Generate a reports on DNS records changes

sheushen · ‎08-19-2019

Hi,

Is there any way I can produce a report which shows all the DNS record changes done within a time frame in a DNS view?

I would like to generate a report which shows all the new, edited and deleted records inside the Internal view.

bkoshy · ‎08-20-2019

Hi,

This should do it. Pretty straight forward.

index=ib_audit sourcetype=ib:audit earliest=@d DnsView=NAME ACTION=Created OR Modified OR Deleted OBJECT_TYPE=*Record |table TIMESTAMP, ADMIN, ACTION, OBJECT_TYPE, OBJECT_NAME |rename ACTION as Action, TIMESTAMP as Time, ADMIN as User, OBJECT_TYPE as "Record Type", OBJECT_NAME as "Record Name/Data"

Note:
Replace DnsView=NAME with the name of your DNS View
earliest=@d --> Data for the day from 00:00hrs
earliest=-2d or -1w or -24h --> Data from days ago or 1 week ago or 24 hours ago, till now
earliest=-2d@d --> Data from 00:00 hrs day before yesterday

Sample output.PNG

Best Regards,
Bibin Thomas

sheushen · ‎08-22-2019

HI bkoshy,

How do I extract the comment string too?

bkoshy · ‎08-23-2019

No field extraction needed since the field is already available. You just need to add it to your table.

index=ib_audit sourcetype=ib:audit earliest=-7d DnsView=Axe ACTION=Created OR Modified OR Deleted OBJECT_TYPE=*Record |table TIMESTAMP, ADMIN, ACTION, OBJECT_TYPE, OBJECT_NAME, comment |rename ACTION as Action, TIMESTAMP as Time, ADMIN as User, OBJECT_TYPE as "Record Type", OBJECT_NAME as "Record Name/Data". comment as Comment

Best Regards,
Bibin Thomas

THE GAME HAS CHANGED

Reporting

Generate a reports on DNS records changes

Re: Generate a reports on DNS records changes

Re: Generate a reports on DNS records changes

Re: Generate a reports on DNS records changes