From ba51bbdcee203bcad081aa2580bd07e26b8e770d Mon Sep 17 00:00:00 2001
From: Kameron Kenny <1267885+kkenny@users.noreply.github.com>
Date: Wed, 19 Jun 2024 16:04:34 -0400
Subject: [PATCH] bind parsing

---
 Dockerfile | 2 +-
 config/syslog-ng.conf.d/bind-dns.conf | 29 +++++++++++++++++++++++++--
 docker-compose.yml | 2 +-
 3 files changed, 29 insertions(+), 4 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index 5de8ff0..89fdbaf 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,7 +1,7 @@
 FROM debian:latest
 MAINTAINER Kameron Kenny
-LABEL version="20240619.1.4"
+LABEL version="20240619.1.5"
 LABEL description="Debian Based syslog-ng"
 RUN apt-get update
diff --git a/config/syslog-ng.conf.d/bind-dns.conf b/config/syslog-ng.conf.d/bind-dns.conf
index b261e15..ee89763 100644
--- a/config/syslog-ng.conf.d/bind-dns.conf
+++ b/config/syslog-ng.conf.d/bind-dns.conf
@@ -1,6 +1,27 @@
 filter f_bind9_primary { message("bind9-primary"); };
 filter f_bind9_secondary { message("bind9-secondary"); };
 
+rewrite r_docker_image {
+ subst("^5000/tlp/", "image:", value("MESSAGE"));
+ subst(":(?=(\d*\.\d*\.\d*))", " version:", value("MESSAGE"));
+ subst('(\/)(?=\S*\[)', " container_name:", value("MESSAGE"));
+ subst('((?!=container_name:(\S*))\[(?=\d*))', " pid:", value("MESSAGE"));
+ subst('((?!=pid:(\d*))\]:)', "", value("MESSAGE"));
+ subst('((?!=pid:(\d*))\ )', " datetime:", value("MESSAGE"));
+ subst('((?!=datetime:(\d*-\w*-\d*))\ )', "_", value("MESSAGE"));
+ subst('((?!=datetime:(\d*-\w*-\d*_\d*)):)', ".", value("MESSAGE"));
+ subst('((?!=datetime:(\d*-\w*-\d*_\d*\.\d*)):)', ".", value("MESSAGE"));
+};
+
+parser p_bind_message {
+ csv-parser(
+ prefix("bind9.")
+ flags(strip-whitespace)
+ delimiters(" ")
+ columns("docker_header", "date", "time", "client.header", "client.object_id", "client.ip_port", "client.request", "query.header", "query.request", "query.class", "query.type", "query.flags")
+ );
+};
+
 parser p_bind_kv {
 kv-parser(
 prefix("bind9.")
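Review bot: The `(?!=…)` groups in r_docker_image are negative lookaheads for a literal `=`, not lookbehinds, so from the fourth subst() onward nothing is anchored on the label the previous step inserted — `'((?!=pid:(\d*))\]:)'` simply matches the first `]:` anywhere in MESSAGE — and `(?=\d*)` matches the empty string, so it constrains nothing either. PCRE lookbehind `(?<=…)` would need fixed-width patterns (no `\S*`/`\d*`), so this rewrite cannot be repaired by swapping the operator; since both log paths later in this patch leave it commented out, it should be reworked or dropped rather than shipped as dead config. In p_bind_message the positional columns() list assumes every bind9 line is a query-log line; if the source is BIND's standard querylog the trailing responding-server `(ip)` token has no column, and any other message category (denied/refused, notify, zone transfer) gets its tokens filed under client.* and query.* names. Without `flags(drop-invalid)` csv-parser does not reject a line whose token count differs, so that mislabelling is silent on the destination side; gating the parser with `filter f_bind9_query { match("query:" value("MESSAGE")); };` (constructed name) in the log path, and adding a trailing column for the server address, would keep the field names honest for whoever consumes these logs downstream.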
@@ -33,7 +54,9 @@ destination d_bind_logs {
 log {
 source(s_network_udp);
 filter(f_bind9_primary);
- parser(p_bind_kv);
+ parser(p_bind_message);
+ # rewrite(r_docker_image);
+ #parser(p_bind_kv);
 destination(d_bind_logs);
 flags(final);
 };
@@ -41,7 +64,9 @@ log {
 log {
 source(s_network_udp);
 filter(f_bind9_secondary);
- parser(p_bind_kv);
+ parser(p_bind_message);
+# rewrite(r_docker_image);
+# parser(p_bind_kv);
 destination(d_bind_logs);
 flags(final);
 };
diff --git a/docker-compose.yml b/docker-compose.yml
index 7c9ed1b..0fb1460 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -10,7 +10,7 @@ services:
 syslog-ng:
 build:
 dockerfile: Dockerfile
- image: docker-registry1.in.thelinuxpro.net:5000/tlp/syslog-ng:240619.1.4
+ image: docker-registry1.in.thelinuxpro.net:5000/tlp/syslog-ng:240619.1.5
 container_name: syslog-ng
 #environment:
 #- TZ:America/Indianapolis
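Review bot: Both log paths now carry commented-out `rewrite(r_docker_image)` and `parser(p_bind_kv)` lines with no explanation, and the two hunks comment them differently (`# rewrite` / `#parser` indented inside the block in the f_bind9_primary path, `# rewrite` / `# parser` at column 0 in the f_bind9_secondary path); the second hunk has the same issue. If they are meant as a reminder, a one-line why-comment above them such as `# TODO: r_docker_image patterns are not anchored correctly yet; re-enable once fixed` would tell the next maintainer the plan, otherwise drop them since git history keeps the old parser. Because p_bind_kv is no longer reachable from either path and p_bind_message uses the same `bind9.` prefix, the key/value fields the kv parser produced are replaced in d_bind_logs by positional csv columns with different names, so any downstream consumer keyed on the old field names presumably needs updating — worth stating in the commit description. The destination d_bind_logs referenced by both paths starts before this hunk and is not visible here.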