How can I filter internal DNS queries in the logs?



  • I am analysing logs to tune what shall be indexed in the SIEM and what shall not. I am a pfSense newbie. How can I identify logs coming from DNS requests, and more precisely the internal ones, which I want to drop?



  • Hi,

    Crank up the DNS (Resolver) log details.
    Use an external logger: have your logs sent to a device with syslog, rsyslog, whatever.
    What is SIEM?
    What do you mean with

    @alsii said in How can I filter internal DNS queries in the logs?:

    internal ones

    Are there also external ones?

    Why drop DNS requests?



  • Hi Gertjan,
    We forward the logs to a syslog server, and then the relevant ones to a Splunk-based Security Information and Event Management system (SIEM). So we can always investigate on the syslog server (no logs dropped at all), but for our security needs, internal DNS requests are irrelevant and I don't want to pay to index them in Splunk.
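An added example of the filtering logic discussed above, written for this page rather than taken from the thread, pfSense or Splunk. It assumes that, once the Resolver log level is raised and query logging is on, Unbound writes query lines of the form `unbound[pid]: [pid:tid] info: <client-ip> <qname> <qtype> <qclass>` (that format and the sample lines below are constructed assumptions), and it treats "internal" as a query whose client address is in an RFC 1918, loopback, link-local or IPv6 ULA range. Everything that is not an Unbound query line (firewall `filterlog` lines, Unbound service messages) is kept, so only the DNS queries from internal clients are dropped before indexing.

```python
import ipaddress
import re

# Assumed Unbound query-log layout (pfSense "DNS Resolver" with query logging on).
# Service messages such as "info: start of service ..." do not match this shape.
UNBOUND_QUERY = re.compile(
    r"unbound(?:\[\d+\])?: \[\d+:\d+\] info: "
    r"(?P<client>\S+) (?P<qname>\S+) (?P<qtype>\S+) (?P<qclass>\S+)$"
)

# Address ranges treated as "internal" for this example.
INTERNAL_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
              "fc00::/7", "fe80::/10", "::1/128")
]


def parse_unbound_query(line):
    """Return {client, qname, qtype, qclass} for an Unbound query line, else None."""
    m = UNBOUND_QUERY.search(line.rstrip())
    if m is None:
        return None
    try:
        client = ipaddress.ip_address(m.group("client"))
    except ValueError:
        # First token is not an IP address, so this is not a client query line.
        return None
    return {
        "client": client,
        "qname": m.group("qname").rstrip("."),
        "qtype": m.group("qtype"),
        "qclass": m.group("qclass"),
    }


def is_internal(addr):
    return any(addr in net for net in INTERNAL_NETS)


def should_index(line):
    """Drop only DNS queries from internal clients; keep every other log line."""
    q = parse_unbound_query(line)
    if q is None:
        return True
    return not is_internal(q["client"])


def filter_lines(lines):
    """Split raw syslog lines into (kept, dropped) for forwarding to the SIEM."""
    kept, dropped = [], []
    for line in lines:
        (kept if should_index(line) else dropped).append(line)
    return kept, dropped


# Constructed sample syslog lines; hostnames and addresses are made up.
SAMPLE_LOG = """\
Jan 10 09:12:01 pfSense unbound[4711]: [4711:0] info: 192.168.1.50 intranet.corp.example. A IN
Jan 10 09:12:02 pfSense unbound[4711]: [4711:1] info: 10.20.0.7 www.example.com. AAAA IN
Jan 10 09:12:02 pfSense unbound[4711]: [4711:1] info: 203.0.113.9 www.example.com. A IN
Jan 10 09:12:03 pfSense filterlog[2233]: 5,,,1000000103,em0,match,block,in,4,0x0,,64,0,0,DF,6,tcp,60,203.0.113.9,192.0.2.1,51514,22,0,S,123456789,,65535,,mss
Jan 10 09:12:04 pfSense unbound[4711]: [4711:0] info: start of service (unbound 1.17.0).
""".splitlines()


if __name__ == "__main__":
    kept, dropped = filter_lines(SAMPLE_LOG)
    print("forward to SIEM:")
    for l in kept:
        print("  ", l)
    print("dropped (internal DNS queries):")
    for l in dropped:
        print("  ", l)
```

In production the same decision is usually made on the syslog relay rather than in Python; in rsyslog, for instance, a rule such as `if $programname == 'unbound' then stop` placed before the Splunk forwarding action discards all Resolver lines, which is the blunt version of this filter when every Unbound client is on the LAN anyway. The per-client check above is for the case where the resolver also answers non-private sources that you do want to see.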

