syslog-ng/config/syslog-ng.conf.d/bind-dns.conf


# Select log lines whose MESSAGE contains the token "bind9". message() is a
# PCRE match, so this is a substring test, not an exact comparison: any message
# carrying that token, from any sender reaching the source, takes this path.
filter f_bind9 {
    message("bind9");
};
# Tokenises a docker log prefix in-place inside MESSAGE by inserting
# "image:", "version:", "container_name:", "pid:" and "datetime:" labels.
# Not referenced by the log path at the bottom of this file (which uses
# r_bind_docker_header instead), so it is dead configuration unless another
# file includes it.
rewrite r_docker_image {
# Replace the private-registry prefix with the "image:" label.
subst("^5000/tlp/", "image:", value("MESSAGE"));
# NOTE(review): this pattern is in double quotes while the ones below use single
# quotes; syslog-ng treats backslash as an escape inside double-quoted strings,
# so "\d" and "\." may not reach PCRE as written -- confirm it matches.
subst(":(?=(\d*\.\d*\.\d*))", " version:", value("MESSAGE"));
subst('(\/)(?=\S*\[)', " container_name:", value("MESSAGE"));
# NOTE(review): "(?!=" is a negative lookahead for a literal "=" followed by the
# group, not a lookbehind, so each of the following anchors almost always
# succeeds and the pattern reduces to the part after the group (e.g. "\[" before
# digits). "(?<=" was probably intended; PCRE lookbehind must be fixed-width, so
# the patterns would need reworking -- confirm intent before enabling this block.
subst('((?!=container_name:(\S*))\[(?=\d*))', " pid:", value("MESSAGE"));
subst('((?!=pid:(\d*))\]:)', "", value("MESSAGE"));
subst('((?!=pid:(\d*))\ )', " datetime:", value("MESSAGE"));
# Join the date and time with "_" and turn the time's ":" separators into ".".
subst('((?!=datetime:(\d*-\w*-\d*))\ )', "_", value("MESSAGE"));
subst('((?!=datetime:(\d*-\w*-\d*_\d*)):)', ".", value("MESSAGE"));
subst('((?!=datetime:(\d*-\w*-\d*_\d*\.\d*)):)', ".", value("MESSAGE"));
};
# Split the raw bind9 query log line on spaces into named fields. The first
# token is the docker log prefix (consumed by r_bind_docker_header below); the
# remaining names describe the position each token holds in the query line.
# Several of these values (query name, class, type) originate from DNS clients
# and should be treated as untrusted data downstream.
parser p_bind_message {
    csv-parser(
        delimiters(" ")
        flags(strip-whitespace)
        columns(
            "docker",
            "bind9.log.date", "bind9.log.time",
            "bind9.client.header", "bind9.client.object_id",
            "bind9.client.ip_port", "bind9.client.request",
            "bind9.query.header", "bind9.query.request",
            "bind9.query.class", "bind9.query.type", "bind9.query.flags"
        )
    );
};
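# Normalise the docker log prefix held in ${docker} into a space-separated
# "image version container pid" string that p_bind_docker_header can split.
rewrite r_bind_docker_header {
    # Drop the private-registry prefix.
    subst("5000\/tlp\/", "", value("docker"));
    # Turn every ':' into a separator. The original issued the same
    # single-occurrence subst() twice to reach exactly two colons; flags(global)
    # replaces all of them and does not depend on the count.
    subst(":", " ", value("docker") flags(global));
    # Remaining punctuation ("image/container[pid]") becomes separators too.
    subst("\/", " ", value("docker"));
    subst('\[', " ", value("docker"));
    subst('\]', " ", value("docker"));
};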
# Split the whitespace-normalised ${docker} prefix into image name, image
# version, container name and container pid. Only meaningful after
# r_bind_docker_header has run.
parser p_bind_docker_header {
    csv-parser(
        template("${docker}")
        delimiters(" ")
        flags(strip-whitespace)
        columns(
            "docker.image.name",
            "docker.image.version",
            "docker.container.name",
            "docker.container.pid"
        )
    );
};
# Split the client "ip_port" field, which joins address and port with '#',
# into separate bind9.client.ip and bind9.client.port fields. The '#' separator
# keeps this safe for IPv6 addresses, which contain ':' but never '#'.
parser p_client_ip_port {
    csv-parser(
        template("${bind9.client.ip_port}")
        delimiters("#")
        flags(strip-whitespace)
        columns("bind9.client.ip", "bind9.client.port")
    );
};
# Enrich each event with city-level GeoIP data for the parsed client address,
# storing the lookup results under geoip2.source.* name-value pairs.
parser p_bind_client_ip_geoip2_city {
    geoip2(
        "${bind9.client.ip}",
        database("/usr/local/share/GeoIP/GeoLite2-City.mmdb")
        prefix("geoip2.source.")
    );
};
# Elasticsearch bulk destination for the parsed bind9 events. Not referenced by
# the log path below, which sends to d_telegraf; keep or remove deliberately.
# NOTE(review): url() is plain http:// and no credentials are configured here, so
# client IPs and query names cross the network in the clear; if the cluster
# supports it, prefer an https:// URL with the http() tls()/user()/password()
# options -- confirm how this endpoint is reached.
# The template emits rfc5424 fields plus all name-value pairs as JSON;
# "--rekey .* --shift 1" strips the leading dot from dot-nv-pair names and
# @timestamp is set from ${ISODATE}.
destination d_bind_logs { elasticsearch-http(index("bind9-logs") type("") url("http://pi501.in.thelinuxpro.net:9200/_bulk") template("$(format-json --scope rfc5424 --scope dot-nv-pairs --rekey .* --shift 1 --scope nv-pairs --exclude DATE @timestamp=${ISODATE})")); };
# Processing pipeline for bind9 query logs. Element order matters: each parser
# relies on fields produced by the step before it.
log {
    source(s_network_udp);                 # defined outside this file
    filter(f_bind9);                       # keep only lines containing "bind9"
    parser(p_bind_message);                # tokenise the line into named fields
    rewrite(r_bind_docker_header);         # normalise the docker prefix in ${docker}
    parser(p_bind_docker_header);          # split it into image/version/container/pid
    parser(p_client_ip_port);              # split "ip#port" into ip and port
    parser(p_bind_client_ip_geoip2_city);  # add geoip2.source.* enrichment
    destination(d_telegraf);               # defined outside this file; d_bind_logs above is unused here
    flags(final);                          # matched messages are not handed to later log paths
};