Microsoft Windows DNS ログを収集する

このドキュメント：

• デプロイ アーキテクチャとインストール手順に加えて、Microsoft Windows DNS イベントに対して Google Security Operations パーサーがサポートするログを生成するために必要な構成について説明します。Google Security Operations へのデータ取り込みの概要については、Google Security Operations へのデータの取り込みをご覧ください。
• パーサーが元のログのフィールドを Google Security Operations Unified Data Model フィールドにマッピングする方法に関する情報を含みます。

デプロイ アーキテクチャに基づいて、Windows DNS ログを Google Security Operations に取り込むように Bindplane エージェントまたは NXLog エージェントを構成します。Bindplane エージェントを使用して Windows DNS ログを Google Security Operations に転送することをおすすめします。

このドキュメントの情報は、WINDOWS_DNS 取り込みラベルを持つパーサーに適用されます。取り込みラベルは、未加工のログデータを構造化 UDM 形式に正規化するパーサーを識別します。

始める前に

Bindplane エージェントまたは NXLog エージェントを構成する前に、次のタスクを完了します。

• Microsoft Windows DNS サーバーを構成します。詳細については、Windows Server に DNS サーバーをインストールして構成するをご覧ください。
• Windows DNS サーバーで DNS 診断ロギングを有効にします。詳細については、DNS ロギングと診断をご覧ください。
• すべてのシステムを UTC タイムゾーンで構成します。
• サポートされているデバイスとバージョンを確認します。
• サポートされているログタイプを確認します。

サポートされているデバイスとバージョンを確認します。

Google Security Operations パーサーは、次の Microsoft Windows サーバー バージョンのログをサポートしています。 Microsoft Windows Server は、Foundation、Essentials、Standard、Datacenter でリリースされています。各エディションによって生成されたログのイベント スキーマに違いはありません。

• Microsoft Windows Server 2019
• Microsoft Windows Server 2016

• Microsoft Windows Server 2012 R2

  Google Security Operations パーサーは、NXLog Enterprise Edition によって収集されたログをサポートします。

サポートされているログタイプを確認します。

Google Security Operations パーサーは、Microsoft Windows DNS サーバーによって生成された次のログタイプをサポートします。これらのログタイプの詳細については、DNS ロギングと診断のドキュメントをご覧ください。パーサーは英語のテキストで生成されたログはサポートしますが、英語以外の言語で生成されたログはサポートしません。

• 監査ログ: このログタイプの詳細については、監査イベントをご覧ください。
• 分析ログ: このログタイプの詳細については、分析イベントをご覧ください。
• Microsoft Windows DNS サーバーを設定します。 詳細については、DNS 診断ロギングのインストールと有効化をご覧ください。

Bindplane エージェントを構成する

Bindplane エージェントを使用して Windows DNS ログを Google SecOps に転送することをおすすめします。

1. 各 Windows DNS サーバーに Bindplane エージェントをインストールします。Bindplane エージェントのインストールの詳細については、Bindplane エージェントのインストール手順をご覧ください。

2. 次の内容で Bindplane エージェントの構成ファイルを作成します。

   receivers:
     windowseventlog/dns_log:
     channel: Microsoft-Windows-DNSServer/Audit
     raw: true
   processors:
     batch:
   
   exporters:
     chronicle/dns_log:
       endpoint: https://malachiteingestion-pa.googleapis.com
       creds: '{
       "type": "service_account",
       "project_id": "malachite-projectname",
       "private_key_id": `PRIVATE_KEY_ID`,
       "private_key": `PRIVATE_KEY`,
       "client_email":"`SERVICE_ACCOUNT_NAME`@malachite-`PROJECT_ID`.`SERVICE_ACCOUNT_DOMAIN`",
       "client_id": `CLIENT_ID`,
       "auth_uri": "https://accounts.google.com/o/oauth2/auth",
       "token_uri": "https://oauth2.googleapis.com/token",
       "auth_provider_x509_cert_url":"https://www.googleapis.com/oauth2/v1/certs",
       "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/`SERVICSERVICE_ACCOUNT_NAME`%40malachite-`PROJECT_ID`.`SERVICE_ACCOUNT_DOMAIN`",
       "universe_domain": "googleapis.com"
       }'
     log_type: 'WINDOWS_DNS'
     override_log_type: false
     raw_log_field: body
     customer_id: `CUSTOMER_ID`
   
   service:
     pipelines:
       logs/dns:
         receivers:
           - windowseventlog/dns_log
         processors: [batch]
         exporters: [chronicle/dns_log]
   

3. PRIVATE_KEY_ID、PRIVATE_KEY、SERVICSERVICE_ACCOUNT_NAME、PROJECT_ID、CLIENT_ID、SERVICE_ACCOUNT_DOMAIN、CUSTOMER_ID は、 Google Cloud プラットフォームからダウンロードできるサービス アカウントの JSON ファイルのそれぞれの値に置き換えます。サービス アカウントキーの詳細については、サービス アカウントキーの作成と削除に関するドキュメントをご覧ください。

4. Bindplane（旧称 observerIQ）エージェント サービスを開始するには、[サービス] > [拡張] > [Bindplane サービス] > [開始] の順に選択します。

Bindplane エージェントを使用してログを Google SecOps に転送する

1. Windows 仮想マシンをインストールして設定します。
2. Windows に Bindplane エージェントをインストールして構成し、Google SecOps にログを転送します。Bindplane エージェントのインストールと構成の方法の詳細については、Bindplane エージェントのインストールと構成の手順をご覧ください。

フィードの作成時に問題が発生した場合は、Google SecOps サポートにお問い合わせください。

NXLog エージェントと Google Security Operations フォワーダーを構成する

次の図は、Microsoft Windows DNS イベントを収集して Google SecOps に送信するために NXLog エージェントがインストールされているアーキテクチャを示しています。この情報とお客様の環境を比較して、これらのコンポーネントがインストールされていることを確認してください。実際のデプロイはこの表現とは異なる場合があります。

Bindplane Agent ではなく NXLog Agent を使用する場合は、次の前提条件を満たしてください。 - クラスタ化された Microsoft Windows サーバーに NXLog をインストールして、ログを収集し、中央の Microsoft Windows または Linux サーバーに転送します。- 中央の Microsoft Windows サーバーまたは Linux サーバーに Google SecOps フォワーダーをインストールします。

1. 各 Microsoft Windows DNS サーバーに NXLog をインストールします。NXLog のドキュメントに沿って操作してください。

2. NXLog インスタンスごとに構成ファイルを作成します。DNS 分析ログの抽出には im_etw 入力モジュールを使用し、監査ログには im_msvistalog 入力モジュールを使用します。

   • im_etw入力モジュールの詳細については、Microsoft Windows 向けイベント トレース（im_etw）、および、Microsoft Windows DNS の NXLog の構成をご覧ください。
   • im_msvistalog 入力モジュールの詳細については、Microsoft Windows 2008/Vista 以降のイベントログ（im_msvistalog）をご覧ください。

   NXLog の構成例を以下に示します。<hostname> と <port> の値は、中央の Microsoft Windows または Linux サーバーに関する情報に置き換えます。必要に応じて、ログを XML ではなく JSON に変換して解析するには、Exec to_xml(); 行を Exec to_json(); に変更します。詳細については、om_tcp モジュールに関する NXLog のドキュメントをご覧ください。

   define ROOT C:\Program Files\nxlog
   define WINDNS_OUTPUT_DESTINATION_ADDRESS <hostname>
   define WINDNS_OUTPUT_DESTINATION_PORT <port>
   
   Moduledir   %ROOT%\modules
   CacheDir    %ROOT%\data
   Pidfile     %ROOT%\data\nxlog.pid
   SpoolDir    %ROOT%\data
   LogFile     %ROOT%\data\nxlog.log
   
   <Extension syslog>
       Module      xm_syslog
   </Extension>
   
   # To collect XML logs, use the below NXLog module
   <Extension xml>
       Module      xm_xml
   </Extension>
   
   # To collect JSON logs, use the below NXLog module
   <Extension json>
       Module      xm_json
   </Extension>
   
   <Input eventlog>
       Module      im_etw
       Provider    Microsoft-Windows-DNSServer
   </Input>
   
   <Input auditeventlog>
       Module      im_msvistalog
       <QueryXML>
           <QueryList>
               <Query Id="0" Path="Microsoft-Windows-DNSServer/Audit">
                   <Select Path="Microsoft-Windows-DNSServer/Audit">*</Select>
               </Query>
           </QueryList>
       </QueryXML>
   </Input>
   
   <Output out_chronicle_windns>
       Module      om_tcp
       Host        %WINDNS_OUTPUT_DESTINATION_ADDRESS%
       Port        %WINDNS_OUTPUT_DESTINATION_PORT%
       Exec        $EventTime = integer($EventTime) / 1000;
       Exec        $EventReceivedTime = integer($EventReceivedTime) / 1000;
       Exec        to_xml(); # To collect JSON, use to_json()
   </Output>
   
   <Route analytical_windns_to_chronicle>
       Path    eventlog => out_chronicle_windns
   </Route>
   
   <Route audit_windns_to_chronicle>
       Path    auditeventlog => out_chronicle_windns
   </Route>
   

3. 中央の Microsoft Windows または Linux サーバーに Google Security Operations フォワーダーをインストールします。 フォワーダーのインストールと構成については、Linux でのフォワーダーのインストールと構成または Microsoft Windows でのフォワーダーのインストールと構成をご覧ください。

4. Google Security Operations にログを送信するように Google Security Operations フォワーダーを構成します。 フォワーダー構成の例を次に示します。

     - syslog:
         common:
           enabled: true
           data_type: WINDOWS_DNS
           batch_n_seconds: 10
           batch_n_bytes: 1048576
         tcp_address: 0.0.0.0:10518
         connection_timeout_sec: 60
   

サポートされている Windows DNS ログ形式

Windows DNS パーサーは、JSON、XML、SYSLOG + KV、SYSLOG 形式のログをサポートしています。

サポートされている Windows DNS のサンプルログ

• JSON:

