Filter DNS events by domain

arodier-pirum · January 24, 2022, 3:55pm

Hi,

We have a lot of internal DNS queries, and I wonder if there is a way to filter the DNS events in Suricata eve.json file.

For instance, I don’t see in the doc any filtering option, based for instance on the DNS domain.

Thanks for your help.

Andre

sgroenev · January 26, 2022, 12:59pm

cat (or tail) /var/log/suricata/eve.json | grep -i [domain]?

Or use something like ELK / Splunk for further querying?

Topic		Replies	Views
Cannot disable dns events in eve.json	1	1740	September 16, 2020
Data.event.type= dns issue	10	45	November 4, 2024
Eve.json only shows "event_type":"flow" Help	7	1655	October 22, 2020
Filter dns query by wildcard rather then by ip address Help rules	5	958	May 8, 2023
Ignoring noisy events (dns, http) Help	9	1292	March 8, 2024