Alert on DNS "failed to load" event

On rare occasions, a malformed zone can trigger a "failed to load" event on the DNS engine. We have been asked to create a report of zones that fail to load and to get an alert on it.


1) Creating the field extraction:


(?=[^f]*(?:failed to load|f.*failed to load))^[^'\n]*'(?P<fqdn>[^']+)(?:[^'\n]*'){2}(?P<type>\w+)(?:[^ \n]* ){3}'(?P<dns_view>\w+)(?:[^ \n]* ){4}(?P<root_cause>.+)

(screenshot: 1-field extraction.png)


2) Search & table

index=ib_syslog "failed to load" | table _time,host,dns_view,fqdn,type,root_cause



3) Save as Real-time Alert and set the appropriate actions


4) View alert in near real time 
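Before saving the alert, it is worth checking the step 1 extraction offline against a few real events from index=ib_syslog. The script below is an added example, not part of the original post: it applies the regex from step 1 verbatim (Python's re module accepts every construct it uses, so it behaves the same as in Splunk) to a handful of constructed syslog lines and prints the same columns as the step 2 table. The sample lines are shaped the way the regex expects ('fqdn' ... 'type' ... 'view' ... failed to load: reason) and are not captured Infoblox output; the syslog prefix pattern used to fill the _time and host columns is an assumption, so substitute your own events when testing.

```python
import re

# The Splunk field extraction from step 1, copied verbatim. Python's re module
# supports (?P<name>...) groups, lookahead and \w, so the pattern can be
# exercised here before it is saved in Splunk.
ZONE_LOAD_FAILURE = re.compile(
    r"(?=[^f]*(?:failed to load|f.*failed to load))"
    r"^[^'\n]*'(?P<fqdn>[^']+)(?:[^'\n]*'){2}(?P<type>\w+)"
    r"(?:[^ \n]* ){3}'(?P<dns_view>\w+)(?:[^ \n]* ){4}(?P<root_cause>.+)"
)

# Assumed BSD-style syslog framing "<Mon> <day> <hh:mm:ss> <host> ...";
# only used to fill the _time and host columns of the table.
SYSLOG_PREFIX = re.compile(
    r"^(?P<_time>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
)

# Constructed sample events (not real Infoblox output). The second line is a
# successful load and must NOT be reported; the lookahead rejects it.
SAMPLE_LOG = """\
Jan 12 10:15:02 ib-grid-1 named[1234]: zone 'corp.example.com' of type 'AUTH' in view 'default' failed to load: NS record missing at apex
Jan 12 10:15:03 ib-grid-1 named[1234]: zone 'corp.example.com' of type 'AUTH' in view 'default' loaded serial 2024011201
Jan 12 10:16:40 ib-grid-2 named[4321]: zone 'dmz.example.net' of type 'FORWARD' in view 'external' failed to load: too many errors
"""

# Same column order as "| table _time,host,dns_view,fqdn,type,root_cause".
COLUMNS = ["_time", "host", "dns_view", "fqdn", "type", "root_cause"]


def extract_zone_failures(log_text):
    """Return one row (dict keyed by COLUMNS) per line the extraction matches.

    Lines without 'failed to load' fail the lookahead and are skipped, which is
    exactly what keeps successful zone loads out of the alert.
    """
    rows = []
    for line in log_text.splitlines():
        fields = ZONE_LOAD_FAILURE.search(line)
        if fields is None:
            continue
        row = {"_time": None, "host": None}
        prefix = SYSLOG_PREFIX.match(line)
        if prefix:
            row.update(prefix.groupdict())
        row.update(fields.groupdict())
        rows.append({col: row[col] for col in COLUMNS})
    return rows


def render_table(rows):
    """Plain-text rendering of the rows, roughly what the Splunk table shows."""
    widths = {c: max([len(c)] + [len(str(r[c])) for r in rows]) for c in COLUMNS}
    header = "  ".join(c.ljust(widths[c]) for c in COLUMNS)
    body = ["  ".join(str(r[c]).ljust(widths[c]) for c in COLUMNS) for r in rows]
    return "\n".join([header, "-" * len(header)] + body)


if __name__ == "__main__":
    print(render_table(extract_zone_failures(SAMPLE_LOG)))
```

If a real event from your grid comes back with no row, or with root_cause starting in the wrong place, the token counts in the `{3}` and `{4}` groups are the first thing to adjust; they assume a fixed number of words between the quoted type, the quoted view and the "failed to load:" phrase.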


Re: Alert on DNS "failed to load" event

Interesting report, Nicolas! Thanks for posting!!