  {
    "EventTime": 1640073312000,
    "Hostname": "WIN-TEST",
    "Keywords": "4611686018427912192",
    "EventType": "INFO",
    "SeverityValue": 2,
    "Severity": "INFO",
    "EventID": 514,
    "SourceName": "Microsoft-Windows-DNSServer",
    "ProviderGuid": "{EB79061A-A566-4698-9119-3ED2807060E7}",
    "Version": 0,
    "TaskValue": 5,
    "OpcodeValue": 0,
    "RecordNumber": 1,
    "ExecutionProcessID": 2244,
    "ExecutionThreadID": 1448,
    "Channel": "Microsoft-Windows-DNSServer/Audit",
    "Domain": "DNSTEST",
    "AccountName": "Administrator",
    "UserID": "S-1-2-3",
    "AccountType": "User",
    "Message": "The zone dnstest.local was updated. The SecondaryServers setting has been set to deny zone transfers. [virtualization instance: .].",
    "Category": "ZONE_OP",
    "Opcode": "Info",
    "Zone": "dnstest.local",
    "PropertyKey": "SecondaryServers",
    "NewValue": "deny zone transfers",
    "VirtualizationID": ".",
    "EventReceivedTime": 1640073312001,
    "SourceModuleName": "auditeventlog",
    "SourceModuleType": "im_msvistalog"
  }
  
  

• XML:

  <Event>
    <SourceName>Microsoft-Windows-DNSServer</SourceName>
    <ProviderGuid>{EB79061A-A566-4698-9119-3ED2807060E7}
    </ProviderGuid>
    <EventID>256</EventID>
    <Version>0</Version>
    <ChannelID>16</ChannelID>
    <OpcodeValue>0</OpcodeValue>
    <TaskValue>1</TaskValue>
    <Keywords>9223372036854775809</Keywords>
    <EventTime>1640073312000</EventTime>
    <ExecutionProcessID>2476</ExecutionProcessID>
    <ExecutionThreadID>3972</ExecutionThreadID>
    <EventType>INFO</EventType>
    <SeverityValue>2</SeverityValue>
    <Severity>INFO</Severity>
    <Hostname>WIN-TEST</Hostname>
    <Domain>NT AUTHORITY</Domain>
    <AccountName>SYSTEM</AccountName>
    <UserID>S-1-2-3</UserID>
    <AccountType>User</AccountType>
    <Flags>256</Flags>
    <TCP>0</TCP>
    <InterfaceIP>198.51.100.5</InterfaceIP>
    <Source>198.51.100.0</Source>
    <RD>1</RD>
    <QNAME>www.google.com.</QNAME>
    <QTYPE>1</QTYPE>
    <XID>55835</XID>
    <Port>50843</Port>
    <BufferSize>43</BufferSize>
    <PacketData>0xDA1B0100000100000000000006766F727465780464617461096D6963726F736F667403636F6D0000010001</PacketData>
    <AdditionalInfo>.</AdditionalInfo>
    <EventReceivedTime>1640073312001</EventReceivedTime>
    <SourceModuleName>eventlog</SourceModuleName>
    <SourceModuleType>im_etw</SourceModuleType>
  </Event>
  
  

• SYSLOG + KV:

  UDP question info at 00000027580C8220  Socket = 556  Remote addr 198.51.100.1, port 60766  Time Query=559415, Queued=0, Expire=0  Buf length = 0x0fa0 (4000)  Msg length = 0x0044 (68)  Message:    XID       0x49d7    Flags     0x0100      QR        0 (QUESTION)      OPCODE    0 (QUERY)      AA        0      TC        0      RD        1      RA        0      Z         0      CD        0      AD        0      RCODE     0 (NOERROR)    QCOUNT    1    ACOUNT    0    NSCOUNT   0    ARCOUNT   0    QUESTION SECTION:    Offset = 0x000c, RR count = 0    Name      \"(5)_ldap(4)_tcp(4)INMS(6)_sites(14)ForestDnsZones(8)genmills(3)com(0)\"      QTYPE   SRV (33)      QCLASS  1    ANSWER SECTION:      empty    AUTHORITY SECTION:      empty    ADDITIONAL SECTION:      empty
  

• Syslog

  29.11.2023 14:13:11 1B14 PACKET 00000274481BF1B0 UDP Snd 198.51.100.0 14fc Q [0001 D NOERROR] A (23)win-dns(10)westeurope(8)test(5)azure(3)com(0)
  

フィールド マッピング リファレンス: デバイスログ フィールドから UDM フィールド

このセクションでは、パーサーが元のデバイスログ フィールドを統合データモデル（UDM）フィールドにマッピングする方法について説明します。

次の表に、WINDOWS_DNS ログタイプのログ フィールドと、対応する UDM フィールドを示します。

共通フィールド

NXLog フィールド	UDM フィールド	コメント
SourceName	metadata.vendor_name = "Microsoft" metadata.product_name = "Windows DNS Server"
EventID	security_result.rule_name	Stored as "EventID: %{EventID}". In events with Error and Warning level.
Severity	security_result.severity	The values are mapped to the UDM field enum as follows: 0 (None) - UNKNOWN_SEVERITY 1 (Critical) - INFORMATIONAL 2 (Error) - ERROR 3 (Warning) - ERROR 4 (Informational) - INFORMATIONAL 5 (Verbose) - INFORMATIONAL
EventTime	metadata.event_timestamp
ExecutionProcessID	principal.process.pid / target.process.pid	Value stored in target.process.pid for the following Event IDs 256, 259, 261, 263, 266, 268, 270, 272, 273, 275, 278, 279, 280. Value stored in principal.process.pid for all other Event IDs.
Channel	metadata.product_event_type
Hostname	principal.hostname / target.hostname	Value stored in target.hostname for the following Event IDs: 256, 259, 261, 263, 266, 268, 270, 272, 273, 275, 278, 279, 280. Value stored in principal.hostname from all other Event IDs.
UserID	principal.user.windows_sid / target.user.windows_sid	Stored in target.user.windows_sid for the following Event IDs: 256, 259, 261, 263, 266, 268, 270, 272,273, 275, 278, 279, 280. Stored in principal.user.windows_sid for all other Event IDs

分析ログ

元のログフィールド	UDM フィールド	コメント
AA	network.dns.authoritative
Destination	target.ip / principal.ip	Populated in either principal and target.
InterfaceIP	target.ip / principal.ip	Stores DNS Server's IP address in target.ip for following Event IDs, 256, 259, 261, 263, 266, 268, 270, 272, 273, 275, 278, 279, 280. Stored in principal.ip for all other Event IDs (DNS response).
PacketData	network.dns.answers.binary_data
Port	target.port / principal.port
QNAME	network.dns.questions.name, target.hostname	Do not store QNAME in target.hostname for following Event IDs: 256, 259, 261, 263, 266, 268, 270, 272, 273, 275, 278, 279, and 280
QTYPE	network.dns.questions.type
RCODE	network.dns.response_code
RD	network.dns.recursion_desired
Reason	security_result.summary
Source	principal.ip / target.ip	Source IPv4/IPv6 address of the machine that initiated the DNS request. Stored in target.ip for Event ID 274. Stored in target.ip for Event ID 265 and 269. InterfaceIP contains the secondary server's IP address (principal) and Source (target) is the primary server's IP address.
TCP	network.ip_protocol
XID	network.dns.id
EventID	network.direction	If the EventID log field value contains one of the following values, then the network.direction UDM field is set to OUTBOUND. 256 259 261 263 266 268 270 272 273 275 278 279 280 Else, the network.direction UDM field is set to INBOUND.
Flags	additional.fields
Zone	target.resource.name
ZoneScope	target.resource.name
ForwardInterfaceIP	target.ip / principal.ip	Stores DNS Server's IP address in target.ip for following Event IDs, 256, 259, 261, 263, 266, 268, 270, 272, 273, 275, 278, 279, 280. Stored in principal.ip for all other Event IDs (DNS response).
PolicyName	security_result.detection_fields
SECURE	additional.fields
ServerScope	additional.fields
CacheScope	additional.fields
AD	additional.fields
DNSSEC	additional.fields
Scope	target.resource.name
Computer	principal.hostname / target.hostname	Value stored in target.hostname for the following Event IDs: 256, 259, 261, 263, 266, 268, 270, 272, 273, 275, 278, 279, 280. Value stored in principal.hostname from all other Event IDs.

監査ログ

元のログフィールド	UDM フィールド	注
Name	target.resource.name	Value is collected from events with Event ID 512.
Policy	target.resource.name	Value is collected from events with Event ID 577, 578, 579, 580, 581, and 582, which are mapped to the SETTING_* event types.
QNAME	network.dns.questions.name, target.hostname
QTYPE	network.dns.questions.type
RecursionScope	target.resource.name	Value is collected from events with Event IDs mapped to SETTING_* event types.
Scope	target.resource.name	Value is collected from events with Event IDs mapped to SETTING_* event types.
Setting	target.resource.name	Value is collected from events with Event IDs mapped to SETTING_* event types.
Source	principal.ip
Zone	target.resource.name	Value is collected from events with Event IDs mapped to SETTING_* event types.
ZoneScope	target.resource.name	Value is collected from events with Event IDs mapped to SETTING_* event types.

