Hello,

Thanks for the modification in the "named_from" decoder, I just tried it, and it works fine. I think I'll use this one (I'm not sure I need to grab the domain). The bind version on my test lab is 9.5.0.

AB

On 31 August, 22:42, "dan (ddp)" <[email protected]> wrote:
> Good find. Out of curiosity, what version of bind are you using? What
> platform?
>
> A simpler change would be to make the named_from look like:
>
> <decoder name="named_from">
>   <parent>named</parent>
>   <regex offset="after_parent"> from [(\d+.\d+.\d+.\d+)]|from (\S+)#</regex>
>   <order>srcip</order>
> </decoder>
>
> But this doesn't grab the domain.
>
> On Wed, Aug 31, 2011 at 10:34 AM, Blauch Armand <[email protected]> wrote:
> > Hello,
> >
> > I added a new decoder for named because one of my zone transfer logs
> > doesn't extract the IP address. And I need the IP address for a rule.
> >
> > I think the decoder called "named_client" matches this kind of log:
> > Aug 31 10:22:14 testsrv named[7582]: client 192.168.10.2#36877:
> > transfer of '18.192.in-test.com/IN': AXFR started
> >
> > But I have another kind of log like this:
> > Aug 31 15:45:02 testsrv named[7582]: transfer of 'domain.test.com/IN'
> > from 192.168.10.2#53: Transfer completed: 6 messages, 6 records, 10
> > bytes, 0.17 secs (75 bytes/sec)
> >
> > So I added this decoder:
> > <decoder name="named_transfer">
> >   <parent>named</parent>
> >   <prematch>^transfer </prematch>
> >   <regex offset="after_prematch">^of (\S+) from (\d+.\d+.\d+.\d+)#</regex>
> >   <order>id, srcip</order>
> > </decoder>
> >
> > Maybe some of you are interested in this decoder or in the log line?
> >
> > AB
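The following is an added example, not code from the thread or from OSSEC itself: a small Python stand-in for OSSEC's parent/child decoder chain, run over constructed copies of the two log lines quoted above (plus a third "from [ip]" line of the shape the stock named_from decoder targets). It shows why the stock named_client/named_from pair extracts no srcip from the "transfer of ... from ip#port" line, what Armand's named_transfer decoder yields (id and srcip), and what dan's alternation in named_from yields (srcip only). The stock named_from regex is assumed from the version quoted in dan's reply; the patterns are translated from OSSEC's regex dialect into Python's `re` (dots escaped, alternation handled by taking the groups that matched), so this is a model of the decoders' behaviour, not OSSEC's own matching engine.

```python
import re

# Constructed sample lines shaped like the ones in the thread
# (hostname, pid and timestamps are made up).
LOGS = [
    "Aug 31 10:22:14 testsrv named[7582]: client 192.168.10.2#36877: "
    "transfer of '18.192.in-test.com/IN': AXFR started",
    "Aug 31 15:45:02 testsrv named[7582]: transfer of 'domain.test.com/IN' "
    "from 192.168.10.2#53: Transfer completed: 6 messages, 6 records, 10 "
    "bytes, 0.17 secs (75 bytes/sec)",
    "Aug 31 16:01:09 testsrv named[7582]: received control channel command "
    "from [127.0.0.1]",
]

# Syslog header: "Mon DD HH:MM:SS host program[pid]: message".
SYSLOG_RE = re.compile(r"^\w{3} +\d+ \d\d:\d\d:\d\d (\S+) (\w+)(?:\[\d+\])?: (.*)$")

# OSSEC's "\d+.\d+.\d+.\d+" lets "." match any character; the Python
# translation escapes the dots, which is stricter but decodes the same lines.
IP = r"(\d+\.\d+\.\d+\.\d+)"


class Decoder:
    """Minimal model of one OSSEC child decoder: prematch, regex, order."""

    def __init__(self, name, order, regex, prematch=None):
        self.name = name
        self.order = order                       # field names from <order>
        self.regex = re.compile(regex)
        self.prematch = re.compile(prematch) if prematch else None

    def decode(self, msg):
        """Return {field: value} if this decoder matches msg, else None."""
        body = msg
        if self.prematch is not None:
            pm = self.prematch.search(msg)
            if pm is None:
                return None
            body = msg[pm.end():]                # offset="after_prematch"
        m = self.regex.search(body)              # offset="after_parent": whole message
        if m is None:
            return None
        # With alternation only one branch captures; fill <order> from the
        # groups that actually matched and drop the empty ones.
        return dict(zip(self.order, [g for g in m.groups() if g is not None]))


# Stock named_client / named_from (assumed from the reply's quoted regex),
# plus the two variants proposed in the thread.
NAMED_CLIENT = Decoder("named_client", ["srcip"], r"^" + IP + r"#", prematch=r"^client ")
NAMED_FROM_STOCK = Decoder("named_from", ["srcip"], r" from \[" + IP + r"\]")
NAMED_FROM_DAN = Decoder("named_from", ["srcip"], r" from \[" + IP + r"\]|from (\S+)#")
NAMED_TRANSFER = Decoder("named_transfer", ["id", "srcip"],
                         r"^of (\S+) from " + IP + r"#", prematch=r"^transfer ")

STOCK = [NAMED_CLIENT, NAMED_FROM_STOCK]                    # before the thread
WITH_TRANSFER = [NAMED_CLIENT, NAMED_TRANSFER, NAMED_FROM_STOCK]  # Armand's addition
WITH_DAN = [NAMED_CLIENT, NAMED_FROM_DAN]                   # dan's simpler change


def decode_line(line, decoders):
    """Apply the parent 'named' decoder, then the first child that matches."""
    m = SYSLOG_RE.match(line)
    if m is None or m.group(2) != "named":     # parent: <program_name>^named</program_name>
        return None
    msg = m.group(3)
    for d in decoders:
        fields = d.decode(msg)
        if fields is not None:
            return {"decoder": d.name, **fields}
    return {"decoder": "named"}                # parent matched, no child extracted fields


if __name__ == "__main__":
    for label, chain in (("stock", STOCK), ("named_transfer", WITH_TRANSFER),
                         ("dan's named_from", WITH_DAN)):
        print("==", label)
        for line in LOGS:
            print("  ", decode_line(line, chain))
```

Running it shows the point of the thread in one glance: under the stock chain the second line decodes only as the parent "named" with no srcip, so a rule keyed on srcip cannot fire; named_transfer gives both id (the quoted zone name, quotes included, since `\S+` keeps them) and srcip; dan's alternation gives srcip alone. Child order matters in the same way it does in OSSEC's decoder.xml: the first child whose prematch and regex both hit wins, so named_transfer has to sit before the catch-all named_from.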
