I have Named (Bind 4) dns-query logs like these:
Sep 17 11:05:33 central.ns.1 named[13705]: 17-Sep-2020 11:05:33.399 client 10.127.0.9#50507 (19.img.avito.st): query: 19.img.avito.st IN A +EDC (10.127.4.28)
Sep 17 11:05:34 central.ns.2 named[16335]: 17-Sep-2020 11:05:33.411 client 10.127.0.8#54091 (api.aliradar.com): query: api.aliradar.com IN A +EDC (10.127.4.30)
And I created grok patterns like these:
if [type] == "dns" {
    grok {
        match => { "message" => '%{MONTH:syslog_month} +%{MONTHDAY:syslog_day} %{TIME:syslog_time} %{IPORHOST:syslog_hostname} %{WORD:syslog_tag}: %{BIND9_TIMESTAMP:timestamp} client %{IP:clientip}#%{POSINT:clientport} \(%{GREEDYDATA:query_one}\): query: %{GREEDYDATA:query_two} IN %{GREEDYDATA:querytype} \(%{IP:dns}\)' }
    }
}
But it looks like these patterns don't work. Can anyone share grok patterns for Named?
Here is the grok pattern that matches your log:
%{SYSLOGTIMESTAMP:time} %{IPORHOST:syslog_hostname} %{DATA:syslog_tag}\: (?<timestamp>%{MONTHDAY}-%{MONTH}-%{YEAR} %{TIME}) client %{IP:clientip}#%{POSINT:clientport} \(%{DATA:query_one}\)\: query\: %{DATA:query_two} IN %{GREEDYDATA:querytype} \(%{IP:dns}\)
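Added example, not part of the question or of the answer above: a miniature grok engine in plain Python that expands `%{NAME:field}` references into a regex, so both patterns on this page can be run offline over the two posted log lines. The pattern definitions are a subset of the stock Logstash library reproduced from memory and simplified (IPv6 dropped from `IP`, the exact text of `BIND9_TIMESTAMP` is assumed); `grok_to_regex`, `grok_match` and `parse_bind_query_logs` are names chosen here. Running it shows the single token that breaks the question's pattern: `%{WORD:syslog_tag}` cannot match `named[13705]` because `[` is not a word character, and swapping that one token for `%{DATA:syslog_tag}` makes the original pattern match.

```python
import re

# Subset of the stock Logstash grok library, as plain regexes (reproduced from
# memory; simplified: IPv6 omitted, HOSTNAME's capturing group made non-capturing).
GROK_PATTERNS = {
    "MONTH": r"\b(?:Jan(?:uary)?|Feb(?:ruary)?|Mar(?:ch)?|Apr(?:il)?|May|Jun(?:e)?"
             r"|Jul(?:y)?|Aug(?:ust)?|Sep(?:tember)?|Oct(?:ober)?|Nov(?:ember)?|Dec(?:ember)?)\b",
    "MONTHDAY": r"(?:(?:0[1-9])|(?:[12][0-9])|(?:3[01])|[1-9])",
    "YEAR": r"(?:\d\d){1,2}",
    "HOUR": r"(?:2[0123]|[01]?[0-9])",
    "MINUTE": r"(?:[0-5][0-9])",
    "SECOND": r"(?:(?:[0-5]?[0-9]|60)(?:[:.,][0-9]+)?)",   # allows 33.399
    "TIME": r"(?<![0-9])%{HOUR}:%{MINUTE}(?::%{SECOND})(?![0-9])",
    "SYSLOGTIMESTAMP": r"%{MONTH} +%{MONTHDAY} %{TIME}",
    # Assumed text of BIND9_TIMESTAMP from logstash-patterns-core's bind file.
    "BIND9_TIMESTAMP": r"%{MONTHDAY}[-]%{MONTH}[-]%{YEAR} %{TIME}",
    "IPV4": r"(?<![0-9])(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}"
            r"(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(?![0-9])",
    "IP": r"%{IPV4}",
    "HOSTNAME": r"\b(?:[0-9A-Za-z][0-9A-Za-z-]{0,62})"
                r"(?:\.(?:[0-9A-Za-z][0-9A-Za-z-]{0,62}))*(?:\.?|\b)",
    "IPORHOST": r"(?:%{IP}|%{HOSTNAME})",
    "POSINT": r"\b(?:[1-9][0-9]*)\b",
    "WORD": r"\b\w+\b",          # word characters only: no '[', ']' or ':'
    "DATA": r".*?",
    "GREEDYDATA": r".*",
}

_REF = re.compile(r"%\{(\w+)(?::(\w+))?\}")


def grok_to_regex(pattern: str) -> str:
    """Recursively expand %{NAME} / %{NAME:field} into one Python regex."""
    def expand(m):
        name, field = m.group(1), m.group(2)
        body = grok_to_regex(GROK_PATTERNS[name])
        return f"(?P<{field}>{body})" if field else f"(?:{body})"
    expanded = _REF.sub(expand, pattern)
    # Oniguruma's (?<name>...) named group is spelled (?P<name>...) in Python.
    return re.sub(r"\(\?<(\w+)>", r"(?P<\1>", expanded)


def grok_match(pattern: str, line: str):
    """Captured fields as a dict, or None. Grok is unanchored, hence re.search."""
    m = re.search(grok_to_regex(pattern), line)
    return m.groupdict() if m else None


# The two log lines posted in the question.
SAMPLE_LOGS = [
    "Sep 17 11:05:33 central.ns.1 named[13705]: 17-Sep-2020 11:05:33.399 client "
    "10.127.0.9#50507 (19.img.avito.st): query: 19.img.avito.st IN A +EDC (10.127.4.28)",
    "Sep 17 11:05:34 central.ns.2 named[16335]: 17-Sep-2020 11:05:33.411 client "
    "10.127.0.8#54091 (api.aliradar.com): query: api.aliradar.com IN A +EDC (10.127.4.30)",
]

# The pattern from the question (does not match) and the one from the answer (does).
QUESTION_PATTERN = (
    r"%{MONTH:syslog_month} +%{MONTHDAY:syslog_day} %{TIME:syslog_time} "
    r"%{IPORHOST:syslog_hostname} %{WORD:syslog_tag}: %{BIND9_TIMESTAMP:timestamp} "
    r"client %{IP:clientip}#%{POSINT:clientport} \(%{GREEDYDATA:query_one}\): "
    r"query: %{GREEDYDATA:query_two} IN %{GREEDYDATA:querytype} \(%{IP:dns}\)"
)
ANSWER_PATTERN = (
    r"%{SYSLOGTIMESTAMP:time} %{IPORHOST:syslog_hostname} %{DATA:syslog_tag}\: "
    r"(?<timestamp>%{MONTHDAY}-%{MONTH}-%{YEAR} %{TIME}) client %{IP:clientip}#"
    r"%{POSINT:clientport} \(%{DATA:query_one}\)\: query\: %{DATA:query_two} IN "
    r"%{GREEDYDATA:querytype} \(%{IP:dns}\)"
)


def parse_bind_query_logs(lines, pattern=ANSWER_PATTERN):
    """Parse query-log lines; also split 'A +EDC' into record type and flag string."""
    parsed = []
    for line in lines:
        fields = grok_match(pattern, line)
        if fields is None:
            continue   # a real pipeline would tag _grokparsefailure here
        rtype, _, flags = fields["querytype"].partition(" ")
        fields["qtype"], fields["flags"] = rtype, flags
        parsed.append(fields)
    return parsed


if __name__ == "__main__":
    print("question pattern matches:", grok_match(QUESTION_PATTERN, SAMPLE_LOGS[0]) is not None)
    fixed = QUESTION_PATTERN.replace("%{WORD:syslog_tag}", "%{DATA:syslog_tag}")
    print("same pattern with WORD -> DATA:", grok_match(fixed, SAMPLE_LOGS[0]) is not None)
    for f in parse_bind_query_logs(SAMPLE_LOGS):
        print(f["timestamp"], f["clientip"], f["query_two"], f["qtype"], f["flags"], f["dns"])
```

The same isolation trick works inside Logstash: feed one line through the grok filter, drop tokens from the right end of the pattern until it matches, and the first token you removed is the one that disagrees with the input.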