SourceModuleType im_file のログ

元のログフィールド	UDM フィールド	注
EventReceivedTime	metadata.collected_timestamp
Expire	about.labels (deprecated)
Expire	additional.fields
InternalPacketIdentifier	about.labels (deprecated)
InternalPacketIdentifier	additional.fields
	about.labels (deprecated)	Grok: Extracted the internal_packet_identifier field from the raw log and then mapped the internal_packet_identifier field to the about.labels UDM field.
	additional.fields	Grok: Extracted the internal_packet_identifier field from the raw log and then mapped the internal_packet_identifier field to the additional.fields UDM field.
packet_identifier	about.labels (deprecated)
packet_identifier	additional.fields
LogInfo	metadata.description
PortNum	principal.port
Queued	about.labels (deprecated)
Queued	additional.fields
Socket	principal.labels (deprecated)
Socket	additional.fields
TimeQuery	about.labels (deprecated)
TimeQuery	additional.fields
BufLen	about.labels (deprecated)
BufLen	additional.fields
Opcode	network.dns.opcode	If the Opcode log field value is equal to Q, then the network.dns.opcode UDM field is set to 0. Else, if the Opcode log field value is equal to I, then the network.dns.opcode UDM field is set to 1. Else, if the Opcode log field value is equal to S, then the network.dns.opcode UDM field is set to 2. Else, if the Opcode log field value is equal to N, then the network.dns.opcode UDM field is set to 4. Else, if the Opcode log field value is equal to U, then the network.dns.opcode UDM field is set to 5.
opcode	network.dns.opcode	Grok: Extracted the opcode field from the raw log. If the opcode field value is equal to Q, then the network.dns.opcode UDM field is set to 0. Else, if the opcode field value is equal to I, then the network.dns.opcode UDM field is set to 1. Else, if the opcode field value is equal to S, then the network.dns.opcode UDM field is set to 2. Else, if the opcode field value is equal to N, then the network.dns.opcode UDM field is set to 4. Else, if the opcode field value is equal to U, then the network.dns.opcode UDM field is set to 5.
Protocol	network.ip_protocol	If the Protocol log field value is equal to 1 or ICMP, then the network.ip_protocol UDM field is set to ICMP. Else, if the Protocol log field value is equal to 2 or IGMP, then the network.ip_protocol UDM field is set to IGMP. Else, if the Protocol log field value is equal to 6 or TCP, then the network.ip_protocol UDM field is set to TCP. Else, if the Protocol log field value is equal to 17 or UDP, then the network.ip_protocol UDM field is set to UDP. Else, if the Protocol log field value is equal to 41 or IP6IN4, then the network.ip_protocol UDM field is set to IP6IN4. Else, if the Protocol log field value is equal to 47 or GRE, then the network.ip_protocol UDM field is set to GRE. Else, if the Protocol log field value is equal to 50 or ESP, then the network.ip_protocol UDM field is set to ESP. Else, if the Protocol log field value is equal to 88 or EIGRP, then the network.ip_protocol UDM field is set to EIGRP. Else, if the Protocol log field value is equal to 97 or ETHERIP, then the network.ip_protocol UDM field is set to ETHERIP. Else, if the Protocol log field value is equal to 103 or PIM, then the network.ip_protocol UDM field is set to PIM. Else, if the Protocol log field value is equal to 112 or VRRP, then the network.ip_protocol UDM field is set to VRRP.
	network.ip_protocol	Grok: Extracted the ip_protocol field from the raw log. If the ip_protocol field value is equal to 1 or ICMP, then the network.ip_protocol UDM field is set to ICMP. Else, if the ip_protocol field value is equal to 2 or IGMP, then the network.ip_protocol UDM field is set to IGMP. Else, if the ip_protocol field value is equal to 6 or TCP, then the network.ip_protocol UDM field is set to TCP. Else, if the ip_protocol field value is equal to 17 or UDP, then the network.ip_protocol UDM field is set to UDP. Else, if the ip_protocol field value is equal to 41 or IP6IN4, then the network.ip_protocol UDM field is set to IP6IN4. Else, if the ip_protocol field value is equal to 47 or GRE, then the network.ip_protocol UDM field is set to GRE. Else, if the ip_protocol field value is equal to 50 or ESP, then the network.ip_protocol UDM field is set to ESP. Else, if the ip_protocol field value is equal to 88 or EIGRP, then the network.ip_protocol UDM field is set to EIGRP. Else, if the ip_protocol field value is equal to 97 or ETHERIP, then the network.ip_protocol UDM field is set to ETHERIP. Else, if the ip_protocol field value is equal to 103 or PIM, then the network.ip_protocol UDM field is set to PIM. Else, if the ip_protocol field value is equal to 112 or VRRP, then the network.ip_protocol UDM field is set to VRRP.
	network.dns.response_code	Grok: Extracted the dns_response_code field from the raw log. If the dns_response_code field value is equal to NOERROR, then the network.dns.response_code UDM field is set to 0. Else, if the dns_response_code field value is equal to FORMERR, then the network.dns.response_code UDM field is set to 1. Else, if the dns_response_code field value is equal to SERVFAIL, then the network.dns.response_code UDM field is set to 2. Else, if the dns_response_code field value is equal to NXDOMAIN, then the network.dns.response_code UDM field is set to 3. Else, if the dns_response_code field value is equal to NOTIMP, then the network.dns.response_code UDM field is set to 4. Else, if the dns_response_code field value is equal to REFUSED, then the network.dns.response_code UDM field is set to 5. Else, if the dns_response_code field value is equal to YXDOMAIN, then the network.dns.response_code UDM field is set to 6. Else, if the dns_response_code field value is equal to YXRRSET, then the network.dns.response_code UDM field is set to 7. Else, if the dns_response_code field value is equal to NXRRSET, then the network.dns.response_code UDM field is set to 8. Else, if the dns_response_code field value is equal to NOTAUTH, then the network.dns.response_code UDM field is set to 9. Else, if the dns_response_code field value is equal to NOTZONE, then the network.dns.response_code UDM field is set to 10. Else, if the dns_response_code field value is equal to DSOTYPENI, then the network.dns.response_code UDM field is set to 11. Else, if the dns_response_code field value is equal to BADVERS, then the network.dns.response_code UDM field is set to 16. Else, if the dns_response_code field value is equal to BADSIG, then the network.dns.response_code UDM field is set to 16. Else, if the dns_response_code field value is equal to BADKEY, then the network.dns.response_code UDM field is set to 17. Else, if the dns_response_code field value is equal to BADTIME, then the network.dns.response_code UDM field is set to 18. Else, if the dns_response_code field value is equal to BADMODE, then the network.dns.response_code UDM field is set to 19. Else, if the dns_response_code field value is equal to BADNAME, then the network.dns.response_code UDM field is set to 20. Else, if the dns_response_code field value is equal to BADALG, then the network.dns.response_code UDM field is set to 21. Else, if the dns_response_code field value is equal to BADTRUNC, then the network.dns.response_code UDM field is set to 22. Else, if the dns_response_code field value is equal to BADCOOKIE, then the network.dns.response_code UDM field is set to 23.
	network.dns.authoritative	Grok: Extracted the authoritative field from the raw log. If the authoritative field value is equal to A, then the network.dns.authoritative UDM field is set to true.
	network.dns.truncated	Grok: Extracted the truncated field from the raw log. If the truncated field value is equal to T, then the network.dns.truncated UDM field is set to true.
	network.dns.recursion_desired	Grok: Extracted the recursion_desired field from the raw log. If the recursion_desired field value is equal to D, then the network.dns.recursion_desired UDM field is set to true.
	network.dns.recursion_available	Grok: Extracted the recursion_available field from the raw log. If the recursion_available field value is equal to R, then the network.dns.recursion_available UDM field is set to true.
QueryType	network.dns.response	If the QueryType log field value is equal to R, then the network.dns.response UDM field is set to true. Else, the network.dns.response UDM field is set to false.
req_or_resp	network.dns.response	Grok: Extracted the req_or_resp field from the raw log. If the req_or_resp field value is equal to R, then the network.dns.response UDM field is set to true. Else, the network.dns.response UDM field is set to false.
QuestionName	network.dns.questions.name, target.hostname
domain	network.dns.questions.name, target.hostname	Grok: Extracted the domain field from the raw log and then mapped the domain field to the network.dns.questions.name and target.hostname UDM field.
QuestionType	network.dns.questions.type	If the QuestionType field value is equal to A, then the network.dns.question.type UDM field is set to 1. Else, if the QuestionType field value is equal to NS, then the network.dns.question.type UDM field is set to 2. Else, if the QuestionType field value is equal to MD, then the network.dns.question.type UDM field is set to 3. Else, if the QuestionType field value is equal to MF, then the network.dns.question.type UDM field is set to 4. Else, if the QuestionType field value is equal to CNAME, then the network.dns.question.type UDM field is set to 5. Else, if the QuestionType field value is equal to SOA, then the network.dns.question.type UDM field is set to 6. Else, if the QuestionType field value is equal to MB, then the network.dns.question.type UDM field is set to 7. Else, if the QuestionType field value is equal to MG, then the network.dns.question.type UDM field is set to 8. Else, if the QuestionType field value is equal to MR, then the network.dns.question.type UDM field is set to 9. Else, if the QuestionType field value is equal to NULL, then the network.dns.question.type UDM field is set to 10. Else, if the QuestionType field value is equal to WKS, then the network.dns.question.type UDM field is set to 11. Else, if the QuestionType field value is equal to PTR, then the network.dns.question.type UDM field is set to 12. Else, if the QuestionType field value is equal to HINFO, then the network.dns.question.type UDM field is set to 13. Else, if the QuestionType field value is equal to MINFO, then the network.dns.question.type UDM field is set to 14. Else, if the QuestionType field value is equal to MX, then the network.dns.question.type UDM field is set to 15. Else, if the QuestionType field value is equal to TXT, then the network.dns.question.type UDM field is set to 16. Else, if the QuestionType field value is equal to RP, then the network.dns.question.type UDM field is set to 17. Else, if the QuestionType field value is equal to AFSDB, then the network.dns.question.type UDM field is set to 18. Else, if the QuestionType field value is equal to X25, then the network.dns.question.type UDM field is set to 19. Else, if the QuestionType field value is equal to ISDN, then the network.dns.question.type UDM field is set to 20. Else, if the QuestionType field value is equal to RT, then the network.dns.question.type UDM field is set to 21. Else, if the QuestionType field value is equal to NSAP, then the network.dns.question.type UDM field is set to 22. Else, if the QuestionType field value is equal to NSAP-PT, then the network.dns.question.type UDM field is set to 23. Else, if the QuestionType field value is equal to SIG, then the network.dns.question.type UDM field is set to 24. Else, if the QuestionType field value is equal to KEY, then the network.dns.question.type UDM field is set to 25. Else, if the QuestionType field value is equal to PX, then the network.dns.question.type UDM field is set to 26. Else, if the QuestionType field value is equal to GPOS, then the network.dns.question.type UDM field is set to 27. Else, if the QuestionType field value is equal to AAAA, then the network.dns.question.type UDM field is set to 28. Else, if the QuestionType field value is equal to LOC, then the network.dns.question.type UDM field is set to 29. Else, if the QuestionType field value is equal to NXT, then the network.dns.question.type UDM field is set to 30. Else, if the QuestionType field value is equal to EID, then the network.dns.question.type UDM field is set to 31. Else, if the QuestionType field value is equal to NIMLOC, then the network.dns.question.type UDM field is set to 32. Else, if the QuestionType field value is equal to SRV, then the network.dns.question.type UDM field is set to 33. Else, if the QuestionType field value is equal to ATMA, then the network.dns.question.type UDM field is set to 34. Else, if the QuestionType field value is equal to NAPTR, then the network.dns.question.type UDM field is set to 35. Else, if the QuestionType field value is equal to KX, then the network.dns.question.type UDM field is set to 36. Else, if the QuestionType field value is equal to CERT, then the network.dns.question.type UDM field is set to 37. Else, if the QuestionType field value is equal to A6, then the network.dns.question.type UDM field is set to 38. Else, if the QuestionType field value is equal to DNAME, then the network.dns.question.type UDM field is set to 39. Else, if the QuestionType field value is equal to SINK, then the network.dns.question.type UDM field is set to 40. Else, if the QuestionType field value is equal to OPT, then the network.dns.question.type UDM field is set to 41. Else, if the QuestionType field value is equal to APL, then the network.dns.question.type UDM field is set to 42. Else, if the QuestionType field value is equal to DS, then the network.dns.question.type UDM field is set to 43. Else, if the QuestionType field value is equal to SSHFP, then the network.dns.question.type UDM field is set to 44. Else, if the QuestionType field value is equal to IPSECKE, then the network.dns.question.type UDM field is set to 45. Else, if the QuestionType field value is equal to RRSIG, then the network.dns.question.type UDM field is set to 46. Else, if the QuestionType field value is equal to NSEC, then the network.dns.question.type UDM