Sourcetypes for ISC BIND

The Splunk Add-on for ISC BIND includes the following source types and event types, which map the ISC BIND server log data to the Splunk Common Information Model (CIM).

Source type	Event type	Event example (default format)	CIM compatibility
`isc:bind:query`	`isc_bind_query`	`27-Oct-2020 03:20:47.721 queries: info: client @0x7f1e58000a30 38.87.196.34#60627 (add3.example.com): query: add3.example.com IN A + (10.160.10.140)`	Network Resolution (DNS)
`isc:bind:queryerror`	`isc_bind_queryerror`	`22-Oct-2020 01:29:51.811 query-errors: info: client @0x7f7544000a30 38.87.196.34#54013 (52.219.226.124.in-addr.arpa): query failed (SERVFAIL) for 52.219.226.124.in-addr.arpa/IN/PTR at query.c:6922 22-Oct-2020 07:54:40.038 query-errors: info: client @0x7f86ec000a30 38.87.196.34#55114 (add3.example.com): query failed (REFUSED) for add3.example.com/IN/A at query.c:5438`	Network Resolution (DNS)
`isc:bind:lameserver`	`isc_bind_lameserver`	`23-Oct-2020 01:32:20.869 lame-servers: info: network unreachable resolving 'demo1.com/A/IN': 2001:503:d2d::30#53`	n/a
`isc:bind:transfer`	`isc_bind_transfer`	`22-Oct-2020 04:00:10.327 notify: info: zone example.com/IN: sending notifies (serial 2014090401) 22-Oct-2020 13:58:25.325 notify: debug 3: zone example.com/IN: sending notify to 2606:4700:10::6814:30b6#53 22-Oct-2020 13:58:39.826 notify: debug 2: zone example.com/IN: notify to 104.20.48.182#53 failed: timed out 22-Oct-2020 14:19:13.318 notify: debug 3: zone example.com/IN: notify response from 192.185.44.208#53: NOTAUTH`	n/a
`isc:bind:network`	`n/a`	`21-Oct-2020 11:24:50.141 network: info: no longer listening on 10.160.10.140#53 22-Oct-2020 00:50:36.566 network: warning: not listening on any interfaces 22-Oct-2020 00:50:37.101 network: info: listening on IPv4 interface ens192, 10.160.10.140#53`	n/a

Related answers from Splunk Community

Sourcetypes for ISC BIND

Comments

Was this topic useful?