dnstap to Splunk

Crist Clark cjc+bind-users at pumpky.net
Fri May 20 18:10:47 UTC 2022


Anyone out there trying to dump dnstap data into Splunk in
real-time or near-real-time?

I was frankly kind of surprised when I searched the Splunk docs
site and got "No results. We did not find any pages on Splunk.com
that matched dnstap."

Googling didn't fare a whole lot better. But this must be something
people out there do?

Today, we're dumping query logs from BIND into Splunk, but with
some servers trying to send logs for a few thousand queries
per second, we've had some problems. Looking ahead, we're planning
to do some server consolidation which will only up the qps on each
server even more. Dnstap seems like a possible solution.

I was hoping a Splunk module or add-on existed to eat dnstap
data directly, but that first search put a damper on that. Guess
we need to deploy middleware?
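One shape that middleware can take, as an added example that is not the poster's code and not anything shipped by BIND, dnstap or Splunk: it walks Frame Streams data frames, decodes the dnstap protobuf by hand (field numbers and enum values as in dnstap.proto, so no protobuf library is needed), pulls the qname and qtype out of the wire-format DNS query, and emits one Splunk HEC-style JSON event per message. The sample stream, the identity `ns1.example.net`, the client address 192.0.2.10 and the sourcetype name `dnstap` are all constructed for the example.

```python
"""Added example (not from the original post, BIND, dnstap or Splunk):
Frame Streams -> dnstap protobuf -> Splunk HEC-style JSON lines."""
import json
import socket
import struct

# Enum values and field numbers follow dnstap.proto (Dnstap / Message).
MESSAGE_TYPES = {1: "AUTH_QUERY", 2: "AUTH_RESPONSE", 3: "RESOLVER_QUERY",
                 4: "RESOLVER_RESPONSE", 5: "CLIENT_QUERY", 6: "CLIENT_RESPONSE",
                 7: "FORWARDER_QUERY", 8: "FORWARDER_RESPONSE"}
SOCKET_FAMILY = {1: "INET", 2: "INET6"}
SOCKET_PROTOCOL = {1: "UDP", 2: "TCP"}


def _read_varint(buf, pos):
    result, shift = 0, 0
    while True:
        b, pos = buf[pos], pos + 1
        result |= (b & 0x7F) << shift
        if not b & 0x80:
            return result, pos
        shift += 7


def parse_fields(buf):
    """Walk protobuf wire format into {field_number: raw value} (each field once)."""
    fields, pos = {}, 0
    while pos < len(buf):
        key, pos = _read_varint(buf, pos)
        num, wtype = key >> 3, key & 7
        if wtype == 0:                                   # varint
            val, pos = _read_varint(buf, pos)
        elif wtype == 2:                                 # length-delimited
            ln, pos = _read_varint(buf, pos)
            val, pos = bytes(buf[pos:pos + ln]), pos + ln
        elif wtype == 5:                                 # fixed32 (the *_nsec fields)
            val, pos = struct.unpack_from("<I", buf, pos)[0], pos + 4
        elif wtype == 1:                                 # fixed64
            val, pos = struct.unpack_from("<Q", buf, pos)[0], pos + 8
        else:
            raise ValueError(f"unsupported wire type {wtype}")
        fields[num] = val
    return fields


def question_name(wire):
    """qname and qtype of the first question in a DNS wire-format message."""
    pos, labels = 12, []                                 # skip the 12-byte header
    while wire[pos]:
        ln = wire[pos]
        labels.append(wire[pos + 1:pos + 1 + ln].decode("ascii", "replace"))
        pos += 1 + ln
    return ".".join(labels) + ".", struct.unpack_from(">H", wire, pos + 1)[0]


def decode_dnstap(payload):
    """Dnstap protobuf bytes -> flat dict suitable for a Splunk event body."""
    top, msg = parse_fields(payload), {}
    msg = parse_fields(top[14])                          # Dnstap.message
    def addr(raw):                                       # 4 bytes -> IPv4, 16 -> IPv6
        return None if raw is None else socket.inet_ntop(
            socket.AF_INET6 if len(raw) == 16 else socket.AF_INET, raw)
    def ts(sec, nsec):                                   # epoch seconds as float
        return None if sec not in msg else msg[sec] + msg.get(nsec, 0) / 1e9
    event = {"identity": top.get(1, b"").decode("utf-8", "replace"),
             "type": MESSAGE_TYPES.get(msg.get(1), msg.get(1)),
             "socket_family": SOCKET_FAMILY.get(msg.get(2)),
             "socket_protocol": SOCKET_PROTOCOL.get(msg.get(3)),
             "query_address": addr(msg.get(4)), "response_address": addr(msg.get(5)),
             "query_port": msg.get(6), "response_port": msg.get(7),
             "query_time": ts(8, 9), "response_time": ts(12, 13)}
    for key, num in (("query", 10), ("response", 14)):   # query_message / response_message
        if num in msg:
            event[key + "_qname"], event[key + "_qtype"] = question_name(msg[num])
    return event


def iter_frames(data):
    """Yield Frame Streams data frames; a zero length escapes a control frame, skipped."""
    pos = 0
    while pos + 4 <= len(data):
        ln, pos = struct.unpack_from(">I", data, pos)[0], pos + 4
        if ln == 0:
            pos += 4 + struct.unpack_from(">I", data, pos)[0]
            continue
        yield bytes(data[pos:pos + ln])
        pos += ln


def splunk_events(stream, sourcetype="dnstap"):
    """One HEC-style JSON line per data frame, timestamped from the dnstap message."""
    for frame in iter_frames(stream):
        ev = decode_dnstap(frame)
        yield json.dumps({"time": ev["query_time"] or ev["response_time"],
                          "host": ev["identity"], "sourcetype": sourcetype, "event": ev})


# --- constructed sample input (hand-encoded, not captured from a real server) ---
def _varint(n):
    out = bytearray()
    while True:
        b, n = n & 0x7F, n >> 7
        out.append(b | (0x80 if n else 0))
        if not n:
            return bytes(out)

def _fld(num, wtype, body):
    return _varint(num << 3 | wtype) + body

def _ld(num, data):                                      # length-delimited field
    return _fld(num, 2, _varint(len(data)) + data)

DNS_QUERY = (struct.pack(">HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)   # id, RD, qdcount=1
             + b"\x07example\x03com\x00" + struct.pack(">HH", 1, 1))  # example.com A IN
DNSTAP_MESSAGE = (_fld(1, 0, _varint(5)) + _fld(2, 0, _varint(1)) + _fld(3, 0, _varint(1))
                  + _ld(4, socket.inet_aton("192.0.2.10")) + _fld(6, 0, _varint(53211))
                  + _fld(8, 0, _varint(1653070247)) + _fld(9, 5, struct.pack("<I", 500000000))
                  + _ld(10, DNS_QUERY))
DNSTAP_PAYLOAD = _ld(1, b"ns1.example.net") + _ld(14, DNSTAP_MESSAGE) + _fld(15, 0, _varint(1))
CONTROL = struct.pack(">I", 2)                           # FSTRM_CONTROL_START, no fields
SAMPLE_STREAM = (b"\x00\x00\x00\x00" + struct.pack(">I", len(CONTROL)) + CONTROL
                 + struct.pack(">I", len(DNSTAP_PAYLOAD)) + DNSTAP_PAYLOAD)

if __name__ == "__main__":
    for line in splunk_events(SAMPLE_STREAM):
        print(line)
```

Against a live `named`, the bytes come from the dnstap unix socket or the output file, and a socket reader must additionally answer the Frame Streams READY/ACCEPT/START handshake before data frames arrive; the decoder above assumes each protobuf field appears at most once, which holds for dnstap. The caveat to keep in mind when sizing this: dnstap takes the formatting work out of `named`, but the receiver still has to keep up with every frame, so the middleware needs its own buffering and back-pressure handling before it becomes the new bottleneck.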