field is set to 47. Else, if the QuestionType field value is equal to DNSKEY, then the network.dns.question.type UDM field is set to 48. Else, if the QuestionType field value is equal to DHCID, then the network.dns.question.type UDM field is set to 49. Else, if the QuestionType field value is equal to NSEC3, then the network.dns.question.type UDM field is set to 50. Else, if the QuestionType field value is equal to NSEC3PA, then the network.dns.question.type UDM field is set to 51. Else, if the QuestionType field value is equal to TLSA, then the network.dns.question.type UDM field is set to 52. Else, if the QuestionType field value is equal to SMIMEA, then the network.dns.question.type UDM field is set to 53. Else, if the QuestionType field value is equal to UNASSIG, then the network.dns.question.type UDM field is set to 54. Else, if the QuestionType field value is equal to HIP, then the network.dns.question.type UDM field is set to 55. Else, if the QuestionType field value is equal to NINFO, then the network.dns.question.type UDM field is set to 56. Else, if the QuestionType field value is equal to RKEY, then the network.dns.question.type UDM field is set to 57. Else, if the QuestionType field value is equal to TALINK, then the network.dns.question.type UDM field is set to 58. Else, if the QuestionType field value is equal to CDS, then the network.dns.question.type UDM field is set to 59. Else, if the QuestionType field value is equal to CDNSKEY, then the network.dns.question.type UDM field is set to 60. Else, if the QuestionType field value is equal to OPENPGP, then the network.dns.question.type UDM field is set to 61. Else, if the QuestionType field value is equal to CSYNC, then the network.dns.question.type UDM field is set to 62. Else, if the QuestionType field value is equal to ZONEMD, then the network.dns.question.type UDM field is set to 63. Else, if the QuestionType field value is equal to SVCB, then the network.dns.question.type UDM field is set to 64. Else, if the QuestionType field value is equal to HTTPS, then the network.dns.question.type UDM field is set to 65. Else, if the QuestionType field value is equal to SPF, then the network.dns.question.type UDM field is set to 99. Else, if the QuestionType field value is equal to UINFO, then the network.dns.question.type UDM field is set to 100. Else, if the QuestionType field value is equal to UID, then the network.dns.question.type UDM field is set to 101. Else, if the QuestionType field value is equal to GID, then the network.dns.question.type UDM field is set to 102. Else, if the QuestionType field value is equal to UNSPEC, then the network.dns.question.type UDM field is set to 103. Else, if the QuestionType field value is equal to NID, then the network.dns.question.type UDM field is set to 104. Else, if the QuestionType field value is equal to L32, then the network.dns.question.type UDM field is set to 105. Else, if the QuestionType field value is equal to L64, then the network.dns.question.type UDM field is set to 106. Else, if the QuestionType field value is equal to LP, then the network.dns.question.type UDM field is set to 107. Else, if the QuestionType field value is equal to EUI48, then the network.dns.question.type UDM field is set to 108. Else, if the QuestionType field value is equal to EUI64, then the network.dns.question.type UDM field is set to 109. Else, if the QuestionType field value is equal to TKEY, then the network.dns.question.type UDM field is set to 249. Else, if the QuestionType field value is equal to TSIG, then the network.dns.question.type UDM field is set to 250. Else, if the QuestionType field value is equal to IXFR, then the network.dns.question.type UDM field is set to 251. Else, if the QuestionType field value is equal to AXFR, then the network.dns.question.type UDM field is set to 252. Else, if the QuestionType field value is equal to MAILB, then the network.dns.question.type UDM field is set to 253. Else, if the QuestionType field value is equal to MAILA, then the network.dns.question.type UDM field is set to 254. Else, if the QuestionType field value is equal to ALL, then the network.dns.question.type UDM field is set to 255. Else, if the QuestionType field value is equal to URI, then the network.dns.question.type UDM field is set to 256. Else, if the QuestionType field value is equal to CAA, then the network.dns.question.type UDM field is set to 257. Else, if the QuestionType field value is equal to AVC, then the network.dns.question.type UDM field is set to 258. Else, if the QuestionType field value is equal to DOA, then the network.dns.question.type UDM field is set to 259. Else, if the QuestionType field value is equal to AMTRELA, then the network.dns.question.type UDM field is set to 260. Else, if the QuestionType field value is equal to TA, then the network.dns.question.type UDM field is set to 32768. Else, if the QuestionType field value is equal to DLV, then the network.dns.question.type UDM field is set to 32769.
	network.dns.questions.type	Grok: Extracted the dns_record_type field from the raw log. If the dns_record_type field value is equal to A, then the network.dns.question.type UDM field is set to 1. Else, if the dns_record_type field value is equal to NS, then the network.dns.question.type UDM field is set to 2. Else, if the dns_record_type field value is equal to MD, then the network.dns.question.type UDM field is set to 3. Else, if the dns_record_type field value is equal to MF, then the network.dns.question.type UDM field is set to 4. Else, if the dns_record_type field value is equal to CNAME, then the network.dns.question.type UDM field is set to 5. Else, if the dns_record_type field value is equal to SOA, then the network.dns.question.type UDM field is set to 6. Else, if the dns_record_type field value is equal to MB, then the network.dns.question.type UDM field is set to 7. Else, if the dns_record_type field value is equal to MG, then the network.dns.question.type UDM field is set to 8. Else, if the dns_record_type field value is equal to MR, then the network.dns.question.type UDM field is set to 9. Else, if the dns_record_type field value is equal to NULL, then the network.dns.question.type UDM field is set to 10. Else, if the dns_record_type field value is equal to WKS, then the network.dns.question.type UDM field is set to 11. Else, if the dns_record_type field value is equal to PTR, then the network.dns.question.type UDM field is set to 12. Else, if the dns_record_type field value is equal to HINFO, then the network.dns.question.type UDM field is set to 13. Else, if the dns_record_type field value is equal to MINFO, then the network.dns.question.type UDM field is set to 14. Else, if the dns_record_type field value is equal to MX, then the network.dns.question.type UDM field is set to 15. Else, if the dns_record_type field value is equal to TXT, then the network.dns.question.type UDM field is set to 16. Else, if the dns_record_type field value is equal to RP, then the network.dns.question.type UDM field is set to 17. Else, if the dns_record_type field value is equal to AFSDB, then the network.dns.question.type UDM field is set to 18. Else, if the dns_record_type field value is equal to X25, then the network.dns.question.type UDM field is set to 19. Else, if the dns_record_type field value is equal to ISDN, then the network.dns.question.type UDM field is set to 20. Else, if the dns_record_type field value is equal to RT, then the network.dns.question.type UDM field is set to 21. Else, if the dns_record_type field value is equal to NSAP, then the network.dns.question.type UDM field is set to 22. Else, if the dns_record_type field value is equal to NSAP-PT, then the network.dns.question.type UDM field is set to 23. Else, if the dns_record_type field value is equal to SIG, then the network.dns.question.type UDM field is set to 24. Else, if the dns_record_type field value is equal to KEY, then the network.dns.question.type UDM field is set to 25. Else, if the dns_record_type field value is equal to PX, then the network.dns.question.type UDM field is set to 26. Else, if the dns_record_type field value is equal to GPOS, then the network.dns.question.type UDM field is set to 27. Else, if the dns_record_type field value is equal to AAAA, then the network.dns.question.type UDM field is set to 28. Else, if the dns_record_type field value is equal to LOC, then the network.dns.question.type UDM field is set to 29. Else, if the dns_record_type field value is equal to NXT, then the network.dns.question.type UDM field is set to 30. Else, if the dns_record_type field value is equal to EID, then the network.dns.question.type UDM field is set to 31. Else, if the dns_record_type field value is equal to NIMLOC, then the network.dns.question.type UDM field is set to 32. Else, if the dns_record_type field value is equal to SRV, then the network.dns.question.type UDM field is set to 33. Else, if the dns_record_type field value is equal to ATMA, then the network.dns.question.type UDM field is set to 34. Else, if the dns_record_type field value is equal to NAPTR, then the network.dns.question.type UDM field is set to 35. Else, if the dns_record_type field value is equal to KX, then the network.dns.question.type UDM field is set to 36. Else, if the dns_record_type field value is equal to CERT, then the network.dns.question.type UDM field is set to 37. Else, if the dns_record_type field value is equal to A6, then the network.dns.question.type UDM field is set to 38. Else, if the dns_record_type field value is equal to DNAME, then the network.dns.question.type UDM field is set to 39. Else, if the dns_record_type field value is equal to SINK, then the network.dns.question.type UDM field is set to 40. Else, if the dns_record_type field value is equal to OPT, then the network.dns.question.type UDM field is set to 41. Else, if the dns_record_type field value is equal to APL, then the network.dns.question.type UDM field is set to 42. Else, if the dns_record_type field value is equal to DS, then the network.dns.question.type UDM field is set to 43. Else, if the dns_record_type field value is equal to SSHFP, then the network.dns.question.type UDM field is set to 44. Else, if the dns_record_type field value is equal to IPSECKE, then the network.dns.question.type UDM field is set to 45. Else, if the dns_record_type field value is equal to RRSIG, then the network.dns.question.type UDM field is set to 46. Else, if the dns_record_type field value is equal to NSEC, then the network.dns.question.type UDM field is set to 47. Else, if the dns_record_type field value is equal to DNSKEY, then the network.dns.question.type UDM field is set to 48. Else, if the dns_record_type field value is equal to DHCID, then the network.dns.question.type UDM field is set to 49. Else, if the dns_record_type field value is equal to NSEC3, then the network.dns.question.type UDM field is set to 50. Else, if the dns_record_type field value is equal to NSEC3PA, then the network.dns.question.type UDM field is set to 51. Else, if the dns_record_type field value is equal to TLSA, then the network.dns.question.type UDM field is set to 52. Else, if the dns_record_type field value is equal to SMIMEA, then the network.dns.question.type UDM field is set to 53. Else, if the dns_record_type field value is equal to UNASSIG, then the network.dns.question.type UDM field is set to 54. Else, if the dns_record_type field value is equal to HIP, then the network.dns.question.type UDM field is set to 55. Else, if the dns_record_type field value is equal to NINFO, then the network.dns.question.type UDM field is set to 56. Else, if the dns_record_type field value is equal to RKEY, then the network.dns.question.type UDM field is set to 57. Else, if the dns_record_type field value is equal to TALINK, then the network.dns.question.type UDM field is set to 58. Else, if the dns_record_type field value is equal to CDS, then the network.dns.question.type UDM field is set to 59. Else, if the dns_record_type field value is equal to CDNSKEY, then the network.dns.question.type UDM field is set to 60. Else, if the dns_record_type field value is equal to OPENPGP, then the network.dns.question.type UDM field is set to 61. Else, if the dns_record_type field value is equal to CSYNC, then the network.dns.question.type UDM field is set to 62. Else, if the dns_record_type field value is equal to ZONEMD, then the network.dns.question.type UDM field is set to 63. Else, if the dns_record_type field value is equal to SVCB, then the network.dns.question.type UDM field is set to 64. Else, if the dns_record_type field value is equal to HTTPS, then the network.dns.question.type UDM field is set to 65. Else, if the dns_record_type field value is equal to SPF, then the network.dns.question.type UDM field is set to 99. Else, if the dns_record_type field value is equal to UINFO, then the network.dns.question.type UDM field is set to 100. Else, if the dns_record_type field value is equal to UID, then the network.dns.question.type UDM field is set to 101. Else, if the dns_record_type field value is equal to GID, then the network.dns.question.type UDM field is set to 102. Else, if the dns_record_type field value is equal to UNSPEC, then the network.dns.question.type UDM field is set to 103. Else, if the dns_record_type field value is equal to NID, then the network.dns.question.type UDM field is set to 104. Else, if the dns_record_type field value is equal to L32, then the network.dns.question.type UDM field is set to 105. Else, if the dns_record_type field value is equal to L64, then the network.dns.question.type UDM field is set to 106. Else, if the dns_record_type field value is equal to LP, then the network.dns.question.type UDM field is set to 107. Else, if the dns_record_type field value is equal to EUI48, then the network.dns.question.type UDM field is set to 108. Else, if the dns_record_type field value is equal to EUI64, then the network.dns.question.type UDM field is set to 109. Else, if the dns_record_type field value is equal to TKEY, then the network.dns.question.type UDM field is set to 249. Else, if the dns_record_type field value is equal to TSIG, then the network.dns.question.type UDM field is set to 250. Else, if the dns_record_type field value is equal to IXFR, then the network.dns.question.type UDM field is set to 251. Else, if the dns_record_type field value is equal to AXFR, then the network.dns.question.type UDM field is set to 252. Else, if the dns_record_type field value is equal to MAILB, then the network.dns.question.type UDM field is set to 253. Else, if the dns_record_type field value is equal to MAILA, then the network.dns.question.type UDM field is set to 254. Else, if the dns_record_type field value is equal to ALL, then the network.dns.question.type UDM field is set to 255. Else, if the dns_record_type field value is equal to URI, then the network.dns.question.type UDM field is set to 256. Else, if the dns_record_type field value is equal to CAA, then the network.dns.question.type UDM field is set to 257. Else, if the dns_record_type field value is equal to AVC, then the network.dns.question.type UDM field is set to 258. Else, if the dns_record_type field value is equal to DOA, then the network.dns.question.type UDM field is set to 259. Else, if the dns_record_type field value is equal to AMTRELA, then the network.dns.question.type UDM field is set to 260. Else, if the dns_record_type field value is equal to TA, then the network.dns.question.type UDM field is set to 32768. Else, if the dns_record_type field value is equal to DLV, then the network.dns.question.type UDM field is set to 32769.
