bind9LogToJson

version: 0.1.4
created_at: 2025-08-13 15:46:28.115694+00
updated_at: 2025-08-21 21:49:25.875133+00
description: Lightweight translator that tails BIND9 query logs and writes newline-delimited JSON (JSONL) for easy shipping to Elasticsearch via Filebeat.
id: 1793769
size: 25,886
owner: helloimalemur (helloimalemur)

README

bind9LogToJson

App Description

This application acts as a lightweight log translator for BIND9 DNS server logs. Its purpose is to continuously tail the raw BIND9 query logs, parse each line into structured fields, and re-write the output into a newline-delimited JSON (JSONL) file.

The JSONL file can then be picked up by Filebeat (or any other log shipper) and shipped to Elasticsearch as structured events, making DNS query data easy to filter, search, and visualize in Kibana.

Key Features

  • Real-time log tailing: Continuously monitors the BIND9 log file for new entries.
  • Structured parsing: Extracts fields such as timestamp, client IP/port, query name (qname), query type (qtype), response code, and server IP.
  • JSONL output: Each parsed log entry is written as a single-line JSON object, fully compatible with Filebeat’s decode_json_fields processor.
  • Resilient tailing: Supports file rotation (logrotate) and resumes from the correct offset without losing events.
  • Minimal footprint: Runs as a background service with low CPU/memory usage.

Example Input (BIND9 log line)

21-Aug-2025 21:28:07.817 queries: info: client @0x7f63aed88168 172.69.69.114#60775 (spicylatte3.redeemedbytheblood.org): query: spicylatte3.redeemedbytheblood.org IN A +E(0)D (45.32.213.144)

Example Output (JSONL)

{"timestamp":"2025-08-21T21:28:07.817Z","client_ip":"172.69.69.114","client_port":60775,"qname":"spicylatte3.redeemedbytheblood.org","qtype":"A","rcode":"NOERROR","server_ip":"45.32.213.144"}
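The translation from the log line above to a JSON line, as an added example in Rust that is not the crate's own code. It accepts both line shapes this README shows (with and without the `queries: info:` prefix and the `@0x...` pointer), validates both addresses with `std::net::IpAddr`, and escapes the JSON by hand so it needs no crates. A BIND9 query-log line carries no response code, so this example emits the query flags (`+E(0)D`) instead of the `rcode` field shown above; the timestamp conversion assumes `named` is logging in UTC. The struct, function and field names are the example's own.

```rust
// Added example (not the crate's code): parse BIND9 "queries" log lines
// into a struct and serialise each one as a single JSON line.
use std::fmt::Write as _;
use std::io::{self, BufRead};
use std::net::IpAddr;

#[derive(Debug, PartialEq)]
pub struct QueryEvent {
    pub timestamp: String, // ISO-8601 UTC, e.g. "2025-08-21T21:28:07.817Z"
    pub client_ip: String,
    pub client_port: u16,
    pub qname: String,     // lower-cased, trailing dot removed
    pub qtype: String,     // "A", "AAAA", "TXT", ...
    pub flags: String,     // BIND query flags as logged, e.g. "+E(0)D"
    pub server_ip: String, // address the query arrived on, from the trailing "(...)"
}

fn month_number(mon: &str) -> Option<u32> {
    const MONTHS: [&str; 12] = ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
                                "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"];
    MONTHS.iter().position(|m| m.eq_ignore_ascii_case(mon)).map(|i| i as u32 + 1)
}

/// "HH:MM:SS.mmm" with a digit in every other position.
fn valid_time(t: &str) -> bool {
    t.len() == 12
        && t.bytes().enumerate().all(|(i, c)| match i {
            2 | 5 => c == b':',
            8 => c == b'.',
            _ => c.is_ascii_digit(),
        })
}

/// "21-Aug-2025" + "21:28:07.817" -> "2025-08-21T21:28:07.817Z".
/// Assumption: named logs in UTC; if it logs local time, convert before appending "Z".
fn to_iso8601(date: &str, time: &str) -> Option<String> {
    let mut p = date.split('-');
    let day: u32 = p.next()?.parse().ok()?;
    let month = month_number(p.next()?)?;
    let year: u32 = p.next()?.parse().ok()?;
    if p.next().is_some() || !(1..=31).contains(&day) || !valid_time(time) {
        return None;
    }
    Some(format!("{year:04}-{month:02}-{day:02}T{time}Z"))
}

/// Parse one query-log line. Returns None for anything that is not a query
/// record (zone loads, errors, truncated lines) so the caller can skip it.
pub fn parse_query_line(line: &str) -> Option<QueryEvent> {
    let tokens: Vec<&str> = line.split_whitespace().collect();
    if tokens.len() < 2 { return None; }
    let timestamp = to_iso8601(tokens[0], tokens[1])?;
    // "query:" separates the client part from the question part; the optional
    // "queries: info:" prefix and "@0x..." pointer before it are simply skipped.
    let q = tokens.iter().position(|t| *t == "query:")?;
    let addr = tokens[..q].iter().rev().find(|t| t.contains('#'))?.trim_end_matches(':');
    let (ip, port) = addr.rsplit_once('#')?;
    let client_ip: IpAddr = ip.parse().ok()?; // reject garbage addresses early
    let client_port: u16 = port.parse().ok()?;
    // After "query:": qname class qtype [flags...] (server_ip)
    let rest = &tokens[q + 1..];
    if rest.len() < 4 { return None; }
    let server_ip: IpAddr = rest[rest.len() - 1]
        .strip_prefix('(')?.strip_suffix(')')?.parse().ok()?;
    Some(QueryEvent {
        timestamp,
        client_ip: client_ip.to_string(),
        client_port,
        qname: rest[0].trim_end_matches('.').to_ascii_lowercase(),
        qtype: rest[2].to_string(),
        flags: rest[3..rest.len() - 1].join(" "),
        server_ip: server_ip.to_string(),
    })
}

/// JSON string escaping, so a hostile qname cannot break the JSONL framing
/// or smuggle extra keys past decode_json_fields.
fn json_escape(s: &str) -> String {
    let mut out = String::with_capacity(s.len());
    for c in s.chars() {
        match c {
            '"' => out.push_str("\\\""),
            '\\' => out.push_str("\\\\"),
            c if (c as u32) < 0x20 => { let _ = write!(out, "\\u{:04x}", c as u32); }
            c => out.push(c),
        }
    }
    out
}

impl QueryEvent {
    pub fn to_jsonl(&self) -> String {
        format!(
            "{{\"timestamp\":\"{}\",\"client_ip\":\"{}\",\"client_port\":{},\"qname\":\"{}\",\"qtype\":\"{}\",\"flags\":\"{}\",\"server_ip\":\"{}\"}}",
            json_escape(&self.timestamp), json_escape(&self.client_ip), self.client_port,
            json_escape(&self.qname), json_escape(&self.qtype), json_escape(&self.flags),
            json_escape(&self.server_ip)
        )
    }
}

/// Usage: tail -F /var/log/bind9.log | ./this_example >> /var/log/bind9.jsonl
fn main() {
    for line in io::stdin().lock().lines().map_while(Result::ok) {
        if let Some(ev) = parse_query_line(&line) {
            println!("{}", ev.to_jsonl());
        }
    }
}
```

Lower-casing the qname is a deliberate choice: resolvers that use 0x20 case randomisation make the same name appear in many spellings, which fragments counts in Kibana. Non-query lines from the same log return `None` and are dropped rather than written as malformed JSON.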

Integration with Filebeat

  • Filebeat is typically configured to read /var/log/bind9.jsonl.
  • With a decode_json_fields processor, the JSON keys (timestamp, qname, qtype, etc.) become structured fields in Elasticsearch.
  • This allows building Kibana dashboards for DNS traffic analysis, threat hunting, or anomaly detection.

Defaults

  • Input path: /var/log/bind9.log (override with env var BIND9_LOG_PATH)
  • Output path: bind9.jsonl (override with env var BIND9_JSON_PATH). For production setups, many users prefer writing to /var/log/bind9.jsonl so Filebeat can pick it up.

Build

  • cargo build --release

Run examples

  • Use defaults:
    • cargo run --release
  • Custom paths:
    • BIND9_LOG_PATH=live_sample.log BIND9_JSON_PATH=out.jsonl cargo run --release

Quick local test

  • In one shell, run with a test log file:
    • BIND9_LOG_PATH=live_sample.log BIND9_JSON_PATH=out.jsonl cargo run --release
  • In another shell, append lines to the log:
    • echo "08-Aug-2025 15:30:12.123 client 192.0.2.1#12345: query: Example.COM IN A +E (10.0.0.1)" >> live_sample.log
  • Observe JSON entries appended to out.jsonl.

Notes

  • Reads from the beginning of the file by default. If your log is very large and you only want new entries, rotate/truncate the file before starting or point to a fresh file.
  • The tool writes one JSON object per line and flushes after each write.

Filebeat example config

filebeat.inputs:
  - type: log
    enabled: true
    paths:
      - /var/log/bind9.jsonl
    fields:
      log_type: bind9
    fields_under_root: true

    processors:
      - decode_json_fields:
          fields: ["message"]   # take the "message" field (the raw line)
          target: ""            # put parsed JSON fields at the top level
          overwrite_keys: true  # allow overwriting existing keys if same name