pdns-protobuf-receiver
Latency field value problem
Hello,
I use this piece of software to forward query events in JSON format to our SIEM product. But I noticed that for some packets, the latency field value is not quoted, so JSON parsing is impossible in our SIEM.
Latency field value quoted:
{"dns_message": "CLIENT_RESPONSE", "socket_family": "IPv4", "socket protocol": "UDP", "from_address": "1.2.3.4", "to_address": "2.2.3.3", "query_time": "2024-02-22T13:19:29.186304+00:00", "response_time": "2024-02-22T13:19:29.363495+00:00", "latency": 0.177191, "query_type": "A", "query_name": "example.com.", "return_code": "SERVFAIL", "bytes": 31}
And another one unquoted:
{"dns_message": "CLIENT_RESPONSE", "socket_family": "IPv4", "socket protocol": "UDP", "from_address": "1.2.3.4", "to_address": "2.2.3.3", "query_time": "2024-02-22T12:47:20.758735+00:00", "response_time": "2024-02-22T12:47:20.758832+00:00", "latency": 9.7e-05, "query_type": "A", "query_name": "good.fqdn.com.", "return_code": "NOERROR", "bytes": 90}
Could you look into this issue, please?
Best regards.
EDIT: both values are unquoted, as they are considered integers, I think. But the format with the exponent inside is not recognized by our log receivers as a valid value.
I've managed to work around this issue by disabling scientific notation in receiver.py:
time_latency = f'{time_latency:.9f}'
Maybe some log receivers can manage this notation; ours cannot. Maybe we could manage this with a wrapper script option?
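An added example, not part of the original thread or the project's code: one way to keep `latency` a JSON number while never emitting an exponent, so that a strict SIEM parser does not drop the DNS event. The names `fixed_point`, `encode` and `SAMPLE` are hypothetical, and the record is constructed from the values quoted above.

```python
import json
import math

# Constructed sample record, using field values quoted in the issue above.
SAMPLE = {
    "dns_message": "CLIENT_RESPONSE",
    "latency": 9.7e-05,
    "query_name": "good.fqdn.com.",
    "return_code": "NOERROR",
    "bytes": 90,
}


def fixed_point(value: float, places: int = 9) -> str:
    """Render a float as a plain decimal JSON number, never with an exponent."""
    if not math.isfinite(value):
        # NaN and Infinity are not valid JSON numbers; refuse rather than emit them.
        raise ValueError("non-finite float cannot be encoded as a JSON number")
    text = f"{value:.{places}f}".rstrip("0")
    # Keep one digit after the point so the token stays a decimal number.
    return text + "0" if text.endswith(".") else text


def encode(value, places: int = 9) -> str:
    """Serialize to JSON, formatting every float with fixed_point().

    Assumes dict keys are strings, as in the receiver's records.
    """
    if isinstance(value, float):
        return fixed_point(value, places)
    if isinstance(value, dict):
        items = (f"{json.dumps(k)}: {encode(v, places)}" for k, v in value.items())
        return "{" + ", ".join(items) + "}"
    if isinstance(value, (list, tuple)):
        return "[" + ", ".join(encode(v, places) for v in value) + "]"
    # Strings, ints, booleans and None go through the standard encoder.
    return json.dumps(value)


if __name__ == "__main__":
    print(json.dumps(SAMPLE))  # standard encoder: latency appears as 9.7e-05
    print(encode(SAMPLE))      # fixed-point: latency appears as 0.000097
```

The standard `json` module formats floats with `float.__repr__`, which switches to exponent notation for small values; that output is valid JSON, so the change only matters for receivers that reject it.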
Can you switch to the DNScollector tool? Full support for the PowerDNS protobuf is implemented.
Hello @dmachard and thank you for the hint. I'll give it a try 👍