dns_record_name	network.dns.questions.type	If the dns_record_name field value is equal to A, then the network.dns.question.type UDM field is set to 1. Else, if the dns_record_name field value is equal to NS, then the network.dns.question.type UDM field is set to 2. Else, if the dns_record_name field value is equal to MD, then the network.dns.question.type UDM field is set to 3. Else, if the dns_record_name field value is equal to MF, then the network.dns.question.type UDM field is set to 4. Else, if the dns_record_name field value is equal to CNAME, then the network.dns.question.type UDM field is set to 5. Else, if the dns_record_name field value is equal to SOA, then the network.dns.question.type UDM field is set to 6. Else, if the dns_record_name field value is equal to MB, then the network.dns.question.type UDM field is set to 7. Else, if the dns_record_name field value is equal to MG, then the network.dns.question.type UDM field is set to 8. Else, if the dns_record_name field value is equal to MR, then the network.dns.question.type UDM field is set to 9. Else, if the dns_record_name field value is equal to NULL, then the network.dns.question.type UDM field is set to 10. Else, if the dns_record_name field value is equal to WKS, then the network.dns.question.type UDM field is set to 11. Else, if the dns_record_name field value is equal to PTR, then the network.dns.question.type UDM field is set to 12. Else, if the dns_record_name field value is equal to HINFO, then the network.dns.question.type UDM field is set to 13. Else, if the dns_record_name field value is equal to MINFO, then the network.dns.question.type UDM field is set to 14. Else, if the dns_record_name field value is equal to MX, then the network.dns.question.type UDM field is set to 15. Else, if the dns_record_name field value is equal to TXT, then the network.dns.question.type UDM field is set to 16. Else, if the dns_record_name field value is equal to RP, then the network.dns.question.type UDM field is set to 17. Else, if the dns_record_name field value is equal to AFSDB, then the network.dns.question.type UDM field is set to 18. Else, if the dns_record_name field value is equal to X25, then the network.dns.question.type UDM field is set to 19. Else, if the dns_record_name field value is equal to ISDN, then the network.dns.question.type UDM field is set to 20. Else, if the dns_record_name field value is equal to RT, then the network.dns.question.type UDM field is set to 21. Else, if the dns_record_name field value is equal to NSAP, then the network.dns.question.type UDM field is set to 22. Else, if the dns_record_name field value is equal to NSAP-PT, then the network.dns.question.type UDM field is set to 23. Else, if the dns_record_name field value is equal to SIG, then the network.dns.question.type UDM field is set to 24. Else, if the dns_record_name field value is equal to KEY, then the network.dns.question.type UDM field is set to 25. Else, if the dns_record_name field value is equal to PX, then the network.dns.question.type UDM field is set to 26. Else, if the dns_record_name field value is equal to GPOS, then the network.dns.question.type UDM field is set to 27. Else, if the dns_record_name field value is equal to AAAA, then the network.dns.question.type UDM field is set to 28. Else, if the dns_record_name field value is equal to LOC, then the network.dns.question.type UDM field is set to 29. Else, if the dns_record_name field value is equal to NXT, then the network.dns.question.type UDM field is set to 30. Else, if the dns_record_name field value is equal to EID, then the network.dns.question.type UDM field is set to 31. Else, if the dns_record_name field value is equal to NIMLOC, then the network.dns.question.type UDM field is set to 32. Else, if the dns_record_name field value is equal to SRV, then the network.dns.question.type UDM field is set to 33. Else, if the dns_record_name field value is equal to ATMA, then the network.dns.question.type UDM field is set to 34. Else, if the dns_record_name field value is equal to NAPTR, then the network.dns.question.type UDM field is set to 35. Else, if the dns_record_name field value is equal to KX, then the network.dns.question.type UDM field is set to 36. Else, if the dns_record_name field value is equal to CERT, then the network.dns.question.type UDM field is set to 37. Else, if the dns_record_name field value is equal to A6, then the network.dns.question.type UDM field is set to 38. Else, if the dns_record_name field value is equal to DNAME, then the network.dns.question.type UDM field is set to 39. Else, if the dns_record_name field value is equal to SINK, then the network.dns.question.type UDM field is set to 40. Else, if the dns_record_name field value is equal to OPT, then the network.dns.question.type UDM field is set to 41. Else, if the dns_record_name field value is equal to APL, then the network.dns.question.type UDM field is set to 42. Else, if the dns_record_name field value is equal to DS, then the network.dns.question.type UDM field is set to 43. Else, if the dns_record_name field value is equal to SSHFP, then the network.dns.question.type UDM field is set to 44. Else, if the dns_record_name field value is equal to IPSECKE, then the network.dns.question.type UDM field is set to 45. Else, if the dns_record_name field value is equal to RRSIG, then the network.dns.question.type UDM field is set to 46. Else, if the dns_record_name field value is equal to NSEC, then the network.dns.question.type UDM field is set to 47. Else, if the dns_record_name field value is equal to DNSKEY, then the network.dns.question.type UDM field is set to 48. Else, if the dns_record_name field value is equal to DHCID, then the network.dns.question.type UDM field is set to 49. Else, if the dns_record_name field value is equal to NSEC3, then the network.dns.question.type UDM field is set to 50. Else, if the dns_record_name field value is equal to NSEC3PA, then the network.dns.question.type UDM field is set to 51. Else, if the dns_record_name field value is equal to TLSA, then the network.dns.question.type UDM field is set to 52. Else, if the dns_record_name field value is equal to SMIMEA, then the network.dns.question.type UDM field is set to 53. Else, if the dns_record_name field value is equal to UNASSIG, then the network.dns.question.type UDM field is set to 54. Else, if the dns_record_name field value is equal to HIP, then the network.dns.question.type UDM field is set to 55. Else, if the dns_record_name field value is equal to NINFO, then the network.dns.question.type UDM field is set to 56. Else, if the dns_record_name field value is equal to RKEY, then the network.dns.question.type UDM field is set to 57. Else, if the dns_record_name field value is equal to TALINK, then the network.dns.question.type UDM field is set to 58. Else, if the dns_record_name field value is equal to CDS, then the network.dns.question.type UDM field is set to 59. Else, if the dns_record_name field value is equal to CDNSKEY, then the network.dns.question.type UDM field is set to 60. Else, if the dns_record_name field value is equal to OPENPGP, then the network.dns.question.type UDM field is set to 61. Else, if the dns_record_name field value is equal to CSYNC, then the network.dns.question.type UDM field is set to 62. Else, if the dns_record_name field value is equal to ZONEMD, then the network.dns.question.type UDM field is set to 63. Else, if the dns_record_name field value is equal to SVCB, then the network.dns.question.type UDM field is set to 64. Else, if the dns_record_name field value is equal to HTTPS, then the network.dns.question.type UDM field is set to 65. Else, if the dns_record_name field value is equal to SPF, then the network.dns.question.type UDM field is set to 99. Else, if the dns_record_name field value is equal to UINFO, then the network.dns.question.type UDM field is set to 100. Else, if the dns_record_name field value is equal to UID, then the network.dns.question.type UDM field is set to 101. Else, if the dns_record_name field value is equal to GID, then the network.dns.question.type UDM field is set to 102. Else, if the dns_record_name field value is equal to UNSPEC, then the network.dns.question.type UDM field is set to 103. Else, if the dns_record_name field value is equal to NID, then the network.dns.question.type UDM field is set to 104. Else, if the dns_record_name field value is equal to L32, then the network.dns.question.type UDM field is set to 105. Else, if the dns_record_name field value is equal to L64, then the network.dns.question.type UDM field is set to 106. Else, if the dns_record_name field value is equal to LP, then the network.dns.question.type UDM field is set to 107. Else, if the dns_record_name field value is equal to EUI48, then the network.dns.question.type UDM field is set to 108. Else, if the dns_record_name field value is equal to EUI64, then the network.dns.question.type UDM field is set to 109. Else, if the dns_record_name field value is equal to TKEY, then the network.dns.question.type UDM field is set to 249. Else, if the dns_record_name field value is equal to TSIG, then the network.dns.question.type UDM field is set to 250. Else, if the dns_record_name field value is equal to IXFR, then the network.dns.question.type UDM field is set to 251. Else, if the dns_record_name field value is equal to AXFR, then the network.dns.question.type UDM field is set to 252. Else, if the dns_record_name field value is equal to MAILB, then the network.dns.question.type UDM field is set to 253. Else, if the dns_record_name field value is equal to MAILA, then the network.dns.question.type UDM field is set to 254. Else, if the dns_record_name field value is equal to ALL, then the network.dns.question.type UDM field is set to 255. Else, if the dns_record_name field value is equal to URI, then the network.dns.question.type UDM field is set to 256. Else, if the dns_record_name field value is equal to CAA, then the network.dns.question.type UDM field is set to 257. Else, if the dns_record_name field value is equal to AVC, then the network.dns.question.type UDM field is set to 258. Else, if the dns_record_name field value is equal to DOA, then the network.dns.question.type UDM field is set to 259. Else, if the dns_record_name field value is equal to AMTRELA, then the network.dns.question.type UDM field is set to 260. Else, if the dns_record_name field value is equal to TA, then the network.dns.question.type UDM field is set to 32768. Else, if the dns_record_name field value is equal to DLV, then the network.dns.question.type UDM field is set to 32769.
RemoteIP	principal.ip	If the value of the RemoteIP field matches the regular expression ip, then the principal.ip UDM field is mapped to RemoteIP. Else, principal.hostname UDM field is mapped to RemoteIP
	principal.ip	Grok: Extracted the client field from the raw log. If the value of the client field matches the regular expression ip, then the principal.ip UDM field is mapped to client. Else, principal.hostname UDM field is mapped to client.
	principal.hostname	Grok: Extracted the syslog_host field from the raw log. If the value of the client field matches the regular expression ip, then the principal.hostname UDM field is mapped to the syslog_host.
SendReceiveIndicator	network.direction	If the SendReceiveIndicator log field value is equal to Snd, then the network.direction UDM field is set to OUTBOUND. Else, if the SendReceiveIndicator log field value is equal to Rcv, then the network.direction UDM field is set to INBOUND.
send_receive_indicator	network.direction	Grok: Extracted the send_receive_indicator field from the raw log. If the send_receive_indicator field value is equal to Snd, then the network.direction UDM field is set to OUTBOUND. Else, if the send_receive_indicator field value is equal to Rcv, then the network.direction UDM field is set to INBOUND.
Xid	network.dns.id
xid	network.dns.id	Grok: Extracted the xid field from the raw log and then mapped the xid field to the network.dns.id UDM field.
	network.dns.answers.data	Grok: Extracted the DATA field from the raw log and then mapped the DATA field to the network.dns.answers.data UDM field.
	network.dns.answers.type	Grok: Extracted the TYPE field from the raw log and then mapped the TYPE field to the network.dns.answers.type UDM field.
	network.dns.answers.name	Grok: Extracted the Name field from the raw log and then mapped the Name field to the network.dns.answers.name UDM field.
	network.dns.answers.ttl	Grok: Extracted the TTL field from the raw log and then mapped the TTL field to the network.dns.answers.ttl UDM field.
	network.dns.answers.class	Grok: Extracted the CLASS field from the raw log and then mapped the CLASS field to the network.dns.answers.class UDM field.

