,
>
> I added a new decoder for named because one of my zone transfer logs
> doesn't extract the IP address. And I need the IP address for a rule.
>
> I think the decoder called "named_client" matches this kind of log:
> Aug 31 10:22:14 testsrv named[7582]: client 192.168.10.2#36877:
> transfer of '18.192.in-test.com/IN': AXFR started
>
> But I have another kind of log like this:
> Aug 31 15:45:02 testsrv named[7582]: transfer of 'domain.test.com/IN'
> from 192.168.10.2#53: Transfer completed: 6 messages, 6 records, 10
> bytes, 0.17 secs (75 bytes/sec)
>
> So I added this decoder:
> <decoder name="named_transfer">
>   <parent>named</parent>
>   <prematch>^transfer </prematch>
>   <regex offset="after_prematch">^of (\S+) from (\d+.\d+.\d+.\d+)#</regex>
>   <order>id, srcip</order>
> </decoder>
>
> Maybe some of you are interested in this decoder or in the log line?
>
> AB
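To see what each of the decoders in this thread actually extracts from the two quoted log lines, here is an added Python emulation of the OSSEC parent/child decoder flow (prematch gates the child, the regex runs after it, groups map to the <order> names, first matching child wins). It is example code written for this page, not OSSEC itself or anything from the thread. The two log lines are copied from Armand's message; the named_client decoder shape, the translation of OSSEC's any-character `.` into `\.`, and the allowlist helper at the end are my assumptions, not something the thread shows.

```python
import re

# Constructed input: the two BIND log lines quoted in the thread above.
LOG_LINES = [
    "Aug 31 10:22:14 testsrv named[7582]: client 192.168.10.2#36877: "
    "transfer of '18.192.in-test.com/IN': AXFR started",
    "Aug 31 15:45:02 testsrv named[7582]: transfer of 'domain.test.com/IN' "
    "from 192.168.10.2#53: Transfer completed: 6 messages, 6 records, 10 "
    "bytes, 0.17 secs (75 bytes/sec)",
]

# Parent decoder "named": syslog header with program name "named"; the
# captured group is what the child decoders see (OSSEC offset="after_parent").
PARENT = re.compile(r"^\w{3} +\d+ \d\d:\d\d:\d\d \S+ named\[\d+\]: (.*)$")

# ASSUMED shape of the stock named_client decoder (the thread does not show it).
NAMED_CLIENT = {
    "name": "named_client",
    "prematch": re.compile(r"^client "),
    "regex": re.compile(r"^(\S+)#"),
    "order": ["srcip"],
}

# Armand's named_transfer, with "\." for the dots (OSSEC's bare "." is any char).
NAMED_TRANSFER = {
    "name": "named_transfer",
    "prematch": re.compile(r"^transfer "),
    "regex": re.compile(r"^of (\S+) from (\d+\.\d+\.\d+\.\d+)#"),
    "order": ["id", "srcip"],
}

# The "from (\S+)#" branch of the reply's simpler named_from (no prematch).
NAMED_FROM = {
    "name": "named_from",
    "prematch": None,
    "regex": re.compile(r" from (\S+)#"),
    "order": ["srcip"],
}

CHILDREN = [NAMED_CLIENT, NAMED_TRANSFER, NAMED_FROM]


def decode(line, children=CHILDREN):
    """Return (decoder_name, fields) for the first child whose prematch and
    regex both hit, or ("named", {}) if only the parent matched, or
    (None, {}) if the line is not a named line at all."""
    m = PARENT.match(line)
    if not m:
        return None, {}
    text = m.group(1)
    for dec in children:
        rest = text
        if dec["prematch"] is not None:
            pm = dec["prematch"].match(text)
            if not pm:
                continue
            rest = text[pm.end():]          # offset="after_prematch"
        rm = dec["regex"].search(rest)      # OSSEC regex is unanchored unless ^
        if not rm:
            continue
        return dec["name"], dict(zip(dec["order"], rm.groups()))
    return "named", {}


def unexpected_transfer(fields, allowed_peers):
    """Hypothetical rule check: flag a zone transfer whose srcip is not one of
    the secondaries we expect (the IP is what Armand needs the decoder for)."""
    ip = fields.get("srcip")
    return ip is not None and ip not in allowed_peers


if __name__ == "__main__":
    for line in LOG_LINES:
        name, fields = decode(line)
        print(name, fields, "ALERT" if unexpected_transfer(fields, {"10.0.0.5"}) else "")
```

Note that with the decoder exactly as posted the `id` field keeps the surrounding single quotes (`'domain.test.com/IN'`), because `\S+` swallows them; matching `^of '(\S+)' from` instead would give a bare zone name, which is easier to compare against in a rule. Also keep named_transfer ahead of any catch-all `from (\S+)#` decoder in the child list, since the first child that matches wins and the simpler one would never yield the zone.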
