Can someone please help me on this extractors and dashboards?

Hi Guys,

I have pfsense on which have built DNS sinkhole even original contributor have created a JSON extractors and Input. However my application on pfsense is working absolutely fine and generating logs in local dns resolver. However when the Input is created on graylog2 nothing is appearing appropriately or no logs are appearing.

Can someone pls help me to troubleshoot? Here are the extractors link.

https://sourceforge.net/projects/cleandns/files/stuff/CleanDNS%20-%20GrayLog%20Content%20Pack/

What input have you created? What’s the configuration of that input?
What’s the configuration of the clients sending messages to that input?

Please find my answers below

What input have you created?
CleanDNS_INPUT Syslog UDP

allow_override_date: true
bind_address: 0.0.0.0
expand_structured_data: false
force_rdns: false
override_source: <empty>
port: 5353
recv_buffer_size: 262144
store_full_message: true

What’s the configuration of that input?
We have provided above

What’s the configuration of the clients sending messages to that input?
This is just ipaddress:5353 port at pfsense box

What does that configure exactly?

That is forwarding the dnsreolver logs for DNS sinkhole to ipaddress of graylog server on UDP port 5353

Please let me know if any more information needed.

Here are those logs.

Jul 27 23:43:27	named	77540	general: warning: checkhints: view cleandns: b.root-servers.net/AAAA (2001:500:84::b) extra record in hints
Jul 27 23:43:27	named	77540	general: warning: checkhints: view cleandns: b.root-servers.net/AAAA (2001:500:200::b) missing from hints

Here are couple more

Jul 27 23:43:27	named	77540	queries: info: client @0x803076600 172.16.3.15#25668 (b.googlemail.l.google.com): view cleandns: query: b.googlemail.l.google.com IN A +E(0)D (172.16.3.44)
Jul 27 23:43:23	named	77540	general: warning: checkhints: view cleandns: b.root-servers.net/AAAA (2001:500:84::b) extra record in hints
Jul 27 23:43:23	named	77540	general: warning: checkhints: view cleandns: b.root-servers.net/AAAA (2001:500:200::b) missing from hints
Jul 27 23:43:23	named	77540	queries: info: client @0x804035800 172.16.3.15#24040 (clients.l.google.com): view cleandns: query: clients.l.google.com IN A +E(0)D (172.16.3.44)
Jul 27 23:43:20	named	77540	general: warning: checkhints: view cleandns: b.root-servers.net/AAAA (2001:500:84::b) extra record in hints
Jul 27 23:43:20	named	77540	general: warning: checkhints: view cleandns: b.root-servers.net/AAAA (2001:500:200::b) missing from hints

Does pfSense send these in valid syslog messages adhering to RFC 3164 or RFC 5424?

Try using a Raw/Plaintext UDP input instead.

Hmm let me try!!! But thing here is. Since the solution deployed on pfsense is DNS sinkhole which will blockhole the malicious domains I need to see the domains which are matched or IP addresses which tried accessing those domains and crate graph basis on that.

This is the reason the original developer had created Content pack which I directly tried importing which didnt work. Hence was requesting community help.

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.