以前のデバッグログ

#NOTYPO

元のログフィールド	UDM フィールド	注
BufLen	about.labels.key/value (deprecated)	Grok: Extracted the BufLen field from the raw log and then mapped the BufLen field to the about.labels UDM field.
BufLen	additional.fields	Grok: Extracted the BufLen field from the raw log and then mapped the BufLen field to the additional.fields UDM field.
client	principal.ip	Grok: Extracted the client field from the raw log. If the value of the client field matches the regular expression ip, then the principal.ip UDM field is mapped to client. Else, principal.hostname UDM field is mapped to client.
domain	network.dns.questions.name target.hostname target.asset.hostname	Grok: Extracted the domain field from the raw log and then mapped the domain field to the network.dns.questions.name, target.hostname and target.asset.hostname UDM field.
Expire	about.labels.key/value (deprecated)	Grok: Extracted the Expire field from the raw log and then mapped the Expire field to the about.labels UDM field.
Expire	additional.fields	Grok: Extracted the Expire field from the raw log and then mapped the Expire field to the additional.fields UDM field.
internal_packet_identifier	about.labels.key/value (deprecated)	Grok: Extracted the internal_packet_identifier field from the raw log and then mapped the internal_packet_identifier field to the about.labels UDM field.
internal_packet_identifier	additional.fields	Grok: Extracted the internal_packet_identifier field from the raw log and then mapped the internal_packet_identifier field to the additional.fields UDM field.
ip_protocol	network.ip_protocol	Grok: Extracted the ip_protocol field from the raw log. If the ip_protocol field value is equal to 1 or ICMP, then the network.ip_protocol UDM field is set to ICMP. Else, if the ip_protocol field value is equal to 2 or IGMP, then the network.ip_protocol UDM field is set to IGMP. Else, if the ip_protocol field value is equal to 6 or TCP, then the network.ip_protocol UDM field is set to TCP. Else, if the ip_protocol field value is equal to 17 or UDP, then the network.ip_protocol UDM field is set to UDP. Else, if the ip_protocol field value is equal to 41 or IP6IN4, then the network.ip_protocol UDM field is set to IP6IN4. Else, if the ip_protocol field value is equal to 47 or GRE, then the network.ip_protocol UDM field is set to GRE. Else, if the ip_protocol field value is equal to 50 or ESP, then the network.ip_protocol UDM field is set to ESP. Else, if the ip_protocol field value is equal to 88 or EIGRP, then the network.ip_protocol UDM field is set to EIGRP. Else, if the ip_protocol field value is equal to 97 or ETHERIP, then the network.ip_protocol UDM field is set to ETHERIP. Else, if the ip_protocol field value is equal to 103 or PIM, then the network.ip_protocol UDM field is set to PIM. Else, if the ip_protocol field value is equal to 112 or VRRP, then the network.ip_protocol UDM field is set to VRRP.
LogInfo	metadata.description	Grok: Extracted the LogInfo field from the raw log and then mapped the LogInfo field to the metadata.description UDM field.
opcode	network.dns.opcode	Grok: Extracted the opcode field from the raw log. If the opcode field value is equal to Q, then the network.dns.opcode UDM field is set to 0. Else, if the opcode field value is equal to I, then the network.dns.opcode UDM field is set to 1. Else, if the opcode field value is equal to S, then the network.dns.opcode UDM field is set to 2. Else, if the opcode field value is equal to N, then the network.dns.opcode UDM field is set to 4. Else, if the opcode field value is equal to U, then the network.dns.opcode UDM field is set to 5.
PortNum	principal.port	Grok: Extracted the PortNum field from the raw log and then mapped the PortNum field to the principal.port UDM field.
Queued	about.labels.key/value (deprecated)	Grok: Extracted the Queued field from the raw log and then mapped the Queued field to the about.labels UDM field.
Queued	additional.fields	Grok: Extracted the Queued field from the raw log and then mapped the Queued field to the additional.fields UDM field.
req_or_resp	network.dns.response	Grok: Extracted req_or_resp from the raw log, If the req_or_resp field value is equal to R, then the network.dns.response UDM field is set to true. Else, the network.dns.response UDM field is set to false
send_receive_indicator	network.direction	Grok: Extracted the send_receive_indicator field from the raw log. If the send_receive_indicator field value is equal to Snd, then the network.direction UDM field is set to OUTBOUND. Else, if the send_receive_indicator field value is equal to Rcv, then the network.direction UDM field is set to INBOUND.
Socket	principal.labels.key/value (deprecated)	Grok: Extracted the Socket field from the raw log and then mapped the Socket field to the principal.labels UDM field.
Socket	additional.fields	Grok: Extracted the Socket field from the raw log and then mapped the Socket field to the additional.fields UDM field.
TimeQuery	about.labels.key/value (deprecated)	Grok: Extracted the TimeQuery field from the raw log and then mapped the TimeQuery field to the about.labels UDM field.
TimeQuery	additional.fields	Grok: Extracted the TimeQuery field from the raw log and then mapped the TimeQuery field to the additional.fields UDM field.
xid	network.dns.id	Grok: Extracted the xid field from the raw log and then mapped the xid field to the network.dns.id UDM field.
dns_record_type	additional.fields.key/value.string_value network.dns.questions.type	Grok: Extracted the dns_record_type field from the raw log. If the dns_record_type field value is equal to A, then the network.dns.question.type UDM field is set to 1. Else, if the dns_record_type field value is equal to NS, then the network.dns.question.type UDM field is set to 2. Else, if the dns_record_type field value is equal to MD, then the network.dns.question.type UDM field is set to 3. Else, if the dns_record_type field value is equal to MF, then the network.dns.question.type UDM field is set to 4. Else, if the dns_record_type field value is equal to CNAME, then the network.dns.question.type UDM field is set to 5. Else, if the dns_record_type field value is equal to SOA, then the network.dns.question.type UDM field is set to 6. Else, if the dns_record_type field value is equal to MB, then the network.dns.question.type UDM field is set to 7. Else, if the dns_record_type field value is equal to MG, then the network.dns.question.type UDM field is set to 8. Else, if the dns_record_type field value is equal to MR, then the network.dns.question.type UDM field is set to 9. Else, if the dns_record_type field value is equal to NULL, then the network.dns.question.type UDM field is set to 10. Else, if the dns_record_type field value is equal to WKS, then the network.dns.question.type UDM field is set to 11. Else, if the dns_record_type field value is equal to PTR, then the network.dns.question.type UDM field is set to 12. Else, if the dns_record_type field value is equal to HINFO, then the network.dns.question.type UDM field is set to 13. Else, if the dns_record_type field value is equal to MINFO, then the network.dns.question.type UDM field is set to 14. Else, if the dns_record_type field value is equal to MX, then the network.dns.question.type UDM field is set to 15. Else, if the dns_record_type field value is equal to TXT, then the network.dns.question.type UDM field is set to 16. Else, if the dns_record_type field value is equal to RP, then the network.dns.question.type UDM field is set to 17. Else, if the dns_record_type field value is equal to AFSDB, then the network.dns.question.type UDM field is set to 18. Else, if the dns_record_type field value is equal to X25, then the network.dns.question.type UDM field is set to 19. Else, if the dns_record_type field value is equal to ISDN, then the network.dns.question.type UDM field is set to 20. Else, if the dns_record_type field value is equal to RT, then the network.dns.question.type UDM field is set to 21. Else, if the dns_record_type field value is equal to NSAP, then the network.dns.question.type UDM field is set to 22. Else, if the dns_record_type field value is equal to NSAP-PT, then the network.dns.question.type UDM field is set to 23. Else, if the dns_record_type field value is equal to SIG, then the network.dns.question.type UDM field is set to 24. Else, if the dns_record_type field value is equal to KEY, then the network.dns.question.type UDM field is set to 25. Else, if the dns_record_type field value is equal to PX, then the network.dns.question.type UDM field is set to 26. Else, if the dns_record_type field value is equal to GPOS, then the network.dns.question.type UDM field is set to 27. Else, if the dns_record_type field value is equal to AAAA, then the network.dns.question.type UDM field is set to 28. Else, if the dns_record_type field value is equal to LOC, then the network.dns.question.type UDM field is set to 29. Else, if the dns_record_type field value is equal to NXT, then the network.dns.question.type UDM field is set to 30. Else, if the dns_record_type field value is equal to EID, then the network.dns.question.type UDM field is set to 31. Else, if the dns_record_type field value is equal to NIMLOC, then the network.dns.question.type UDM field is set to 32. Else, if the dns_record_type field value is equal to SRV, then the network.dns.question.type UDM field is set to 33. Else, if the dns_record_type field value is equal to ATMA, then the network.dns.question.type UDM field is set to 34. Else, if the dns_record_type field value is equal to NAPTR, then the network.dns.question.type UDM field is set to 35. Else, if the dns_record_type field value is equal to KX, then the network.dns.question.type UDM field is set to 36. Else, if the dns_record_type field value is equal to CERT, then the network.dns.question.type UDM field is set to 37. Else, if the dns_record_type field value is equal to A6, then the network.dns.question.type UDM field is set to 38. Else, if the dns_record_type field value is equal to DNAME, then the network.dns.question.type UDM field is set to 39. Else, if the dns_record_type field value is equal to SINK, then the network.dns.question.type UDM field is set to 40. Else, if the dns_record_type field value is equal to OPT, then the network.dns.question.type UDM field is set to 41. Else, if the dns_record_type field value is equal to APL, then the network.dns.question.type UDM field is set to 42. Else, if the dns_record_type field value is equal to DS, then the network.dns.question.type UDM field is set to 43. Else, if the dns_record_type field value is equal to SSHFP, then the network.dns.question.type UDM field is set to 44. Else, if the dns_record_type field value is equal to IPSECKE, then the network.dns.question.type UDM field is set to 45. Else, if the dns_record_type field value is equal to RRSIG, then the network.dns.question.type UDM field is set to 46. Else, if the dns_record_type field value is equal to NSEC, then the network.dns.question.type UDM field is set to 47. Else, if the dns_record_type field value is equal to DNSKEY, then the network.dns.question.type UDM field is set to 48. Else, if the dns_record_type field value is equal to DHCID, then the network.dns.question.type UDM field is set to 49. Else, if the dns_record_type field value is equal to NSEC3, then the network.dns.question.type UDM field is set to 50. Else, if the dns_record_type field value is equal to NSEC3PA, then the network.dns.question.type UDM field is set to 51. Else, if the dns_record_type field value is equal to TLSA, then the network.dns.question.type UDM field is set to 52. Else, if the dns_record_type field value is equal to SMIMEA, then the network.dns.question.type UDM field is set to 53. Else, if the dns_record_type field value is equal to UNASSIG, then the network.dns.question.type UDM field is set to 54. Else, if the dns_record_type field value is equal to HIP, then the network.dns.question.type UDM field is set to 55. Else, if the dns_record_type field value is equal to NINFO, then the network.dns.question.type UDM field is set to 56. Else, if the dns_record_type field value is equal to RKEY, then the network.dns.question.type UDM field is set to 57. Else, if the dns_record_type field value is equal to TALINK, then the network.dns.question.type UDM field is set to 58. Else, if the dns_record_type field value is equal to CDS, then the network.dns.question.type UDM field is set to 59. Else, if the dns_record_type field value is equal to CDNSKEY, then the network.dns.question.type UDM field is set to 60. Else, if the dns_record_type field value is equal to OPENPGP, then the network.dns.question.type UDM field is set to 61. Else, if the dns_record_type field value is equal to CSYNC, then the network.dns.question.type UDM field is set to 62. Else, if the dns_record_type field value is equal to ZONEMD, then the network.dns.question.type UDM field is set to 63. Else, if the dns_record_type field value is equal to SVCB, then the network.dns.question.type UDM field is set to 64. Else, if the dns_record_type field value is equal to HTTPS, then the network.dns.question.type UDM field is set to 65. Else, if the dns_record_type field value is equal to SPF, then the network.dns.question.type UDM field is set to 99. Else, if the dns_record_type field value is equal to UINFO, then the network.dns.question.type UDM field is set to 100. Else, if the dns_record_type field value is equal to UID, then the network.dns.question.type UDM field is set to 101. Else, if the dns_record_type field value is equal to GID, then the network.dns.question.type UDM field is set to 102. Else, if the dns_record_type field value is equal to UNSPEC, then the network.dns.question.type UDM field is set to 103. Else, if the dns_record_type field value is equal to NID, then the network.dns.question.type UDM field is set to 104. Else, if the dns_record_type field value is equal to L32, then the network.dns.question.type UDM field is set to 105. Else, if the dns_record_type field value is equal to L64, then the network.dns.question.type UDM field is set to 106. Else, if the dns_record_type field value is equal to LP, then the network.dns.question.type UDM field is set to 107. Else, if the dns_record_type field value is equal to EUI48, then the network.dns.question.type UDM field is set to 108. Else, if the dns_record_type field value is equal to EUI64, then the network.dns.question.type UDM field is set to 109. Else, if the dns_record_type field value is equal to TKEY, then the network.dns.question.type UDM field is set to 249. Else, if the dns_record_type field value is equal to TSIG, then the network.dns.question.type UDM field is set to 250. Else, if the dns_record_type field value is equal to IXFR, then the network.dns.question.type UDM field is set to 251. Else, if the dns_record_type field value is equal to AXFR, then the network.dns.question.type UDM field is set to 252. Else, if the dns_record_type field value is equal to MAILB, then the network.dns.question.type UDM field is set to 253. Else, if the dns_record_type field value is equal to MAILA, then the network.dns.question.type UDM field is set to 254. Else, if the dns_record_type field value is equal to ALL, then the network.dns.question.type UDM field is set to 255. Else, if the dns_record_type field value is equal to URI, then the network.dns.question.type UDM field is set to 256. Else, if the dns_record_type field value is equal to CAA, then the network.dns.question.type UDM field is set to 257. Else, if the dns_record_type field value is equal to AVC, then the network.dns.question.type UDM field is set to 258. Else, if the dns_record_type field value is equal to DOA, then the network.dns.question.type UDM field is set to 259. Else, if the dns_record_type field value is equal to AMTRELA, then the network.dns.question.type UDM field is set to 260. Else, if the dns_record_type field value is equal to TA, then the network.dns.question.type UDM field is set to 32768. Else, if the dns_record_type field value is equal to DLV, then the network.dns.question.type UDM field is set to 32769.
CLASS	network.dns.additional.class	PREREQUISITE SECTION CLASS
DATA	network.dns.additional.data	PREREQUISITE SECTION DATA
Name	network.dns.additional.name	PREREQUISITE SECTION Name
TTL	network.dns.additional.ttl	PREREQUISITE SECTION TTL
TYPE	network.dns.additional.type	PREREQUISITE SECTION TYPE
Flags	additional.fields.key/value.string_value	Grok: Extracted the Flags field from the raw log and then mapped the Flags field to the additional.fields.key/value.string_value UDM field.
CLASS	network.dns.additional.class	UPDATE SECTION CLASS
DATA	network.dns.additional.data	UPDATE SECTION DATA
Name	network.dns.additional.name	UPDATE SECTION Name
TTL	network.dns.additional.ttl	UPDATE SECTION TTL
TYPE	network.dns.additional.type	UPDATE SECTION TYPE
ZCLASS	network.dns.additional.class	ZONE SECTION ZCLASS
Name	network.dns.additional.name	ZONE SECTION Name
ZTYPE	network.dns.additional.type	ZONE SECTION ZTYPE
QR	additional.fields.key/value.string_value
OPCODE	additional.fields.key/value.string_value
AA	additional.fields.key/value.string_value
TC	additional.fields.key/value.string_value
RD	additional.fields.key/value.string_value
RA	additional.fields.key/value.string_value
Z	additional.fields.key/value.string_value
CD	additional.fields.key/value.string_value
AD	additional.fields.key/value.string_value
RCODE	additional.fields.key/value.string_value
ZCOUNT	additional.fields.key/value.string_value
PRECOUNT	additional.fields.key/value.string_value
ARCOUNT	additional.fields.key/value.string_value
UPCOUNT	additional.fields.key/value.string_value
QCOUNT	additional.fields.key/value.string_value
ACOUNT	additional.fields.key/value.string_value
NSCOUNT	additional.fields.key/value.string_value
host_name	intermediary.hostname	Grok: Extracted the host_name field from the raw log and then mapped the host_name field to the intermediary.hostname UDM field.
os_type	intermediary.asset.platform_software.platform	Grok: Extracted the os_type field from the raw log. If the os_type extracted field value matches the regular expression pattern (?i)windows, then the intermediary.asset.platform_software.platform UDM field is set to WINDOWS. Else, if the os_type extracted field value matches the regular expression pattern (?i)linux, then the intermediary.asset.platform_software.platform UDM field is set to LINUX. Else, if the os_type extracted field is not empty, then the os_type extracted field is mapped with the intermediary.asset.attribute.labels UDM field.

他のログ

元のログフィールド	UDM フィールド	注
	network.dns.questions.name, target.hostname	Grok: Extracted the record_name field from the raw log and then mapped the record_name field to the network.dns.questions.name and target.hostname UDM field.
	network.dns.questions.type	Grok: Extracted the record_type field from the raw log. If the record_type field value is equal to A, then the network.dns.question.type UDM field is set to 1. Else, if the record_type field value is equal to NS, then the network.dns.question.type UDM field is set to 2. Else, if the record_type field value is equal to MD, then the network.dns.question.type UDM field is set to 3. Else, if the record_type field value is equal to MF, then the network.dns.question.type UDM field is set to 4. Else, if the record_type field value is equal to CNAME, then the network.dns.question.type UDM field is set to 5. Else, if the record_type field value is equal to SOA, then the network.dns.question.type UDM field is set to 6. Else, if the record_type field value is equal to MB, then the network.dns.question.type UDM field is set to 7. Else, if the record_type field value is equal to MG, then the network.dns.question.type UDM field is set to 8. Else, if the record_type field value is equal to MR, then the network.dns.question.type UDM field is set to 9. Else, if the record_type field value is equal to NULL, then the network.dns.question.type UDM field is set to 10. Else, if the record_type field value is equal to WKS, then the network.dns.question.type UDM field is set to 11. Else, if the record_type field value is equal to PTR, then the network.dns.question.type UDM field is set to 12. Else, if the record_type field value is equal to HINFO, then the network.dns.question.type UDM field is set to 13. Else, if the record_type field value is equal to MINFO, then the network.dns.question.type UDM field is set to 14. Else, if the record_type field value is equal to MX, then the network.dns.question.type UDM field is set to 15. Else, if the record_type field value is equal to TXT, then the network.dns.question.type UDM field is set to 16. Else, if the record_type field value is equal to RP, then the network.dns.question.type UDM field is set to 17. Else, if the record_type field value is equal to AFSDB, then the network.dns.question.type UDM field is set to 18. Else, if the record_type field value is equal to X25, then the network.dns.question.type UDM field is set to 19. Else, if the record_type field value is equal to ISDN, then the network.dns.question.type UDM field is set to 20. Else, if the record_type field value is equal to RT, then the network.dns.question.type UDM field is set to 21. Else, if the record_type field value is equal to NSAP, then the network.dns.question.type UDM field is set to 22. Else, if the record_type field value is equal to NSAP-PT, then the network.dns.question.type UDM field is set to 23. Else, if the record_type field value is equal to SIG, then the network.dns.question.type UDM field is set to 24. Else, if the record_type field value is equal to KEY, then the network.dns.question.type UDM field is set to 25. Else, if the record_type field value is equal to PX, then the network.dns.question.type UDM field is set to 26. Else, if the record_type field value is equal to GPOS, then the network.dns.question.type UDM field is set to 27. Else, if the record_type field value is equal to AAAA, then the network.dns.question.type UDM field is set to 28. Else, if the record_type field value is equal to LOC, then the network.dns.question.type UDM field is set to 29. Else, if the record_type field value is equal to NXT, then the network.dns.question.type UDM field is set to 30. Else, if the record_type field value is equal to EID, then the network.dns.question.type UDM field is set to 31. Else, if the record_type field value is equal to NIMLOC, then the network.dns.question.type UDM field is set to 32. Else, if the record_type field value is equal to SRV, then the network.dns.question.type UDM field is set to 33. Else, if the record_type field value is equal to ATMA, then the network.dns.question.type UDM field is set to 34. Else, if the record_type field value is equal to NAPTR, then the network.dns.question.type UDM field is set to 35. Else, if the record_type field value is equal to KX, then the network.dns.question.type UDM field is set to 36. Else, if the record_type field value is equal to CERT, then the network.dns.question.type UDM field is set to 37. Else, if the record_type field value is equal to A6, then the network.dns.question.type UDM field is set to 38. Else, if the record_type field value is equal to DNAME, then the network.dns.question.type UDM field is set to 39. Else, if the record_type field value is equal to SINK, then the network.dns.question.type UDM field is set to 40. Else, if the record_type field value is equal to OPT, then the network.dns.question.type UDM field is set to 41. Else, if the record_type field value is equal to APL, then the network.dns.question.type UDM field is set to 42. Else, if the record_type field value is equal to DS, then the network.dns.question.type UDM field is set to 43. Else, if the record_type field value is equal to SSHFP, then the network.dns.question.type UDM field is set to 44. Else, if the record_type field value is equal to IPSECKE, then the network.dns.question.type UDM field is set to 45. Else, if the record_type field value is equal to RRSIG, then the network.dns.question.type UDM field is set to 46. Else, if the record_type field value is equal to NSEC, then the network.dns.question.type UDM field is set to 47. Else, if the record_type field value is equal to DNSKEY, then the network.dns.question.type UDM field is set to 48. Else, if the record_type field value is equal to DHCID, then the network.dns.question.type UDM field is set to 49. Else, if the record_type field value is equal to NSEC3, then the network.dns.question.type UDM field is set to 50. Else, if the record_type field value is equal to NSEC3PA, then the network.dns.question.type UDM field is set to 51. Else, if the record_type field value is equal to TLSA, then the network.dns.question.type UDM field is set to 52. Else, if the record_type field value is equal to SMIMEA, then the network.dns.question.type UDM field is set to 53. Else, if the record_type field value is equal to UNASSIG, then the network.dns.question.type UDM field is set to 54. Else, if the record_type field value is equal to HIP, then the network.dns.question.type UDM field is set to 55. Else, if the record_type field value is equal to NINFO, then the network.dns.question.type UDM field is set to 56. Else, if the record_type field value is equal to RKEY, then the network.dns.question.type UDM field is set to 57. Else, if the record_type field value is equal to TALINK, then the network.dns.question.type UDM field is set to 58. Else, if the record_type field value is equal to CDS, then the network.dns.question.type UDM field is set to 59. Else, if the record_type field value is equal to CDNSKEY, then the network.dns.question.type UDM field is set to 60. Else, if the record_type field value is equal to OPENPGP, then the network.dns.question.type UDM field is set to 61. Else, if the record_type field value is equal to CSYNC, then the network.dns.question.type UDM field is set to 62. Else, if the record_type field value is equal to ZONEMD, then the network.dns.question.type UDM field is set to 63. Else, if the record_type field value is equal to SVCB, then the network.dns.question.type UDM field is set to 64. Else, if the record_type field value is equal to HTTPS, then the network.dns.question.type UDM field is set to 65. Else, if the record_type field value is equal to SPF, then the network.dns.question.type UDM field is set to 99. Else, if the record_type field value is equal to UINFO, then the network.dns.question.type UDM field is set to 100. Else, if the record_type field value is equal to UID, then the network.dns.question.type UDM field is set to 101. Else, if the record_type field value is equal to GID, then the network.dns.question.type UDM field is set to 102. Else, if the record_type field value is equal to UNSPEC, then the network.dns.question.type UDM field is set to 103. Else, if the record_type field value is equal to NID, then the network.dns.question.type UDM field is set to 104. Else, if the record_type field value is equal to L32, then the network.dns.question.type UDM field is set to 105. Else, if the record_type field value is equal to L64, then the network.dns.question.type UDM field is set to 106. Else, if the record_type field value is equal to LP, then the network.dns.question.type UDM field is set to 107. Else, if the record_type field value is equal to EUI48, then the network.dns.question.type UDM field is set to 108. Else, if the record_type field value is equal to EUI64, then the network.dns.question.type UDM field is set to 109. Else, if the record_type field value is equal to TKEY, then the network.dns.question.type UDM field is set to 249. Else, if the record_type field value is equal to TSIG, then the network.dns.question.type UDM field is set to 250. Else, if the record_type field value is equal to IXFR, then the network.dns.question.type UDM field is set to 251. Else, if the record_type field value is equal to AXFR, then the network.dns.question.type UDM field is set to 252. Else, if the record_type field value is equal to MAILB, then the network.dns.question.type UDM field is set to 253. Else, if the record_type field value is equal to MAILA, then the network.dns.question.type UDM field is set to 254. Else, if the record_type field value is equal to ALL, then the network.dns.question.type UDM field is set to 255. Else, if the record_type field value is equal to URI, then the network.dns.question.type UDM field is set to 256. Else, if the record_type field value is equal to CAA, then the network.dns.question.type UDM field is set to 257. Else, if the record_type field value is equal to AVC, then the network.dns.question.type UDM field is set to 258. Else, if the record_type field value is equal to DOA, then the network.dns.question.type UDM field is set to 259. Else, if the record_type field value is equal to AMTRELA, then the network.dns.question.type UDM field is set to 260. Else, if the record_type field value is equal to TA, then the network.dns.question.type UDM field is set to 32768. Else, if the record_type field value is equal to DLV, then the network.dns.question.type UDM field is set to 32769.
client	principal.ip	Grok: Extracted the client field from the raw log. If the value of the client field matches the regular expression ip, then the principal.ip UDM field is mapped to client. Else, principal.hostname UDM field is mapped to client.
	principal.hostname	Grok: Extracted the syslog_host field from the raw log. If the value of the client field matches the regular expression ip, then the principal.hostname UDM field is mapped to the syslog_host.
	network.dns.questions.class	Grok: Extracted the qclass field from the raw log. If the qclass field value is equal to IN, then network.dns.questions.class is set to 1. Else, if the qclass field value is equal to CH, then network.dns.questions.class is set to 3. Else, if the qclass field value is equal to HS, then network.dns.questions.class is set to 4.

フィールド マッピング リファレンス: イベント ID から UDM イベントタイプへ

このセクションでは、パーサーがイベント ID を UDM event_types にマッピングする方法について説明します。 一般に、イベントは NETWORK_DNS metadata.event_type にマッピングされます。ただし、次のセクションのイベント ID を除きます。

さらにサポートが必要な場合 コミュニティ メンバーや Google SecOps のプロフェッショナルから回答を得ることができます。